
Commit 917fe77

RavenTait, nasbench and patel-bhavin authored
Add Big Batch of Snap Attack Converted Rules (#4015)
---------

Co-authored-by: Nasreddine Bencherchali <nasreddineb@splunk.com>
Co-authored-by: Bhavin Patel <bpatel@splunk.com>
1 parent 4d4c7ee commit 917fe77

69 files changed

Lines changed: 5177 additions & 129 deletions


detections/endpoint/attacker_tools_on_endpoint.yml

Lines changed: 29 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,22 +1,43 @@
11
name: Attacker Tools On Endpoint
22
id: a51bfe1a-94f0-48cc-b4e4-16a110145893
3-
version: 16
3+
version: 17
44
date: '2026-04-15'
55
author: Bhavin Patel, Splunk, sventec, Github Community
66
status: production
77
type: TTP
8-
description: The following analytic detects the execution of tools commonly exploited by cybercriminals, such as those used for unauthorized access, network scanning, or data exfiltration. It leverages process activity data from Endpoint Detection and Response (EDR) agents, focusing on known attacker tool names. This activity is significant because it serves as an early warning system for potential security incidents, enabling prompt response. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further network compromise, posing a severe threat to the organization's security infrastructure.
8+
description: |-
9+
The following analytic detects the execution of tools commonly exploited by cybercriminals, such as those used for unauthorized access, network scanning, privilege escalation, password dumping or data exfiltration.
10+
It leverages process activity data from Endpoint Detection and Response (EDR) agents, focusing on known attacker tool names.
11+
This activity is significant because it serves as an early warning system for potential security incidents, enabling prompt response. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further network compromise, posing a severe threat to the organization's security infrastructure.
912
data_source:
1013
- Sysmon EventID 1
1114
- Windows Event Log Security 4688
1215
- CrowdStrike ProcessRollup2
1316
- Cisco Network Visibility Module Flow Data
1417
search: |-
15-
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process FROM datamodel=Endpoint.Processes
16-
WHERE [
17-
| inputlookup attacker_tools
18-
| rename attacker_tool_names AS Processes.process_name
19-
| fields Processes.process_name] AND Processes.dest!=unknown AND Processes.user!=unknown by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
18+
| tstats `security_content_summariesonly`
19+
count min(_time) as firstTime
20+
max(_time) as lastTime
21+
values(Processes.process) as process
22+
values(Processes.parent_process) as parent_process
23+
FROM datamodel=Endpoint.Processes WHERE [
24+
| inputlookup attacker_tools
25+
| rename attacker_tool_names AS Processes.process_name
26+
| fields Processes.process_name
27+
]
28+
AND
29+
Processes.dest!=unknown
30+
Processes.user!=unknown
31+
32+
by Processes.action Processes.dest Processes.original_file_name
33+
Processes.parent_process Processes.parent_process_exec
34+
Processes.parent_process_guid Processes.parent_process_id
35+
Processes.parent_process_name Processes.parent_process_path
36+
Processes.process Processes.process_exec Processes.process_guid
37+
Processes.process_hash Processes.process_id Processes.process_integrity_level
38+
Processes.process_name Processes.process_path Processes.user
39+
Processes.user_id Processes.vendor_product
40+
2041
| `security_content_ctime(firstTime)`
2142
| `security_content_ctime(lastTime)`
2243
| `drop_dm_object_name(Processes)`
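Review bot: in the rewritten `WHERE [ ... ]` clause of the new search, the second `AND` between `Processes.dest!=unknown` and `Processes.user!=unknown` was dropped, so the conjunction now relies on the implicit AND of the tstats where syntax while the first operator is still written out; keep both explicit (`AND Processes.dest!=unknown AND Processes.user!=unknown`) so the reformatted search is verifiably equivalent to the one-line version it replaces. The blank lines inside the `search: |-` block scalar are harmless to SPL, but the one that separates `]` from `AND` splits the boolean expression visually; `] AND` on one line reads better.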
@@ -36,7 +57,7 @@ drilldown_searches:
3657
earliest_offset: 7d
3758
latest_offset: "0"
3859
rba:
39-
message: An attacker tool $process_name$, listed in attacker_tools.csv is executed on host $dest$ by User $user$. This process $process_name$ is known to do- $description$
60+
message: An attacker tool $process_name$, listed in attacker_tools.csv is executed on host $dest$ by User $user$. $process_name$ is known for [$description$].
4061
risk_objects:
4162
- field: user
4263
type: user
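Review bot: the new `rba.message` still reads `listed in attacker_tools.csv is executed`; a comma after `attacker_tools.csv` and past tense would make the risk message read cleanly, e.g. `An attacker tool $process_name$, listed in attacker_tools.csv, was executed on host $dest$ by user $user$. $process_name$ is known for: $description$.` The `$description$` token has to be populated by lookup enrichment that is not part of this hunk, so confirm the test output renders the description text rather than a literal `$description$`.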
Lines changed: 71 additions & 0 deletions
@@ -0,0 +1,71 @@
1+
name: Windows .Key File Creation in Root Directory
2+
id: 90e71722-8c0f-43b4-937a-6222325976c2
3+
version: 1
4+
date: '2026-04-13'
5+
author: Raven Tait, Splunk
6+
status: production
7+
type: Anomaly
8+
description: |-
9+
Detects the creation of a .key file in the root directory of the system drive.
10+
This activity was seen with various ransomware before performing encryption of files.
11+
data_source:
12+
- Sysmon EventID 11
13+
search: |-
14+
| tstats `security_content_summariesonly`
15+
count min(_time) as firstTime
16+
max(_time) as lastTime
17+
18+
from datamodel=Endpoint.Filesystem where
19+
20+
Filesystem.file_name="*.key"
21+
22+
by Filesystem.dest Filesystem.file_create_time
23+
Filesystem.process_path Filesystem.process_guid
24+
Filesystem.process_id Filesystem.file_path
25+
Filesystem.action Filesystem.file_name
26+
Filesystem.user Filesystem.vendor_product
27+
28+
| `drop_dm_object_name(Filesystem)`
29+
| where match(file_path, "^[A-Za-z]:\\\\[^\\\\]+\.key$")
30+
| `security_content_ctime(firstTime)`
31+
| `security_content_ctime(lastTime)`
32+
| `windows__key_file_creation_in_root_directory_filter`
33+
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
34+
known_false_positives: False positives may occur if legitimate software or administrative tools create key files in the root directory, although this is uncommon in normal operations. Filter alerts based on known approved applications.
35+
references:
36+
- https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
37+
drilldown_searches:
38+
- earliest_offset: $info_min_time$
39+
latest_offset: $info_max_time$
40+
name: View the detection results for - "$user$" and "$dest$"
41+
search: '%original_detection_search% | search user = "$user$" dest = "$dest$"'
42+
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
43+
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
44+
earliest_offset: 7d
45+
latest_offset: "0"
46+
rba:
47+
message: .key file created in the root of the system drive at $file_path$ on $dest$.
48+
risk_objects:
49+
- field: dest
50+
type: system
51+
score: 20
52+
threat_objects:
53+
- field: file_path
54+
type: file_path
55+
tags:
56+
analytic_story:
57+
- Ransomware
58+
asset_type: Endpoint
59+
mitre_attack_id:
60+
- T1486
61+
product:
62+
- Splunk Enterprise
63+
- Splunk Enterprise Security
64+
- Splunk Cloud
65+
security_domain: endpoint
66+
tests:
67+
- name: True Positive Test
68+
attack_data:
69+
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1022/snapattack/snapattack.log
70+
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
71+
sourcetype: XmlWinEventLog
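Review bot: the `how_to_implement` text is the process-telemetry boilerplate (process GUID, parent process, complete command-line executions, `Processes` node of the `Endpoint` data model), but this search reads `Endpoint.Filesystem` fed by Sysmon EventID 11 file-creation events; rewrite it to say that file-creation telemetry must be mapped to the `Filesystem` node, otherwise implementers will validate the wrong fields. Two smaller points: the test dataset lives under `attack_techniques/T1022/` while the detection is tagged `T1486`, so confirm that is the intended dataset; and the `match()` pattern mixes escaping styles (`\\\\` for the backslash, `\.` for the dot), which works because SPL string literals only collapse `\\` and pass other escapes through to the regex engine, but consistent escaping or a short note would save the next reader from checking that.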
Lines changed: 81 additions & 0 deletions
@@ -0,0 +1,81 @@
1+
name: Windows AppCertDLL Modification Via Command Line
2+
id: 3ba73a2b-3396-47e4-bdef-c80e6a7895c0
3+
version: 1
4+
date: '2026-04-13'
5+
author: Raven Tait, Splunk
6+
status: production
7+
type: Anomaly
8+
description: |-
9+
This analytic detects attempts to modify AppCertDLL registry keys via some command line utility. Values under this key are used to specify DLLs loaded by the Windows Session Manager.
10+
Such modifications can be abused by attackers to load malicious code early in the system startup process, enabling persistent malware execution with high privileges.
11+
If confirmed malicious, this behavior may lead to system compromise, persistence, and the evasion of security controls.
12+
data_source:
13+
- Sysmon EventID 1
14+
- Windows Event Log Security 4688
15+
- CrowdStrike ProcessRollup2
16+
search: |-
17+
| tstats `security_content_summariesonly`
18+
count min(_time) as firstTime
19+
max(_time) as lastTime
20+
21+
from datamodel=Endpoint.Processes where
22+
23+
Processes.process="*\\Control\\Session Manager\\AppCertDLLs*"
24+
25+
by Processes.process Processes.vendor_product Processes.user_id
26+
Processes.process_hash Processes.parent_process_name
27+
Processes.parent_process_exec Processes.action Processes.dest
28+
Processes.process_current_directory Processes.process_path
29+
Processes.process_integrity_level Processes.original_file_name
30+
Processes.parent_process Processes.parent_process_path
31+
Processes.parent_process_guid Processes.parent_process_id
32+
Processes.process_guid Processes.process_id
33+
Processes.user Processes.process_name
34+
35+
| `drop_dm_object_name(Processes)`
36+
| `security_content_ctime(firstTime)`
37+
| `security_content_ctime(lastTime)`
38+
| `windows_appcertdll_modification_via_command_line_filter`
39+
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
40+
known_false_positives: |-
41+
Modifications to AppCertDLL keys may be made by legitimate software updates or trusted system management tools. Review changes to ensure they are from approved sources.
42+
drilldown_searches:
43+
- earliest_offset: $info_min_time$
44+
latest_offset: $info_max_time$
45+
name: View the detection results for - "$user$" and "$dest$"
46+
search: '%original_detection_search% | search user = "$user$" dest = "$dest$"'
47+
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
48+
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
49+
earliest_offset: 7d
50+
latest_offset: "0"
51+
rba:
52+
message: Potential AppCertDLL modification activity observed on $dest$ via $process$.
53+
risk_objects:
54+
- field: dest
55+
type: system
56+
score: 20
57+
threat_objects:
58+
- field: parent_process_name
59+
type: parent_process_name
60+
- field: process_name
61+
type: process_name
62+
- field: process
63+
type: process
64+
tags:
65+
analytic_story:
66+
- Windows Persistence Techniques
67+
- Windows Privilege Escalation
68+
asset_type: Endpoint
69+
mitre_attack_id:
70+
- T1546.009
71+
product:
72+
- Splunk Enterprise
73+
- Splunk Enterprise Security
74+
- Splunk Cloud
75+
security_domain: endpoint
76+
tests:
77+
- name: True Positive Test
78+
attack_data:
79+
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.009/snapattack/snapattack.log
80+
source: XmlWinEventLog:Security
81+
sourcetype: XmlWinEventLog
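Review bot: the description says the modification happens `via some command line utility`, but the search matches any process whose command line contains `\Control\Session Manager\AppCertDLLs`, whatever the executable is; say that plainly and state the coverage boundary in `how_to_implement` or `known_false_positives`: a value written through the registry API without the key path appearing on a command line leaves nothing for Sysmon EventID 1 / Security 4688 to match, so a companion analytic over registry telemetry (the `Endpoint.Registry` data model, Sysmon EventID 13) is needed for full coverage of T1546.009. Also, the test exercises `XmlWinEventLog:Security` only, while Sysmon EventID 1 and CrowdStrike ProcessRollup2 are listed as data sources; that is fine as long as it is understood that only the 4688 mapping is validated by this test.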
Lines changed: 77 additions & 0 deletions
@@ -0,0 +1,77 @@
1+
name: Windows Azure PowerShell Module Installation Via PowerShell Script
2+
id: 344bed10-9a8b-4398-8bf3-ec9114125260
3+
version: 1
4+
date: '2026-04-13'
5+
author: Raven Tait, Splunk
6+
status: production
7+
type: Anomaly
8+
description: |-
9+
This analytic detects the installation of Azure AD and cloud management modules via PowerShell Script Block Logging.
10+
Tools such as AADInternals, AzureAD, MSOnline, and Az.Resources provide deep access to Azure Active Directory objects, user accounts, service principals, and tenant configurations making them high-value targets for adversaries conducting reconnaissance, privilege escalation, or persistence operations post-compromise.
11+
data_source:
12+
- Powershell Script Block Logging 4104
13+
search: |-
14+
`powershell`
15+
EventID="4104"
16+
ScriptBlockText IN (
17+
"*Install-Module -Name AADInternals*",
18+
"*Install-Module -Name Az.Resources*",
19+
"*Install-Module -Name AzureAd*",
20+
"*Install-Module -Name MSOnline*",
21+
"*Install-Module AADInternals*",
22+
"*Install-Module Az.Resources*",
23+
"*Install-Module AzureAd*",
24+
"*Install-Module MSOnline*"
25+
)
26+
| fillnull
27+
| stats count min(_time) as firstTime
28+
max(_time) as lastTime
29+
by Computer EventID ScriptBlockText signature signature_id
30+
user_id vendor_product Guid Opcode
31+
Name Path ProcessID ScriptBlockId
32+
33+
| rename Computer as dest
34+
| `security_content_ctime(firstTime)`
35+
| `security_content_ctime(lastTime)`
36+
| `windows_azure_powershell_module_installation_via_powershell_script_filter`
37+
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
38+
known_false_positives: Legitimate administrators often install these modules for managing Azure environments. Filter alerts for authorized personnel and approved administrative activities.
39+
drilldown_searches:
40+
- earliest_offset: $info_min_time$
41+
latest_offset: $info_max_time$
42+
name: View the detection results for - "$user$" and "$dest$"
43+
search: '%original_detection_search% | search user = "$user$" dest = "$dest$"'
44+
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
45+
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
46+
earliest_offset: 7d
47+
latest_offset: "0"
48+
rba:
49+
message: Potential Azure PowerShell module installation observed on $dest$ via script block $ScriptBlockId$.
50+
risk_objects:
51+
- field: dest
52+
type: system
53+
score: 50
54+
threat_objects: []
55+
tags:
56+
analytic_story:
57+
- Azure Active Directory Account Takeover
58+
- Azure Active Directory Persistence
59+
- Azure Active Directory Privilege Escalation
60+
asset_type: Endpoint
61+
mitre_attack_id:
62+
- T1078
63+
- T1021.007
64+
- T1136.003
65+
- T1098
66+
- T1069.003
67+
product:
68+
- Splunk Enterprise
69+
- Splunk Enterprise Security
70+
- Splunk Cloud
71+
security_domain: endpoint
72+
tests:
73+
- name: True Positive Test
74+
attack_data:
75+
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/snapattack/snapattack.log
76+
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
77+
sourcetype: XmlWinEventLog
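Review bot: the first drilldown filters on `user = "$user$"`, but the `stats ... by` clause emits `user_id` and nothing renames it to `user`, so `$user$` will be empty and that drilldown returns nothing; either add `| rename user_id as user` next to the `Computer as dest` rename or point the drilldown at `user_id`. Same boilerplate problem as the other new files: `how_to_implement` describes EDR process telemetry and the `Processes` node, yet this search runs on PowerShell Script Block Logging (EventID 4104) through the `powershell` macro, so it should instead tell implementers to enable Script Block Logging and ingest the Microsoft-Windows-PowerShell/Operational channel, which is what the test data uses. Finally, the `ScriptBlockText IN (...)` list only matches the two literal forms `Install-Module -Name <module>` and `Install-Module <module>`; a quoted module name or a different parameter order is not matched, so a single regex over `ScriptBlockText` covering the same four modules would be more robust and shorter.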
