From 884eede4ce697dfd7e19252ec734ab2ce49db1f7 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 30 Apr 2025 12:14:30 -0700
Subject: [PATCH 1/4] updating search

---
 .../windows_remote_access_software_hunt.yml | 6 ++--
 ...t_remote_access_software_usage_process.yml | 36 +++++++++++-------
 removed/deprecation_mapping.YML | 5 +++
 3 files changed, 30 insertions(+), 17 deletions(-)
 rename detections/{endpoint => deprecated}/windows_remote_access_software_hunt.yml (98%)

diff --git a/detections/endpoint/windows_remote_access_software_hunt.yml b/detections/deprecated/windows_remote_access_software_hunt.yml
similarity index 98%
rename from detections/endpoint/windows_remote_access_software_hunt.yml
rename to detections/deprecated/windows_remote_access_software_hunt.yml
index 67dbe00f02..1f2e1de847 100644
--- a/detections/endpoint/windows_remote_access_software_hunt.yml
+++ b/detections/deprecated/windows_remote_access_software_hunt.yml
@@ -1,9 +1,9 @@
 name: Windows Remote Access Software Hunt
 id: 8bd22c9f-05a2-4db1-b131-29271f28cb0a
-version: 7
-date: '2025-04-18'
+version: 8
+date: '2025-04-30'
 author: Michael Haag, Splunk
-status: production
+status: deprecated
 type: Hunting
 description: The following analytic identifies the use of remote access software within
 the environment. It leverages data from Endpoint Detection and Response (EDR) agents,
diff --git a/detections/endpoint/detect_remote_access_software_usage_process.yml b/detections/endpoint/detect_remote_access_software_usage_process.yml
index 9d3d572175..5f2a04d5e4 100644
--- a/detections/endpoint/detect_remote_access_software_usage_process.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_process.yml
@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage Process
 id: ffd5e001-2e34-48f4-97a2-26dc4bb08178
-version: 8
-date: '2025-04-18'
+version: 9
+date: '2025-04-30'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -17,18 +17,23 @@ data_source:
 - Sysmon EventID 1
 - Windows Event Log Security 4688
 - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
- as lastTime values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes
- where Processes.dest!=unknown Processes.process!=unknown by Processes.action Processes.dest
- Processes.original_file_name Processes.parent_process Processes.parent_process_exec
- Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
- Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
- Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name
- Processes.process_path Processes.user Processes.user_id Processes.vendor_product
- | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)`
- | lookup remote_access_software remote_utility AS process_name OUTPUT isutility,
- description as signature, comment_reference as desc, category | search isutility
- = True | `remote_access_software_usage_exceptions` | `detect_remote_access_software_usage_process_filter`'
+search: |
+ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.parent_process) as parent_process
+ from datamodel=Endpoint.Processes
+ where
+ [| inputlookup remote_access_software where isutility=TRUE
+ | rename remote_utility AS Processes.process_name
+ | fields Processes.process_name]
+ AND Processes.dest!="unknown"
+ AND Processes.user!="unknown"
+ by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `drop_dm_object_name(Processes)`
+ | lookup remote_access_software remote_utility AS process_name OUTPUT isutility description AS signature comment_reference AS desc category
+ | search isutility = TRUE
+ | `remote_access_software_usage_exceptions`
+ | `detect_remote_access_software_usage_process_filter`
 how_to_implement: The detection is based on data that originates from Endpoint Detection
 and Response (EDR) agents. These agents are designed to provide security-related
 telemetry from the endpoints where the agent is installed. To implement this search,
@@ -107,3 +112,6 @@ tests:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/screenconnect/screenconnect_sysmon.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
 sourcetype: XmlWinEventLog
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1219/atomic_red_team/windows-sysmon.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog
\ No newline at end of file
diff --git a/removed/deprecation_mapping.YML b/removed/deprecation_mapping.YML
index 99e8eb5874..219df33168 100644
--- a/removed/deprecation_mapping.YML
+++ b/removed/deprecation_mapping.YML
@@ -1,4 +1,9 @@
 detections:
+ - content: Windows Remote Access Software Hunt
+ removed_in_version: 5.8.0
+ reason: Detection has been replaced by a new detection with a more specific name and logic
+ replacement_content:
+ - Detect Remote Access Software Usage Process
 - content: Detect Large Outbound ICMP Packets
 removed_in_version: 5.6.0
 reason: Detection has been replaced by a new detection with a more specific name
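Review bot: The rewritten `where` clause drops the old `Processes.process!=unknown` guard and adds `Processes.user!="unknown"` in its place, so a matching execution whose user field was not populated by the EDR source is now excluded before the lookup runs, and the commit message does not say this narrowing is intended. If it is not, keep the original guard next to the new one: `AND Processes.process!="unknown"`. The `[| inputlookup remote_access_software ...]` pre-filter is also bound by the search head's subsearch result and runtime limits, so if the lookup ever grows past them, entries are silently dropped from the filter; that deserves a sentence in how_to_implement. With the pre-filter in place, the later `| search isutility = TRUE` mostly re-checks what the subsearch already enforced, so if it is kept as a deliberate safety net, saying so in the description would help the next maintainer.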
From 6b2f2e9636daa1288ede8e3e7e3b6bda9e4a43a3 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 30 Apr 2025 12:15:14 -0700
Subject: [PATCH 2/4] remove manual test for a CI run

---
 .../endpoint/detect_remote_access_software_usage_process.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/detections/endpoint/detect_remote_access_software_usage_process.yml b/detections/endpoint/detect_remote_access_software_usage_process.yml
index 5f2a04d5e4..f768ab922a 100644
--- a/detections/endpoint/detect_remote_access_software_usage_process.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_process.yml
@@ -32,7 +32,6 @@ search: |
 | `drop_dm_object_name(Processes)`
 | lookup remote_access_software remote_utility AS process_name OUTPUT isutility description AS signature comment_reference AS desc category
 | search isutility = TRUE
- | `remote_access_software_usage_exceptions`
 | `detect_remote_access_software_usage_process_filter`
 how_to_implement: The detection is based on data that originates from Endpoint Detection
 and Response (EDR) agents. These agents are designed to provide security-related
@@ -105,7 +104,7 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
- manual_test: This detection uses A&I lookups from Enterprise Security.
+ # manual_test: This detection uses A&I lookups from Enterprise Security.
 tests:
 - name: True Positive Test
 attack_data:

From 26e2f594627919760017d9e9c4c89e5c026fc777 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 30 Apr 2025 12:20:03 -0700
Subject: [PATCH 3/4] add back manual_Test

---
 .../detect_remote_access_software_usage_process.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/detections/endpoint/detect_remote_access_software_usage_process.yml b/detections/endpoint/detect_remote_access_software_usage_process.yml
index f768ab922a..7074ab0fe1 100644
--- a/detections/endpoint/detect_remote_access_software_usage_process.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_process.yml
@@ -2,14 +2,13 @@ name: Detect Remote Access Software Usage Process
 id: ffd5e001-2e34-48f4-97a2-26dc4bb08178
 version: 9
 date: '2025-04-30'
-author: Steven Dick
+author: Steven Dick, Sebastian Wurl, Splunk Community
 status: production
 type: Anomaly
 description: The following analytic detects the execution of known remote access software within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes mapped to the Endpoint data
- model. This activity is significant as adversaries often use remote access tools
- like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access.
+ model. We then compare with with a list of known remote access software shipped as a lookup file - remote_access_software. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access.
 If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security.
@@ -32,6 +31,7 @@ search: |
 | `drop_dm_object_name(Processes)`
 | lookup remote_access_software remote_utility AS process_name OUTPUT isutility description AS signature comment_reference AS desc category
 | search isutility = TRUE
+ | `remote_access_software_usage_exceptions`
 | `detect_remote_access_software_usage_process_filter`
 how_to_implement: The detection is based on data that originates from Endpoint Detection
 and Response (EDR) agents. These agents are designed to provide security-related
@@ -104,7 +104,7 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
- # manual_test: This detection uses A&I lookups from Enterprise Security.
+ manual_test: This detection uses A&I lookups from Enterprise Security.
 tests:
 - name: True Positive Test
 attack_data:
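Review bot: The new description line in the first hunk carries a doubled word, `model. We then compare with with a list of known remote access software shipped as a lookup file - remote_access_software.`; suggested wording is `model. We then compare the process name with the list of known remote access software shipped as the remote_access_software lookup.` The remainder of that line, from "This activity is significant" onward, can stay as written.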
From 4d1ff91ee3b95a53070da1219b6c300777972a97 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 30 Apr 2025 12:24:55 -0700
Subject: [PATCH 4/4] updated messaging

---
 detections/deprecated/windows_remote_access_software_hunt.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detections/deprecated/windows_remote_access_software_hunt.yml b/detections/deprecated/windows_remote_access_software_hunt.yml
index 1f2e1de847..f1ce42bcbd 100644
--- a/detections/deprecated/windows_remote_access_software_hunt.yml
+++ b/detections/deprecated/windows_remote_access_software_hunt.yml
@@ -5,7 +5,7 @@ date: '2025-04-30'
 author: Michael Haag, Splunk
 status: deprecated
 type: Hunting
-description: The following analytic identifies the use of remote access software within
+description: This search is deprecated in favor of the new detection - Detect Remote Access Software Usage Process. The following analytic identifies the use of remote access software within
 the environment. It leverages data from Endpoint Detection and Response (EDR) agents,
 focusing on process execution logs. This detection is significant as unauthorized remote access tools can be used by adversaries to maintain persistent access to