Skip to content

Improved detections based on telemetry data #4011

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nasbench merged 19 commits into from
May 4, 2026
Merged

Improved detections based on telemetry data #4011

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
19 commits
Select commit Hold shift + click to select a range
4de6ada
Improved detections absed on telemetry
Apr 13, 2026
7b544d4
Merge branch 'develop' into detection_improvements
P4T12ICK Apr 13, 2026
22b504f
bump versions and dates
Apr 13, 2026
fc669a2
Merge branch 'detection_improvements' of github.com:splunk/security_c…
Apr 13, 2026
174b630
updates
Apr 14, 2026
fb66723
Merge branch 'develop' into detection_improvements
P4T12ICK Apr 14, 2026
e90dcef
Merge branch 'develop' into detection_improvements
P4T12ICK Apr 14, 2026
775e5f8
Merge branch 'develop' into detection_improvements
patel-bhavin Apr 16, 2026
7cfe367
Merge branch 'develop' into detection_improvements
patel-bhavin Apr 17, 2026
4ce48d0
Merge branch 'develop' into detection_improvements
patel-bhavin Apr 27, 2026
1b29716
Merge branch 'develop' into detection_improvements
nasbench Apr 28, 2026
530cbdb
Merge branch 'develop' into detection_improvements
patel-bhavin Apr 29, 2026
455763a
Update windows_msiexec_spawn_discovery_command.yml
nasbench Apr 30, 2026
0e369d1
update query to fix av matches
nasbench Apr 30, 2026
84ec4c1
bump versions
nasbench May 4, 2026
fbc6069
update fp section and re-order list
nasbench May 4, 2026
affc62c
Update powershell_pinvoke_process_injection_api_chain.yml
nasbench May 4, 2026
7131d62
Merge branch 'develop' into detection_improvements
nasbench May 4, 2026
1e74955
Update powershell_pinvoke_process_injection_api_chain.yml
nasbench May 4, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions detections/endpoint/disable_logs_using_wevtutil.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: Disable Logs Using WevtUtil
id: 236e7c8e-c9d9-11eb-a824-acde48001122
version: 12
version: 13
date: '2026-04-15'
author: Teoderick Contreras, Splunk
status: production
Expand All @@ -16,7 +16,7 @@ search: |-
AND
(Processes.process = "*sl*"
OR
Processes.process = "*set-log*" ) Processes.process = "*/e:false*"
Processes.process = "*set-log*" ) Processes.process IN ("*/e:false*", "*/enabled:false*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Expand Down
4 changes: 2 additions & 2 deletions detections/endpoint/possible_lateral_movement_powershell_spawn.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
name: Possible Lateral Movement PowerShell Spawn
id: cb909b3e-512b-11ec-aa31-3e22fbd008af
version: 15
version: 16
date: '2026-04-15'
author: Mauricio Velazco, Michael Haag, Splunk
status: production
type: TTP
type: Anomaly
Comment thread
nasbench marked this conversation as resolved.
description: |
The following analytic detects the spawning of a PowerShell process as a child or grandchild of commonly abused processes like services.exe, wmiprvse.exe, svchost.exe, wsmprovhost.exe, and mmc.exe.
It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names, as well as command-line executions.
Expand Down
207 changes: 50 additions & 157 deletions detections/endpoint/powershell_pinvoke_process_injection_api_chain.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,169 +7,60 @@ status: production
type: TTP
description: |
The following analytic detects PowerShell Script Block Logging (Event ID 4104) evidence of a complete P/Invoke process-injection API chain at either the compile phase or the execution phase.

Compile phase:
Detects inline .NET class definitions created via `Add-Type -TypeDefinition` where the embedded C# source includes `[DllImport]` declarations and full P/Invoke signatures such as `extern <ReturnType> <FunctionName>`. This reduces false positives from comments, string literals, and arbitrary text references.

Execution phase:
Detects PowerShell static method invocation patterns using `::MethodName(` syntax, anchored with execution-context indicators such as `[IntPtr]::Zero` or `Marshal]::Copy`.

Injection technique coverage:

1. Self-injection shellcode runner
- VirtualAlloc + VirtualProtect + CreateThread
2. Remote thread injection
- OpenProcess + VirtualAllocEx/VirtualAlloc + WriteProcessMemory + CreateRemoteThread
3. APC injection
- OpenProcess + VirtualAllocEx/VirtualAlloc + WriteProcessMemory + QueueUserAPC
4. Thread-context hijacking
- OpenThread + SuspendThread + GetThreadContext + WriteProcessMemory + SetThreadContext + ResumeThread
5. Process hollowing
- CreateProcess + VirtualAllocEx/VirtualAlloc + WriteProcessMemory + SetThreadContext + ResumeThread
6. Section-map injection
- NtCreateSection + NtMapViewOfSection (+ CreateRemoteThread in this analytic)
7. Reflective DLL loading
- VirtualAlloc + GetProcAddress + GetModuleHandle + VirtualProtect + CreateThread
8. DLL injection
- OpenProcess + VirtualAllocEx/VirtualAlloc + WriteProcessMemory + GetModuleHandle + GetProcAddress + CreateRemoteThread

Including the execution phase ensures coverage when an adversary loads a pre-compiled assembly from memory or disk and bypasses Add-Type entirely, since the static method call pattern is still captured in the script block regardless of how the class was originally compiled.
Portions of this search were modified to retain the same functionality while preventing antivirus products from alerting on the detection itself
data_source:
- Powershell Script Block Logging 4104
search: |-
`powershell`
EventCode=4104
(
ScriptBlockText = "*add-type*"
ScriptBlockText="*DllImport*"
ScriptBlockText="*add-type*"
ScriptBlockText="*DllImport*"
ScriptBlockText IN (
"*extern IntPtr*",
"*extern bool*",
"*extern uint*",
"*extern int*"
)
| where
(
(
ScriptBlockText="*extern IntPtr VirtualAlloc*"
ScriptBlockText="*extern bool VirtualProtect*"
ScriptBlockText="*extern IntPtr CreateThread*"
)
OR
(
ScriptBlockText="*extern IntPtr OpenProcess*"
ScriptBlockText="*extern IntPtr VirtualAlloc*"
ScriptBlockText="*extern bool WriteProcessMemory*"
ScriptBlockText="*extern IntPtr CreateRemoteThread*"
)
OR
(
ScriptBlockText="*extern IntPtr OpenProcess*"
ScriptBlockText="*extern IntPtr VirtualAlloc*"
ScriptBlockText="*extern bool WriteProcessMemory*"
ScriptBlockText="*extern bool QueueUserAPC*"
)
OR
(
ScriptBlockText="*extern IntPtr OpenThread*"
ScriptBlockText="*extern uint SuspendThread*"
ScriptBlockText="*extern bool GetThreadContext*"
ScriptBlockText="*extern bool WriteProcessMemory*"
ScriptBlockText="*extern bool SetThreadContext*"
ScriptBlockText="*extern uint ResumeThread*"
)
OR
(
ScriptBlockText="*extern bool CreateProcess*"
ScriptBlockText="*extern IntPtr VirtualAlloc*"
ScriptBlockText="*extern bool WriteProcessMemory*"
ScriptBlockText="*extern bool SetThreadContext*"
ScriptBlockText="*extern uint ResumeThread*"
)
OR
(
ScriptBlockText="*extern int NtCreateSection*"
ScriptBlockText="*extern int NtMapViewOfSection*"
ScriptBlockText="*extern IntPtr CreateRemoteThread*"
)
OR
(
ScriptBlockText="*extern IntPtr VirtualAlloc*"
ScriptBlockText="*extern IntPtr GetProcAddress*"
ScriptBlockText="*extern IntPtr GetModuleHandle*"
ScriptBlockText="*extern IntPtr CreateThread*"
ScriptBlockText="*extern bool VirtualProtect*"
)
OR
(
ScriptBlockText="*extern IntPtr OpenProcess*"
ScriptBlockText="*extern IntPtr VirtualAlloc*"
ScriptBlockText="*extern bool WriteProcessMemory*"
ScriptBlockText="*extern IntPtr GetProcAddress*"
ScriptBlockText="*extern IntPtr CreateRemoteThread*"
)
OR
(
ScriptBlockText="*::VirtualAlloc*"
ScriptBlockText="*::VirtualProtect*"
ScriptBlockText="*::CreateThread*"
(
ScriptBlockText="*[IntPtr]::Zero*"
OR
ScriptBlockText="*Marshal]::Copy*"
)
)
OR
(
ScriptBlockText="*::OpenProcess*"
ScriptBlockText="*::VirtualAlloc*"
ScriptBlockText="*::WriteProcessMemory*"
ScriptBlockText="*::CreateRemoteThread*"
ScriptBlockText="*[IntPtr]::Zero*"
)
OR
(
ScriptBlockText="*::OpenProcess*"
ScriptBlockText="*::VirtualAlloc*"
ScriptBlockText="*::WriteProcessMemory*"
ScriptBlockText="*::QueueUserAPC*"
ScriptBlockText="*[IntPtr]::Zero*"
)
OR
(
ScriptBlockText="*::OpenThread*"
ScriptBlockText="*::SuspendThread*"
ScriptBlockText="*::GetThreadContext*"
ScriptBlockText="*::WriteProcessMemory*"
ScriptBlockText="*::SetThreadContext*"
ScriptBlockText="*::ResumeThread*"
)
OR
(
ScriptBlockText="*::CreateProcess*"
ScriptBlockText="*::VirtualAlloc*"
ScriptBlockText="*::WriteProcessMemory*"
ScriptBlockText="*::SetThreadContext*"
ScriptBlockText="*::ResumeThread*"
)
OR
(
ScriptBlockText="*::NtCreateSection*"
ScriptBlockText="*::NtMapViewOfSection*"
ScriptBlockText="*::CreateRemoteThread*"
)
OR
(
ScriptBlockText="*::VirtualAlloc*"
ScriptBlockText="*::GetProcAddress*"
ScriptBlockText="*::GetModuleHandle*"
ScriptBlockText="*::VirtualProtect*"
ScriptBlockText="*::CreateThread*"
)
OR
(
ScriptBlockText="*::OpenProcess*"
ScriptBlockText="*::VirtualAlloc*"
ScriptBlockText="*::WriteProcessMemory*"
ScriptBlockText="*::GetModuleHandle*"
ScriptBlockText="*::GetProcAddress*"
ScriptBlockText="*::CreateRemoteThread*"
match(ScriptBlockText, "(?i)[v][i][r][t][u][a][l][a][l][l][o][c]")
AND match(ScriptBlockText, "(?i)[v][i][r][t][u][a][l][p][r][o][t][e][c][t]")
AND match(ScriptBlockText, "(?i)[c][r][e][a][t][e][t][h][r][e][a][d]")
)
OR
(
match(ScriptBlockText, "(?i)[o][p][e][n][p][r][o][c][e][s][s]")
AND match(ScriptBlockText, "(?i)[v][i][r][t][u][a][l][a][l][l][o][c]")
AND match(ScriptBlockText, "(?i)[w][r][i][t][e][p][r][o][c][e][s][s][m][e][m][o][r][y]")
AND (
match(ScriptBlockText, "(?i)[c][r][e][a][t][e][r][e][m][o][t][e][t][h][r][e][a][d]")
OR
match(ScriptBlockText, "(?i)[q][u][e][u][e][u][s][e][r][a][p][c]")
)
)
)
OR
(
match(ScriptBlockText, "(?i)[o][p][e][n][t][h][r][e][a][d]")
AND match(ScriptBlockText, "(?i)[s][u][s][p][e][n][d][t][h][r][e][a][d]")
AND match(ScriptBlockText, "(?i)[g][e][t][t][h][r][e][a][d][c][o][n][t][e][x][t]")
AND match(ScriptBlockText, "(?i)[w][r][i][t][e][p][r][o][c][e][s][s][m][e][m][o][r][y]")
AND match(ScriptBlockText, "(?i)[s][e][t][t][h][r][e][a][d][c][o][n][t][e][x][t]")
AND match(ScriptBlockText, "(?i)[r][e][s][u][m][e][t][h][r][e][a][d]")
)
OR
(
match(ScriptBlockText, "(?i)[c][r][e][a][t][e][p][r][o][c][e][s][s]")
AND match(ScriptBlockText, "(?i)[v][i][r][t][u][a][l][a][l][l][o][c]")
AND match(ScriptBlockText, "(?i)[w][r][i][t][e][p][r][o][c][e][s][s][m][e][m][o][r][y]")
AND match(ScriptBlockText, "(?i)[s][e][t][t][h][r][e][a][d][c][o][n][t][e][x][t]")
AND ScriptBlockText = "*ResumeThread*"
)
OR
(
match(ScriptBlockText, "(?i)[n][t][c][r][e][a][t][e][s][e][c][t][i][o][n]")
AND match(ScriptBlockText, "(?i)[n][t][m][a][p][v][i][e][w][o][f][s][e][c][t][i][o][n]")
AND match(ScriptBlockText, "(?i)[c][r][e][a][t][e][r][e][m][o][t][e][t][h][r][e][a][d]")
)
| fillnull
| stats count min(_time) as firstTime
max(_time) as lastTime
Expand All @@ -178,8 +69,10 @@ search: |-
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `powershell_pinvoke_process_injection_api_chain_filter`
how_to_implement: The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
known_false_positives: No false positives have been identified at this time.
how_to_implement: |-
The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
known_false_positives: |-
No false positives have been identified at this time.
references:
- https://learn.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.dllimportattribute
- https://www.ired.team/offensive-security/code-injection-process-injection
Expand Down
8 changes: 5 additions & 3 deletions detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
name: Regsvr32 Silent and Install Param Dll Loading
id: f421c250-24e7-11ec-bc43-acde48001122
version: 12
version: 13
date: '2026-04-15'
author: Teoderick Contreras, Splunk
status: production
Expand All @@ -14,7 +14,7 @@ search: |-
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_regsvr32`
AND
Processes.process="*/i*"
Processes.process="*/i*" AND NOT Processes.process="*Microsoft\\TeamsMeetingAddin*"
Comment thread
nasbench marked this conversation as resolved.
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Expand All @@ -29,7 +29,9 @@ search: |-
| \/][Ss]{1}")
| `regsvr32_silent_and_install_param_dll_loading_filter`
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: Other third part application may used this parameter but not so common in base windows environment.
known_false_positives: |
Other third part application may used this parameter.
One identified use case is Microsoft Teams. Apply the necessary filters before using this rule in production.
references:
- https://app.any.run/tasks/dc93ee63-050c-4ff8-b07e-8277af9ab939/
- https://attack.mitre.org/techniques/T1218/010/
Expand Down
8 changes: 4 additions & 4 deletions detections/endpoint/schtasks_run_task_on_demand.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
name: Schtasks Run Task On Demand
id: bb37061e-af1f-11eb-a159-acde48001122
version: 9
version: 10
date: '2026-04-15'
author: Teoderick Contreras, Splunk
status: production
type: TTP
type: Anomaly
description: The following analytic detects the execution of a Windows Scheduled Task on demand via the shell or command line. It leverages process-related data, including process name, parent process, and command-line executions, sourced from endpoint logs. The detection focuses on 'schtasks.exe' with an associated 'run' command. This activity is significant as adversaries often use it to force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. If confirmed malicious, this could allow attackers to maintain persistence or move laterally within the network, potentially leading to further compromise.
data_source:
- Sysmon EventID 1
Expand Down Expand Up @@ -42,10 +42,10 @@ rba:
risk_objects:
- field: dest
type: system
score: 50
score: 20
- field: user
type: user
score: 50
score: 20
threat_objects: []
tags:
analytic_story:
Expand Down
6 changes: 3 additions & 3 deletions detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,18 +1,18 @@
name: Windows Disable Windows Event Logging Disable HTTP Logging
id: 23fb6787-255f-4d5b-9a66-9fd7504032b5
version: 13
version: 14
date: '2026-04-15'
author: Michael Haag, Splunk
status: production
type: TTP
type: Anomaly
description: The following analytic detects the use of AppCmd.exe to disable HTTP logging on IIS servers. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution events where AppCmd.exe is used with specific parameters to alter logging settings. This activity is significant because disabling HTTP logging can help adversaries hide their tracks and avoid detection by removing evidence of their actions. If confirmed malicious, this could allow attackers to operate undetected, making it difficult to trace their activities and respond to the intrusion effectively.
data_source:
- Sysmon EventID 1
- Windows Event Log Security 4688
- CrowdStrike ProcessRollup2
search: |-
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE NOT (Processes.parent_process_name IN ("msiexec.exe", "iissetup.exe")) Processes.process_name=appcmd.exe Processes.process IN ("*set config*", "*httplogging*","*dontlog:true*")
WHERE NOT (Processes.parent_process_name IN ("msiexec.exe", "iissetup.exe")) Processes.process_name=appcmd.exe Processes.process IN ("*httplogging*","*dontlog:true*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Expand Down
8 changes: 4 additions & 4 deletions detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
name: Windows Files and Dirs Access Rights Modification Via Icacls
id: c76b796c-27e1-4520-91c4-4a58695c749e
version: 13
version: 14
date: '2026-04-15'
author: Teoderick Contreras, Splunk
status: production
type: TTP
type: Anomaly
description: |
The following analytic identifies the modification of security permissions
on files or directories using tools like icacls.exe, cacls.exe, or xcacls.exe. It
Expand Down Expand Up @@ -50,10 +50,10 @@ rba:
risk_objects:
- field: dest
type: system
score: 50
score: 30
- field: user
type: user
score: 50
score: 30
threat_objects: []
tags:
analytic_story:
Expand Down
8 changes: 4 additions & 4 deletions detections/endpoint/windows_msiexec_remote_download.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
name: Windows MSIExec Remote Download
id: 6aa49ff2-3c92-4586-83e0-d83eb693dfda
version: 15
version: 16
date: '2026-04-15'
author: Michael Haag, Splunk
status: production
type: TTP
type: Anomaly
description: |
The following analytic detects the use of msiexec.exe with an HTTP or
HTTPS URL in the command line, indicating a remote file download attempt. This detection
Expand Down Expand Up @@ -61,10 +61,10 @@ rba:
risk_objects:
- field: user
type: user
score: 50
score: 30
- field: dest
type: system
score: 50
score: 30
threat_objects:
- field: parent_process_name
type: parent_process_name
Expand Down
Loading
Loading