Merge branch 'develop' into small-tuning

Author: patel-bhavin

detections/endpoint/excessive_number_of_taskhost_processes.yml

@@ -1,11 +1,12 @@
 name: Excessive number of taskhost processes
 id: f443dac2-c7cf-11eb-ab51-acde48001122
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-04-25'
 author: Michael Hart
 status: production
 type: Anomaly
-description: The following analytic identifies an excessive number of taskhost.exe
+description:
+  The following analytic identifies an excessive number of taskhost.exe
   and taskhostex.exe processes running within a short time frame. It leverages data
   from Endpoint Detection and Response (EDR) agents, focusing on process names and
   their counts. This behavior is significant as it is commonly associated with post-exploitation
@@ -14,10 +15,11 @@ description: The following analytic identifies an excessive number of taskhost.e
   activity could indicate an ongoing attack, allowing attackers to execute code, escalate
   privileges, or move laterally within the network.
 data_source:
-- Sysmon EventID 1
-- Windows Event Log Security 4688
-- CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` values(Processes.action) as action
+  - Sysmon EventID 1
+  - Windows Event Log Security 4688
+  - CrowdStrike ProcessRollup2
+search:
+  '| tstats `security_content_summariesonly` values(Processes.action) as action
   values(Processes.original_file_name) as original_file_name values(Processes.parent_process)
   as parent_process values(Processes.parent_process_exec) as parent_process_exec values(Processes.parent_process_guid)
   as parent_process_guid values(Processes.parent_process_id) as parent_process_id
@@ -41,9 +43,11 @@ search: '| tstats `security_content_summariesonly` values(Processes.action) as a
   values(process_hash) as process_hash values(process_id) as process_id values(process_integrity_level)
   as process_integrity_level values(user) as user values(process_path) as process_path
   values(user_id) as user_id values(vendor_product) as vendor_product values(process_name)
-  as process_name by _time, dest, firstTime, lastTime | `security_content_ctime(firstTime)`
+  as process_name by _time, dest, firstTime, lastTime | where taskhost_count >
+  10 or taskhostex_count > 10 | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `excessive_number_of_taskhost_processes_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
+how_to_implement:
+  The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
   you must ingest logs that contain the process GUID, process name, and parent process.
@@ -52,46 +56,49 @@ how_to_implement: The detection is based on data that originates from Endpoint D
   the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
   data model. Use the Splunk Common Information Model (CIM) to normalize the field
   names and speed up the data modeling process.
-known_false_positives: Administrators, administrative actions or certain applications
+known_false_positives:
+  Administrators, administrative actions or certain applications
   may run many instances of taskhost and taskhostex concurrently.  Filter as needed.
 references:
-- https://attack.mitre.org/software/S0250/
+  - https://attack.mitre.org/software/S0250/
 drilldown_searches:
-- name: View the detection results for - "$dest$"
-  search: '%original_detection_search% | search  dest = "$dest$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$dest$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
-    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
-    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
-    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
-    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
-    | `security_content_ctime(lastTime)`'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
+  - name: View the detection results for - "$dest$"
+    search: '%original_detection_search% | search  dest = "$dest$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$dest$"
+    search:
+      '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+      starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+      values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+      as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+      as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+      | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
 rba:
-  message: An excessive amount of taskhost.exe and taskhostex.exe was executed on
+  message:
+    An excessive amount of taskhost.exe and taskhostex.exe was executed on
     $dest$ indicative of suspicious behavior.
   risk_objects:
-  - field: dest
-    type: system
-    score: 56
+    - field: dest
+      type: system
+      score: 56
   threat_objects: []
 tags:
   analytic_story:
-  - Meterpreter
+    - Meterpreter
   asset_type: Endpoint
   mitre_attack_id:
-  - T1059
+    - T1059
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
-- name: True Positive Test
-  attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/excessive_distinct_processes_from_windows_temp/windows-xml.log
-    source: XmlWinEventLog:Security
-    sourcetype: XmlWinEventLog
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/excessive_distinct_processes_from_windows_temp/windows-xml.log
+        source: XmlWinEventLog:Security
+        sourcetype: XmlWinEventLog

detections/endpoint/java_writing_jsp_file.yml

@@ -1,7 +1,7 @@
 name: Java Writing JSP File
 id: eb65619c-4f8d-4383-a975-d352765d344b
-version: 8
-date: '2025-04-22'
+version: 9
+date: '2025-04-28'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -72,6 +72,7 @@ tags:
   - Spring4Shell CVE-2022-22965
   - Atlassian Confluence Server and Data Center CVE-2022-26134
   - SysAid On-Prem Software CVE-2023-47246 Vulnerability
+  - SAP NetWeaver Exploitation
   asset_type: Endpoint
   cve:
   - CVE-2022-22965

detections/endpoint/windows_adfind_exe.yml

@@ -1,11 +1,12 @@
 name: Windows AdFind Exe
 id: bd3b0187-189b-46c0-be45-f52da2bae67f
-version: 8
-date: '2024-11-13'
+version: 9
+date: '2025-04-24'
 author: Jose Hernandez, Bhavin Patel, Splunk
 status: production
 type: TTP
-description: The following analytic identifies the execution of `adfind.exe` with
+description:
+  The following analytic identifies the execution of `adfind.exe` with
   specific command-line arguments related to Active Directory queries. It leverages
   data from Endpoint Detection and Response (EDR) agents, focusing on process names,
   command-line arguments, and parent processes. This activity is significant because
@@ -14,10 +15,11 @@ description: The following analytic identifies the execution of `adfind.exe` wit
   allow attackers to map the AD environment, facilitating further attacks such as
   privilege escalation or lateral movement.
 data_source:
-- Sysmon EventID 1
-- Windows Event Log Security 4688
-- CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  - Sysmon EventID 1
+  - Windows Event Log Security 4688
+  - CrowdStrike ProcessRollup2
+search:
+  '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where ((Processes.process="* -f *"
   OR Processes.process="* -b *") AND (Processes.process=*objectcategory* OR Processes.process="*-gcb
   *" OR Processes.process="* -sc *" )) OR ((Processes.process="*trustdmp*" OR Processes.process="*dclist*"))
@@ -27,8 +29,9 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
   Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level
   Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
   | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
-  | `windows_adfind_exe_filter`| `windows_adfind_exe_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection
+  | `windows_adfind_exe_filter`'
+how_to_implement:
+  The detection is based on data that originates from Endpoint Detection
   and Response (EDR) agents. These agents are designed to provide security-related
   telemetry from the endpoints where the agent is installed. To implement this search,
   you must ingest logs that contain the process GUID, process name, and parent process.
@@ -37,61 +40,64 @@ how_to_implement: The detection is based on data that originates from Endpoint D
   the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
   data model. Use the Splunk Common Information Model (CIM) to normalize the field
   names and speed up the data modeling process.
-known_false_positives: ADfind is a command-line tool for AD administration and management
+known_false_positives:
+  ADfind is a command-line tool for AD administration and management
   that is seen to be leveraged by various adversaries. Filter out legitimate administrator
   usage using the filter macro.
 references:
-- https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
-- https://www.mandiant.com/resources/a-nasty-trick-from-credential-theft-malware-to-business-disruption
-- https://www.joeware.net/freetools/tools/adfind/index.htm
-- https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
+  - https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
+  - https://www.mandiant.com/resources/a-nasty-trick-from-credential-theft-malware-to-business-disruption
+  - https://www.joeware.net/freetools/tools/adfind/index.htm
+  - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
 drilldown_searches:
-- name: View the detection results for - "$user$"
-  search: '%original_detection_search% | search  user = "$user$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$user$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
-    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
-    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
-    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
-    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
-    | `security_content_ctime(lastTime)`'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
+  - name: View the detection results for - "$user$"
+    search: '%original_detection_search% | search  user = "$user$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$user$"
+    search:
+      '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$")
+      starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+      values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+      as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+      as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+      | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
 rba:
-  message: Windows AdFind Exe detected with command-line arguments associated with
+  message:
+    Windows AdFind Exe detected with command-line arguments associated with
     Active Directory queries on machine - [dest]
   risk_objects:
-  - field: user
-    type: user
-    score: 25
+    - field: user
+      type: user
+      score: 25
   threat_objects: []
 tags:
   analytic_story:
-  - Domain Trust Discovery
-  - IcedID
-  - NOBELIUM Group
-  - Graceful Wipe Out Attack
-  - BlackSuit Ransomware
+    - Domain Trust Discovery
+    - IcedID
+    - NOBELIUM Group
+    - Graceful Wipe Out Attack
+    - BlackSuit Ransomware
   asset_type: Endpoint
   atomic_guid:
-  - 736b4f53-f400-4c22-855d-1a6b5a551600
-  - b95fd967-4e62-4109-b48d-265edfd28c3a
-  - e1ec8d20-509a-4b9a-b820-06c9b2da8eb7
-  - 5e2938fb-f919-47b6-8b29-2f6a1f718e99
-  - abf00f6c-9983-4d9a-afbc-6b1c6c6448e1
-  - 51a98f96-0269-4e09-a10f-e307779a8b05
+    - 736b4f53-f400-4c22-855d-1a6b5a551600
+    - b95fd967-4e62-4109-b48d-265edfd28c3a
+    - e1ec8d20-509a-4b9a-b820-06c9b2da8eb7
+    - 5e2938fb-f919-47b6-8b29-2f6a1f718e99
+    - abf00f6c-9983-4d9a-afbc-6b1c6c6448e1
+    - 51a98f96-0269-4e09-a10f-e307779a8b05
   mitre_attack_id:
-  - T1018
+    - T1018
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
-- name: True Positive Test
-  attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/atomic_red_team/windows-sysmon.log
-    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: XmlWinEventLog
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1018/atomic_red_team/windows-sysmon.log
+        source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+        sourcetype: XmlWinEventLog

detections/endpoint/windows_java_spawning_shells.yml

@@ -1,7 +1,7 @@
 name: Windows Java Spawning Shells
 id: 28c81306-5c47-11ec-bfea-acde48001122
-version: 9
-date: '2024-12-16'
+version: 10
+date: '2025-04-28'
 author: Michael Haag, Splunk
 status: experimental
 type: TTP
@@ -61,6 +61,7 @@ tags:
   - Log4Shell CVE-2021-44228
   - SysAid On-Prem Software CVE-2023-47246 Vulnerability
   - Cleo File Transfer Software
+  - SAP NetWeaver Exploitation
   asset_type: Endpoint
   cve:
   - CVE-2021-44228

detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml

@@ -1,7 +1,7 @@
 name: Windows Process Injection into Commonly Abused Processes
 id: 1e1dedc6-f6f3-41a0-9dd7-a1245904fe75
-version: 2
-date: '2025-04-16'
+version: 3
+date: '2025-04-28'
 author: 0xC0FFEEEE, Github Community
 type: Anomaly
 status: production
@@ -70,6 +70,7 @@ tags:
   analytic_story:
   - BishopFox Sliver Adversary Emulation Framework
   - Earth Alux
+  - SAP NetWeaver Exploitation
   asset_type: Endpoint
   mitre_attack_id:
   - T1055.002

detections/web/sap_netweaver_visual_composer_exploitation_attempt.yml

@@ -0,0 +1,52 @@
+name: SAP NetWeaver Visual Composer Exploitation Attempt
+id: a583b9f1-9c3a-4402-9441-b981654dea6c
+version: 1
+date: '2025-04-28'
+author: Michael Haag, Splunk
+status: production
+type: Hunting
+description: |
+  Detects potential exploitation attempts targeting CVE-2025-31324, a critical unauthenticated file upload vulnerability in SAP NetWeaver Visual Composer. This flaw allows remote attackers to send specially crafted POST requests to the /developmentserver/metadatauploader endpoint, enabling arbitrary file uploads—commonly webshells—resulting in full system compromise. The detection looks for HTTP HEAD or POST requests with a 200 OK status to sensitive Visual Composer endpoints, which may indicate reconnaissance or active exploitation. Successful exploitation can lead to attackers gaining privileged access, deploying malware, and impacting business-critical SAP resources. Immediate patching and investigation of suspicious activity are strongly recommended, as this vulnerability is being actively exploited in the wild.
+data_source:
+- Suricata
+search: '| tstats count min(_time) as firstTime max(_time) as lastTime 
+  from datamodel=Web.Web 
+  where (Web.url IN ("/CTCWebService/CTCWebServiceBean", "/VisualComposer/services/DesignTimeService", "/ctc/CTCWebService/CTCWebServiceBean")) 
+  AND Web.http_method IN ("HEAD", "POST") 
+  AND Web.status=200
+  by Web.src, Web.dest, Web.http_method, Web.url, Web.http_user_agent, Web.url_length, sourcetype
+  | `drop_dm_object_name("Web")`
+  | eval action=case(http_method="HEAD", "Recon/Probe", http_method="POST", "Possible Exploitation")
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | table firstTime, lastTime, src, dest, http_method, action, url, user_agent, url_length, sourcetype
+  | `sap_netweaver_visual_composer_exploitation_attempt_filter`'
+how_to_implement: |
+  Ensure that the Web data model is accelerated and populated with web server or web proxy logs capturing HTTP request and response data.
+  This search relies on HTTP method, status code, and URL path fields to identify suspicious access patterns against SAP NetWeaver endpoints.
+known_false_positives: |
+  Some legitimate administrative activity may access SAP NetWeaver services. However, HEAD or POST requests directly resulting in a 200 OK 
+  to Visual Composer endpoints are uncommon and should be investigated carefully.
+references:
+- https://onapsis.com/blog/active-exploitation-of-sap-vulnerability-cve-2025-31324/
+- https://reliaquest.com/blog/threat-spotlight-reliaquest-uncovers-vulnerability-behind-sap-netweaver-compromise/
+- https://www.rapid7.com/blog/post/2025/04/28/etr-active-exploitation-of-sap-netweaver-visual-composer-cve-2025-31324/
+tags:
+  analytic_story:
+  - SAP NetWeaver Exploitation
+  asset_type: Web Server
+  mitre_attack_id:
+  - T1190
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+  cve:
+  - CVE-2025-31324
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/sap/suricata_sapnetweaver.log
+    sourcetype: suricata
+    source: suricata