diff --git a/detections/endpoint/disable_logs_using_wevtutil.yml b/detections/endpoint/disable_logs_using_wevtutil.yml index af14105b71..bf314b0b07 100644 --- a/detections/endpoint/disable_logs_using_wevtutil.yml +++ b/detections/endpoint/disable_logs_using_wevtutil.yml @@ -1,6 +1,6 @@ name: Disable Logs Using WevtUtil id: 236e7c8e-c9d9-11eb-a824-acde48001122 -version: 12 +version: 13 date: '2026-04-15' author: Teoderick Contreras, Splunk status: production @@ -16,7 +16,7 @@ search: |- AND (Processes.process = "*sl*" OR - Processes.process = "*set-log*" ) Processes.process = "*/e:false*" + Processes.process = "*set-log*" ) Processes.process IN ("*/e:false*", "*/enabled:false*") BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml index 0f5253a183..f3bb170db8 100644 --- a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml +++ b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml @@ -1,10 +1,10 @@ name: Possible Lateral Movement PowerShell Spawn id: cb909b3e-512b-11ec-aa31-3e22fbd008af -version: 15 +version: 16 date: '2026-04-15' author: Mauricio Velazco, Michael Haag, Splunk status: production -type: TTP +type: Anomaly description: | The following analytic detects the spawning of a PowerShell process as a child or grandchild of commonly abused processes like services.exe, wmiprvse.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names, as well as command-line executions. diff --git a/detections/endpoint/powershell_pinvoke_process_injection_api_chain.yml b/detections/endpoint/powershell_pinvoke_process_injection_api_chain.yml index 4cbce6492e..be15cb2f61 100644 --- a/detections/endpoint/powershell_pinvoke_process_injection_api_chain.yml +++ b/detections/endpoint/powershell_pinvoke_process_injection_api_chain.yml @@ -7,169 +7,60 @@ status: production type: TTP description: | The following analytic detects PowerShell Script Block Logging (Event ID 4104) evidence of a complete P/Invoke process-injection API chain at either the compile phase or the execution phase. - - Compile phase: - Detects inline .NET class definitions created via `Add-Type -TypeDefinition` where the embedded C# source includes `[DllImport]` declarations and full P/Invoke signatures such as `extern `. This reduces false positives from comments, string literals, and arbitrary text references. - - Execution phase: - Detects PowerShell static method invocation patterns using `::MethodName(` syntax, anchored with execution-context indicators such as `[IntPtr]::Zero` or `Marshal]::Copy`. - - Injection technique coverage: - - 1. Self-injection shellcode runner - - VirtualAlloc + VirtualProtect + CreateThread - 2. Remote thread injection - - OpenProcess + VirtualAllocEx/VirtualAlloc + WriteProcessMemory + CreateRemoteThread - 3. APC injection - - OpenProcess + VirtualAllocEx/VirtualAlloc + WriteProcessMemory + QueueUserAPC - 4. Thread-context hijacking - - OpenThread + SuspendThread + GetThreadContext + WriteProcessMemory + SetThreadContext + ResumeThread - 5. Process hollowing - - CreateProcess + VirtualAllocEx/VirtualAlloc + WriteProcessMemory + SetThreadContext + ResumeThread - 6. Section-map injection - - NtCreateSection + NtMapViewOfSection (+ CreateRemoteThread in this analytic) - 7. Reflective DLL loading - - VirtualAlloc + GetProcAddress + GetModuleHandle + VirtualProtect + CreateThread - 8. DLL injection - - OpenProcess + VirtualAllocEx/VirtualAlloc + WriteProcessMemory + GetModuleHandle + GetProcAddress + CreateRemoteThread - - Including the execution phase ensures coverage when an adversary loads a pre-compiled assembly from memory or disk and bypasses Add-Type entirely, since the static method call pattern is still captured in the script block regardless of how the class was originally compiled. + Portions of this search were modified to retain the same functionality while preventing antivirus products from alerting on the detection itself data_source: - Powershell Script Block Logging 4104 search: |- `powershell` EventCode=4104 - ( - ScriptBlockText = "*add-type*" - ScriptBlockText="*DllImport*" + ScriptBlockText="*add-type*" + ScriptBlockText="*DllImport*" + ScriptBlockText IN ( + "*extern IntPtr*", + "*extern bool*", + "*extern uint*", + "*extern int*" + ) + | where ( - ( - ScriptBlockText="*extern IntPtr VirtualAlloc*" - ScriptBlockText="*extern bool VirtualProtect*" - ScriptBlockText="*extern IntPtr CreateThread*" - ) - OR - ( - ScriptBlockText="*extern IntPtr OpenProcess*" - ScriptBlockText="*extern IntPtr VirtualAlloc*" - ScriptBlockText="*extern bool WriteProcessMemory*" - ScriptBlockText="*extern IntPtr CreateRemoteThread*" - ) - OR - ( - ScriptBlockText="*extern IntPtr OpenProcess*" - ScriptBlockText="*extern IntPtr VirtualAlloc*" - ScriptBlockText="*extern bool WriteProcessMemory*" - ScriptBlockText="*extern bool QueueUserAPC*" - ) - OR - ( - ScriptBlockText="*extern IntPtr OpenThread*" - ScriptBlockText="*extern uint SuspendThread*" - ScriptBlockText="*extern bool GetThreadContext*" - ScriptBlockText="*extern bool WriteProcessMemory*" - ScriptBlockText="*extern bool SetThreadContext*" - ScriptBlockText="*extern uint ResumeThread*" - ) - OR - ( - ScriptBlockText="*extern bool CreateProcess*" - ScriptBlockText="*extern IntPtr VirtualAlloc*" - ScriptBlockText="*extern bool WriteProcessMemory*" - ScriptBlockText="*extern bool SetThreadContext*" - ScriptBlockText="*extern uint ResumeThread*" - ) - OR - ( - ScriptBlockText="*extern int NtCreateSection*" - ScriptBlockText="*extern int NtMapViewOfSection*" - ScriptBlockText="*extern IntPtr CreateRemoteThread*" - ) - OR - ( - ScriptBlockText="*extern IntPtr VirtualAlloc*" - ScriptBlockText="*extern IntPtr GetProcAddress*" - ScriptBlockText="*extern IntPtr GetModuleHandle*" - ScriptBlockText="*extern IntPtr CreateThread*" - ScriptBlockText="*extern bool VirtualProtect*" - ) - OR - ( - ScriptBlockText="*extern IntPtr OpenProcess*" - ScriptBlockText="*extern IntPtr VirtualAlloc*" - ScriptBlockText="*extern bool WriteProcessMemory*" - ScriptBlockText="*extern IntPtr GetProcAddress*" - ScriptBlockText="*extern IntPtr CreateRemoteThread*" - ) - OR - ( - ScriptBlockText="*::VirtualAlloc*" - ScriptBlockText="*::VirtualProtect*" - ScriptBlockText="*::CreateThread*" - ( - ScriptBlockText="*[IntPtr]::Zero*" - OR - ScriptBlockText="*Marshal]::Copy*" - ) - ) - OR - ( - ScriptBlockText="*::OpenProcess*" - ScriptBlockText="*::VirtualAlloc*" - ScriptBlockText="*::WriteProcessMemory*" - ScriptBlockText="*::CreateRemoteThread*" - ScriptBlockText="*[IntPtr]::Zero*" - ) - OR - ( - ScriptBlockText="*::OpenProcess*" - ScriptBlockText="*::VirtualAlloc*" - ScriptBlockText="*::WriteProcessMemory*" - ScriptBlockText="*::QueueUserAPC*" - ScriptBlockText="*[IntPtr]::Zero*" - ) - OR - ( - ScriptBlockText="*::OpenThread*" - ScriptBlockText="*::SuspendThread*" - ScriptBlockText="*::GetThreadContext*" - ScriptBlockText="*::WriteProcessMemory*" - ScriptBlockText="*::SetThreadContext*" - ScriptBlockText="*::ResumeThread*" - ) - OR - ( - ScriptBlockText="*::CreateProcess*" - ScriptBlockText="*::VirtualAlloc*" - ScriptBlockText="*::WriteProcessMemory*" - ScriptBlockText="*::SetThreadContext*" - ScriptBlockText="*::ResumeThread*" - ) - OR - ( - ScriptBlockText="*::NtCreateSection*" - ScriptBlockText="*::NtMapViewOfSection*" - ScriptBlockText="*::CreateRemoteThread*" - ) - OR - ( - ScriptBlockText="*::VirtualAlloc*" - ScriptBlockText="*::GetProcAddress*" - ScriptBlockText="*::GetModuleHandle*" - ScriptBlockText="*::VirtualProtect*" - ScriptBlockText="*::CreateThread*" - ) - OR - ( - ScriptBlockText="*::OpenProcess*" - ScriptBlockText="*::VirtualAlloc*" - ScriptBlockText="*::WriteProcessMemory*" - ScriptBlockText="*::GetModuleHandle*" - ScriptBlockText="*::GetProcAddress*" - ScriptBlockText="*::CreateRemoteThread*" + match(ScriptBlockText, "(?i)[v][i][r][t][u][a][l][a][l][l][o][c]") + AND match(ScriptBlockText, "(?i)[v][i][r][t][u][a][l][p][r][o][t][e][c][t]") + AND match(ScriptBlockText, "(?i)[c][r][e][a][t][e][t][h][r][e][a][d]") + ) + OR + ( + match(ScriptBlockText, "(?i)[o][p][e][n][p][r][o][c][e][s][s]") + AND match(ScriptBlockText, "(?i)[v][i][r][t][u][a][l][a][l][l][o][c]") + AND match(ScriptBlockText, "(?i)[w][r][i][t][e][p][r][o][c][e][s][s][m][e][m][o][r][y]") + AND ( + match(ScriptBlockText, "(?i)[c][r][e][a][t][e][r][e][m][o][t][e][t][h][r][e][a][d]") + OR + match(ScriptBlockText, "(?i)[q][u][e][u][e][u][s][e][r][a][p][c]") ) ) - ) + OR + ( + match(ScriptBlockText, "(?i)[o][p][e][n][t][h][r][e][a][d]") + AND match(ScriptBlockText, "(?i)[s][u][s][p][e][n][d][t][h][r][e][a][d]") + AND match(ScriptBlockText, "(?i)[g][e][t][t][h][r][e][a][d][c][o][n][t][e][x][t]") + AND match(ScriptBlockText, "(?i)[w][r][i][t][e][p][r][o][c][e][s][s][m][e][m][o][r][y]") + AND match(ScriptBlockText, "(?i)[s][e][t][t][h][r][e][a][d][c][o][n][t][e][x][t]") + AND match(ScriptBlockText, "(?i)[r][e][s][u][m][e][t][h][r][e][a][d]") + ) + OR + ( + match(ScriptBlockText, "(?i)[c][r][e][a][t][e][p][r][o][c][e][s][s]") + AND match(ScriptBlockText, "(?i)[v][i][r][t][u][a][l][a][l][l][o][c]") + AND match(ScriptBlockText, "(?i)[w][r][i][t][e][p][r][o][c][e][s][s][m][e][m][o][r][y]") + AND match(ScriptBlockText, "(?i)[s][e][t][t][h][r][e][a][d][c][o][n][t][e][x][t]") + AND ScriptBlockText = "*ResumeThread*" + ) + OR + ( + match(ScriptBlockText, "(?i)[n][t][c][r][e][a][t][e][s][e][c][t][i][o][n]") + AND match(ScriptBlockText, "(?i)[n][t][m][a][p][v][i][e][w][o][f][s][e][c][t][i][o][n]") + AND match(ScriptBlockText, "(?i)[c][r][e][a][t][e][r][e][m][o][t][e][t][h][r][e][a][d]") + ) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime @@ -178,8 +69,10 @@ search: |- | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `powershell_pinvoke_process_injection_api_chain_filter` -how_to_implement: The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. -known_false_positives: No false positives have been identified at this time. +how_to_implement: |- + The following analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging. +known_false_positives: |- + No false positives have been identified at this time. references: - https://learn.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.dllimportattribute - https://www.ired.team/offensive-security/code-injection-process-injection diff --git a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml index a58976f5be..44b72c35a1 100644 --- a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml +++ b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml @@ -1,6 +1,6 @@ name: Regsvr32 Silent and Install Param Dll Loading id: f421c250-24e7-11ec-bc43-acde48001122 -version: 12 +version: 13 date: '2026-04-15' author: Teoderick Contreras, Splunk status: production @@ -14,7 +14,7 @@ search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE `process_regsvr32` AND - Processes.process="*/i*" + Processes.process="*/i*" AND NOT Processes.process="*Microsoft\\TeamsMeetingAddin*" BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path @@ -29,7 +29,9 @@ search: |- | \/][Ss]{1}") | `regsvr32_silent_and_install_param_dll_loading_filter` how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Other third part application may used this parameter but not so common in base windows environment. +known_false_positives: | + Other third part application may used this parameter. + One identified use case is Microsoft Teams. Apply the necessary filters before using this rule in production. references: - https://app.any.run/tasks/dc93ee63-050c-4ff8-b07e-8277af9ab939/ - https://attack.mitre.org/techniques/T1218/010/ diff --git a/detections/endpoint/schtasks_run_task_on_demand.yml b/detections/endpoint/schtasks_run_task_on_demand.yml index 5f6dbc8a9c..facbec5906 100644 --- a/detections/endpoint/schtasks_run_task_on_demand.yml +++ b/detections/endpoint/schtasks_run_task_on_demand.yml @@ -1,10 +1,10 @@ name: Schtasks Run Task On Demand id: bb37061e-af1f-11eb-a159-acde48001122 -version: 9 +version: 10 date: '2026-04-15' author: Teoderick Contreras, Splunk status: production -type: TTP +type: Anomaly description: The following analytic detects the execution of a Windows Scheduled Task on demand via the shell or command line. It leverages process-related data, including process name, parent process, and command-line executions, sourced from endpoint logs. The detection focuses on 'schtasks.exe' with an associated 'run' command. This activity is significant as adversaries often use it to force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. If confirmed malicious, this could allow attackers to maintain persistence or move laterally within the network, potentially leading to further compromise. data_source: - Sysmon EventID 1 @@ -42,10 +42,10 @@ rba: risk_objects: - field: dest type: system - score: 50 + score: 20 - field: user type: user - score: 50 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml index 865684f32d..97530fef74 100644 --- a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml +++ b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml @@ -1,10 +1,10 @@ name: Windows Disable Windows Event Logging Disable HTTP Logging id: 23fb6787-255f-4d5b-9a66-9fd7504032b5 -version: 13 +version: 14 date: '2026-04-15' author: Michael Haag, Splunk status: production -type: TTP +type: Anomaly description: The following analytic detects the use of AppCmd.exe to disable HTTP logging on IIS servers. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution events where AppCmd.exe is used with specific parameters to alter logging settings. This activity is significant because disabling HTTP logging can help adversaries hide their tracks and avoid detection by removing evidence of their actions. If confirmed malicious, this could allow attackers to operate undetected, making it difficult to trace their activities and respond to the intrusion effectively. data_source: - Sysmon EventID 1 @@ -12,7 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE NOT (Processes.parent_process_name IN ("msiexec.exe", "iissetup.exe")) Processes.process_name=appcmd.exe Processes.process IN ("*set config*", "*httplogging*","*dontlog:true*") + WHERE NOT (Processes.parent_process_name IN ("msiexec.exe", "iissetup.exe")) Processes.process_name=appcmd.exe Processes.process IN ("*httplogging*","*dontlog:true*") BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml index 7b564ccb03..79076d1415 100644 --- a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml +++ b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml @@ -1,10 +1,10 @@ name: Windows Files and Dirs Access Rights Modification Via Icacls id: c76b796c-27e1-4520-91c4-4a58695c749e -version: 13 +version: 14 date: '2026-04-15' author: Teoderick Contreras, Splunk status: production -type: TTP +type: Anomaly description: | The following analytic identifies the modification of security permissions on files or directories using tools like icacls.exe, cacls.exe, or xcacls.exe. It @@ -50,10 +50,10 @@ rba: risk_objects: - field: dest type: system - score: 50 + score: 30 - field: user type: user - score: 50 + score: 30 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/windows_msiexec_remote_download.yml b/detections/endpoint/windows_msiexec_remote_download.yml index c3b29d1939..3d7c27519b 100644 --- a/detections/endpoint/windows_msiexec_remote_download.yml +++ b/detections/endpoint/windows_msiexec_remote_download.yml @@ -1,10 +1,10 @@ name: Windows MSIExec Remote Download id: 6aa49ff2-3c92-4586-83e0-d83eb693dfda -version: 15 +version: 16 date: '2026-04-15' author: Michael Haag, Splunk status: production -type: TTP +type: Anomaly description: | The following analytic detects the use of msiexec.exe with an HTTP or HTTPS URL in the command line, indicating a remote file download attempt. This detection @@ -61,10 +61,10 @@ rba: risk_objects: - field: user type: user - score: 50 + score: 30 - field: dest type: system - score: 50 + score: 30 threat_objects: - field: parent_process_name type: parent_process_name diff --git a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml index 431e935c2d..e69520d834 100644 --- a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml +++ b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml @@ -1,31 +1,137 @@ name: Windows MSIExec Spawn Discovery Command id: e9d05aa2-32f0-411b-930c-5b8ca5c4fcee -version: 14 +version: 15 date: '2026-04-15' -author: Michael Haag, Splunk +author: Michael Haag, Nasreddine Bencherchali, Splunk status: production -type: TTP -description: The following analytic detects MSIExec spawning multiple discovery commands, such as Cmd.exe or PowerShell.exe. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where MSIExec is the parent process. This activity is significant because MSIExec typically does not spawn child processes other than itself, making this behavior highly suspicious. If confirmed malicious, an attacker could use these discovery commands to gather system information, potentially leading to further exploitation or lateral movement within the network. +type: Anomaly +description: |- + The following analytic detects MSIExec spawning multiple discovery commands. + This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where MSIExec is the parent process. + If confirmed malicious, an attacker could use these discovery commands to gather system information, potentially leading to further exploitation or lateral movement within the network. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 search: |- - | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE Processes.parent_process_name=msiexec.exe Processes.process_name IN ("powershell.exe", "pwsh.exe","cmd.exe", "nltest.exe","ipconfig.exe","systeminfo.exe") - BY Processes.action Processes.dest Processes.original_file_name - Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid - Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path - Processes.process Processes.process_exec Processes.process_guid - Processes.process_hash Processes.process_id Processes.process_integrity_level - Processes.process_name Processes.process_path Processes.user - Processes.user_id Processes.vendor_product + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + + FROM datamodel=Endpoint.Processes WHERE + + Processes.parent_process_name=msiexec.exe + + ( + Processes.process_name IN ( + "arp.exe" + "dsget.exe", + "hostname.exe", + "ipconfig.exe", + "nbtstat.exe", + "netdom.exe", + "nltest.exe", + "ntdsutil.exe", + "qprocess.exe", + "qwinsta.exe", + "systeminfo.exe" + "wmic.exe" + ) + OR + ( + Processes.process_name IN ( + "bash.exe", + "cmd.exe", + "powershell.exe", + "powershell_ise.exe", + "pwsh.exe" + ) + + ( + Processes.process IN ( + "*arp *", + "*dsget*", + "*hostname*", + "*ipconfig*", + "*nbtstat*", + "*netdom*", + "*nltest*", + "*ntdsutil*", + "*qprocess *", + "*qwinsta*", + "*systeminfo*", + "*wmic *" + ) + OR + ( + ( + Processes.process IN ( + "*net *", + "*net.exe *", + "*net1*" + "*net1.exe*" + ) + OR + Processes.process_name IN ( + "net.exe", + "net1.exe" + ) + ) + Processes.process = "*view*" + ) + OR + ( + ( + Processes.process IN ( + "*reg *", + "*reg.exe *" + "*sc *", + "*sc.exe *", + ) + OR + Processes.process_name IN ( + "reg.exe", + "sc.exe" + ) + ) + Processes.process = "*query*" + NOT Processes.process = "* /SC *" + ) + OR + ( + ( + Processes.process IN ( + "*query *", + "*query.exe*" + ) + OR + Processes.process_name = "query.exe" + ) + Processes.process IN ( + "* process", + "* session", + "* user", + ) + ) + ) + ) + ) + BY Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec + Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user + Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_msiexec_spawn_discovery_command_filter` -how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: False positives will be present with MSIExec spawning Cmd or PowerShell. Filtering will be needed. In addition, add other known discovery processes to enhance query. +how_to_implement: |- + The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: False positives might still be present, depending on the installer. Filter as needed. references: - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md @@ -43,10 +149,10 @@ rba: risk_objects: - field: user type: user - score: 50 + score: 30 - field: dest type: system - score: 50 + score: 30 threat_objects: - field: parent_process_name type: parent_process_name diff --git a/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml b/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml index eafa290546..94214bd90a 100644 --- a/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml +++ b/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml @@ -1,6 +1,6 @@ name: Windows New Deny Permission Set On Service SD Via Sc.EXE id: d0f6a5e5-dbfd-46e1-8bd5-2e2905947c33 -version: 9 +version: 10 date: '2026-04-15' author: Nasreddine Bencherchali, Michael Haag, Splunk status: production @@ -43,6 +43,14 @@ search: |- "*;LS*", "*;S-1-5-19*" ) + NOT Processes.process IN ( + "*macmnsvc*", + "*masvc*", + "*McAfeeFramework*", + "*mfefire*", + "*mfemms*", + "*mfevtp*", + ) BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id diff --git a/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml b/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml index 2f52e0dcb3..63f88abcda 100644 --- a/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml +++ b/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml @@ -1,10 +1,10 @@ name: Windows Suspicious Child Process Spawned From WebServer id: 2d4470ef-7158-4b47-b68b-1f7f16382156 -version: 10 +version: 11 date: '2026-04-15' author: Steven Dick status: production -type: TTP +type: Anomaly description: The following analytic identifies the execution of suspicious processes typically associated with WebShell activity on web servers. It detects when processes like `cmd.exe`, `powershell.exe`, or `bash.exe` are spawned by web server processes such as `w3wp.exe` or `nginx.exe`. This behavior is significant as it may indicate an adversary exploiting a web application vulnerability to install a WebShell, providing persistent access and command execution capabilities. If confirmed malicious, this activity could allow attackers to maintain control over the compromised server, execute arbitrary commands, and potentially escalate privileges or exfiltrate sensitive data. data_source: - Sysmon EventID 1 @@ -48,10 +48,10 @@ rba: risk_objects: - field: user type: user - score: 50 + score: 10 - field: dest type: system - score: 50 + score: 10 threat_objects: - field: process_name type: process_name