Improved detections based on telemetry.

detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml → detections/deprecated/attempt_to_add_certificate_to_untrusted_store.yml

@@ -1,9 +1,9 @@
 name: Attempt To Add Certificate To Untrusted Store
 id: 6bc5243e-ef36-45dc-9b12-f4a6be131159
-version: 18
-date: '2026-03-10'
+version: 19
+date: '2026-03-26'
 author: Patrick Bareiss, Rico Valdez, Splunk
-status: production
+status: deprecated
 type: Anomaly
 description: |
     The following analytic detects attempts to add a certificate to the untrusted

detections/endpoint/chcp_command_execution.yml → detections/deprecated/chcp_command_execution.yml

@@ -1,9 +1,9 @@
 name: CHCP Command Execution
 id: 21d236ec-eec1-11eb-b23e-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-23'
 author: Teoderick Contreras, Splunk
-status: production
+status: deprecated
 type: Anomaly
 description: The following analytic detects the execution of the chcp.com utility, which is used to change the active code page of the console. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. This activity is significant because it can indicate the presence of malware, such as IcedID, which uses this technique to determine the locale region, language, or country of the compromised host. If confirmed malicious, this could lead to further system compromise and data exfiltration.
 data_source:

detections/endpoint/processes_launching_netsh.yml → detections/deprecated/processes_launching_netsh.yml

@@ -1,9 +1,9 @@
 name: Processes launching netsh
 id: b89919ed-fe5f-492c-b139-95dbb162040e
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-26'
 author: Michael Haag, Josef Kuepker, Splunk
-status: production
+status: deprecated
 type: Anomaly
 description: The following analytic identifies processes launching netsh.exe, a command-line utility used to modify network configurations. It detects this activity by analyzing data from Endpoint Detection and Response (EDR) agents, focusing on process GUIDs, names, parent processes, and command-line executions. This behavior is significant because netsh.exe can be exploited to execute malicious helper DLLs, serving as a persistence mechanism. If confirmed malicious, an attacker could gain persistent access, modify network settings, and potentially escalate privileges, posing a severe threat to the network's integrity and security.
 data_source:

detections/endpoint/sc_exe_manipulating_windows_services.yml → detections/deprecated/sc_exe_manipulating_windows_services.yml

@@ -1,9 +1,9 @@
 name: Sc exe Manipulating Windows Services
 id: f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-26'
 author: Rico Valdez, Splunk
-status: production
+status: deprecated
 type: TTP
 description: The following analytic detects the creation or modification of Windows services using the sc.exe command. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because manipulating Windows services can be a method for attackers to establish persistence, escalate privileges, or execute arbitrary code. If confirmed malicious, this behavior could allow an attacker to maintain long-term access, disrupt services, or gain control over critical system functions, posing a severe threat to the environment.
 data_source:

detections/endpoint/anomalous_usage_of_7zip.yml

@@ -1,7 +1,7 @@
 name: Anomalous usage of 7zip
 id: 9364ee8e-a39a-11eb-8f1d-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-26'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -12,7 +12,7 @@ data_source:
     - CrowdStrike ProcessRollup2
 search: |-
     | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
-      WHERE Processes.parent_process_name IN ("rundll32.exe", "dllhost.exe") Processes.process_name=*7z*
+      WHERE (Processes.parent_process_name IN ("rundll32.exe", "dllhost.exe") Processes.process_name=*7z*) AND NOT Processes.process_path = "C:\\Program Files\\VMware\\VMware Tools\\7za.exe"
       BY Processes.action Processes.dest Processes.original_file_name
          Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
          Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path

detections/endpoint/conti_common_exec_parameter.yml

@@ -1,7 +1,7 @@
 name: Conti Common Exec parameter
 id: 624919bc-c382-11eb-adcc-acde48001122
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-26'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -12,13 +12,7 @@ data_source:
     - CrowdStrike ProcessRollup2
 search: |-
     | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
-      WHERE Processes.process = "*-m local*"
-        OR
-        Processes.process = "*-m net*"
-        OR
-        Processes.process = "*-m all*"
-        OR
-        Processes.process = "*-nomutex*"
+      WHERE Processes.process IN ("*-m local", "*-m local *", "*-m net", "*-m net *", "*-m all","*-m all *", "*-nomutex", "*-nomutex *")
       BY Processes.action Processes.dest Processes.original_file_name
          Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
          Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path

detections/endpoint/detect_rundll32_inline_hta_execution.yml

@@ -1,7 +1,7 @@
 name: Detect Rundll32 Inline HTA Execution
 id: 91c79f14-5b41-11eb-ae93-0242ac130002
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-26'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -14,9 +14,7 @@ search: |-
     | tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
       WHERE `process_rundll32` (Processes.process=*vbscript*
         OR
-        Processes.process=*javascript*
-        OR
-        Processes.process=*about*)
+        Processes.process=*javascript*)
       BY Processes.action Processes.dest Processes.original_file_name
          Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
          Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path

detections/endpoint/disable_schedule_task.yml

@@ -1,10 +1,10 @@
 name: Disable Schedule Task
 id: db596056-3019-11ec-a9ff-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-26'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
+type: Anomaly
 description: The following analytic detects the execution of a command to disable an existing scheduled task using 'schtasks.exe' with the '/change' and '/disable' parameters. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Disabling scheduled tasks is significant as it is a common tactic used by adversaries, including malware like IcedID, to disable security applications and evade detection. If confirmed malicious, this activity could allow attackers to persist undetected, disable critical security defenses, and further compromise the targeted host.
 data_source:
     - Sysmon EventID 1

detections/endpoint/modify_acl_permission_to_files_or_folder.yml

@@ -1,7 +1,7 @@
 name: Modify ACL permission To Files Or Folder
 id: 7e8458cc-acca-11eb-9e3f-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -19,7 +19,7 @@ search: |
     from datamodel=Endpoint.Processes where
       Processes.process_name IN ("icacls.exe", "cacls.exe", "xcacls.exe")
       Processes.process IN ("*/grant*", "*/g:*", "*/g *")
-      Processes.process IN ("* Everyone:*", "* SYSTEM:*", "* S-1-1-0:*")
+      Processes.process IN ("* SYSTEM:*", "* S-1-1-0:*")
     by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
     Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
     Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec

detections/endpoint/possible_lateral_movement_powershell_spawn.yml

@@ -1,7 +1,7 @@
 name: Possible Lateral Movement PowerShell Spawn
 id: cb909b3e-512b-11ec-aa31-3e22fbd008af
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-26'
 author: Mauricio Velazco, Michael Haag, Splunk
 status: production
 type: TTP

detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml

@@ -1,7 +1,7 @@
 name: Reg exe Manipulating Windows Services Registry Keys
 id: 8470d755-0c13-45b3-bd63-387a373c10cf
-version: 14
-date: '2026-03-10'
+version: 15
+date: '2026-03-24'
 author: Rico Valdez, Splunk
 status: production
 type: TTP
@@ -12,7 +12,7 @@ data_source:
     - CrowdStrike ProcessRollup2
 search: |-
     | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name values(Processes.user) as user FROM datamodel=Endpoint.Processes
-      WHERE Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services*
+      WHERE (Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services*)
       BY Processes.action Processes.dest Processes.original_file_name
          Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
          Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path

detections/endpoint/revil_common_exec_parameter.yml

@@ -1,7 +1,7 @@
 name: Revil Common Exec Parameter
 id: 85facebe-c382-11eb-9c3e-acde48001122
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -15,10 +15,6 @@ search: |-
       WHERE Processes.process = "* -nolan *"
         OR
         Processes.process = "* -nolocal *"
-        OR
-        Processes.process = "* -fast *"
-        OR
-        Processes.process = "* -full *"
       BY Processes.action Processes.dest Processes.original_file_name
          Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
          Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path

detections/endpoint/ryuk_wake_on_lan_command.yml

@@ -1,7 +1,7 @@
 name: Ryuk Wake on LAN Command
 id: 538d0152-7aaa-11eb-beaa-acde48001122
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-03-24'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -11,19 +11,28 @@ data_source:
     - Windows Event Log Security 4688
     - CrowdStrike ProcessRollup2
 search: |-
-    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
-      WHERE (
-            Processes.process="*8 LAN*"
-            OR
-            Processes.process="*9 REP*"
-        )
-      BY Processes.action Processes.dest Processes.original_file_name
-         Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
-         Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
-         Processes.process Processes.process_exec Processes.process_guid
-         Processes.process_hash Processes.process_id Processes.process_integrity_level
-         Processes.process_name Processes.process_path Processes.user
-         Processes.user_id Processes.vendor_product
+    | tstats `security_content_summariesonly`
+      count min(_time) as firstTime
+            max(_time) as lastTime
+
+    FROM datamodel=Endpoint.Processes WHERE
+
+    Processes.process IN (
+        "* 8 LAN",
+        "* 8 LAN *",
+        "* 9 REP",
+        "* 9 REP *"
+    )
+
+    BY Processes.action Processes.dest Processes.original_file_name
+       Processes.parent_process Processes.parent_process_exec
+       Processes.parent_process_guid Processes.parent_process_id
+       Processes.parent_process_name Processes.parent_process_path
+       Processes.process Processes.process_exec Processes.process_guid
+       Processes.process_hash Processes.process_id Processes.process_integrity_level
+       Processes.process_name Processes.process_path Processes.user
+       Processes.user_id Processes.vendor_product
+
     | `drop_dm_object_name(Processes)`
     | `security_content_ctime(firstTime)`
     | `security_content_ctime(lastTime)`

detections/endpoint/slui_spawning_a_process.yml

@@ -1,7 +1,7 @@
 name: SLUI Spawning a Process
 id: 879c4330-b3e0-11eb-b1b1-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-24'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -12,7 +12,7 @@ data_source:
     - CrowdStrike ProcessRollup2
 search: |-
     | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
-      WHERE Processes.parent_process_name=slui.exe
+      WHERE Processes.parent_process_name=slui.exe AND NOT Processes.process_name=slui.exe
       BY Processes.action Processes.dest Processes.original_file_name
          Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
          Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path

detections/endpoint/suspicious_rundll32_startw.yml

@@ -1,7 +1,7 @@
 name: Suspicious Rundll32 StartW
 id: 9319dda5-73f2-4d43-a85a-67ce961bddb7
-version: 12
-date: '2026-03-10'
+version: 13
+date: '2026-03-24'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -12,7 +12,7 @@ data_source:
     - CrowdStrike ProcessRollup2
 search: |-
     | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
-      WHERE `process_rundll32` Processes.process=*start*
+      WHERE `process_rundll32` Processes.process IN ("*startw", "*startw *")
       BY Processes.action Processes.dest Processes.original_file_name
          Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
          Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path

detections/endpoint/system_user_discovery_with_whoami.yml

@@ -1,10 +1,10 @@
 name: System User Discovery With Whoami
 id: 894fc43e-6f50-47d5-a68b-ee9ee23e18f4
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-03-24'
 author: Mauricio Velazco, Splunk
 status: production
-type: Anomaly
+type: Hunting
 description: The following analytic detects the execution of `whoami.exe` without any arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant because both Red Teams and adversaries use `whoami.exe` to identify the current logged-in user, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this behavior could indicate an attacker is gathering information to further compromise the system, potentially leading to privilege escalation or lateral movement within the network.
 data_source:
     - Sysmon EventID 1
@@ -14,6 +14,8 @@ search: |-
     | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
       WHERE (
             Processes.process_name="whoami.exe"
+            OR
+            Processes.process_original_file_name="whoami.exe"
         )
       BY Processes.action Processes.dest Processes.original_file_name
          Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
@@ -30,29 +32,6 @@ how_to_implement: The detection is based on data that originates from Endpoint D
 known_false_positives: Administrators or power users may use this command for troubleshooting.
 references:
     - https://attack.mitre.org/techniques/T1033/
-drilldown_searches:
-    - name: View the detection results for - "$user$" and "$dest$"
-      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
-      earliest_offset: $info_min_time$
-      latest_offset: $info_max_time$
-    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
-      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-      earliest_offset: $info_min_time$
-      latest_offset: $info_max_time$
-rba:
-    message: An instance of $parent_process_name$ spawning $process_name$ was identified on endpoint $dest$ by user $user$.
-    risk_objects:
-        - field: user
-          type: user
-          score: 20
-        - field: dest
-          type: system
-          score: 20
-    threat_objects:
-        - field: parent_process_name
-          type: parent_process_name
-        - field: process_name
-          type: process_name
 tags:
     analytic_story:
         - Winter Vivern

detections/endpoint/windows_account_access_removal_via_logoff_exec.yml

@@ -1,7 +1,7 @@
 name: Windows Account Access Removal via Logoff Exec
 id: 223572ab-8768-4e20-9b39-c38707af80dc
-version: 6
-date: '2026-03-10'
+version: 7
+date: '2026-03-26'
 author: Teoderick Contreras, Splunk
 data_source:
     - Sysmon EventID 1
@@ -10,7 +10,7 @@ status: production
 description: "The following analytic detects the process of logging off a user through the use of the quser and logoff commands. By monitoring for these commands, the analytic identifies actions where a user session is forcibly terminated, which could be part of an administrative task or a potentially unauthorized access attempt. This detection helps identify potential misuse or malicious activity where a user’s access is revoked without proper authorization, providing insight into potential security incidents involving account management or session manipulation."
 search: |-
     | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
-      WHERE Processes.process_name = logoff.exe
+      WHERE Processes.process_name = logoff.exe Processes.parent_process_name IN ("cmd.exe", "powershell.exe", "pwsh.exe")
       BY Processes.action Processes.dest Processes.original_file_name
          Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
          Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path

detections/endpoint/windows_application_whitelisting_bypass_attempt_via_rundll32.yml

@@ -1,7 +1,7 @@
 name: Windows Application Whitelisting Bypass Attempt via Rundll32
 id: 1ef5dab0-e1f1-495d-a272-d134583c10b1
-version: 3
-date: '2026-03-10'
+version: 4
+date: '2026-03-24'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -33,6 +33,7 @@ search: |
     `process_rundll32`
     Processes.process IN ("*syssetup*", "*advpack*", "*setupapi*")
     Processes.process IN ("*LaunchINFSection*", "*InstallHinfSection*", "*SetupInfObjectInstallAction*")
+    NOT (Processes.parent_process_name="msiexec.exe" Processes.process="* C:\\Program Files (x86)\\Netskope\\EPDLP Deployment\\*")
     by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
        Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
        Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec