splunk · nasbench · Apr 7, 2026 · Apr 7, 2026 · Apr 7, 2026 · Apr 7, 2026
@@ -1,7 +1,7 @@
 name: Dump LSASS via procdump
 id: 3742ebfe-64c2-11eb-ae93-0242ac130002
-version: 18
-date: '2026-03-10'
+version: 19
+date: '2026-04-08'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -34,8 +34,19 @@ search: |
       OR
       Processes.original_file_name=procdump
     )
-    Processes.process IN (*-ma*, *-mm*, "*-mp*", */ma*, */mm*, "*/mp*")
-    Processes.process IN (* ls*, "* keyiso*", "* samss*")
+    Processes.process IN (
+        "*-ma*",
+        "*-mm*",
+        "*-mp*",
+        "*/ma*",
+        "*/mm*",
+        "*/mp*"
+    )
+    Processes.process IN (
+        "* keyiso*",
+        "* ls*",
+        "* samss*"
+    )
 
     by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
        Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id

@@ -1,28 +1,42 @@
 name: Network Connection Discovery With Arp
 id: ae008c0f-83bd-4ed4-9350-98d4328e15d2
-version: 8
-date: '2026-02-25'
+version: 9
+date: '2026-04-09'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
-description: The following analytic detects the execution of `arp.exe` with the `-a` flag, which is used to list network connections on a compromised system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and related telemetry. Monitoring this activity is significant because both Red Teams and adversaries use `arp.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map the network, identify active devices, and plan further lateral movement or attacks.
+description: |-
+    The following analytic detects the execution of `arp.exe` with the `-a` flag, which is used to list network connections on a compromised system. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and related telemetry. Monitoring this activity is significant because both Red Teams and adversaries use `arp.exe` for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map the network, identify active devices, and plan further lateral movement or attacks.
 data_source:
     - Sysmon EventID 1
     - Windows Event Log Security 4688
     - CrowdStrike ProcessRollup2
 search: |-
-    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
-      WHERE (
-            Processes.process_name="arp.exe"
-        )
-        (Processes.process=*-a*)
-      BY Processes.action Processes.dest Processes.original_file_name
-         Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
-         Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
-         Processes.process Processes.process_exec Processes.process_guid
-         Processes.process_hash Processes.process_id Processes.process_integrity_level
-         Processes.process_name Processes.process_path Processes.user
-         Processes.user_id Processes.vendor_product
+    | tstats `security_content_summariesonly`
+      count min(_time) as firstTime
+            max(_time) as lastTime
+
+    FROM datamodel=Endpoint.Processes WHERE
+
+    (
+        Processes.process_name="arp.exe"
+        OR
+        Processes.process_original_file_name="arp.exe"
+    )
+    Processes.process IN (
+        "* -a*",
+        "* -g *",
+        "* /a *",
+        "* /g *"
+    )
+    BY Processes.action Processes.dest Processes.original_file_name
+       Processes.parent_process Processes.parent_process_exec
+       Processes.parent_process_guid Processes.parent_process_id
+       Processes.parent_process_name Processes.parent_process_path
+       Processes.process Processes.process_exec Processes.process_guid
+       Processes.process_hash Processes.process_id Processes.process_integrity_level
+       Processes.process_name Processes.process_path Processes.user
+       Processes.user_id Processes.vendor_product
     | `drop_dm_object_name(Processes)`
     | `security_content_ctime(firstTime)`
     | `security_content_ctime(lastTime)`

@@ -1,7 +1,7 @@
 name: Sunburst Correlation DLL and Network Event
 id: 701a8740-e8db-40df-9190-5516d3819787
-version: 9
-date: '2026-03-10'
+version: 10
+date: '2026-04-07'
 author: Patrick Bareiss, Splunk
 status: experimental
 type: TTP
@@ -10,11 +10,21 @@ data_source:
     - Sysmon EventID 7
     - Sysmon EventID 22
 search: |-
-    | (`sysmon` EventCode=7 ImageLoaded=*SolarWinds.Orion.Core.BusinessLayer.dll) OR (`sysmon` EventCode=22 QueryName=*avsvmcloud.com)
-      | eventstats dc(EventCode) AS dc_events
-      | where dc_events=2
-      | stats count min(_time) as firstTime max(_time) as lastTime
-        BY Image ImageLoaded dest
+    `sysmon`
+    (
+        EventCode=7
+        ImageLoaded=*SolarWinds.Orion.Core.BusinessLayer.dll
+    )
+    OR
+    (
+        EventCode=22
+        QueryName=*avsvmcloud.com
+    )
+    | eventstats dc(EventCode) AS dc_events
+    | where dc_events=2
+    | stats count min(_time) as firstTime
+                  max(_time) as lastTime
+        by Image ImageLoaded dest
            loaded_file loaded_file_path original_file_name
            process_exec process_guid process_hash
            process_id process_name process_path

@@ -1,7 +1,7 @@
 name: Windows AD Privileged Account SID History Addition
 id: 6b521149-b91c-43aa-ba97-c2cac59ec830
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-04-07'
 author: Dean Luxton
 type: TTP
 status: production
@@ -10,16 +10,16 @@ data_source:
     - Windows Event Log Security 4738
 description: The following analytic identifies when the SID of a privileged user is added to the SID History attribute of another user. It leverages Windows Security Event Codes 4742 and 4738, combined with identity lookups, to detect this activity. This behavior is significant as it may indicate an attempt to abuse SID history for unauthorized access across multiple domains. If confirmed malicious, this activity could allow an attacker to escalate privileges or maintain persistent access within the environment, posing a significant security risk.
 search: |-
-    `wineventlog_security` (EventCode=4742 OR EventCode=4738) NOT SidHistory IN ("%%1793", -)
-      | rex field=SidHistory "(^%{
-      | ^)(?P<SidHistory>.*?)(}$
-      | $)"
-      | eval category="privileged"
-      | lookup identity_lookup_expanded category, identity as SidHistory OUTPUT identity_tag as match
-      | where isnotnull(match)
-      | rename TargetSid as userSid
-      | table _time action status host user userSid SidHistory Logon_ID src_user dest
-      | `windows_ad_privileged_account_sid_history_addition_filter`
+    `wineventlog_security`
+    EventCode IN (4742, 4738)
+    NOT SidHistory IN ("%%1793", -)
+    | rex field=SidHistory "(^%{|^)(?P<SidHistory>.*?)(}$|$)"
+    | eval category="privileged"
+    | lookup identity_lookup_expanded category, identity as SidHistory OUTPUT identity_tag as match
+    | where isnotnull(match)
+    | rename TargetSid as userSid
+    | table _time action status host user userSid SidHistory Logon_ID src_user dest
+    | `windows_ad_privileged_account_sid_history_addition_filter`
 how_to_implement: Ensure you have objectSid and the Down Level Logon Name `DOMAIN\sAMACountName` added to the identity field of your Asset and Identities lookup, along with the category of privileged for the applicable users. Ensure you are ingesting eventcodes 4742 and 4738. Two advanced audit policies `Audit User Account Management` and `Audit Computer Account Management` under `Account Management` are required to generate these event codes.
 known_false_positives: Migration of privileged accounts.
 references:

@@ -69,7 +69,7 @@ tags:
         - Splunk Enterprise
         - Splunk Enterprise Security
         - Splunk Cloud
-    security_domain: access
+    security_domain: endpoint
 tests:
     - name: True Positive Test
       attack_data:

@@ -1,15 +1,15 @@
 name: Windows DLL Side-Loading In Calc
 id: af01f6db-26ac-440e-8d89-2793e303f137
-version: 11
-date: '2026-03-10'
+version: 12
+date: '2026-04-07'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
 description: The following analytic detects the loading of the "WindowsCodecs.dll" by calc.exe from a non-standard location This could be indicative of a potential DLL side-loading technique. This detection leverages Sysmon EventCode 7 to identify the DLL side-loading activity. In previous versions of the "calc.exe" binary, namely on Windows 7, it was vulnerable to DLL side-loading, where an attacker is able to load an arbitrary DLL named "WindowsCodecs.dll". This technique has been observed in Qakbot malware. This activity is significant as it indicates potential malware execution through a trusted process, which can bypass security controls. If confirmed malicious, this could allow attackers to execute arbitrary code, maintain persistence, and escalate privileges within the environment.
 data_source:
     - Sysmon EventID 7
 search: |
-    '`sysmon`
+    `sysmon`
     EventCode=7
     Image="*\\calc.exe"
     ImageLoaded="*\\WindowsCodecs.dll"

@@ -11,7 +11,7 @@ description: |
     This technique can be used by attackers to execute arbitrary commands through SSH proxy configurations, potentially enabling command & control activities or remote code execution. The detection focuses on commonly abused Windows scripting engines and web requests that may indicate malicious activity when spawned through SSH proxy commands.
 data_source:
     - Sysmon EventID 1
-    - Windows Event Log Security 4688
+    - CrowdStrike ProcessRollup2
 search: |-
     | tstats `security_content_summariesonly`
       count min(_time) as firstTime

@@ -12,7 +12,6 @@ description: |
     Such activity might be a strong indicator of exploitation of the aforementioned vulnerability.
 data_source:
     - Sysmon EventID 1
-    - Windows Event Log Security 4688
     - CrowdStrike ProcessRollup2
 search: |
     | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime

@@ -1,23 +1,25 @@
 name: WMI Permanent Event Subscription
 id: 71bfdb13-f200-4c6c-b2c9-a2e07adf437d
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-04-07'
 author: Rico Valdez, Splunk
 status: experimental
 type: TTP
 description: The following analytic detects the creation of permanent event subscriptions using Windows Management Instrumentation (WMI). It leverages Sysmon EventID 5 data to identify instances where the event consumers are not the expected "NTEventLogEventConsumer." This activity is significant because it suggests an attacker is attempting to achieve persistence by running malicious scripts or binaries in response to specific system events. If confirmed malicious, this could lead to severe impacts such as data theft, ransomware deployment, or other damaging outcomes. Investigate the associated scripts or binaries to identify the source of the attack.
 data_source: []
 search: |-
-    `wmi` EventCode=5861 Binding
-      | rex field=Message "Consumer =\s+(?<consumer>[^;
-      | ^$]+)"
-      | search consumer!="NTEventLogEventConsumer=\"SCM Event Log Consumer\""
-      | stats count min(_time) as firstTime max(_time) as lastTime
-        BY ComputerName, consumer, Message
-      | `security_content_ctime(firstTime)`
-      | `security_content_ctime(lastTime)`
-      | rename ComputerName as dest
-      | `wmi_permanent_event_subscription_filter`
+    `wmi`
+    EventCode=5861
+    Binding
+    | rex field=Message "Consumer =\s+(?<consumer>[^;|^$]+)"
+    | search consumer!="NTEventLogEventConsumer=\"SCM Event Log Consumer\""
+    | stats count min(_time) as firstTime
+                  max(_time) as lastTime
+      by ComputerName, consumer, Message
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | rename ComputerName as dest
+    | `wmi_permanent_event_subscription_filter`
 how_to_implement: To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].
 known_false_positives: Although unlikely, administrators may use event subscriptions for legitimate purposes.
 references: []

@@ -1,22 +1,27 @@
 name: WMI Temporary Event Subscription
 id: 38cbd42c-1098-41bb-99cf-9d6d2b296d83
-version: 8
-date: '2026-03-10'
+version: 9
+date: '2026-04-07'
 author: Rico Valdez, Splunk
 status: experimental
 type: TTP
 description: The following analytic detects the creation of WMI temporary event subscriptions. It leverages Windows Event Logs, specifically EventCode 5860, to identify these activities. This detection is significant because attackers often use WMI to execute commands, gather information, or maintain persistence within a compromised system. If confirmed malicious, this activity could allow an attacker to execute arbitrary code, escalate privileges, or persist in the environment. Analysts should review the specific WMI queries and assess their intent, considering potential false positives from legitimate administrative tasks.
 data_source: []
 search: |-
-    `wmi` EventCode=5860 Temporary
-      | rex field=Message "NotificationQuery =\s+(?<query>[^;
-      | ^$]+)"
-      | search query!="SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'" AND query!="SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'"
-      | stats count min(_time) as firstTime max(_time) as lastTime
-        BY ComputerName, query
-      | `security_content_ctime(firstTime)`
-      | `security_content_ctime(lastTime)`
-      | `wmi_temporary_event_subscription_filter`
+    `wmi`
+    EventCode=5860
+    Temporary
+    | rex field=Message "NotificationQuery =\s+(?<query>[^;|^$]+)"
+    | search
+        query!="FROM Win32_ProcessStartTrace WHERE ProcessName = 'wsmprovhost.exe'"
+        AND
+        query!="FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'"
+    | stats count min(_time) as firstTime
+                  max(_time) as lastTime
+      by ComputerName, query
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `wmi_temporary_event_subscription_filter`
 how_to_implement: To successfully implement this search, you must be ingesting the Windows WMI activity logs. This can be done by adding a stanza to inputs.conf on the system generating logs with a title of [WinEventLog://Microsoft-Windows-WMI-Activity/Operational].
 known_false_positives: Some software may create WMI temporary event subscriptions for various purposes. The included search contains an exception for two of these that occur by default on Windows 10 systems. You may need to modify the search to create exceptions for other legitimate events.
 references: []

@@ -1,25 +1,24 @@
 name: Cisco Secure Firewall - Potential Data Exfiltration
 id: 3d8536b6-52b4-4c3e-b695-3f2e90bb22be
-version: 5
-date: '2026-03-10'
+version: 7
+date: '2026-04-09'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
 description: |
-    The following analytic detects potentially suspicious large outbound data transfers from internal to external networks. It leverages Cisco Secure Firewall Threat Defense logs and calculates the total volume of data exchanged per connection by summing InitiatorBytes and ResponderBytes. Connections exceeding 100 MB are flagged, as these may indicate unauthorized data exfiltration, especially if initiated by unusual users, hosts, or processes. This analytic is scoped to inside-to-outside flows using a macro (cisco_secure_firewall_inside_to_outside) to abstract environment-specific zone definitions. If confirmed malicious, this behavior may reflect data staging and exfiltration over an encrypted or stealthy transport.
+    The following analytic detects potentially suspicious large volumes of data sent by the connection initiator on flows from internal to external networks. It leverages Cisco Secure Firewall Threat Defense ConnectionEvent logs and thresholds on InitiatorBytes (bytes transmitted by the initiator), which for typical inside-initiated client sessions approximates upload or outbound payload from the internal host and avoids flagging large downloads where most bytes appear in ResponderBytes. Connections where the initiator sent at least 100 MB are flagged, as these may indicate unauthorized data exfiltration, especially if associated with unusual users, hosts, or processes. This analytic is scoped to inside-to-outside flows using a macro (cisco_secure_firewall_inside_to_outside) to abstract environment-specific zone definitions. If confirmed malicious, this behavior may reflect data staging and exfiltration over an encrypted or stealthy transport.
 data_source:
     - Cisco Secure Firewall Threat Defense Connection Event
 search: |
     `cisco_secure_firewall` EventType=ConnectionEvent `cisco_secure_firewall_inside_to_outside`
-    | eval total_bytes = InitiatorBytes + ResponderBytes
-    | eval total_mb = round(total_bytes / 1024 / 1024, 2)
-    | where total_mb >= 100
-    | eval Exfiltrated = total_mb + " MB"
+    | eval initiator_mb = round(InitiatorBytes / 1024 / 1024, 2)
+    | where initiator_mb >= 100
+    | eval Potentially_Exfiltrated = initiator_mb + " MB"
     | stats min(_time) as firstTime max(_time) as lastTime
         Values(url) as url
         Values(rule) as rule
         Values(dest_port) as dest_port
-        by src, dest, Exfiltrated, transport, action
+        by src, dest, Potentially_Exfiltrated, transport, action
     | `security_content_ctime(firstTime)`
     | `security_content_ctime(lastTime)`
     | `cisco_secure_firewall___potential_data_exfiltration_filter`
@@ -33,8 +32,9 @@ how_to_implement: |
     The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
     The access policy must also enable logging.
 known_false_positives: |
-    Large outbound transfers may occur due to legitimate activities such as cloud backups, file syncing, OS or application updates, or developer build deployments.
+    Large initiator-side transfers may occur due to legitimate activities such as cloud backups, file syncing, or developer build deployments.
     Backup servers, CI/CD pipelines, and enterprise sync tools (e.g., OneDrive, Dropbox) may exhibit similar patterns.
+    Uncommon connection initiation (e.g., certain server-initiated or asymmetric paths) can change which side is logged as the initiator; tune or filter those scenarios if needed.
     Additional validation using user context, scheduled task windows, or endpoint telemetry is recommended to reduce false positives.
 references:
     - https://www.cisco.com/c/en/us/td/docs/security/firepower/741/api/FQE/secure_firewall_estreamer_fqe_guide_740.pdf
@@ -48,7 +48,7 @@ drilldown_searches:
       earliest_offset: $info_min_time$
       latest_offset: $info_max_time$
 rba:
-    message: Potential data exfiltration from $src$ to $dest$ with $Exfiltrated$ MB of data exfiltrated"
+    message: Potential data exfiltration activity from $src$ to $dest$ — With $Potentially_Exfiltrated$ transferred (initiator bytes)
     risk_objects:
         - field: src
           type: system