Merge branch 'develop' into linux_syscall_auditd_update

patel-bhavin · web-flow · commit 3f8a13a1f59a · 2025-05-05T11:53:55.000-07:00
diff --git a/detections/endpoint/macos___re_opened_applications.yml b/detections/endpoint/macos___re_opened_applications.yml
@@ -1,7 +1,7 @@
 name: MacOS - Re-opened Applications
 id: 40bb64f9-f619-4e3d-8732-328d40377c4b
 version: 5
-date: '2025-05-02'
+date: '2025-05-05'
 author: Jamie Windley, Splunk
 status: experimental
 type: TTP
@@ -31,9 +31,9 @@ how_to_implement: The detection is based on data that originates from Endpoint D
   data model. Use the Splunk Common Information Model (CIM) to normalize the field
   names and speed up the data modeling process.
 known_false_positives: At this stage, there are no known false positives. During testing,
-  no process events refering the com.apple.loginwindow.plist files were observed during
-  normal operation of re-opening applications on reboot. Therefore, it can be asumed
-  that any occurences of this in the process events would be worth investigating.
+  no process events referring the com.apple.loginwindow.plist files were observed during
+  normal operation of re-opening applications on reboot. Therefore, it can be assumed
+  that any occurrences of this in the process events would be worth investigating.
   In the event that the legitimate modification by the system of these files is in
   fact logged to the process log, then the process_name of that process can be added
   to an allow list.
diff --git a/detections/endpoint/macos_amos_stealer___virtual_machine_check_activity.yml b/detections/endpoint/macos_amos_stealer___virtual_machine_check_activity.yml
@@ -0,0 +1,79 @@
+name: MacOS AMOS Stealer - Virtual Machine Check Activity
+id: 4e41ad21-9761-426d-8aa1-083712ff9f30
+version: 1
+date: '2025-04-25'
+author: Nasreddine Bencherchali, Splunk, Alex Karkins
+status: production
+type: Anomaly
+description: |
+  The following analytic detects AMOS Stealer VM check activity on macOS. It leverages osquery to monitor process events and identifies the execution of the "osascript" command along with specific commandline strings. This activity is significant
+  as AMOS stealer was seen using this pattern in order to check if the host is a Virtual Machine or not. If confirmed malicious, this behavior indicate that the host is already infected by the AMOS stealer, which could allow attackers to execute arbitrary code, escalate privileges, steal information, or persist within the environment, posing a significant security risk.
+data_source:
+  - osquery
+search: |
+  `osquery_macro` name=es_process_events 
+  columns.cmdline="*osascript*" AND columns.cmdline="* -e *" AND columns.cmdline="*set*" AND columns.cmdline="*system_profiler*" AND columns.cmdline IN ("*VMware*", "*QEMU*") 
+  | rename columns.* as * 
+  | stats  min(_time) as firstTime max(_time) as lastTime 
+    values(cmdline) as cmdline, 
+    values(pid) as pid, 
+    values(parent) as parent, 
+    values(path) as path,
+    values(signing_id) as signing_id,  
+    by username host 
+  | rename 
+    username as user, 
+    cmdline as process, 
+    parent as parent_process, 
+    path as process_path, 
+    host as dest 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `macos_amos_stealer___virtual_machine_check_activity_filter`
+how_to_implement: |
+  This detection leverages osquery and endpoint security on MacOS. Follow the link in references, which describes how to setup process auditing in MacOS with endpoint security and osquery.
+known_false_positives: None identified.
+references:
+  - https://osquery.readthedocs.io/en/stable/deployment/process-auditing/
+  - https://www.virustotal.com/gui/search/behaviour_processes%253A%2522osascript%2520-e%2520set%2522%2520AND%2520behaviour_processes%253A%2522system_profiler%2522%2520AND%2520(behaviour_processes%253A%2522VMware%2522%2520OR%2520behaviour_processes%253A%2522QEMU%2522)?type=files
+drilldown_searches:
+  - name: View the detection results for - "$user$" and "$dest$"
+    search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$user$" and "$dest$"
+    search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
+      "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+      as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+      Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+      as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+      by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+rba:
+  message: AMOS Stealer activity on host $dest$ by user $user$
+  risk_objects:
+    - field: user
+      type: user
+      score: 40
+    - field: dest
+      type: system
+      score: 40
+  threat_objects: []
+tags:
+  analytic_story:
+  - AMOS Stealer
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1059.002
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.002/amos_stealer/amos_stealer.log
+    source: osquery
+    sourcetype: osquery:results
diff --git a/detections/endpoint/macos_lolbin.yml b/detections/endpoint/macos_lolbin.yml
@@ -1,7 +1,7 @@
 name: MacOS LOLbin
 id: 58d270fb-5b39-418e-a855-4b8ac046805e
 version: 7
-date: '2025-05-02'
+date: '2025-05-05'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
@@ -13,7 +13,8 @@ description: The following analytic detects multiple executions of Living off th
   detection. If confirmed malicious, this behavior could allow attackers to execute
   arbitrary code, escalate privileges, or persist within the environment, posing a
   significant security risk.
-data_source: []
+data_source:
+- osquery
 search: '`osquery_macro` name=es_process_events columns.cmdline IN ("find*", "crontab*",
   "screencapture*", "openssl*", "curl*", "wget*", "killall*", "funzip*") | rename
   columns.* as * | stats  min(_time) as firstTime max(_time) as lastTime values(cmdline)
diff --git a/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml b/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml
@@ -1,30 +1,32 @@
 name: Windows AD Replication Request Initiated from Unsanctioned Location
 id: 50998483-bb15-457b-a870-965080d9e3d3
 version: 11
-date: '2025-05-02'
+date: '2025-05-05'
 author: Dean Luxton
 type: TTP
 status: production
 data_source:
-- Windows Event Log Security 4662
-- Windows Event Log Security 4624
-description: The following analytic identifies unauthorized Active Directory replication
+  - Windows Event Log Security 4662
+  - Windows Event Log Security 4624
+description:
+  The following analytic identifies unauthorized Active Directory replication
   requests initiated from non-domain controller locations. It leverages EventCode
   4662 to detect when a computer account with replication permissions creates a handle
   to domainDNS, filtering out known domain controller IP addresses. This activity
   is significant as it may indicate a DCSync attack, where an attacker with privileged
   access can request password hashes for any or all users within the domain. If confirmed
   malicious, this could lead to unauthorized access to sensitive information and potential
   full domain compromise.
-search: '`wineventlog_security` EventCode=4662 ObjectType IN ("%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
+search:
+  '`wineventlog_security` EventCode=4662 ObjectType IN ("%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
   "domainDNS") AND Properties IN ("*Replicating Directory Changes All*", "*{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}*",
   "*{9923a32a-3607-11d2-b9be-0000f87a36b2}*","*{1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}*")
   AND AccessMask="0x100" AND (SubjectUserSid="NT AUT*" OR SubjectUserSid="S-1-5-18"
   OR SubjectDomainName="Window Manager" OR SubjectUserName="*$") | stats min(_time)
   as attack_time, count by SubjectDomainName SubjectUserName Computer Logon_ID ObjectName
   ObjectServer ObjectType OperationType status action app authentication_method dest
   dvc process process_id process_name process_path signature signature_id src src_port
-  status subject user user_group vendor_product | rename SubjectDomainName as Target_Domain,
+  subject user user_group vendor_product | rename SubjectDomainName as Target_Domain,
   SubjectUserName as user, Logon_ID as TargetLogonId | appendpipe [| map search="search
   `wineventlog_security` EventCode=4624 TargetLogonId=$TargetLogonId$"] | table attack_time,
   AuthenticationPackageName, LogonProcessName, LogonType, TargetUserSid, Target_Domain,
@@ -34,7 +36,8 @@ search: '`wineventlog_security` EventCode=4662 ObjectType IN ("%{19195a5b-6da0-1
   values(Computer) as Computer, values(status) as status, values(src_category) as
   src_category, values(src_ip) as src_ip by TargetLogonId | search NOT src_category="domain_controller"
   | `windows_ad_replication_request_initiated_from_unsanctioned_location_filter`'
-how_to_implement: To successfully implement this search, you need to be ingesting
+how_to_implement:
+  To successfully implement this search, you need to be ingesting
   eventcode `4662`. The Advanced Security Audit policy settings `Audit Directory Services
   Access` within `DS Access` needs to be enabled, as well as the following SACLs applied
   to the domain root and all descendant objects. The principals `everybody`,  `Domain
@@ -44,52 +47,55 @@ how_to_implement: To successfully implement this search, you need to be ingestin
   category of domain_controller added for domain controllers.
 known_false_positives: Genuine DC promotion may trigger this alert.
 references:
-- https://adsecurity.org/?p=1729
-- https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer
-- https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml
+  - https://adsecurity.org/?p=1729
+  - https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer
+  - https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml
 drilldown_searches:
-- name: View the detection results for - "$user$"
-  search: '%original_detection_search% | search  user = "$user$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$user$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
-    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
-    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
-    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
-    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
-    | `security_content_ctime(lastTime)`'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
+  - name: View the detection results for - "$user$"
+    search: '%original_detection_search% | search  user = "$user$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$user$"
+    search:
+      '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
+      starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+      values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+      as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+      as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+      | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
 rba:
-  message: Windows Active Directory Replication Request Initiated from Unsanctioned
+  message:
+    Windows Active Directory Replication Request Initiated from Unsanctioned
     Location $src_ip$ by $user$
   risk_objects:
-  - field: user
-    type: user
-    score: 100
-  - field: src_ip
-    type: system
-    score: 100
+    - field: user
+      type: user
+      score: 100
+    - field: src_ip
+      type: system
+      score: 100
   threat_objects: []
 tags:
   analytic_story:
-  - Compromised Windows Host
-  - Sneaky Active Directory Persistence Tricks
-  - Credential Dumping
+    - Compromised Windows Host
+    - Sneaky Active Directory Persistence Tricks
+    - Credential Dumping
   asset_type: Endpoint
   mitre_attack_id:
-  - T1003.006
+    - T1003.006
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
-  manual_test: This detection runs correctly when run manually and given some time
+  manual_test:
+    This detection runs correctly when run manually and given some time
     is given for data to settle in the splunk index.
 tests:
-- name: True Positive Test
-  attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/impacket/windows-security-xml.log
-    source: XmlWinEventLog:Security
-    sourcetype: XmlWinEventLog
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.006/impacket/windows-security-xml.log
+        source: XmlWinEventLog:Security
+        sourcetype: XmlWinEventLog
diff --git a/stories/amos_stealer.yml b/stories/amos_stealer.yml
@@ -0,0 +1,18 @@
+name: AMOS Stealer
+id: b12e5c84-75a0-3a79-9403-e35c9fe3485c
+version: 1
+date: '2025-05-05'
+author: Nasreddine Bencherchali, Splunk
+status: production
+description: The AMOS Stealer analytic story provides detection and investigation content for identifying and responding to threats associated with the AMOS information stealer on Mac systems. AMOS (Atomic macOS Stealer) is a known malware family designed specifically for MacOS, capable of stealing credentials, system information, and browser data. This story leverages analytics using osquery data to detect suspicious behavior consistent with AMOS, including VM detection commands used to evade analysis environments. Security teams can use the searches in this story to identify and respond to signs of AMOS compromise in their MacOS fleet.
+narrative: AMOS Stealer (Atomic macOS Stealer) is an active threat targeting macOS users, capable of harvesting sensitive data, executing scripts, and conducting system reconnaissance to evade detection. It is typically distributed through malicious downloads or phishing campaigns. Once executed, AMOS performs a variety of checks to determine whether it is running in a virtualized environment before proceeding with its payload. One notable technique involves using `osascript` with AppleScript commands to enumerate virtualization indicators like VMware and QEMU. This analytic story focuses on detecting these early-stage behaviors using `osquery` data. Detecting AMOS behavior early in its execution phase gives defenders the opportunity to isolate affected hosts, investigate lateral movement or privilege escalation attempts, and mitigate data exfiltration risk.
+references:
+- https://malpedia.caad.fkie.fraunhofer.de/details/osx.amos
+tags:
+  category:
+  - Malware
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection
