splunk
diff --git a/‎data_sources/windows_event_log_security_4723.yml‎
Lines changed: 116 additions & 0 deletions b/‎data_sources/windows_event_log_security_4723.yml‎
Lines changed: 116 additions & 0 deletions
diff --git a/‎detections/endpoint/windows_admin_password_changed_by_non_admin.yml‎
Lines changed: 70 additions & 0 deletions b/‎detections/endpoint/windows_admin_password_changed_by_non_admin.yml‎
Lines changed: 70 additions & 0 deletions
diff --git a/‎detections/endpoint/windows_cloud_files_filter_loaded_by_uncommon_process.yml‎
Lines changed: 79 additions & 0 deletions b/‎detections/endpoint/windows_cloud_files_filter_loaded_by_uncommon_process.yml‎
Lines changed: 79 additions & 0 deletions
diff --git a/‎detections/endpoint/windows_cloud_files_filter_log_created_by_non_system_process.yml‎
Lines changed: 72 additions & 0 deletions b/‎detections/endpoint/windows_cloud_files_filter_log_created_by_non_system_process.yml‎
Lines changed: 72 additions & 0 deletions
@@ -0,0 +1,116 @@
+name: Windows Event Log Security 4723
+id: df19b271-57c8-4f31-817a-6c5566985484
+version: 1
+creation_date: '2026-06-15'
+modification_date: '2026-06-15'
+author: Raven Tait, Splunk
+description: Logs an event when an attempt is made to change an account's password, whether successful or not.
+mitre_components:
+- User Account Modification
+source: XmlWinEventLog:Security
+sourcetype: XmlWinEventLog
+separator: EventCode
+separator_value: '4723'
+supported_TA:
+    - name: Splunk Add-on for Microsoft Windows
+      url: https://splunkbase.splunk.com/app/742
+      version: 10.0.1
+fields:
+- _time
+- Caller_Domain
+- Caller_User_Name
+- CategoryString
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Logon_ID
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- TargetDomainName
+- TargetSid
+- TargetUserName
+- Target_Domain
+- Target_User_Name
+- Task
+- ThreadID
+- Version
+- action
+- app
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- punct
+- result
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- src_user_name
+- status
+- subject
+- ta_windows_action
+- ta_windows_security_CategoryString
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- user_name
+- vendor
+- vendor_product
+output_fields:
+- dest
+example_log: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider 
+  Name="Microsoft-Windows-Security-Auditing" Guid="54849625-5478-4994-A5BA-3E3B0328C30D"></Provider>
+  <EventID>4723</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode>
+  <Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime="2026-04-21T17:43:18.298641Z">
+  </TimeCreated><EventRecordID>781490</EventRecordID><Correlation ActivityID="9F3364FE-E417-0002-2065-339F17E4DA01">
+  </Correlation><Execution ProcessID="724" ThreadID="12596"></Execution><Channel>Security</Channel>
+  <Computer>WIN10-21H1.strt.labs</Computer><Security></Security></System><EventData>
+  <Data Name="TargetUserName">Administrator</Data><Data Name="TargetDomainName">WIN10-21H1</Data>
+  <Data Name="TargetSid">S-1-5-21-1538153195-943065003-848949206-500</Data><Data Name="SubjectUserSid">
+  S-1-5-21-1538153195-943065003-848949206-1003</Data><Data Name="SubjectUserName">bob</Data>
+  <Data Name="SubjectDomainName">WIN10-21H1</Data><Data Name="SubjectLogonId">0x61a292</Data>
+  <Data Name="PrivilegeList">-</Data></EventData></Event>
@@ -0,0 +1,70 @@
+name: Windows Admin Password Changed by Non-Admin
+id: 6d4c4d88-cd60-43a1-8c70-c74a9614f724
+version: 1
+creation_date: '2026-04-27'
+modification_date: '2026-04-27'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: |-
+    The following analytic detects when a unprivileged user changes an Admin accounts password. This is a common artifact of successful exploitation of the BlueHammer Windows Defender privilege escalation. The attacker's process momentarily changes the passwords of high-value local accounts including the built-in Administrator to spawn an authenticated shell session, then immediately reverts the passwords to avoid detection. This uses EventID 4723 to log this activity.
+data_source:
+    - Windows Event Log Security 4723
+search: |-
+    `wineventlog_security`
+    EventCode=4723
+    | rex field=object_id "-(?<target_rid>\d+)$"
+    | rex field=SubjectUserSid "-(?<subject_rid>\d+)$"
+    | where target_rid="500" OR tonumber(target_rid) IN (512,513,518,519,520)
+    | where tonumber(subject_rid) >= 1000
+    | where SubjectUserSid != object_id
+    | stats count min(_time) as firstTime
+                  max(_time) as lastTime
+      by dest user object_id EventCode src_user
+         SubjectUserSid SubjectLogonId PrivilegeList
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `windows_admin_password_changed_by_non_admin_filter`
+how_to_implement: |-
+    The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: |-
+    Some IT support tools or automated scripts may change administrator passwords during maintenance. Verify changes against authorized administrative activities to reduce false alerts.
+references:
+    - https://github.com/Nightmare-Eclipse/BlueHammer
+drilldown_searches:
+    - earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+      name: View the detection results for - "$dest$"
+      search: '%original_detection_search% | search  dest = "$dest$"'
+    - earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+      name: View risk events for the last 7 days for - "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+finding:
+    title: Non-Administrator account $src_user$ changed password of Admin account $user$ on $dest$.
+    entity:
+        field: dest
+        type: system
+        score: 50
+analytic_story:
+    - Windows Privilege Escalation
+    - BlueHammer
+asset_type: Endpoint
+mitre_attack_id:
+    - T1068
+    - T1543.003
+product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
+category: endpoint
+security_domain: endpoint
+cve:
+    - CVE-2026-33825
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/bluehammer/windows-security.log
+          source: XmlWinEventLog:Security
+          sourcetype: XmlWinEventLog
+      test_type: unit
@@ -0,0 +1,79 @@
+name: Windows Cloud Files Filter Loaded by Uncommon Process
+id: 77b85062-274e-43a5-9dab-c25862b85291
+version: 1
+creation_date: '2026-05-18'
+modification_date: '2026-05-18'
+author: Raven Tait, Splunk
+status: production
+type: Anomaly
+description: |-
+    The following analytic detects cldapi.dll being loaded by a process not associated with legitimate cloud sync activity.
+    The Windows Cloud Files API (cldapi.dll) is abused by several local privilege escalation exploits.
+data_source:
+    - Sysmon EventID 7
+search: |-
+    `sysmon`
+    EventID=7
+    ImageLoaded="*\\cldapi.dll"
+    NOT Image IN (
+      "*\\box.exe",
+      "*\\dropbox.exe",
+      "*\\googledrivefs.exe",
+      "*\\icloud.exe",
+      "*\\onedrive*.exe",
+      "*\\Windows\\explorer.exe"
+      "*\\Windows\\System32\\*",
+      "*\\Windows\\Syswow64\\*",
+      "*\\Windows\\WinSxS\\*"
+    )
+    | stats count min(_time) as firstTime
+                    max(_time) as lastTime
+        by Computer ImageLoaded EventID dest loaded_file loaded_file_path process_exec
+           process_guid process_hash process_id process_name process_path
+           service_dll_signature_exists service_dll_signature_verified signature_id user_id
+           vendor_product
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `windows_cloud_files_filter_loaded_by_uncommon_process_filter`
+how_to_implement: |-
+    To successfully implement this search, you need to be ingesting logs with the driver loaded and Signature from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
+known_false_positives: |-
+    False positives may include other third-party cloud-based file storage software.
+    Filter as necessary for your environment.
+references:
+    - https://www.huntress.com/blog/nightmare-eclipse-intrusion
+    - https://www.threatlocker.com/blog/miniplasma-windows-privilege-escalation-zero-day-affects-fully-patched-systems
+drilldown_searches:
+    - name: View the detection results for - "$dest$"
+      search: '%original_detection_search% | search  dest = "$dest$"'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+    - name: View risk events for the last 7 days for - "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: 7d
+      latest_offset: "0"
+intermediate_findings:
+    entities:
+        - field: dest
+          type: system
+          score: 20
+          message: Cloud Files Filter ($ImageLoaded$) loaded by suspicious process $Image$ on $dest$
+analytic_story:
+    - RedSun
+    - BlueHammer
+asset_type: Endpoint
+mitre_attack_id:
+    - T1543.003
+product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
+category: endpoint
+security_domain: endpoint
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/redsun/windows-sysmon.log
+          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+          sourcetype: XmlWinEventLog
+      test_type: unit
@@ -0,0 +1,72 @@
+name: Windows Cloud Files Filter Log Created by Non-System Process
+id: 2e0042b9-8a75-49ca-b3a2-948f04b752bf
+version: 1
+creation_date: '2026-05-01'
+modification_date: '2026-05-01'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: |-
+    Detects a non-system process causing creation of CldFlt0.etl under C:\Windows\System32\LogFiles\CloudFiles\.
+    This path is initialised by the CldFlt driver when a process calls CfRegisterSyncRoot() or CfConnectSyncRoot().
+    In the RedSun exploit this is a side-effect of the DoCloudStuff() function that registers a fake sync provider to create the cloud-tagged bait file.
+    Legitimate cloud providers (OneDrive etc.) register sync roots from SYSTEM-level service processes, not from user-context executables.
+data_source:
+    - Sysmon EventID 11
+search: |-
+    `sysmon`
+    EventCode=11
+    TargetFilename = "*\\Windows\\System32\\LogFiles\\CloudFiles\\*"
+    NOT Image IN (
+        "*:\\Windows\\System32*",
+        "*:\\Windows\\SysWOW64*",
+        "*:\\Program Files\\WindowsApps\\*"
+    )
+    | stats count min(_time) as firstTime
+                  max(_time) as lastTime
+      by action dest file_name file_path Image process_guid
+         process_id user_id vendor_product
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `windows_cloud_files_filter_log_created_by_non_system_process_filter`
+how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
+known_false_positives: No false positives have been identified at this time.
+references:
+    - https://github.com/Nightmare-Eclipse/RedSun
+    - https://www.huntress.com/blog/nightmare-eclipse-intrusion
+drilldown_searches:
+    - name: View the detection results for - "$dest$"
+      search: '%original_detection_search% | search  dest = "$dest$"'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+    - name: View risk events for the last 7 days for - "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: 7d
+      latest_offset: "0"
+finding:
+    title: Non-System process $Image$ created a cloud files filter $file_name$ on host $dest$
+    entity:
+        field: dest
+        type: system
+        score: 50
+analytic_story:
+    - RedSun
+    - Windows Privilege Escalation
+asset_type: Endpoint
+mitre_attack_id:
+    - T1068
+product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
+category: endpoint
+security_domain: endpoint
+cve:
+    - CVE-2026-33825
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/redsun/windows-sysmon.log
+          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+          sourcetype: XmlWinEventLog
+      test_type: unit