Merge branch 'develop' into eventlog-stuff

Author: patel-bhavin

…ad_with_urlcache_and_split_arguments.yml …ad_with_urlcache_and_split_arguments.ymldetections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml renamed to detections/deprecated/certutil_download_with_urlcache_and_split_arguments.yml detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml renamed to detections/deprecated/certutil_download_with_urlcache_and_split_arguments.yml

@@ -1,11 +1,12 @@
 name: CertUtil Download With URLCache and Split Arguments
 id: 415b4306-8bfb-11eb-85c4-acde48001122
-version: 12
-date: '2025-04-16'
+version: 13
+date: '2025-04-24'
 author: Michael Haag, Splunk
-status: production
+status: deprecated
 type: TTP
-description: The following analytic detects the use of certutil.exe to download files
+description: This analytic has been deprecated in favor of "Windows CertUtil Download".
+  The following analytic detects the use of certutil.exe to download files
   using the `-urlcache` and `-f` arguments. It leverages Endpoint Detection and Response
   (EDR) data, focusing on command-line executions that include these specific arguments.
   This activity is significant because certutil.exe is typically used for certificate

…d_with_verifyctl_and_split_arguments.yml …d_with_verifyctl_and_split_arguments.ymldetections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml renamed to detections/deprecated/certutil_download_with_verifyctl_and_split_arguments.yml detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml renamed to detections/deprecated/certutil_download_with_verifyctl_and_split_arguments.yml

@@ -1,11 +1,12 @@
 name: CertUtil Download With VerifyCtl and Split Arguments
 id: 801ad9e4-8bfb-11eb-8b31-acde48001122
-version: 12
-date: '2025-04-16'
+version: 13
+date: '2025-04-24'
 author: Michael Haag, Splunk
-status: production
+status: deprecated
 type: TTP
-description: The following analytic detects the use of `certutil.exe` to download
+description: This analytic has been deprecated in favor of "Windows CertUtil Download".
+  The following analytic detects the use of `certutil.exe` to download
   files using the `-VerifyCtl` and `-f` arguments. This behavior is identified by
   monitoring command-line executions for these specific arguments via Endpoint Detection
   and Response (EDR) telemetry. This activity is significant because `certutil.exe`

…_certutil_download_with_url_argument.yml …_certutil_download_with_url_argument.ymldetections/endpoint/windows_certutil_download_with_url_argument.yml renamed to detections/deprecated/windows_certutil_download_with_url_argument.yml detections/endpoint/windows_certutil_download_with_url_argument.yml renamed to detections/deprecated/windows_certutil_download_with_url_argument.yml

@@ -1,11 +1,12 @@
 name: Windows CertUtil Download With URL Argument
 id: 4fc5ca00-4c7c-46b3-8772-c98a4b8bd944
-version: 5
-date: '2025-04-16'
+version: 6
+date: '2025-04-24'
 author: Nasreddine Bencherchali, Splunk
-status: production
+status: deprecated
 type: TTP
-description: The following analytic detects the use of `certutil.exe` to download
+description: This analytic has been deprecated in favor of "Windows CertUtil Download".
+  The following analytic detects the use of `certutil.exe` to download
   files using the `-URL` arguments. This behavior is identified by monitoring command-line
   executions for these specific arguments via Endpoint Detection and Response (EDR)
   telemetry. This activity is significant because `certutil.exe` is a legitimate tool

…/windows_remote_access_software_hunt.yml …/windows_remote_access_software_hunt.ymldetections/endpoint/windows_remote_access_software_hunt.yml renamed to detections/deprecated/windows_remote_access_software_hunt.yml detections/endpoint/windows_remote_access_software_hunt.yml renamed to detections/deprecated/windows_remote_access_software_hunt.yml

@@ -1,11 +1,11 @@
 name: Windows Remote Access Software Hunt
 id: 8bd22c9f-05a2-4db1-b131-29271f28cb0a
-version: 7
-date: '2025-04-18'
+version: 8
+date: '2025-04-30'
 author: Michael Haag, Splunk
-status: production
+status: deprecated
 type: Hunting
-description: The following analytic identifies the use of remote access software within
+description: This search is deprecated in favor of the new detection - Detect Remote Access Software Usage Process. The following analytic identifies the use of remote access software within
   the environment. It leverages data from Endpoint Detection and Response (EDR) agents,
   focusing on process execution logs. This detection is significant as unauthorized
   remote access tools can be used by adversaries to maintain persistent access to

detections/endpoint/chcp_command_execution.yml

@@ -1,15 +1,14 @@
 name: CHCP Command Execution
 id: 21d236ec-eec1-11eb-b23e-acde48001122
-version: 6
-date: '2025-02-19'
+version: 7
+date: '2025-04-24'
 author: Teoderick Contreras, Splunk
 status: production
-type: TTP
-description: The following analytic detects the execution of the chcp.exe application,
+type: Anomaly
+description: The following analytic detects the execution of the chcp.com utility,
   which is used to change the active code page of the console. This detection leverages
   data from Endpoint Detection and Response (EDR) agents, focusing on process creation
-  events where chcp.exe is executed by cmd.exe with specific command-line arguments.
-  This activity is significant because it can indicate the presence of malware, such
+  events. This activity is significant because it can indicate the presence of malware, such
   as IcedID, which uses this technique to determine the locale region, language, or
   country of the compromised host. If confirmed malicious, this could lead to further
   system compromise and data exfiltration.
@@ -18,7 +17,6 @@ data_source:
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where Processes.process_name=chcp.com
-  Processes.parent_process_name = cmd.exe (Processes.parent_process=*/c* OR Processes.parent_process=*/k*)
   by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
@@ -35,8 +33,7 @@ how_to_implement: The detection is based on data that originates from Endpoint D
   the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
   data model. Use the Splunk Common Information Model (CIM) to normalize the field
   names and speed up the data modeling process.
-known_false_positives: other tools or script may used this to change code page to
-  UTF-* or others
+known_false_positives: other tools or script may used this to change code page to UTF-* or others
 references:
 - https://ss64.com/nt/chcp.html
 - https://twitter.com/tccontre18/status/1419941156633329665?s=20

detections/endpoint/check_elevated_cmd_using_whoami.yml

@@ -1,12 +1,15 @@
 name: Check Elevated CMD using whoami
 id: a9079b18-1633-11ec-859c-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-04-24'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
-description: The following analytic identifies the execution of the 'whoami' command
-  with specific parameters to check for elevated privileges. It leverages data from
+description: The following analytic identifies the execution of the "whoami" command
+  with the "/group" flag, where the results are passed to the "find" command in order
+  to look for a the string "12288". This string represents the SID of the group
+  "Mandatory Label\High Mandatory Level" effectively checking if the current process
+  is running as a "High" integrity process or with Administrator privileges. It leverages data from
   Endpoint Detection and Response (EDR) agents, focusing on process and command-line
   telemetry. This activity is significant because it is commonly used by attackers,
   such as FIN7, to perform reconnaissance on a compromised host. If confirmed malicious,
@@ -35,7 +38,7 @@ how_to_implement: The detection is based on data that originates from Endpoint D
   the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
   data model. Use the Splunk Common Information Model (CIM) to normalize the field
   names and speed up the data modeling process.
-known_false_positives: unknown
+known_false_positives: The combination of these commands is unlikely to occur in a production environment. Any matches should be investigated. 
 references: []
 drilldown_searches:
 - name: View the detection results for - "$dest$" and "$user$"

detections/endpoint/detect_remote_access_software_usage_process.yml

@@ -1,34 +1,38 @@
 name: Detect Remote Access Software Usage Process
 id: ffd5e001-2e34-48f4-97a2-26dc4bb08178
-version: 8
-date: '2025-04-18'
-author: Steven Dick
+version: 9
+date: '2025-04-30'
+author: Steven Dick, Sebastian Wurl, Splunk Community
 status: production
 type: Anomaly
 description: The following analytic detects the execution of known remote access software
   within the environment. It leverages data from Endpoint Detection and Response (EDR)
   agents, focusing on process names and parent processes mapped to the Endpoint data
-  model. This activity is significant as adversaries often use remote access tools
-  like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access.
+  model. We then compare with with a list of known remote access software shipped as a lookup file - remote_access_software. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access.
   If confirmed malicious, this could allow attackers to control systems remotely,
   exfiltrate data, or deploy additional malware, posing a severe threat to the organization's
   security.
 data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes
-  where Processes.dest!=unknown Processes.process!=unknown by Processes.action Processes.dest
-  Processes.original_file_name Processes.parent_process Processes.parent_process_exec
-  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
-  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
-  Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
-  Processes.process_path Processes.user Processes.user_id Processes.vendor_product
-  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)`
-  | lookup remote_access_software remote_utility AS process_name OUTPUT isutility,
-  description as signature, comment_reference as desc, category | search isutility
-  = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_process_filter`'
+search: |
+  | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.parent_process) as parent_process 
+    from datamodel=Endpoint.Processes 
+    where 
+    [| inputlookup remote_access_software where isutility=TRUE
+    | rename remote_utility AS Processes.process_name 
+    | fields Processes.process_name] 
+    AND Processes.dest!="unknown" 
+    AND Processes.user!="unknown" 
+    by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `drop_dm_object_name(Processes)` 
+  | lookup remote_access_software remote_utility AS process_name OUTPUT isutility description AS signature comment_reference AS desc category
+  | search isutility = TRUE
+  | `remote_access_software_usage_exceptions`
+  | `detect_remote_access_software_usage_process_filter`
 how_to_implement: The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
@@ -107,3 +111,6 @@ tests:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

detections/endpoint/detection_of_tools_built_by_nirsoft.yml

@@ -1,10 +1,10 @@
 name: Detection of tools built by NirSoft
 id: 3d8d201c-aa03-422d-b0ee-2e5ecf9718c0
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-04-24'
 author: Bhavin Patel, Splunk
 status: experimental
-type: TTP
+type: Anomaly
 description: The following analytic identifies the execution of tools built by NirSoft
   by detecting specific command-line arguments such as "/stext" and "/scomma". It
   leverages data from Endpoint Detection and Response (EDR) agents, focusing on process
@@ -37,10 +37,10 @@ how_to_implement: The detection is based on data that originates from Endpoint D
   data model. Use the Splunk Common Information Model (CIM) to normalize the field
   names and speed up the data modeling process.
 known_false_positives: While legitimate, these NirSoft tools are prone to abuse. You
-  should verfiy that the tool was used for a legitimate purpose.
+  should verify that the tool was used for a legitimate purpose.
 references: []
 rba:
-  message: NirSoft tools detected on $dest$
+  message: NirSoft tool detected on $dest$
   risk_objects:
   - field: user
     type: user

detections/endpoint/excessive_number_of_taskhost_processes.yml

@@ -1,11 +1,12 @@
 name: Excessive number of taskhost processes
 id: f443dac2-c7cf-11eb-ab51-acde48001122
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-04-25'
 author: Michael Hart
 status: production
 type: Anomaly
-description: The following analytic identifies an excessive number of taskhost.exe
+description:
+  The following analytic identifies an excessive number of taskhost.exe
   and taskhostex.exe processes running within a short time frame. It leverages data
   from Endpoint Detection and Response (EDR) agents, focusing on process names and
   their counts. This behavior is significant as it is commonly associated with post-exploitation
@@ -14,10 +15,11 @@ description: The following analytic identifies an excessive number of taskhost.e
   activity could indicate an ongoing attack, allowing attackers to execute code, escalate
   privileges, or move laterally within the network.
 data_source:
-- Sysmon EventID 1
-- Windows Event Log Security 4688
-- CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` values(Processes.action) as action
+  - Sysmon EventID 1
+  - Windows Event Log Security 4688
+  - CrowdStrike ProcessRollup2
+search:
+  '| tstats `security_content_summariesonly` values(Processes.action) as action
   values(Processes.original_file_name) as original_file_name values(Processes.parent_process)
   as parent_process values(Processes.parent_process_exec) as parent_process_exec values(Processes.parent_process_guid)
   as parent_process_guid values(Processes.parent_process_id) as parent_process_id
@@ -41,9 +43,11 @@ search: '| tstats `security_content_summariesonly` values(Processes.action) as a
   values(process_hash) as process_hash values(process_id) as process_id values(process_integrity_level)
   as process_integrity_level values(user) as user values(process_path) as process_path
   values(user_id) as user_id values(vendor_product) as vendor_product values(process_name)
-  as process_name by _time, dest, firstTime, lastTime | `security_content_ctime(firstTime)`
+  as process_name by _time, dest, firstTime, lastTime | where taskhost_count >
+  10 or taskhostex_count > 10 | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `excessive_number_of_taskhost_processes_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
+how_to_implement:
+  The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
   you must ingest logs that contain the process GUID, process name, and parent process.
@@ -52,46 +56,49 @@ how_to_implement: The detection is based on data that originates from Endpoint D
   the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
   data model. Use the Splunk Common Information Model (CIM) to normalize the field
   names and speed up the data modeling process.
-known_false_positives: Administrators, administrative actions or certain applications
+known_false_positives:
+  Administrators, administrative actions or certain applications
   may run many instances of taskhost and taskhostex concurrently.  Filter as needed.
 references:
-- https://attack.mitre.org/software/S0250/
+  - https://attack.mitre.org/software/S0250/
 drilldown_searches:
-- name: View the detection results for - "$dest$"
-  search: '%original_detection_search% | search  dest = "$dest$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$dest$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
-    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
-    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
-    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
-    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
-    | `security_content_ctime(lastTime)`'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
+  - name: View the detection results for - "$dest$"
+    search: '%original_detection_search% | search  dest = "$dest$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$dest$"
+    search:
+      '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+      starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+      values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+      as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+      as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+      | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
 rba:
-  message: An excessive amount of taskhost.exe and taskhostex.exe was executed on
+  message:
+    An excessive amount of taskhost.exe and taskhostex.exe was executed on
     $dest$ indicative of suspicious behavior.
   risk_objects:
-  - field: dest
-    type: system
-    score: 56
+    - field: dest
+      type: system
+      score: 56
   threat_objects: []
 tags:
   analytic_story:
-  - Meterpreter
+    - Meterpreter
   asset_type: Endpoint
   mitre_attack_id:
-  - T1059
+    - T1059
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
-- name: True Positive Test
-  attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/excessive_distinct_processes_from_windows_temp/windows-xml.log
-    source: XmlWinEventLog:Security
-    sourcetype: XmlWinEventLog
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/excessive_distinct_processes_from_windows_temp/windows-xml.log
+        source: XmlWinEventLog:Security
+        sourcetype: XmlWinEventLog

detections/endpoint/java_writing_jsp_file.yml

@@ -1,7 +1,7 @@
 name: Java Writing JSP File
 id: eb65619c-4f8d-4383-a975-d352765d344b
-version: 8
-date: '2025-04-22'
+version: 9
+date: '2025-04-28'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -72,6 +72,7 @@ tags:
   - Spring4Shell CVE-2022-22965
   - Atlassian Confluence Server and Data Center CVE-2022-26134
   - SysAid On-Prem Software CVE-2023-47246 Vulnerability
+  - SAP NetWeaver Exploitation
   asset_type: Endpoint
   cve:
   - CVE-2022-22965