detections/endpoint/attacker_tools_on_endpoint.yml
Lines changed: 29 additions & 8 deletions
@@ -1,22 +1,43 @@
1
1
name: Attacker Tools On Endpoint
2
2
id: a51bfe1a-94f0-48cc-b4e4-16a110145893
3
-
version: 16
3
+
version: 17
4
4
date: '2026-04-15'
5
5
author: Bhavin Patel, Splunk, sventec, Github Community
6
6
status: production
7
7
type: TTP
8
-
description: The following analytic detects the execution of tools commonly exploited by cybercriminals, such as those used for unauthorized access, network scanning, or data exfiltration. It leverages process activity data from Endpoint Detection and Response (EDR) agents, focusing on known attacker tool names. This activity is significant because it serves as an early warning system for potential security incidents, enabling prompt response. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further network compromise, posing a severe threat to the organization's security infrastructure.
8
+
description: |-
9
+
The following analytic detects the execution of tools commonly exploited by cybercriminals, such as those used for unauthorized access, network scanning, privilege escalation, password dumping or data exfiltration.
10
+
It leverages process activity data from Endpoint Detection and Response (EDR) agents, focusing on known attacker tool names.
11
+
This activity is significant because it serves as an early warning system for potential security incidents, enabling prompt response. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further network compromise, posing a severe threat to the organization's security infrastructure.
9
12
data_source:
10
13
- Sysmon EventID 1
11
14
- Windows Event Log Security 4688
12
15
- CrowdStrike ProcessRollup2
13
16
- Cisco Network Visibility Module Flow Data
14
17
search: |-
15
-
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process FROM datamodel=Endpoint.Processes
16
-
WHERE [
17
-
| inputlookup attacker_tools
18
-
| rename attacker_tool_names AS Processes.process_name
19
-
| fields Processes.process_name] AND Processes.dest!=unknown AND Processes.user!=unknown by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
18
+
| tstats `security_content_summariesonly`
19
+
count min(_time) as firstTime
20
+
max(_time) as lastTime
21
+
values(Processes.process) as process
22
+
values(Processes.parent_process) as parent_process
23
+
FROM datamodel=Endpoint.Processes WHERE [
24
+
| inputlookup attacker_tools
25
+
| rename attacker_tool_names AS Processes.process_name
26
+
| fields Processes.process_name
27
+
]
28
+
AND
29
+
Processes.dest!=unknown
30
+
Processes.user!=unknown
31
+
32
+
by Processes.action Processes.dest Processes.original_file_name
message: An attacker tool $process_name$, listed in attacker_tools.csv is executed on host $dest$ by User $user$. This process $process_name$ is known to do- $description$
60
+
message: An attacker tool $process_name$, listed in attacker_tools.csv is executed on host $dest$ by User $user$. $process_name$ is known for [$description$].
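Review bot: in the reformatted WHERE clause (the added lines `AND`, `Processes.dest!=unknown`, `Processes.user!=unknown`) the explicit `AND` between the two `!=unknown` filters that the original one-line search had has been dropped, leaving a dangling `AND` after the subsearch and an implicit conjunction between the two filters; restore it as `AND Processes.dest!=unknown AND Processes.user!=unknown` so the logic reads exactly as before and does not rely on implicit-AND handling in the tstats WHERE clause. The hunk also adds a whitespace-only `+` line inside the `search: |-` block just before `by`, and the visible `by` clause stops at `Processes.original_file_name` whereas the removed line carried the full list including `Processes.user` and `Processes.process_name`; confirm those fields are still in the final `by` clause, since the `message` tokens `$process_name$`, `$dest$` and `$user$` depend on them.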
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
34
+
known_false_positives: False positives may occur if legitimate software or administrative tools create key files in the root directory, although this is uncommon in normal operations. Filter alerts based on known approved applications.
name: View the detection results for - "$user$" and "$dest$"
41
+
search: '%original_detection_search% | search user = "$user$" dest = "$dest$"'
42
+
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
43
+
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
44
+
earliest_offset: 7d
45
+
latest_offset: "0"
46
+
rba:
47
+
message: .key file created in the root of the system drive at $file_path$ on $dest$.
name: Windows AppCertDLL Modification Via Command Line
2
+
id: 3ba73a2b-3396-47e4-bdef-c80e6a7895c0
3
+
version: 1
4
+
date: '2026-04-13'
5
+
author: Raven Tait, Splunk
6
+
status: production
7
+
type: Anomaly
8
+
description: |-
9
+
This analytic detects attempts to modify AppCertDLL registry keys via some command line utility. Values under this key are used to specify DLLs loaded by the Windows Session Manager.
10
+
Such modifications can be abused by attackers to load malicious code early in the system startup process, enabling persistent malware execution with high privileges.
11
+
If confirmed malicious, this behavior may lead to system compromise, persistence, and the evasion of security controls.
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
40
+
known_false_positives: |-
41
+
Modifications to AppCertDLL keys may be made by legitimate software updates or trusted system management tools. Review changes to ensure they are from approved sources.
42
+
drilldown_searches:
43
+
- earliest_offset: $info_min_time$
44
+
latest_offset: $info_max_time$
45
+
name: View the detection results for - "$user$" and "$dest$"
46
+
search: '%original_detection_search% | search user = "$user$" dest = "$dest$"'
47
+
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
48
+
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
49
+
earliest_offset: 7d
50
+
latest_offset: "0"
51
+
rba:
52
+
message: Potential AppCertDLL modification activity observed on $dest$ via $process$.
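Review bot: the description line `This analytic detects attempts to modify AppCertDLL registry keys via some command line utility` is too vague for a production detection; state which utilities or command-line patterns the search actually matches so an analyst triaging the alert knows what fired it. The drilldowns filter on `$user$` and `$dest$` and the `rba.message` uses `$process$`, but the search body is not in this hunk, so confirm all three fields are emitted by its `by` clause or the tokens will render unresolved. The `how_to_implement` text is the generic EDR/`Endpoint.Processes` boilerplate and never mentions that the detection keys on the command line rather than on registry telemetry; a sentence saying so would prevent implementers from expecting registry events to be required.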
name: Windows Azure PowerShell Module Installation Via PowerShell Script
2
+
id: 344bed10-9a8b-4398-8bf3-ec9114125260
3
+
version: 1
4
+
date: '2026-04-13'
5
+
author: Raven Tait, Splunk
6
+
status: production
7
+
type: Anomaly
8
+
description: |-
9
+
This analytic detects the installation of Azure AD and cloud management modules via PowerShell Script Block Logging.
10
+
Tools such as AADInternals, AzureAD, MSOnline, and Az.Resources provide deep access to Azure Active Directory objects, user accounts, service principals, and tenant configurations making them high-value targets for adversaries conducting reconnaissance, privilege escalation, or persistence operations post-compromise.
11
+
data_source:
12
+
- Powershell Script Block Logging 4104
13
+
search: |-
14
+
`powershell`
15
+
EventID="4104"
16
+
ScriptBlockText IN (
17
+
"*Install-Module -Name AADInternals*",
18
+
"*Install-Module -Name Az.Resources*",
19
+
"*Install-Module -Name AzureAd*",
20
+
"*Install-Module -Name MSOnline*",
21
+
"*Install-Module AADInternals*",
22
+
"*Install-Module Az.Resources*",
23
+
"*Install-Module AzureAd*",
24
+
"*Install-Module MSOnline*"
25
+
)
26
+
| fillnull
27
+
| stats count min(_time) as firstTime
28
+
max(_time) as lastTime
29
+
by Computer EventID ScriptBlockText signature signature_id
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
38
+
known_false_positives: Legitimate administrators often install these modules for managing Azure environments. Filter alerts for authorized personnel and approved administrative activities.
39
+
drilldown_searches:
40
+
- earliest_offset: $info_min_time$
41
+
latest_offset: $info_max_time$
42
+
name: View the detection results for - "$user$" and "$dest$"
43
+
search: '%original_detection_search% | search user = "$user$" dest = "$dest$"'
44
+
- name: View risk events for the last 7 days for - "$user$" and "$dest$"
45
+
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
46
+
earliest_offset: 7d
47
+
latest_offset: "0"
48
+
rba:
49
+
message: Potential Azure PowerShell module installation observed on $dest$ via script block $ScriptBlockId$.
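Review bot: the `how_to_implement` text describes EDR process telemetry mapped to the `Endpoint.Processes` data model, but the search runs over PowerShell Script Block Logging (`EventID="4104"` via the `powershell` macro), so the guidance should instead cover enabling Script Block Logging and ingesting 4104 events. The drilldowns filter on `$user$` and `$dest$` and the rba message uses `$ScriptBlockId$`, yet `by Computer EventID ScriptBlockText signature signature_id` produces none of those fields; add a `rename Computer as dest` and carry the user and `ScriptBlockId` fields through the `by` clause, otherwise the tokens are empty at alert time. The `ScriptBlockText IN (...)` patterns only match `Install-Module` immediately followed by `-Name <module>` or the bare module name, so an invocation with other parameters placed before `-Name`, or with the module name quoted, is not covered; a looser pattern such as `*Install-Module*AADInternals*` for each module would close that gap.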