Merge branch 'develop' into ctl_515

Author: patel-bhavin

detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml

@@ -1,7 +1,7 @@
 name: Cisco NVM - Curl Execution With Insecure Flags
 id: cc695238-3117-4e60-aa83-4beac2a42c69
-version: 2
-date: '2025-09-09'
+version: 3
+date: '2025-09-10'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -13,7 +13,7 @@ description: |
   This behavior may indicate an attempt to bypass certificate validation to connect to potentially untrusted or malicious endpoints,
   a common tactic in red team operations, malware staging, or data exfiltration over HTTPS.
 data_source:
-  - Cisco Network Visibility Module Flow Data
+- Cisco Network Visibility Module Flow Data
 search: |
   `cisco_network_visibility_module_flowdata`
   process_name = "curl.exe"
@@ -56,39 +56,41 @@ known_false_positives: |
   Usage of these flags to reach public IPs or uncommon destinations should be reviewed.
   Tuning may be required for domains with known certificate issues.
 references:
-  - https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/
+- https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/
 drilldown_searches:
-  - name: View the detection results for - "$src$"
-    search: '%original_detection_search% | search  src = "$src$"'
-    earliest_offset: $info_min_time$
-    latest_offset: $info_max_time$
-  - name: View risk events for the last 7 days for - "$src$"
-    search:
-      '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168  | stats count min(_time)
-      as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
-      as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
-      as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
-      by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
-    earliest_offset: $info_min_time$
-    latest_offset: $info_max_time$
+- name: View the detection results for - "$src$"
+  search: '%original_detection_search% | search  src = "$src$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$src$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
 rba:
-  message: The host $src$ executed curl with insecure flags and communicated with $dest$ / $dest_hostname$ over port $dest_port$
+  message: The host $src$ executed curl with insecure flags and communicated 
+    with $dest$ / $dest_hostname$ over port $dest_port$
   risk_objects:
-    - field: src
-      type: system
-      score: 30
+  - field: src
+    type: system
+    score: 30
   threat_objects:
-    - field: process_name
-      type: process_name
+  - field: process_name
+    type: process_name
 tags:
   analytic_story:
-    - Cisco Network Visibility Module Analytics
+  - Cisco Network Visibility Module Analytics
+  - PromptLock
   asset_type: Endpoint
   mitre_attack_id:
-    - T1197
+  - T1197
   product:
-    - Splunk Enterprise
-    - Splunk Enterprise Security
+  - Splunk Enterprise
+  - Splunk Enterprise Security
   security_domain: endpoint
 tests:
   - name: True Positive Test - Cisco NVM

detections/endpoint/executables_or_script_creation_in_suspicious_path.yml

@@ -114,6 +114,7 @@ tags:
   - Interlock Ransomware
   - Interlock Rat
   - NailaoLocker Ransomware
+  - PromptLock
   - GhostRedirector IIS Module and Rungan Backdoor
   asset_type: Endpoint
   mitre_attack_id:

detections/endpoint/executables_or_script_creation_in_temp_path.yml

@@ -1,34 +1,37 @@
 name: Executables Or Script Creation In Temp Path
 id: e0422b71-2c05-4f32-8754-01fb415f49c9
-version: 15
-date: '2025-08-07'
+version: 16
+date: '2025-09-10'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic identifies the creation of executables or scripts
-  in suspicious file paths on Windows systems. It leverages the Endpoint.Filesystem
-  data model to detect files with specific extensions (e.g., .exe, .dll, .ps1) created
-  in uncommon directories (e.g., \windows\fonts\, \users\public\). This activity is
-  significant as adversaries often use these paths to evade detection and maintain
-  persistence. If confirmed malicious, this behavior could allow attackers to execute
-  unauthorized code, escalate privileges, or persist within the environment, posing
-  a significant security threat.
+description: The following analytic identifies the creation of executables or 
+  scripts in suspicious file paths on Windows systems. It leverages the 
+  Endpoint.Filesystem data model to detect files with specific extensions (e.g.,
+  .exe, .dll, .ps1) created in uncommon directories (e.g., \windows\fonts\, 
+  \users\public\). This activity is significant as adversaries often use these 
+  paths to evade detection and maintain persistence. If confirmed malicious, 
+  this behavior could allow attackers to execute unauthorized code, escalate 
+  privileges, or persist within the environment, posing a significant security 
+  threat.
 data_source:
 - Sysmon EventID 11
 search: '| tstats `security_content_summariesonly` values(Filesystem.file_path) as
   file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem
   where Filesystem.file_name IN ("*.exe", "*.dll", "*.sys", "*.com", "*.vbs", "*.vbe",
-  "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif", "*.msc") AND Filesystem.file_path IN ("*\\AppData\\Local\\Temp\\*",
-  "*:\\Windows\\Temp\\*", "*:\\Temp*") by Filesystem.action Filesystem.dest Filesystem.file_access_time
-  Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name
-  Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid
-  Filesystem.process_id Filesystem.user Filesystem.vendor_product | `drop_dm_object_name(Filesystem)`
-  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `executables_or_script_creation_in_temp_path_filter`'
-how_to_implement: To successfully implement this search you need to be ingesting information
-  on process that include the name of the Filesystem responsible for the changes from
-  your endpoints into the `Endpoint` datamodel in the `Filesystem` node.
-known_false_positives: Administrators may allow creation of script or exe in the paths
-  specified. Filter as needed.
+  "*.js", "*.ps1", "*.bat", "*.cmd", "*.pif", "*.msc") AND Filesystem.file_path IN
+  ("*\\AppData\\Local\\Temp\\*", "*:\\Windows\\Temp\\*", "*:\\Temp*") by Filesystem.action
+  Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash
+  Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl
+  Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user
+  Filesystem.vendor_product | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` | `executables_or_script_creation_in_temp_path_filter`'
+how_to_implement: To successfully implement this search you need to be ingesting
+  information on process that include the name of the Filesystem responsible for
+  the changes from your endpoints into the `Endpoint` datamodel in the 
+  `Filesystem` node.
+known_false_positives: Administrators may allow creation of script or exe in the
+  paths specified. Filter as needed.
 references:
 - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
 - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
@@ -49,8 +52,9 @@ drilldown_searches:
   earliest_offset: $info_min_time$
   latest_offset: $info_max_time$
 rba:
-  message: Potentially suspicious executable or script with file name $file_name$,
-    $file_path$ and process_id $process_id$ was created in temporary folder by $user$
+  message: Potentially suspicious executable or script with file name 
+    $file_name$, $file_path$ and process_id $process_id$ was created in 
+    temporary folder by $user$
   risk_objects:
   - field: user
     type: user
@@ -102,6 +106,7 @@ tags:
   - Amadey
   - IcedID
   - Interlock Rat
+  - PromptLock
   asset_type: Endpoint
   mitre_attack_id:
   - T1036
@@ -113,6 +118,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog

detections/endpoint/windows_curl_upload_to_remote_destination.yml

@@ -1,18 +1,18 @@
 name: Windows Curl Upload to Remote Destination
 id: 42f8f1a2-4228-11ec-aade-acde48001122
-version: 10
-date: '2025-06-20'
+version: 11
+date: '2025-09-10'
 author: Michael Haag, Splunk
 status: production
 type: TTP
-description:
-  The following analytic detects the use of Windows Curl.exe to upload
-  a file to a remote destination. It identifies command-line arguments such as `-T`,
-  `--upload-file`, `-d`, `--data`, and `-F` in process execution logs. This activity
-  is significant because adversaries may use Curl to exfiltrate data or upload malicious
-  payloads. If confirmed malicious, this could lead to data breaches or further compromise
-  of the system. Analysts should review parallel processes and network logs to determine
-  if the upload was successful and isolate the endpoint if necessary.
+description: The following analytic detects the use of Windows Curl.exe to 
+  upload a file to a remote destination. It identifies command-line arguments 
+  such as `-T`, `--upload-file`, `-d`, `--data`, and `-F` in process execution 
+  logs. This activity is significant because adversaries may use Curl to 
+  exfiltrate data or upload malicious payloads. If confirmed malicious, this 
+  could lead to data breaches or further compromise of the system. Analysts 
+  should review parallel processes and network logs to determine if the upload 
+  was successful and isolate the endpoint if necessary.
 data_source:
   - Sysmon EventID 1
   - Windows Event Log Security 4688
@@ -29,19 +29,18 @@ search:
   Processes.process_path Processes.user Processes.user_id Processes.vendor_product
   | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `windows_curl_upload_to_remote_destination_filter`'
-how_to_implement:
-  The detection is based on data that originates from Endpoint Detection
-  and Response (EDR) agents. These agents are designed to provide security-related
-  telemetry from the endpoints where the agent is installed. To implement this search,
-  you must ingest logs that contain the process GUID, process name, and parent process.
-  Additionally, you must ingest complete command-line executions. These logs must
-  be processed using the appropriate Splunk Technology Add-ons that are specific to
-  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
-  data model. Use the Splunk Common Information Model (CIM) to normalize the field
-  names and speed up the data modeling process.
-known_false_positives:
-  False positives may be limited to source control applications
-  and may be required to be filtered out.
+how_to_implement: The detection is based on data that originates from Endpoint 
+  Detection and Response (EDR) agents. These agents are designed to provide 
+  security-related telemetry from the endpoints where the agent is installed. To
+  implement this search, you must ingest logs that contain the process GUID, 
+  process name, and parent process. Additionally, you must ingest complete 
+  command-line executions. These logs must be processed using the appropriate 
+  Splunk Technology Add-ons that are specific to the EDR product. The logs must 
+  also be mapped to the `Processes` node of the `Endpoint` data model. Use the 
+  Splunk Common Information Model (CIM) to normalize the field names and speed 
+  up the data modeling process.
+known_false_positives: False positives may be limited to source control 
+  applications and may be required to be filtered out.
 references:
   - https://everything.curl.dev/usingcurl/uploads
   - https://techcommunity.microsoft.com/t5/containers/tar-and-curl-come-to-windows/ba-p/382409
@@ -62,9 +61,9 @@ drilldown_searches:
     earliest_offset: $info_min_time$
     latest_offset: $info_max_time$
 rba:
-  message:
-    An instance of $parent_process_name$ spawning $process_name$ was identified
-    on endpoint $dest$ by user $user$ uploading a file to a remote destination.
+  message: An instance of $parent_process_name$ spawning $process_name$ was 
+    identified on endpoint $dest$ by user $user$ uploading a file to a remote 
+    destination.
   risk_objects:
     - field: user
       type: user
@@ -79,9 +78,10 @@ rba:
       type: process_name
 tags:
   analytic_story:
-    - Compromised Windows Host
-    - Ingress Tool Transfer
-    - Cisco Network Visibility Module Analytics
+  - Compromised Windows Host
+  - Ingress Tool Transfer
+  - Cisco Network Visibility Module Analytics
+  - PromptLock
   asset_type: Endpoint
   mitre_attack_id:
     - T1105

detections/endpoint/windows_driver_load_non_standard_path.yml

@@ -1,7 +1,7 @@
 name: Windows Driver Load Non-Standard Path
 id: 9216ef3d-066a-4958-8f27-c84589465e62
-version: 7
-date: '2025-05-02'
+version: 8
+date: '2025-09-23'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -14,36 +14,42 @@ description: The following analytic detects the loading of new Kernel Mode Drive
   escalate privileges, or maintain persistence within the environment, posing a severe
   threat to system integrity and security.
 data_source:
-- Windows Event Log System 7045
+  - Windows Event Log System 7045
 search: >-
-  `wineventlog_system` EventCode=7045 ServiceType="kernel mode driver"
-  | regex ImagePath!="(?i)^(\w:\\\\Windows\\\\|\w:\\\\Program\sFile|\\\\systemroot\\\\|%SystemRoot%|system32\\\\|\\\\ProgramData\\\\Microsoft\\\\Windows\sDefender\\\\Definition\sUpdates\\\\)"
-  | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode
-  ImagePath ServiceName ServiceType  | rename Computer as dest  | `security_content_ctime(firstTime)`  |
-  `security_content_ctime(lastTime)`  | `windows_driver_load_non_standard_path_filter`
-how_to_implement: To implement this analytic, the Windows EventCode 7045 will need
-  to be logged. The Windows TA for Splunk is also recommended.
-known_false_positives: False positives may be present based on legitimate third party
-  applications needing to install drivers. Filter, or allow list known good drivers
-  consistently being installed in these paths.
+  `wineventlog_system` 
+  EventCode = 7045 
+  ServiceType = "kernel mode driver"
+  | regex ImagePath != "(?i)^(\w:\\\\Program Files\\\\|\w:\\\\Program Files \(x86\)\\\\|\w:\\\\Windows\\\\System32\\\\|\w:\\\\Windows\\\\SysWOW64\\\\|\w:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Definition Updates\\\\|\w:\\\\ProgramData\\\\Microsoft\\\\Windows Defender\\\\Platform\\\\|%SystemRoot%|\\\\SystemRoot\\\\|SystemRoot\\\\)"
+  | stats count min(_time) as firstTime max(_time) as lastTime by
+    Computer EventCode ImagePath ServiceName ServiceType
+  | rename Computer as dest
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`  
+  | `windows_driver_load_non_standard_path_filter`
+how_to_implement: |
+  To implement this analytic, the Windows EventCode 7045 will need to be logged.
+  The Windows TA for Splunk is also recommended.
+known_false_positives: |
+  False positives may be present based on legitimate third party applications needing to install drivers.
+  Filter, or allow list known good drivers consistently being installed in these paths.
 references:
-- https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/
-- https://attack.mitre.org/techniques/T1014/
-- https://www.fuzzysecurity.com/tutorials/28.html
+  - https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/
+  - https://attack.mitre.org/techniques/T1014/
+  - https://www.fuzzysecurity.com/tutorials/28.html
 drilldown_searches:
-- name: View the detection results for - "$dest$"
-  search: '%original_detection_search% | search  dest = "$dest$"'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$dest$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
-    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
-    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
-    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
-    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
-    | `security_content_ctime(lastTime)`'
-  earliest_offset: $info_min_time$
-  latest_offset: $info_max_time$
+  - name: View the detection results for - "$dest$"
+    search: '%original_detection_search% | search  dest = "$dest$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$dest$"
+    search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+      starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+      values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+      as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+      as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+      | `security_content_ctime(lastTime)`'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
 rba:
   message: A kernel mode driver was loaded from a non-standard path on $dest$.
   risk_objects:
@@ -53,24 +59,24 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - Windows Drivers
-  - CISA AA22-320A
-  - AgentTesla
-  - BlackByte Ransomware
-  - BlackSuit Ransomware
+    - Windows Drivers
+    - CISA AA22-320A
+    - AgentTesla
+    - BlackByte Ransomware
+    - BlackSuit Ransomware
   asset_type: Endpoint
   mitre_attack_id:
-  - T1014
-  - T1068
+    - T1014
+    - T1068
   product:
-  - Splunk Enterprise
-  - Splunk Enterprise Security
-  - Splunk Cloud
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
   security_domain: endpoint
 tests:
-- name: True Positive Test
-  attack_data:
-  - data: 
-      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/xml7045_windows-system.log
-    source: XmlWinEventLog:System
-    sourcetype: XmlWinEventLog
+  - name: True Positive Test
+    attack_data:
+    - data: 
+        https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/drivers/xml7045_windows-system.log
+      source: XmlWinEventLog:System
+      sourcetype: XmlWinEventLog