splunk · RavenTait · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026
@@ -0,0 +1,49 @@
+name: Windows AppCertDLL Modification
+id: 3ba73a2b-3396-47e4-bdef-c80e6a7895c0
+version: 1
+date: '2026-04-13'
+author: Raven Tait, Splunk
+status: production
+type: Anomaly
+description: This analytic detects attempts to modify AppCertDLL registry keys, which are used to specify DLLs loaded by the Windows Session Manager. Such modifications can be abused by attackers to load malicious code early in the system startup process, enabling persistent malware execution with high privileges. If confirmed malicious, this behavior may lead to system compromise, persistence, and the evasion of security controls.
+data_source:
+    - Sysmon EventID 1
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*controlset*\\control\\session manager*appcertdlls*" by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash Processes.parent_process_name Processes.parent_process_exec Processes.action Processes.dest Processes.process_current_directory Processes.process_path Processes.process_integrity_level Processes.original_file_name Processes.parent_process Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id Processes.process_guid Processes.process_id Processes.user Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `windows_appcertdll_modification_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: Modifications to AppCertDLL keys may be made by legitimate software updates or trusted system management tools. Review changes to ensure they are from approved sources.
+drilldown_searches:
+    - earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+      name: View the detection results for - "$user$" and "$dest$"
+      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: 7d
+      latest_offset: "0"
+rba:
+    message: Potential AppCertDLL Modification activity observed on $dest$ via $process$.via $process$.
+    risk_objects:
+        - field: dest
+          type: system
+          score: 20
+    threat_objects:
+        - field: parent_process_name
+          type: process
+tags:
+    analytic_story:
+        - Windows Persistence Techniques
+        - Windows Privilege Escalation
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1546.009
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.009/snapattack/snapattack.log
+          source: XmlWinEventLog:Security
+          sourcetype: XmlWinEventLog
@@ -0,0 +1,56 @@
+name: Windows Azure Domain Federated via Powershell
+id: 59a8662f-f616-4494-8fa1-29ae77fc2018
+version: 1
+date: '2026-04-13'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: 'The ConvertTo-AADIntBackdoor command is part of the AADInternals toolkit, which is used primarily for security testing and administrative tasks in Azure Active Directory (Azure AD) environments. This particular command is designed to create a "backdoor" in a federated Azure AD domain.
+
+
+    When executed, ConvertTo-AADIntBackdoor modifies the federation settings of a domain by adding or changing the federation configuration to allow an attacker to control the authentication process. This manipulation enables the creation of security tokens that can impersonate any user within the Azure AD tenant. Consequently, this allows an attacker to bypass Multi-Factor Authentication (MFA), escalate privileges, and maintain persistent access to the Azure AD environment.'
+data_source:
+    - Powershell Script Block Logging 4104
+search: '`powershell` EventID="4104" ScriptBlockText="*ConvertTo-AADIntBackdoor*" | fillnull | stats count by Computer, EventID, ScriptBlockText, signature, signature_id, user_id, vendor_product, Guid, Opcode, Name, Path, ProcessID, ScriptBlockId | rename Computer as dest |`security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_azure_domain_federated_via_powershell_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: Certain administrative or security testing activities in Azure AD environments may use ConvertTo-AADIntBackdoor for legitimate federation configuration changes. Review and allow such actions from trusted administrators and approved tools.
+references:
+    - https://atomicredteam.io/privilege-escalation/T1484.002/#atomic-test-1---add-federation-to-azure-ad
+drilldown_searches:
+    - earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+      name: View the detection results for - "$user$" and "$dest$"
+      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: 7d
+      latest_offset: "0"
+rba:
+    message: Potential Azure Domain Federated via Powershell activity observed on $dest$.
+    risk_objects:
+        - field: dest
+          type: system
+          score: 50
+    threat_objects: []
+tags:
+    analytic_story:
+        - Azure Active Directory Persistence
+        - Azure Active Directory Account Takeover
+        - Azure Active Directory Privilege Escalation
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1482
+        - T1078
+        - T1212
+        - T1071.001
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/snapattack/snapattack.log
+          source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+          sourcetype: XmlWinEventLog
@@ -0,0 +1,52 @@
+name: Windows Azure Powershell Modules Installed
+id: 344bed10-9a8b-4398-8bf3-ec9114125260
+version: 1
+date: '2026-04-13'
+author: Raven Tait, Splunk
+status: production
+type: Anomaly
+description: 'Detects PowerShell Script Block Logging events capturing the usage of Azure AD and cloud management modules commonly abused by threat actors during cloud-focused attacks. Tools such as AADInternals, AzureAD, MSOnline, and Az.Resources provide deep access to Azure Active Directory objects, user accounts, service principals, and tenant configurations — making them high-value for adversaries conducting reconnaissance, privilege escalation, or persistence operations post-compromise.'
+data_source:
+    - Powershell Script Block Logging 4104
+search: '`powershell` EventID="4104" ScriptBlockText IN ("*Install-Module AzureAd*", "*Install-Module AADInternals*", "*Install-Module MSOnline*", "*Install-Module Az.Resources*", "*Install-Module -Name AzureAd*", "*Install-Module -Name MSOnline*", "*Install-Module -Name AADInternal*", "*Install-Module -Name Az.Resources*") | fillnull | stats count by Computer, EventID, ScriptBlockText, signature, signature_id, user_id, vendor_product, Guid, Opcode, Name, Path, ProcessID, ScriptBlockId | rename Computer as dest| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_azure_powershell_modules_installed_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: Legitimate administrators often install these modules for managing Azure environments. Filter alerts for authorized personnel and approved administrative activities.
+drilldown_searches:
+    - earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+      name: View the detection results for - "$user$" and "$dest$"
+      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: 7d
+      latest_offset: "0"
+rba:
+    message: Potential Azure Powershell Modules Installed activity observed on $dest$ via $process$.
+    risk_objects:
+        - field: dest
+          type: system
+          score: 50
+    threat_objects: []
+tags:
+    analytic_story:
+        - Azure Active Directory Account Takeover
+        - Azure Active Directory Persistence
+        - Azure Active Directory Privilege Escalation
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1078
+        - T1021.007
+        - T1136.003
+        - T1098
+        - T1069.003
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/snapattack/snapattack.log
+          source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+          sourcetype: XmlWinEventLog
@@ -0,0 +1,50 @@
+name: Windows Azure Storage Tools
+id: 980648f3-f4cc-4d56-86cf-0d6e7aa5d34e
+version: 1
+date: '2026-04-13'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: 'Detects execution of Azure Storage utilities such as AzCopy and Storage Explorer, which can be abused by threat actors for covert data exfiltration. These tools enable large-scale data transfers over trusted cloud channels, allowing malicious activity to blend with legitimate traffic and evade traditional network defenses. Adversaries may leverage them post-compromise to stage or extract sensitive data from endpoints. While legitimate administrative use is expected, anomalous execution patterns, unexpected users, or unusual parent processes should be treated as potential indicators of compromise and investigated promptly.'
+data_source:
+    - Sysmon EventID 1
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("AzCopy.exe", "StorageExplorer.exe") by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash Processes.parent_process_name Processes.parent_process_exec Processes.action Processes.dest Processes.process_current_directory Processes.process_path Processes.process_integrity_level Processes.original_file_name Processes.parent_process Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id Processes.process_guid Processes.process_id Processes.user Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `windows_azure_storage_tools_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: Legitimate IT operations and cloud administrators frequently use Windows Azure Storage Tools for data management and backups. Investigate unexpected usage to rule out unauthorized access or exfiltration.
+references:
+    - https://blog.talosintelligence.com/emerging-interlock-ransomware/
+drilldown_searches:
+    - earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+      name: View the detection results for - "$user$" and "$dest$"
+      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: 7d
+      latest_offset: "0"
+rba:
+    message: Potential Azure Storage Tools activity observed on $dest$ via $process$.
+    risk_objects:
+        - field: dest
+          type: system
+          score: 50
+    threat_objects:
+        - field: parent_process_name
+          type: process
+tags:
+    analytic_story:
+        - Data Exfiltration
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1567.002
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567.002/snapattack/snapattack.log
+          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+          sourcetype: XmlWinEventLog