diff --git a/detections/application/cisco_ai_defense_security_alerts_by_application_name.yml b/detections/application/cisco_ai_defense_security_alerts_by_application_name.yml
index c48bd01701..f1fe80d09d 100644
--- a/detections/application/cisco_ai_defense_security_alerts_by_application_name.yml
+++ b/detections/application/cisco_ai_defense_security_alerts_by_application_name.yml
@@ -1,7 +1,7 @@
 name: Cisco AI Defense Security Alerts by Application Name
 id: 105e4a69-ec55-49fc-be1f-902467435ea8
-version: 2
-date: '2025-03-21'
+version: 3
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/cisco_secure_application_alerts.yml b/detections/application/cisco_secure_application_alerts.yml
index f111f024d6..6e69995755 100644
--- a/detections/application/cisco_secure_application_alerts.yml
+++ b/detections/application/cisco_secure_application_alerts.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Application Alerts
 id: 9982bff4-fc5d-49a3-ab9e-2dbbab2a711b
-version: 1
-date: '2025-02-04'
+version: 2
+date: '2025-05-02'
 author: Ryan Long, Bhavin Patel, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/crushftp_server_side_template_injection.yml b/detections/application/crushftp_server_side_template_injection.yml
index 01fc428ed4..191dbf5fcf 100644
--- a/detections/application/crushftp_server_side_template_injection.yml
+++ b/detections/application/crushftp_server_side_template_injection.yml
@@ -1,7 +1,7 @@
 name: CrushFTP Server Side Template Injection
 id: ccf6b7a3-bd39-4bc9-a949-143a8d640dbc
-version: 3
-date: '2025-01-21'
+version: 4
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source:
 - CrushFTP
diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml
index db367690c3..169d29b718 100644
--- a/detections/application/detect_distributed_password_spray_attempts.yml
+++ b/detections/application/detect_distributed_password_spray_attempts.yml
@@ -1,7 +1,7 @@
 name: Detect Distributed Password Spray Attempts
 id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: Hunting
diff --git a/detections/application/detect_html_help_spawn_child_process.yml b/detections/application/detect_html_help_spawn_child_process.yml
index d4dd55f277..4047b390a4 100644
--- a/detections/application/detect_html_help_spawn_child_process.yml
+++ b/detections/application/detect_html_help_spawn_child_process.yml
@@ -1,7 +1,7 @@
 name: Detect HTML Help Spawn Child Process
 id: 723716de-ee55-4cd4-9759-c44e7e55ba4b
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/application/detect_new_login_attempts_to_routers.yml b/detections/application/detect_new_login_attempts_to_routers.yml
index fb892eaaa3..d54cfb30ca 100644
--- a/detections/application/detect_new_login_attempts_to_routers.yml
+++ b/detections/application/detect_new_login_attempts_to_routers.yml
@@ -1,7 +1,7 @@
 name: Detect New Login Attempts to Routers
 id: bce3ed7c-9b1f-42a0-abdf-d8b123a34836
-version: 4
-date: '2025-01-21'
+version: 5
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: experimental
 type: TTP
diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml
index 21275d7c0a..cec371b2da 100644
--- a/detections/application/detect_password_spray_attempts.yml
+++ b/detections/application/detect_password_spray_attempts.yml
@@ -1,7 +1,7 @@
 name: Detect Password Spray Attempts
 id: 086ab581-8877-42b3-9aee-4a7ecb0923af
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/application/email_attachments_with_lots_of_spaces.yml b/detections/application/email_attachments_with_lots_of_spaces.yml
index e75c27439a..4b73142907 100644
--- a/detections/application/email_attachments_with_lots_of_spaces.yml
+++ b/detections/application/email_attachments_with_lots_of_spaces.yml
@@ -1,7 +1,7 @@
 name: Email Attachments With Lots Of Spaces
 id: 56e877a6-1455-4479-ada6-0550dc1e22f8
-version: 5
-date: '2025-01-21'
+version: 6
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/application/email_files_written_outside_of_the_outlook_directory.yml b/detections/application/email_files_written_outside_of_the_outlook_directory.yml
index e3a6e01a10..2b683f0f10 100644
--- a/detections/application/email_files_written_outside_of_the_outlook_directory.yml
+++ b/detections/application/email_files_written_outside_of_the_outlook_directory.yml
@@ -1,7 +1,7 @@
 name: Email files written outside of the Outlook directory
 id: 8d52cf03-ba25-4101-aa78-07994aed4f74
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: experimental
 type: TTP
diff --git a/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml b/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml
index ccbe394899..ae9e6c81bd 100644
--- a/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml
+++ b/detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml
@@ -1,7 +1,7 @@
 name: Email servers sending high volume traffic to hosts
 id: 7f5fb3e1-4209-4914-90db-0ec21b556378
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/application/ivanti_vtm_new_account_creation.yml b/detections/application/ivanti_vtm_new_account_creation.yml
index 1cb41a1d85..f252b27333 100644
--- a/detections/application/ivanti_vtm_new_account_creation.yml
+++ b/detections/application/ivanti_vtm_new_account_creation.yml
@@ -1,7 +1,7 @@
 name: Ivanti VTM New Account Creation
 id: b04be6e5-2002-4349-8742-52285635b8f5
-version: 3
-date: '2025-01-21'
+version: 4
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source:
 - Ivanti VTM Audit
diff --git a/detections/application/monitor_email_for_brand_abuse.yml b/detections/application/monitor_email_for_brand_abuse.yml
index fb4e90525e..d81f11a512 100644
--- a/detections/application/monitor_email_for_brand_abuse.yml
+++ b/detections/application/monitor_email_for_brand_abuse.yml
@@ -1,7 +1,7 @@
 name: Monitor Email For Brand Abuse
 id: b2ea1f38-3a3e-4b8a-9cf1-82760d86a6b8
-version: 5
-date: '2025-01-21'
+version: 6
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: experimental
 type: TTP
diff --git a/detections/application/no_windows_updates_in_a_time_frame.yml b/detections/application/no_windows_updates_in_a_time_frame.yml
index 5c20fa4d04..f4e1520164 100644
--- a/detections/application/no_windows_updates_in_a_time_frame.yml
+++ b/detections/application/no_windows_updates_in_a_time_frame.yml
@@ -1,7 +1,7 @@
 name: No Windows Updates in a time frame
 id: 1a77c08c-2f56-409c-a2d3-7d64617edd4f
-version: 4
-date: '2025-01-21'
+version: 5
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Hunting
diff --git a/detections/application/okta_authentication_failed_during_mfa_challenge.yml b/detections/application/okta_authentication_failed_during_mfa_challenge.yml
index 67546ddaf4..c36c5802a2 100644
--- a/detections/application/okta_authentication_failed_during_mfa_challenge.yml
+++ b/detections/application/okta_authentication_failed_during_mfa_challenge.yml
@@ -1,7 +1,7 @@
 name: Okta Authentication Failed During MFA Challenge
 id: e2b99e7d-d956-411a-a120-2b14adfdde93
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 data_source:
 - Okta
diff --git a/detections/application/okta_idp_lifecycle_modifications.yml b/detections/application/okta_idp_lifecycle_modifications.yml
index aaaf5d028c..ed4433b81c 100644
--- a/detections/application/okta_idp_lifecycle_modifications.yml
+++ b/detections/application/okta_idp_lifecycle_modifications.yml
@@ -1,7 +1,7 @@
 name: Okta IDP Lifecycle Modifications
 id: e0be2c83-5526-4219-a14f-c3db2e763d15
-version: 4
-date: '2025-01-21'
+version: 5
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 data_source:
 - Okta
diff --git a/detections/application/okta_mfa_exhaustion_hunt.yml b/detections/application/okta_mfa_exhaustion_hunt.yml
index 44e343d505..9e0fe3e7ea 100644
--- a/detections/application/okta_mfa_exhaustion_hunt.yml
+++ b/detections/application/okta_mfa_exhaustion_hunt.yml
@@ -1,7 +1,7 @@
 name: Okta MFA Exhaustion Hunt
 id: 97e2fe57-3740-402c-988a-76b64ce04b8d
-version: 5
-date: '2025-01-21'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Marissa Bower, Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml b/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml
index 5b2d38b889..d26df5d05b 100644
--- a/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml
+++ b/detections/application/okta_mismatch_between_source_and_response_for_verify_push_request.yml
@@ -1,7 +1,7 @@
 name: Okta Mismatch Between Source and Response for Verify Push Request
 id: 8085b79b-9b85-4e67-ad63-351c9e9a5e9a
-version: 5
-date: '2025-01-21'
+version: 6
+date: '2025-05-02'
 author: John Murphy and Jordan Ruocco, Okta, Michael Haag, Bhavin Patel, Splunk
 type: TTP
 status: production
diff --git a/detections/application/okta_multi_factor_authentication_disabled.yml b/detections/application/okta_multi_factor_authentication_disabled.yml
index 1f00b30af6..c2c7415c72 100644
--- a/detections/application/okta_multi_factor_authentication_disabled.yml
+++ b/detections/application/okta_multi_factor_authentication_disabled.yml
@@ -1,7 +1,7 @@
 name: Okta Multi-Factor Authentication Disabled
 id: 7c0348ce-bdf9-45f6-8a57-c18b5976f00a
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 data_source:
 - Okta
diff --git a/detections/application/okta_multiple_accounts_locked_out.yml b/detections/application/okta_multiple_accounts_locked_out.yml
index 75c71fe9a2..34a3dd331a 100644
--- a/detections/application/okta_multiple_accounts_locked_out.yml
+++ b/detections/application/okta_multiple_accounts_locked_out.yml
@@ -1,7 +1,7 @@
 name: Okta Multiple Accounts Locked Out
 id: a511426e-184f-4de6-8711-cfd2af29d1e1
-version: 5
-date: '2025-01-21'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Mauricio Velazco, Splunk
 data_source:
 - Okta
diff --git a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml
index 480bfba483..9939d26212 100644
--- a/detections/application/okta_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/application/okta_multiple_failed_mfa_requests_for_user.yml
@@ -1,7 +1,7 @@
 name: Okta Multiple Failed MFA Requests For User
 id: 826dbaae-a1e6-4c8c-b384-d16898956e73
-version: 6
-date: '2025-01-21'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 data_source:
 - Okta
diff --git a/detections/application/okta_multiple_failed_requests_to_access_applications.yml b/detections/application/okta_multiple_failed_requests_to_access_applications.yml
index 66af928a39..d7fd44601a 100644
--- a/detections/application/okta_multiple_failed_requests_to_access_applications.yml
+++ b/detections/application/okta_multiple_failed_requests_to_access_applications.yml
@@ -1,7 +1,7 @@
 name: Okta Multiple Failed Requests to Access Applications
 id: 1c21fed1-7000-4a2e-9105-5aaafa437247
-version: 4
-date: '2025-01-21'
+version: 5
+date: '2025-05-02'
 author: John Murphy, Okta, Michael Haag, Splunk
 type: Hunting
 status: experimental
diff --git a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml
index 7a9dd565c7..e27356b59a 100644
--- a/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/application/okta_multiple_users_failing_to_authenticate_from_ip.yml
@@ -1,7 +1,7 @@
 name: Okta Multiple Users Failing To Authenticate From Ip
 id: de365ffa-42f5-46b5-b43f-fa72290b8218
-version: 6
-date: '2025-01-21'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Mauricio Velazco, Splunk
 data_source:
 - Okta
diff --git a/detections/application/okta_new_api_token_created.yml b/detections/application/okta_new_api_token_created.yml
index a99f98dad1..b2554e1072 100644
--- a/detections/application/okta_new_api_token_created.yml
+++ b/detections/application/okta_new_api_token_created.yml
@@ -1,7 +1,7 @@
 name: Okta New API Token Created
 id: c3d22720-35d3-4da4-bd0a-740d37192bd4
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/application/okta_new_device_enrolled_on_account.yml b/detections/application/okta_new_device_enrolled_on_account.yml
index 6522437728..19f5754c17 100644
--- a/detections/application/okta_new_device_enrolled_on_account.yml
+++ b/detections/application/okta_new_device_enrolled_on_account.yml
@@ -1,7 +1,7 @@
 name: Okta New Device Enrolled on Account
 id: bb27cbce-d4de-432c-932f-2e206e9130fb
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml b/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml
index f2fe0f1b3c..dc4ff78883 100644
--- a/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml
+++ b/detections/application/okta_phishing_detection_with_fastpass_origin_check.yml
@@ -1,7 +1,7 @@
 name: Okta Phishing Detection with FastPass Origin Check
 id: f4ca0057-cbf3-44f8-82ea-4e330ee901d3
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Okta, Inc, Michael Haag, Splunk
 type: TTP
 status: experimental
diff --git a/detections/application/okta_risk_threshold_exceeded.yml b/detections/application/okta_risk_threshold_exceeded.yml
index b7bda27c7f..be36a2e2ab 100644
--- a/detections/application/okta_risk_threshold_exceeded.yml
+++ b/detections/application/okta_risk_threshold_exceeded.yml
@@ -1,7 +1,7 @@
 name: Okta Risk Threshold Exceeded
 id: d8b967dd-657f-4d88-93b5-c588bcd7218c
-version: 6
-date: '2025-04-16'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Bhavin Patel, Splunk
 status: production
 type: Correlation
diff --git a/detections/application/okta_successful_single_factor_authentication.yml b/detections/application/okta_successful_single_factor_authentication.yml
index b3e64eb591..59d7298489 100644
--- a/detections/application/okta_successful_single_factor_authentication.yml
+++ b/detections/application/okta_successful_single_factor_authentication.yml
@@ -1,7 +1,7 @@
 name: Okta Successful Single Factor Authentication
 id: 98f6ad4f-4325-4096-9d69-45dc8e638e82
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 data_source:
 - Okta
diff --git a/detections/application/okta_suspicious_activity_reported.yml b/detections/application/okta_suspicious_activity_reported.yml
index ebd37b322f..837cc7c959 100644
--- a/detections/application/okta_suspicious_activity_reported.yml
+++ b/detections/application/okta_suspicious_activity_reported.yml
@@ -1,7 +1,7 @@
 name: Okta Suspicious Activity Reported
 id: bfc840f5-c9c6-454c-aa13-b46fd0bf1e79
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/application/okta_suspicious_use_of_a_session_cookie.yml b/detections/application/okta_suspicious_use_of_a_session_cookie.yml
index 1eaa45a784..5bc3f434c1 100644
--- a/detections/application/okta_suspicious_use_of_a_session_cookie.yml
+++ b/detections/application/okta_suspicious_use_of_a_session_cookie.yml
@@ -1,7 +1,7 @@
 name: Okta Suspicious Use of a Session Cookie
 id: 71ad47d1-d6bd-4e0a-b35c-020ad9a6959e
-version: 6
-date: '2025-01-21'
+version: 7
+date: '2025-05-02'
 author: Scott Dermott, Felicity Robson, Okta, Michael Haag, Bhavin Patel, Splunk
 type: Anomaly
 status: production
diff --git a/detections/application/okta_threatinsight_threat_detected.yml b/detections/application/okta_threatinsight_threat_detected.yml
index 5b74baf959..3da7031739 100644
--- a/detections/application/okta_threatinsight_threat_detected.yml
+++ b/detections/application/okta_threatinsight_threat_detected.yml
@@ -1,7 +1,7 @@
 name: Okta ThreatInsight Threat Detected
 id: 140504ae-5fe2-4d65-b2bc-a211813fbca6
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: Anomaly
diff --git a/detections/application/okta_unauthorized_access_to_application.yml b/detections/application/okta_unauthorized_access_to_application.yml
index 256136edbc..1f5c8285fc 100644
--- a/detections/application/okta_unauthorized_access_to_application.yml
+++ b/detections/application/okta_unauthorized_access_to_application.yml
@@ -1,7 +1,7 @@
 name: Okta Unauthorized Access to Application
 id: 5f661629-9750-4cb9-897c-1f05d6db8727
-version: 5
-date: '2025-01-21'
+version: 6
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 data_source:
 - Okta
diff --git a/detections/application/okta_user_logins_from_multiple_cities.yml b/detections/application/okta_user_logins_from_multiple_cities.yml
index 46695a6647..a068a40a44 100644
--- a/detections/application/okta_user_logins_from_multiple_cities.yml
+++ b/detections/application/okta_user_logins_from_multiple_cities.yml
@@ -1,7 +1,7 @@
 name: Okta User Logins from Multiple Cities
 id: a3d1df37-c2a9-41d0-aa8f-59f82d6192a8
-version: 4
-date: '2025-01-21'
+version: 5
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 data_source:
 - Okta
diff --git a/detections/application/pingid_mismatch_auth_source_and_verification_response.yml b/detections/application/pingid_mismatch_auth_source_and_verification_response.yml
index 17e059d927..f755801856 100644
--- a/detections/application/pingid_mismatch_auth_source_and_verification_response.yml
+++ b/detections/application/pingid_mismatch_auth_source_and_verification_response.yml
@@ -1,7 +1,7 @@
 name: PingID Mismatch Auth Source and Verification Response
 id: 15b0694e-caa2-4009-8d83-a1f98b86d086
-version: 5
-date: '2025-01-21'
+version: 6
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml b/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml
index cc54651de5..5e1c89e279 100644
--- a/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/application/pingid_multiple_failed_mfa_requests_for_user.yml
@@ -1,7 +1,7 @@
 name: PingID Multiple Failed MFA Requests For User
 id: c1bc706a-0025-4814-ad30-288f38865036
-version: 4
-date: '2025-01-21'
+version: 5
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/application/pingid_new_mfa_method_after_credential_reset.yml b/detections/application/pingid_new_mfa_method_after_credential_reset.yml
index b8edaa08af..78fe69218b 100644
--- a/detections/application/pingid_new_mfa_method_after_credential_reset.yml
+++ b/detections/application/pingid_new_mfa_method_after_credential_reset.yml
@@ -1,7 +1,7 @@
 name: PingID New MFA Method After Credential Reset
 id: 2fcbce12-cffa-4c84-b70c-192604d201d0
-version: 4
-date: '2025-01-21'
+version: 5
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/application/pingid_new_mfa_method_registered_for_user.yml b/detections/application/pingid_new_mfa_method_registered_for_user.yml
index 0547d0d3b2..1df693343b 100644
--- a/detections/application/pingid_new_mfa_method_registered_for_user.yml
+++ b/detections/application/pingid_new_mfa_method_registered_for_user.yml
@@ -1,7 +1,7 @@
 name: PingID New MFA Method Registered For User
 id: 892dfeaf-461d-4a78-aac8-b07e185c9bce
-version: 4
-date: '2025-01-21'
+version: 5
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/application/suspicious_email_attachment_extensions.yml b/detections/application/suspicious_email_attachment_extensions.yml
index f557b97bca..8c7f948a93 100644
--- a/detections/application/suspicious_email_attachment_extensions.yml
+++ b/detections/application/suspicious_email_attachment_extensions.yml
@@ -1,7 +1,7 @@
 name: Suspicious Email Attachment Extensions
 id: 473bd65f-06ca-4dfe-a2b8-ba04ab4a0084
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/application/suspicious_java_classes.yml b/detections/application/suspicious_java_classes.yml
index d97372c093..dfc58111a2 100644
--- a/detections/application/suspicious_java_classes.yml
+++ b/detections/application/suspicious_java_classes.yml
@@ -1,7 +1,7 @@
 name: Suspicious Java Classes
 id: 6ed33786-5e87-4f55-b62c-cb5f1168b831
-version: 4
-date: '2025-01-21'
+version: 5
+date: '2025-05-02'
 author: Jose Hernandez, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml b/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml
index 6581d23fca..1cb782e976 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_infrastructure_api_calls.yml
@@ -1,7 +1,7 @@
 name: Abnormally High Number Of Cloud Infrastructure API Calls
 id: 0840ddf1-8c89-46ff-b730-c8d6722478c0
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml b/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml
index e9bcb75db0..1d36071ca8 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_instances_destroyed.yml
@@ -1,7 +1,7 @@
 name: Abnormally High Number Of Cloud Instances Destroyed
 id: ef629fc9-1583-4590-b62a-f2247fbf7bbf
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml b/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml
index 9edf6d5b9a..93d678f8de 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_instances_launched.yml
@@ -1,7 +1,7 @@
 name: Abnormally High Number Of Cloud Instances Launched
 id: f2361e9f-3928-496c-a556-120cd4223a65
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml b/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml
index 761e9de23d..f5b6dd1720 100644
--- a/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml
+++ b/detections/cloud/abnormally_high_number_of_cloud_security_group_api_calls.yml
@@ -1,7 +1,7 @@
 name: Abnormally High Number Of Cloud Security Group API Calls
 id: d4dfb7f3-7a37-498a-b5df-f19334e871af
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml b/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml
index 2f2bc30292..7627be4597 100644
--- a/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml
+++ b/detections/cloud/amazon_eks_kubernetes_cluster_scan_detection.yml
@@ -1,7 +1,7 @@
 name: Amazon EKS Kubernetes cluster scan detection
 id: 294c4686-63dd-4fe6-93a2-ca807626704a
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Rod Soto, Splunk
 status: experimental
 type: Hunting
diff --git a/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml b/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml
index 3467645f6f..ec18b64d6d 100644
--- a/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml
+++ b/detections/cloud/amazon_eks_kubernetes_pod_scan_detection.yml
@@ -1,7 +1,7 @@
 name: Amazon EKS Kubernetes Pod scan detection
 id: dbfca1dd-b8e5-4ba4-be0e-e565e5d62002
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Rod Soto, Splunk
 status: experimental
 type: Hunting
diff --git a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
index eaf8027900..5ba631bff4 100644
--- a/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/asl_aws_concurrent_sessions_from_different_ips.yml
@@ -1,7 +1,7 @@
 name: ASL AWS Concurrent Sessions From Different Ips
 id: b3424bbe-3204-4469-887b-ec144483a336
-version: 7
-date: '2024-11-14'
+version: 8
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/asl_aws_create_access_key.yml b/detections/cloud/asl_aws_create_access_key.yml
index fbe7451376..280efa3f0b 100644
--- a/detections/cloud/asl_aws_create_access_key.yml
+++ b/detections/cloud/asl_aws_create_access_key.yml
@@ -1,7 +1,7 @@
 name: ASL AWS Create Access Key
 id: 81a9f2fe-1697-473c-af1d-086b0d8b63c8
-version: 3
-date: '2025-02-10'
+version: 4
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Hunting
diff --git a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml
index ebc5717631..f85c9a6a2a 100644
--- a/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml
+++ b/detections/cloud/asl_aws_create_policy_version_to_allow_all_resources.yml
@@ -1,7 +1,7 @@
 name: ASL AWS Create Policy Version to allow all resources
 id: 22cc7a62-3884-48c4-82da-592b8199b72f
-version: 3
-date: '2025-02-10'
+version: 4
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/asl_aws_credential_access_getpassworddata.yml b/detections/cloud/asl_aws_credential_access_getpassworddata.yml
index e97f64423a..7cb825a6c1 100644
--- a/detections/cloud/asl_aws_credential_access_getpassworddata.yml
+++ b/detections/cloud/asl_aws_credential_access_getpassworddata.yml
@@ -1,7 +1,7 @@
 name: ASL AWS Credential Access GetPasswordData
 id: a79b607a-50cc-4704-bb9d-eff280cb78c2
-version: 3
-date: '2025-02-10'
+version: 4
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml
index 7105538b78..20f90cc812 100644
--- a/detections/cloud/asl_aws_credential_access_rds_password_reset.yml
+++ b/detections/cloud/asl_aws_credential_access_rds_password_reset.yml
@@ -1,7 +1,7 @@
 name: ASL AWS Credential Access RDS Password reset
 id: d15e9bd9-ef64-4d84-bc04-f62955a9fee8
-version: 3
-date: '2025-02-10'
+version: 4
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml
index 0caed90b62..2bcb849df2 100644
--- a/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudtrail.yml
@@ -1,7 +1,7 @@
 name: ASL AWS Defense Evasion Delete Cloudtrail
 id: 1f0b47e5-0134-43eb-851c-e3258638945e
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
index f13418270d..6eb746b6f9 100644
--- a/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
+++ b/detections/cloud/asl_aws_defense_evasion_delete_cloudwatch_log_group.yml
@@ -1,7 +1,7 @@
 name: ASL AWS Defense Evasion Delete CloudWatch Log Group
 id: 0f701b38-a0fb-43fd-a83d-d12265f71f33
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml
index 5234ae230b..016c455114 100644
--- a/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml
+++ b/detections/cloud/asl_aws_defense_evasion_impair_security_services.yml
@@ -1,7 +1,7 @@
 name: ASL AWS Defense Evasion Impair Security Services
 id: 5029b681-0462-47b7-82e7-f7e3d37f5a2d
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Patrick Bareiss, Bhavin Patel, Gowthamaraj Rajendran, Splunk
 status: production
 type: Hunting
diff --git a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml
index ce16123a06..d90ecd24e1 100644
--- a/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml
+++ b/detections/cloud/asl_aws_defense_evasion_putbucketlifecycle.yml
@@ -1,7 +1,7 @@
 name: ASL AWS Defense Evasion PutBucketLifecycle
 id: 986565a2-7707-48ea-9590-37929cebc938
-version: 3
-date: '2025-02-10'
+version: 4
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Hunting
diff --git a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
index 8182273cb2..7a6ac5dd90 100644
--- a/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_stop_logging_cloudtrail.yml
@@ -1,7 +1,7 @@
 name: ASL AWS Defense Evasion Stop Logging Cloudtrail
 id: 0b78a8f9-1d31-4d23-85c8-56ad13d5b4c1
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
index 5a1208fb76..4fe0ecd639 100644
--- a/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
+++ b/detections/cloud/asl_aws_defense_evasion_update_cloudtrail.yml
@@ -1,7 +1,7 @@
 name: ASL AWS Defense Evasion Update Cloudtrail
 id: f3eb471c-16d0-404d-897c-7653f0a78cba
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
index 9ad002d4d2..4c45c4ec50 100644
--- a/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
+++ b/detections/cloud/asl_aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
@@ -1,7 +1,7 @@
 name: ASL AWS Detect Users creating keys with encrypt policy without MFA
 id: 16ae9076-d1d5-411c-8fdd-457504b33dac
-version: 2
-date: '2024-12-16'
+version: 3
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/asl_aws_disable_bucket_versioning.yml b/detections/cloud/asl_aws_disable_bucket_versioning.yml
index 658ec386de..a62ed822f7 100644
--- a/detections/cloud/asl_aws_disable_bucket_versioning.yml
+++ b/detections/cloud/asl_aws_disable_bucket_versioning.yml
@@ -1,7 +1,7 @@
 name: ASL AWS Disable Bucket Versioning
 id: f32598bb-fa5f-4afd-8ab3-0263cc28efbc
-version: 2
-date: '2024-12-16'
+version: 3
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
index ddd4f088e5..b93f7e5a47 100644
--- a/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
+++ b/detections/cloud/asl_aws_ec2_snapshot_shared_externally.yml
@@ -1,7 +1,7 @@
 name: ASL AWS EC2 Snapshot Shared Externally
 id: 00af8f7f-e004-446b-9bba-2732f717ae27
-version: 2
-date: '2024-12-17'
+version: 3
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
index a65cf4ea32..fe6eeadf82 100644
--- a/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
+++ b/detections/cloud/asl_aws_ecr_container_upload_outside_business_hours.yml
@@ -1,7 +1,7 @@
 name: ASL AWS ECR Container Upload Outside Business Hours
 id: 739ed682-27e9-4ba0-80e5-a91b97698213
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
index dcd5166378..a825a7f7d3 100644
--- a/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
+++ b/detections/cloud/asl_aws_ecr_container_upload_unknown_user.yml
@@ -1,7 +1,7 @@
 name: ASL AWS ECR Container Upload Unknown User
 id: 886a8f46-d7e2-4439-b9ba-aec238e31732
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
index 8108ed6e5b..16aeb0108e 100644
--- a/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
+++ b/detections/cloud/asl_aws_iam_accessdenied_discovery_events.yml
@@ -1,7 +1,7 @@
 name: ASL AWS IAM AccessDenied Discovery Events
 id: a4f39755-b1e2-40bb-b2dc-4449c45b0bf2
-version: 2
-date: '2025-01-08'
+version: 3
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
index 760ec5d535..f404137078 100644
--- a/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
+++ b/detections/cloud/asl_aws_iam_assume_role_policy_brute_force.yml
@@ -1,7 +1,7 @@
 name: ASL AWS IAM Assume Role Policy Brute Force
 id: 726959fe-316d-445c-a584-fa187d64e295
-version: 2
-date: '2025-01-08'
+version: 3
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/asl_aws_iam_delete_policy.yml b/detections/cloud/asl_aws_iam_delete_policy.yml
index 8e9d87425b..14cced498e 100644
--- a/detections/cloud/asl_aws_iam_delete_policy.yml
+++ b/detections/cloud/asl_aws_iam_delete_policy.yml
@@ -1,7 +1,7 @@
 name: ASL AWS IAM Delete Policy
 id: 609ced68-d420-4ff7-8164-ae98b4b4018c
-version: 6
-date: '2024-11-14'
+version: 7
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Hunting
diff --git a/detections/cloud/asl_aws_iam_failure_group_deletion.yml b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
index f84ecec18c..cfd00fe292 100644
--- a/detections/cloud/asl_aws_iam_failure_group_deletion.yml
+++ b/detections/cloud/asl_aws_iam_failure_group_deletion.yml
@@ -1,7 +1,7 @@
 name: ASL AWS IAM Failure Group Deletion
 id: 8d12f268-c567-4557-9813-f8389e235c06
-version: 7
-date: '2024-11-14'
+version: 8
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/asl_aws_iam_successful_group_deletion.yml b/detections/cloud/asl_aws_iam_successful_group_deletion.yml
index 48f44b30d1..5200b8b723 100644
--- a/detections/cloud/asl_aws_iam_successful_group_deletion.yml
+++ b/detections/cloud/asl_aws_iam_successful_group_deletion.yml
@@ -1,7 +1,7 @@
 name: ASL AWS IAM Successful Group Deletion
 id: 1bbe54f1-93d7-4764-8a01-ddaa12ece7ac
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Hunting
diff --git a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml
index 916df22a3a..fb038964af 100644
--- a/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/asl_aws_multi_factor_authentication_disabled.yml
@@ -1,7 +1,7 @@
 name: ASL AWS Multi-Factor Authentication Disabled
 id: 4d2df5e0-1092-4817-88a8-79c7fa054668
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml
index 88579f1f17..717b7c44c5 100644
--- a/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml
+++ b/detections/cloud/asl_aws_network_access_control_list_created_with_all_open_ports.yml
@@ -1,7 +1,7 @@
 name: ASL AWS Network Access Control List Created with All Open Ports
 id: a2625034-c2de-44fc-b45c-7bac9c4a7974
-version: 3
-date: '2025-02-10'
+version: 4
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/asl_aws_network_access_control_list_deleted.yml b/detections/cloud/asl_aws_network_access_control_list_deleted.yml
index 59d4c8101d..dfb48a3e39 100644
--- a/detections/cloud/asl_aws_network_access_control_list_deleted.yml
+++ b/detections/cloud/asl_aws_network_access_control_list_deleted.yml
@@ -1,7 +1,7 @@
 name: ASL AWS Network Access Control List Deleted
 id: e010ddf5-e9a5-44e5-bdd6-0c919ba8fc8b
-version: 3
-date: '2025-02-10'
+version: 4
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
index 1412490475..ce1c37b80f 100644
--- a/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
+++ b/detections/cloud/asl_aws_new_mfa_method_registered_for_user.yml
@@ -1,7 +1,7 @@
 name: ASL AWS New MFA Method Registered For User
 id: 33ae0931-2a03-456b-b1d7-b016c5557fbd
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: experimental
 type: TTP
diff --git a/detections/cloud/asl_aws_saml_update_identity_provider.yml b/detections/cloud/asl_aws_saml_update_identity_provider.yml
index 4c0e69b93e..6e52ca5ddd 100644
--- a/detections/cloud/asl_aws_saml_update_identity_provider.yml
+++ b/detections/cloud/asl_aws_saml_update_identity_provider.yml
@@ -1,7 +1,7 @@
 name: ASL AWS SAML Update identity provider
 id: 635c26cc-0fd1-4098-8ec9-824bf9544b11
-version: 2
-date: '2025-01-09'
+version: 3
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/asl_aws_updateloginprofile.yml b/detections/cloud/asl_aws_updateloginprofile.yml
index 43dab5c0cd..5aa2494e32 100644
--- a/detections/cloud/asl_aws_updateloginprofile.yml
+++ b/detections/cloud/asl_aws_updateloginprofile.yml
@@ -1,7 +1,7 @@
 name: ASL AWS UpdateLoginProfile
 id: 5b3f63a3-865b-4637-9941-f98bd1a50c0d
-version: 3
-date: '2025-02-10'
+version: 4
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
index 040277bda5..959c72fa58 100644
--- a/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
+++ b/detections/cloud/aws_ami_attribute_modification_for_exfiltration.yml
@@ -1,7 +1,7 @@
 name: AWS AMI Attribute Modification for Exfiltration
 id: f2132d74-cf81-4c5e-8799-ab069e67dc9f
-version: 6
-date: '2024-11-14'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_bedrock_delete_guardrails.yml b/detections/cloud/aws_bedrock_delete_guardrails.yml
index 0b8a20b96b..c7facad576 100644
--- a/detections/cloud/aws_bedrock_delete_guardrails.yml
+++ b/detections/cloud/aws_bedrock_delete_guardrails.yml
@@ -1,7 +1,7 @@
 name: AWS Bedrock Delete GuardRails
 id: 7a5e3d62-f743-11ee-9f6e-acde48001122
-version: 1
-date: '2024-12-05'
+version: 2
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_bedrock_delete_knowledge_base.yml b/detections/cloud/aws_bedrock_delete_knowledge_base.yml
index da7190e8b1..9e8a6492f1 100644
--- a/detections/cloud/aws_bedrock_delete_knowledge_base.yml
+++ b/detections/cloud/aws_bedrock_delete_knowledge_base.yml
@@ -1,7 +1,7 @@
 name: AWS Bedrock Delete Knowledge Base
 id: 8b4e3d62-f743-11ee-9f6e-acde48001123
-version: 1
-date: '2024-12-05'
+version: 2
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_bedrock_delete_model_invocation_logging_configuration.yml b/detections/cloud/aws_bedrock_delete_model_invocation_logging_configuration.yml
index 4b7b827861..da40c19310 100644
--- a/detections/cloud/aws_bedrock_delete_model_invocation_logging_configuration.yml
+++ b/detections/cloud/aws_bedrock_delete_model_invocation_logging_configuration.yml
@@ -1,7 +1,7 @@
 name: AWS Bedrock Delete Model Invocation Logging Configuration
 id: 9c5e3d62-f743-11ee-9f6e-acde48001124
-version: 1
-date: '2024-12-05'
+version: 2
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_bedrock_high_number_list_foundation_model_failures.yml b/detections/cloud/aws_bedrock_high_number_list_foundation_model_failures.yml
index a01000d0fd..a85328f951 100644
--- a/detections/cloud/aws_bedrock_high_number_list_foundation_model_failures.yml
+++ b/detections/cloud/aws_bedrock_high_number_list_foundation_model_failures.yml
@@ -1,7 +1,7 @@
 name: AWS Bedrock High Number List Foundation Model Failures
 id: e84b3c74-f742-11ee-9f6e-acde48001122
-version: 1
-date: '2024-12-05'
+version: 2
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_bedrock_invoke_model_access_denied.yml b/detections/cloud/aws_bedrock_invoke_model_access_denied.yml
index 1ca8d2354a..3beab4027c 100644
--- a/detections/cloud/aws_bedrock_invoke_model_access_denied.yml
+++ b/detections/cloud/aws_bedrock_invoke_model_access_denied.yml
@@ -1,7 +1,7 @@
 name: AWS Bedrock Invoke Model Access Denied
 id: c53a8e62-f741-11ee-9f6e-acde48001122
-version: 1
-date: '2024-12-05'
+version: 2
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
index 694f2a2989..8c0cefd9fd 100644
--- a/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/aws_concurrent_sessions_from_different_ips.yml
@@ -1,7 +1,7 @@
 name: AWS Concurrent Sessions From Different Ips
 id: 51c04fdb-2746-465a-b86e-b413a09c9085
-version: 6
-date: '2024-11-14'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml b/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml
index 0f5a179514..abc75ca68d 100644
--- a/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml
+++ b/detections/cloud/aws_console_login_failed_during_mfa_challenge.yml
@@ -1,7 +1,7 @@
 name: AWS Console Login Failed During MFA Challenge
 id: 55349868-5583-466f-98ab-d3beb321961e
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml b/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml
index 68f5e47739..5fd5b33b14 100644
--- a/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml
+++ b/detections/cloud/aws_create_policy_version_to_allow_all_resources.yml
@@ -1,7 +1,7 @@
 name: AWS Create Policy Version to allow all resources
 id: 2a9b80d3-6340-4345-b5ad-212bf3d0dac4
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_createaccesskey.yml b/detections/cloud/aws_createaccesskey.yml
index f549bef8e2..c071cb232d 100644
--- a/detections/cloud/aws_createaccesskey.yml
+++ b/detections/cloud/aws_createaccesskey.yml
@@ -1,7 +1,7 @@
 name: AWS CreateAccessKey
 id: 2a9b80d3-6340-4345-11ad-212bf3d0d111
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: Hunting
diff --git a/detections/cloud/aws_createloginprofile.yml b/detections/cloud/aws_createloginprofile.yml
index aa3455544e..a65525b09c 100644
--- a/detections/cloud/aws_createloginprofile.yml
+++ b/detections/cloud/aws_createloginprofile.yml
@@ -1,7 +1,7 @@
 name: AWS CreateLoginProfile
 id: 2a9b80d3-6340-4345-11ad-212bf444d111
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_credential_access_failed_login.yml b/detections/cloud/aws_credential_access_failed_login.yml
index 8ca873ae73..7050bb6adf 100644
--- a/detections/cloud/aws_credential_access_failed_login.yml
+++ b/detections/cloud/aws_credential_access_failed_login.yml
@@ -1,7 +1,7 @@
 name: AWS Credential Access Failed Login
 id: a19b354d-0d7f-47f3-8ea6-1a7c36434968
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_credential_access_getpassworddata.yml b/detections/cloud/aws_credential_access_getpassworddata.yml
index 280f2fd046..1f8ac9d46d 100644
--- a/detections/cloud/aws_credential_access_getpassworddata.yml
+++ b/detections/cloud/aws_credential_access_getpassworddata.yml
@@ -1,7 +1,7 @@
 name: AWS Credential Access GetPasswordData
 id: 4d347c4a-306e-41db-8d10-b46baf71b3e2
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/aws_credential_access_rds_password_reset.yml b/detections/cloud/aws_credential_access_rds_password_reset.yml
index ce23361a3d..c127a71b8f 100644
--- a/detections/cloud/aws_credential_access_rds_password_reset.yml
+++ b/detections/cloud/aws_credential_access_rds_password_reset.yml
@@ -1,7 +1,7 @@
 name: AWS Credential Access RDS Password reset
 id: 6153c5ea-ed30-4878-81e6-21ecdb198189
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml b/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml
index a5d6a1069a..0885be912c 100644
--- a/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml
+++ b/detections/cloud/aws_defense_evasion_delete_cloudtrail.yml
@@ -1,7 +1,7 @@
 name: AWS Defense Evasion Delete Cloudtrail
 id: 82092925-9ca1-4e06-98b8-85a2d3889552
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml b/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml
index 289229b26d..4f88a19133 100644
--- a/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml
+++ b/detections/cloud/aws_defense_evasion_delete_cloudwatch_log_group.yml
@@ -1,7 +1,7 @@
 name: AWS Defense Evasion Delete CloudWatch Log Group
 id: d308b0f1-edb7-4a62-a614-af321160710f
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_defense_evasion_impair_security_services.yml b/detections/cloud/aws_defense_evasion_impair_security_services.yml
index ba0d646ecb..ed7bf57ca8 100644
--- a/detections/cloud/aws_defense_evasion_impair_security_services.yml
+++ b/detections/cloud/aws_defense_evasion_impair_security_services.yml
@@ -1,7 +1,7 @@
 name: AWS Defense Evasion Impair Security Services
 id: b28c4957-96a6-47e0-a965-6c767aac1458
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Gowthamaraj Rajendran, Splunk
 status: production
 type: Hunting
diff --git a/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml b/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml
index 89a5e96ddd..1a93dee6c8 100644
--- a/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml
+++ b/detections/cloud/aws_defense_evasion_putbucketlifecycle.yml
@@ -1,7 +1,7 @@
 name: AWS Defense Evasion PutBucketLifecycle
 id: ce1c0e2b-9303-4903-818b-0d9002fc6ea4
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel
 status: production
 type: Hunting
diff --git a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml
index cdc2bf356b..96c3c66794 100644
--- a/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml
+++ b/detections/cloud/aws_defense_evasion_stop_logging_cloudtrail.yml
@@ -1,7 +1,7 @@
 name: AWS Defense Evasion Stop Logging Cloudtrail
 id: 8a2f3ca2-4eb5-4389-a549-14063882e537
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml
index 8959939a27..9bc009d59b 100644
--- a/detections/cloud/aws_defense_evasion_update_cloudtrail.yml
+++ b/detections/cloud/aws_defense_evasion_update_cloudtrail.yml
@@ -1,7 +1,7 @@
 name: AWS Defense Evasion Update Cloudtrail
 id: 7c921d28-ef48-4f1b-85b3-0af8af7697db
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
index 64417b6060..c429c55da2 100644
--- a/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
+++ b/detections/cloud/aws_detect_users_creating_keys_with_encrypt_policy_without_mfa.yml
@@ -1,7 +1,7 @@
 name: AWS Detect Users creating keys with encrypt policy without MFA
 id: c79c164f-4b21-4847-98f9-cf6a9f49179e
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Rod Soto, Patrick Bareiss Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml
index 519597fbdc..b75bb2fdca 100644
--- a/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml
+++ b/detections/cloud/aws_detect_users_with_kms_keys_performing_encryption_s3.yml
@@ -1,7 +1,7 @@
 name: AWS Detect Users with KMS keys performing encryption S3
 id: 884a5f59-eec7-4f4a-948b-dbde18225fdc
-version: 6
-date: '2024-11-14'
+version: 7
+date: '2025-05-02'
 author: Rod Soto, Patrick Bareiss Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/aws_disable_bucket_versioning.yml b/detections/cloud/aws_disable_bucket_versioning.yml
index 9cf1b782c4..3f983f4cd3 100644
--- a/detections/cloud/aws_disable_bucket_versioning.yml
+++ b/detections/cloud/aws_disable_bucket_versioning.yml
@@ -1,7 +1,7 @@
 name: AWS Disable Bucket Versioning
 id: 657902a9-987d-4879-a1b2-e7a65512824b
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/aws_ec2_snapshot_shared_externally.yml b/detections/cloud/aws_ec2_snapshot_shared_externally.yml
index 359d152a38..3e92fa83c1 100644
--- a/detections/cloud/aws_ec2_snapshot_shared_externally.yml
+++ b/detections/cloud/aws_ec2_snapshot_shared_externally.yml
@@ -1,7 +1,7 @@
 name: AWS EC2 Snapshot Shared Externally
 id: 2a9b80d3-6340-4345-b5ad-290bf3d222c4
-version: 7
-date: '2024-11-14'
+version: 8
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_ecr_container_scanning_findings_high.yml b/detections/cloud/aws_ecr_container_scanning_findings_high.yml
index fd84cd5a47..d83663a6df 100644
--- a/detections/cloud/aws_ecr_container_scanning_findings_high.yml
+++ b/detections/cloud/aws_ecr_container_scanning_findings_high.yml
@@ -1,7 +1,7 @@
 name: AWS ECR Container Scanning Findings High
 id: 30a0e9f8-f1dd-4f9d-8fc2-c622461d781c
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml b/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml
index c2a4626cf0..bd25c59656 100644
--- a/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml
+++ b/detections/cloud/aws_ecr_container_scanning_findings_low_informational_unknown.yml
@@ -1,7 +1,7 @@
 name: AWS ECR Container Scanning Findings Low Informational Unknown
 id: cbc95e44-7c22-443f-88fd-0424478f5589
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Patrick Bareiss, Eric McGinnis Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/aws_ecr_container_scanning_findings_medium.yml b/detections/cloud/aws_ecr_container_scanning_findings_medium.yml
index 4bc30f42d7..32f9e8ff71 100644
--- a/detections/cloud/aws_ecr_container_scanning_findings_medium.yml
+++ b/detections/cloud/aws_ecr_container_scanning_findings_medium.yml
@@ -1,7 +1,7 @@
 name: AWS ECR Container Scanning Findings Medium
 id: 0b80e2c8-c746-4ddb-89eb-9efd892220cf
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml
index 06ffc02b79..d519eb08ae 100644
--- a/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml
+++ b/detections/cloud/aws_ecr_container_upload_outside_business_hours.yml
@@ -1,7 +1,7 @@
 name: AWS ECR Container Upload Outside Business Hours
 id: d4c4d4eb-3994-41ca-a25e-a82d64e125bb
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/aws_ecr_container_upload_unknown_user.yml b/detections/cloud/aws_ecr_container_upload_unknown_user.yml
index 6efff0d27f..3907d01a5f 100644
--- a/detections/cloud/aws_ecr_container_upload_unknown_user.yml
+++ b/detections/cloud/aws_ecr_container_upload_unknown_user.yml
@@ -1,7 +1,7 @@
 name: AWS ECR Container Upload Unknown User
 id: 300688e4-365c-4486-a065-7c884462b31d
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/aws_excessive_security_scanning.yml b/detections/cloud/aws_excessive_security_scanning.yml
index 437210a221..3be5cf8b6e 100644
--- a/detections/cloud/aws_excessive_security_scanning.yml
+++ b/detections/cloud/aws_excessive_security_scanning.yml
@@ -1,7 +1,7 @@
 name: AWS Excessive Security Scanning
 id: 1fdd164a-def8-4762-83a9-9ffe24e74d5a
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml
index 7a7a3777b1..5b2f33f01f 100644
--- a/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml
+++ b/detections/cloud/aws_exfiltration_via_anomalous_getobject_api_activity.yml
@@ -1,7 +1,7 @@
 name: AWS Exfiltration via Anomalous GetObject API Activity
 id: e4384bbf-5835-4831-8d85-694de6ad2cc6
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/aws_exfiltration_via_batch_service.yml b/detections/cloud/aws_exfiltration_via_batch_service.yml
index b8d5a7fbd1..b9f2f66813 100644
--- a/detections/cloud/aws_exfiltration_via_batch_service.yml
+++ b/detections/cloud/aws_exfiltration_via_batch_service.yml
@@ -1,7 +1,7 @@
 name: AWS Exfiltration via Batch Service
 id: 04455dd3-ced7-480f-b8e6-5469b99e98e2
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_exfiltration_via_bucket_replication.yml b/detections/cloud/aws_exfiltration_via_bucket_replication.yml
index 4b51afcc02..c75bc306c0 100644
--- a/detections/cloud/aws_exfiltration_via_bucket_replication.yml
+++ b/detections/cloud/aws_exfiltration_via_bucket_replication.yml
@@ -1,7 +1,7 @@
 name: AWS Exfiltration via Bucket Replication
 id: eeb432d6-2212-43b6-9e89-fcd753f7da4c
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_exfiltration_via_datasync_task.yml b/detections/cloud/aws_exfiltration_via_datasync_task.yml
index 7d959dccfb..d937feb01e 100644
--- a/detections/cloud/aws_exfiltration_via_datasync_task.yml
+++ b/detections/cloud/aws_exfiltration_via_datasync_task.yml
@@ -1,7 +1,7 @@
 name: AWS Exfiltration via DataSync Task
 id: 05c4b09f-ea28-4c7c-a7aa-a246f665c8a2
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
index 5b182eaf4b..4383fc9d22 100644
--- a/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
+++ b/detections/cloud/aws_exfiltration_via_ec2_snapshot.yml
@@ -1,7 +1,7 @@
 name: AWS Exfiltration via EC2 Snapshot
 id: ac90b339-13fc-4f29-a18c-4abbba1f2171
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml
index a522509486..77ac7eec8f 100644
--- a/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml
+++ b/detections/cloud/aws_high_number_of_failed_authentications_for_user.yml
@@ -1,7 +1,7 @@
 name: AWS High Number Of Failed Authentications For User
 id: e3236f49-daf3-4b70-b808-9290912ac64d
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml
index ead873137d..b824ef463b 100644
--- a/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/aws_high_number_of_failed_authentications_from_ip.yml
@@ -1,7 +1,7 @@
 name: AWS High Number Of Failed Authentications From Ip
 id: f75b7f1a-b8eb-4975-a214-ff3e0a944757
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/aws_iam_accessdenied_discovery_events.yml b/detections/cloud/aws_iam_accessdenied_discovery_events.yml
index 32ebb2a3f9..54b120c778 100644
--- a/detections/cloud/aws_iam_accessdenied_discovery_events.yml
+++ b/detections/cloud/aws_iam_accessdenied_discovery_events.yml
@@ -1,7 +1,7 @@
 name: AWS IAM AccessDenied Discovery Events
 id: 3e1f1568-9633-11eb-a69c-acde48001122
-version: 6
-date: '2024-11-14'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/aws_iam_assume_role_policy_brute_force.yml b/detections/cloud/aws_iam_assume_role_policy_brute_force.yml
index 59362ff946..29a69badee 100644
--- a/detections/cloud/aws_iam_assume_role_policy_brute_force.yml
+++ b/detections/cloud/aws_iam_assume_role_policy_brute_force.yml
@@ -1,7 +1,7 @@
 name: AWS IAM Assume Role Policy Brute Force
 id: f19e09b0-9308-11eb-b7ec-acde48001122
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_iam_delete_policy.yml b/detections/cloud/aws_iam_delete_policy.yml
index 1144a49768..462ea66cf5 100644
--- a/detections/cloud/aws_iam_delete_policy.yml
+++ b/detections/cloud/aws_iam_delete_policy.yml
@@ -1,7 +1,7 @@
 name: AWS IAM Delete Policy
 id: ec3a9362-92fe-11eb-99d0-acde48001122
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/cloud/aws_iam_failure_group_deletion.yml b/detections/cloud/aws_iam_failure_group_deletion.yml
index 72960b4c4d..c18d632265 100644
--- a/detections/cloud/aws_iam_failure_group_deletion.yml
+++ b/detections/cloud/aws_iam_failure_group_deletion.yml
@@ -1,7 +1,7 @@
 name: AWS IAM Failure Group Deletion
 id: 723b861a-92eb-11eb-93b8-acde48001122
-version: 7
-date: '2024-11-14'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/aws_iam_successful_group_deletion.yml b/detections/cloud/aws_iam_successful_group_deletion.yml
index 665e28a8f0..f3a0cff040 100644
--- a/detections/cloud/aws_iam_successful_group_deletion.yml
+++ b/detections/cloud/aws_iam_successful_group_deletion.yml
@@ -1,7 +1,7 @@
 name: AWS IAM Successful Group Deletion
 id: e776d06c-9267-11eb-819b-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/cloud/aws_lambda_updatefunctioncode.yml b/detections/cloud/aws_lambda_updatefunctioncode.yml
index 41391682b0..3572007fe2 100644
--- a/detections/cloud/aws_lambda_updatefunctioncode.yml
+++ b/detections/cloud/aws_lambda_updatefunctioncode.yml
@@ -1,7 +1,7 @@
 name: AWS Lambda UpdateFunctionCode
 id: 211b80d3-6340-4345-11ad-212bf3d0d111
-version: 6
-date: '2024-11-14'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: Hunting
diff --git a/detections/cloud/aws_multi_factor_authentication_disabled.yml b/detections/cloud/aws_multi_factor_authentication_disabled.yml
index 20be3ffafa..a88a8982f0 100644
--- a/detections/cloud/aws_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/aws_multi_factor_authentication_disabled.yml
@@ -1,7 +1,7 @@
 name: AWS Multi-Factor Authentication Disabled
 id: 374832b1-3603-420c-b456-b373e24d34c0
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml
index 258579585e..8b71e6186a 100644
--- a/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/cloud/aws_multiple_failed_mfa_requests_for_user.yml
@@ -1,7 +1,7 @@
 name: AWS Multiple Failed MFA Requests For User
 id: 1fece617-e614-4329-9e61-3ba228c0f353
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel
 status: production
 type: Anomaly
diff --git a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml
index 4ab70632ac..b5363e8f73 100644
--- a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml
@@ -1,7 +1,7 @@
 name: AWS Multiple Users Failing To Authenticate From Ip
 id: 71e1fb89-dd5f-4691-8523-575420de4630
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel
 status: production
 type: Anomaly
diff --git a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml
index 65b3e082ec..789d0680a5 100644
--- a/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml
+++ b/detections/cloud/aws_network_access_control_list_created_with_all_open_ports.yml
@@ -1,7 +1,7 @@
 name: AWS Network Access Control List Created with All Open Ports
 id: ada0f478-84a8-4641-a3f1-d82362d6bd75
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Bhavin Patel, Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_network_access_control_list_deleted.yml b/detections/cloud/aws_network_access_control_list_deleted.yml
index 0fa6db478b..b6a9ed4904 100644
--- a/detections/cloud/aws_network_access_control_list_deleted.yml
+++ b/detections/cloud/aws_network_access_control_list_deleted.yml
@@ -1,7 +1,7 @@
 name: AWS Network Access Control List Deleted
 id: ada0f478-84a8-4641-a3f1-d82362d6fd75
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Bhavin Patel, Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/aws_new_mfa_method_registered_for_user.yml b/detections/cloud/aws_new_mfa_method_registered_for_user.yml
index b7c524e1b0..c95ec1d221 100644
--- a/detections/cloud/aws_new_mfa_method_registered_for_user.yml
+++ b/detections/cloud/aws_new_mfa_method_registered_for_user.yml
@@ -1,7 +1,7 @@
 name: AWS New MFA Method Registered For User
 id: 4e3c26f2-4fb9-4bd7-ab46-1b76ffa2a23b
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_password_policy_changes.yml b/detections/cloud/aws_password_policy_changes.yml
index 4795411501..734856119d 100644
--- a/detections/cloud/aws_password_policy_changes.yml
+++ b/detections/cloud/aws_password_policy_changes.yml
@@ -1,7 +1,7 @@
 name: AWS Password Policy Changes
 id: aee4a575-7064-4e60-b511-246f9baf9895
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: Hunting
diff --git a/detections/cloud/aws_s3_exfiltration_behavior_identified.yml b/detections/cloud/aws_s3_exfiltration_behavior_identified.yml
index b7c77231ba..eb82d957c2 100644
--- a/detections/cloud/aws_s3_exfiltration_behavior_identified.yml
+++ b/detections/cloud/aws_s3_exfiltration_behavior_identified.yml
@@ -1,7 +1,7 @@
 name: AWS S3 Exfiltration Behavior Identified
 id: 85096389-a443-42df-b89d-200efbb1b560
-version: 6
-date: '2025-04-16'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: Correlation
diff --git a/detections/cloud/aws_saml_update_identity_provider.yml b/detections/cloud/aws_saml_update_identity_provider.yml
index b75e51fa8b..c606eb1532 100644
--- a/detections/cloud/aws_saml_update_identity_provider.yml
+++ b/detections/cloud/aws_saml_update_identity_provider.yml
@@ -1,7 +1,7 @@
 name: AWS SAML Update identity provider
 id: 2f0604c6-6030-11eb-ae93-0242ac130002
-version: 7
-date: '2024-11-14'
+version: 8
+date: '2025-05-02'
 author: Rod Soto, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_setdefaultpolicyversion.yml b/detections/cloud/aws_setdefaultpolicyversion.yml
index 6d5fb033e9..e2ce1660e1 100644
--- a/detections/cloud/aws_setdefaultpolicyversion.yml
+++ b/detections/cloud/aws_setdefaultpolicyversion.yml
@@ -1,7 +1,7 @@
 name: AWS SetDefaultPolicyVersion
 id: 2a9b80d3-6340-4345-11ad-212bf3d0dac4
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
index d7ec66df03..59eb9a1914 100644
--- a/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
+++ b/detections/cloud/aws_successful_console_authentication_from_multiple_ips.yml
@@ -1,7 +1,7 @@
 name: AWS Successful Console Authentication From Multiple IPs
 id: 395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb
-version: 7
-date: '2024-11-14'
+version: 8
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/aws_successful_single_factor_authentication.yml b/detections/cloud/aws_successful_single_factor_authentication.yml
index 798789c6c7..7a2a49d184 100644
--- a/detections/cloud/aws_successful_single_factor_authentication.yml
+++ b/detections/cloud/aws_successful_single_factor_authentication.yml
@@ -1,7 +1,7 @@
 name: AWS Successful Single-Factor Authentication
 id: a520b1fe-cc9e-4f56-b762-18354594c52f
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml
index 03a31cc626..70c96282f1 100644
--- a/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/aws_unusual_number_of_failed_authentications_from_ip.yml
@@ -1,7 +1,7 @@
 name: AWS Unusual Number of Failed Authentications From Ip
 id: 0b5c9c2b-e2cb-4831-b4f1-af125ceb1386
-version: 10
-date: '2025-03-27'
+version: 11
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/aws_updateloginprofile.yml b/detections/cloud/aws_updateloginprofile.yml
index 50948031d0..c430f55af6 100644
--- a/detections/cloud/aws_updateloginprofile.yml
+++ b/detections/cloud/aws_updateloginprofile.yml
@@ -1,7 +1,7 @@
 name: AWS UpdateLoginProfile
 id: 2a9b80d3-6a40-4115-11ad-212bf3d0d111
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_active_directory_high_risk_sign_in.yml b/detections/cloud/azure_active_directory_high_risk_sign_in.yml
index 946bf35da7..7d1c997ae7 100644
--- a/detections/cloud/azure_active_directory_high_risk_sign_in.yml
+++ b/detections/cloud/azure_active_directory_high_risk_sign_in.yml
@@ -1,7 +1,7 @@
 name: Azure Active Directory High Risk Sign-in
 id: 1ecff169-26d7-4161-9a7b-2ac4c8e61bea
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml b/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml
index 91d9869037..72582792d7 100644
--- a/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml
+++ b/detections/cloud/azure_ad_admin_consent_bypassed_by_service_principal.yml
@@ -1,7 +1,7 @@
 name: Azure AD Admin Consent Bypassed by Service Principal
 id: 9d4fea43-9182-4c5a-ada8-13701fd5615d
-version: 8
-date: '2024-11-14'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 data_source:
 - Azure Active Directory Add app role assignment to service principal
diff --git a/detections/cloud/azure_ad_application_administrator_role_assigned.yml b/detections/cloud/azure_ad_application_administrator_role_assigned.yml
index 149d5e90dd..f34ffee863 100644
--- a/detections/cloud/azure_ad_application_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_application_administrator_role_assigned.yml
@@ -1,7 +1,7 @@
 name: Azure AD Application Administrator Role Assigned
 id: eac4de87-7a56-4538-a21b-277897af6d8d
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml
index 75620c8a81..ee7da5b832 100644
--- a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml
+++ b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml
@@ -1,7 +1,7 @@
 name: Azure AD Authentication Failed During MFA Challenge
 id: e62c9c2e-bf51-4719-906c-3074618fcc1c
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk, 0xC0FFEEEE
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_azurehound_useragent_detected.yml b/detections/cloud/azure_ad_azurehound_useragent_detected.yml
index bfc3823502..59c0827d81 100644
--- a/detections/cloud/azure_ad_azurehound_useragent_detected.yml
+++ b/detections/cloud/azure_ad_azurehound_useragent_detected.yml
@@ -1,7 +1,7 @@
 name: Azure AD AzureHound UserAgent Detected
 id: d62852db-a1f1-40db-a7fc-c3d56fa8bda3
-version: 3
-date: '2025-01-06'
+version: 4
+date: '2025-05-02'
 author: Dean Luxton
 data_source:
 - Azure Active Directory NonInteractiveUserSignInLogs
diff --git a/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml b/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml
index 27c5b5c2e9..68225aba17 100644
--- a/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml
+++ b/detections/cloud/azure_ad_block_user_consent_for_risky_apps_disabled.yml
@@ -1,7 +1,7 @@
 name: Azure AD Block User Consent For Risky Apps Disabled
 id: 875de3d7-09bc-4916-8c0a-0929f4ced3d8
-version: 8
-date: '2024-11-14'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml b/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml
index efc90a2d31..4dfa7e66d9 100644
--- a/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml
@@ -1,7 +1,7 @@
 name: Azure AD Concurrent Sessions From Different Ips
 id: a9126f73-9a9b-493d-96ec-0dd06695490d
-version: 9
-date: '2024-11-14'
+version: 10
+date: '2025-05-02'
 author: Mauricio Velazco, Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_device_code_authentication.yml b/detections/cloud/azure_ad_device_code_authentication.yml
index b836e6615a..48e20d7c7b 100644
--- a/detections/cloud/azure_ad_device_code_authentication.yml
+++ b/detections/cloud/azure_ad_device_code_authentication.yml
@@ -1,7 +1,7 @@
 name: Azure AD Device Code Authentication
 id: d68d8732-6f7e-4ee5-a6eb-737f2b990b91
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_external_guest_user_invited.yml b/detections/cloud/azure_ad_external_guest_user_invited.yml
index 21ce0ab0cd..d6141d9911 100644
--- a/detections/cloud/azure_ad_external_guest_user_invited.yml
+++ b/detections/cloud/azure_ad_external_guest_user_invited.yml
@@ -1,7 +1,7 @@
 name: Azure AD External Guest User Invited
 id: c1fb4edb-cab1-4359-9b40-925ffd797fb5
-version: 7
-date: '2024-11-14'
+version: 8
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml b/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml
index ea0c631883..d8edd0b228 100644
--- a/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml
+++ b/detections/cloud/azure_ad_fullaccessasapp_permission_assigned.yml
@@ -1,7 +1,7 @@
 name: Azure AD FullAccessAsApp Permission Assigned
 id: ae286126-f2ad-421c-b240-4ea83bd1c43a
-version: 6
-date: '2024-11-14'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_global_administrator_role_assigned.yml b/detections/cloud/azure_ad_global_administrator_role_assigned.yml
index e9ba0309c9..b5355f2fa5 100644
--- a/detections/cloud/azure_ad_global_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_global_administrator_role_assigned.yml
@@ -1,7 +1,7 @@
 name: Azure AD Global Administrator Role Assigned
 id: 825fed20-309d-4fd1-8aaf-cd49c1bb093c
-version: 9
-date: '2024-11-14'
+version: 10
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml b/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml
index fc03e34916..0a2181d19a 100644
--- a/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml
+++ b/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml
@@ -1,7 +1,7 @@
 name: Azure AD High Number Of Failed Authentications For User
 id: 630b1694-210a-48ee-a450-6f79e7679f2c
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml
index d6d13dd698..9c42a9106e 100644
--- a/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml
@@ -1,7 +1,7 @@
 name: Azure AD High Number Of Failed Authentications From Ip
 id: e5ab41bf-745d-4f72-a393-2611151afd8e
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Mauricio Velazco, Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml
index dbd24cce4a..f4534edaa8 100644
--- a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml
@@ -1,7 +1,7 @@
 name: Azure AD Multi-Factor Authentication Disabled
 id: 482dd42a-acfa-486b-a0bb-d6fcda27318e
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
index 1768e457fd..1872920cc5 100644
--- a/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
+++ b/detections/cloud/azure_ad_multi_source_failed_authentications_spike.yml
@@ -1,7 +1,7 @@
 name: Azure AD Multi-Source Failed Authentications Spike
 id: 116e11a9-63ea-41eb-a66a-6a13bdc7d2c7
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml b/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml
index 98a8a677ce..00a97b06bf 100644
--- a/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml
+++ b/detections/cloud/azure_ad_multiple_appids_and_useragents_authentication_spike.yml
@@ -1,7 +1,7 @@
 name: Azure AD Multiple AppIDs and UserAgents Authentication Spike
 id: 5d8bb1f0-f65a-4b4e-af2e-fcdb88276314
-version: 9
-date: '2024-11-14'
+version: 10
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml
index 1248b975e3..064ebd1617 100644
--- a/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml
+++ b/detections/cloud/azure_ad_multiple_denied_mfa_requests_for_user.yml
@@ -1,7 +1,7 @@
 name: Azure AD Multiple Denied MFA Requests For User
 id: d0895c20-de71-4fd2-b56c-3fcdb888eba1
-version: 7
-date: '2024-11-14'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml
index 9047057c43..92db4fb368 100644
--- a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml
@@ -1,7 +1,7 @@
 name: Azure AD Multiple Failed MFA Requests For User
 id: 264ea131-ab1f-41b8-90e0-33ad1a1888ea
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml b/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml
index d73be6308a..545051b829 100644
--- a/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml
+++ b/detections/cloud/azure_ad_multiple_service_principals_created_by_sp.yml
@@ -1,7 +1,7 @@
 name: Azure AD Multiple Service Principals Created by SP
 id: 66cb378f-234d-4fe1-bb4c-e7878ff6b017
-version: 8
-date: '2024-11-14'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 data_source:
 - Azure Active Directory Add service principal
diff --git a/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml b/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml
index e7d87f1133..3fcae05cb4 100644
--- a/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml
+++ b/detections/cloud/azure_ad_multiple_service_principals_created_by_user.yml
@@ -1,7 +1,7 @@
 name: Azure AD Multiple Service Principals Created by User
 id: 32880707-f512-414e-bd7f-204c0c85b758
-version: 7
-date: '2024-11-14'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 data_source:
 - Azure Active Directory Add service principal
diff --git a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
index 66bae9f4f6..d402795b29 100644
--- a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
@@ -1,7 +1,7 @@
 name: Azure AD Multiple Users Failing To Authenticate From Ip
 id: 94481a6a-8f59-4c86-957f-55a71e3612a6
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/azure_ad_new_custom_domain_added.yml b/detections/cloud/azure_ad_new_custom_domain_added.yml
index 38205b4467..652f4d3550 100644
--- a/detections/cloud/azure_ad_new_custom_domain_added.yml
+++ b/detections/cloud/azure_ad_new_custom_domain_added.yml
@@ -1,7 +1,7 @@
 name: Azure AD New Custom Domain Added
 id: 30c47f45-dd6a-4720-9963-0bca6c8686ef
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_new_federated_domain_added.yml b/detections/cloud/azure_ad_new_federated_domain_added.yml
index 64aa8c74e4..9586d08f86 100644
--- a/detections/cloud/azure_ad_new_federated_domain_added.yml
+++ b/detections/cloud/azure_ad_new_federated_domain_added.yml
@@ -1,7 +1,7 @@
 name: Azure AD New Federated Domain Added
 id: a87cd633-076d-4ab2-9047-977751a3c1a0
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_new_mfa_method_registered.yml b/detections/cloud/azure_ad_new_mfa_method_registered.yml
index cda0404384..b4c9b68edb 100644
--- a/detections/cloud/azure_ad_new_mfa_method_registered.yml
+++ b/detections/cloud/azure_ad_new_mfa_method_registered.yml
@@ -1,7 +1,7 @@
 name: Azure AD New MFA Method Registered
 id: 0488e814-eb81-42c3-9f1f-b2244973e3a3
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml b/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml
index b78fa2c2c5..292e33d127 100644
--- a/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml
+++ b/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml
@@ -1,7 +1,7 @@
 name: Azure AD New MFA Method Registered For User
 id: 2628b087-4189-403f-9044-87403f777a1b
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml b/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml
index 83736fe7c8..cc0d42bfdd 100644
--- a/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml
+++ b/detections/cloud/azure_ad_oauth_application_consent_granted_by_user.yml
@@ -1,7 +1,7 @@
 name: Azure AD OAuth Application Consent Granted By User
 id: 10ec9031-015b-4617-b453-c0c1ab729007
-version: 7
-date: '2024-11-14'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_pim_role_assigned.yml b/detections/cloud/azure_ad_pim_role_assigned.yml
index d859885280..71fea79394 100644
--- a/detections/cloud/azure_ad_pim_role_assigned.yml
+++ b/detections/cloud/azure_ad_pim_role_assigned.yml
@@ -1,7 +1,7 @@
 name: Azure AD PIM Role Assigned
 id: fcd6dfeb-191c-46a0-a29c-c306382145ab
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_pim_role_assignment_activated.yml b/detections/cloud/azure_ad_pim_role_assignment_activated.yml
index a68e2ad4c1..e2e1f28163 100644
--- a/detections/cloud/azure_ad_pim_role_assignment_activated.yml
+++ b/detections/cloud/azure_ad_pim_role_assignment_activated.yml
@@ -1,7 +1,7 @@
 name: Azure AD PIM Role Assignment Activated
 id: 952e80d0-e343-439b-83f4-808c3e6fbf2e
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
index a1b3a4c2ef..19150b7768 100644
--- a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
@@ -1,7 +1,7 @@
 name: Azure AD Privileged Authentication Administrator Role Assigned
 id: a7da845d-6fae-41cf-b823-6c0b8c55814a
-version: 8
-date: '2024-11-14'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml b/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml
index 9a555584e2..3237af4b11 100644
--- a/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml
+++ b/detections/cloud/azure_ad_privileged_graph_api_permission_assigned.yml
@@ -1,7 +1,7 @@
 name: Azure AD Privileged Graph API Permission Assigned
 id: 5521f8c5-1aa3-473c-9eb7-853701924a06
-version: 7
-date: '2024-11-14'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_privileged_role_assigned.yml b/detections/cloud/azure_ad_privileged_role_assigned.yml
index 1067499333..1c754f439d 100644
--- a/detections/cloud/azure_ad_privileged_role_assigned.yml
+++ b/detections/cloud/azure_ad_privileged_role_assigned.yml
@@ -1,7 +1,7 @@
 name: Azure AD Privileged Role Assigned
 id: a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml b/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml
index af9596d64a..1990faa76b 100644
--- a/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml
+++ b/detections/cloud/azure_ad_privileged_role_assigned_to_service_principal.yml
@@ -1,7 +1,7 @@
 name: Azure AD Privileged Role Assigned to Service Principal
 id: 5dfaa3d3-e2e4-4053-8252-16d9ee528c41
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_service_principal_authentication.yml b/detections/cloud/azure_ad_service_principal_authentication.yml
index b20987e94d..c5fca95f12 100644
--- a/detections/cloud/azure_ad_service_principal_authentication.yml
+++ b/detections/cloud/azure_ad_service_principal_authentication.yml
@@ -1,7 +1,7 @@
 name: Azure AD Service Principal Authentication
 id: 5a2ec401-60bb-474e-b936-1e66e7aa4060
-version: 7
-date: '2024-11-14'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 data_source:
 - Azure Active Directory Sign-in activity
diff --git a/detections/cloud/azure_ad_service_principal_created.yml b/detections/cloud/azure_ad_service_principal_created.yml
index 10b6d499fd..932365f405 100644
--- a/detections/cloud/azure_ad_service_principal_created.yml
+++ b/detections/cloud/azure_ad_service_principal_created.yml
@@ -1,7 +1,7 @@
 name: Azure AD Service Principal Created
 id: f8ba49e7-ffd3-4b53-8f61-e73974583c5d
-version: 6
-date: '2024-11-14'
+version: 7
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_service_principal_enumeration.yml b/detections/cloud/azure_ad_service_principal_enumeration.yml
index 19278987bd..9b6767852a 100644
--- a/detections/cloud/azure_ad_service_principal_enumeration.yml
+++ b/detections/cloud/azure_ad_service_principal_enumeration.yml
@@ -1,7 +1,7 @@
 name: Azure AD Service Principal Enumeration
 id: 3f0647ce-add5-4436-8039-cbd1abe74563
-version: 3
-date: '2025-01-06'
+version: 4
+date: '2025-05-02'
 author: Dean Luxton
 data_source:
 - Azure Active Directory MicrosoftGraphActivityLogs
diff --git a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml
index b794a26c3a..af05a9034e 100644
--- a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml
+++ b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml
@@ -1,7 +1,7 @@
 name: Azure AD Service Principal New Client Credentials
 id: e3adc0d3-9e4b-4b5d-b662-12cec1adff2a
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_service_principal_owner_added.yml b/detections/cloud/azure_ad_service_principal_owner_added.yml
index 10c1322bd7..c804bed006 100644
--- a/detections/cloud/azure_ad_service_principal_owner_added.yml
+++ b/detections/cloud/azure_ad_service_principal_owner_added.yml
@@ -1,7 +1,7 @@
 name: Azure AD Service Principal Owner Added
 id: 7ddf2084-6cf3-4a44-be83-474f7b73c701
-version: 9
-date: '2024-11-14'
+version: 10
+date: '2025-05-02'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_service_principal_privilege_escalation.yml b/detections/cloud/azure_ad_service_principal_privilege_escalation.yml
index 517d70575b..f8e2141c78 100644
--- a/detections/cloud/azure_ad_service_principal_privilege_escalation.yml
+++ b/detections/cloud/azure_ad_service_principal_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Azure AD Service Principal Privilege Escalation
 id: 29eb39d3-2bc8-49cc-99b3-35593191a588
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-05-02'
 author: Dean Luxton
 data_source:
 - Azure Active Directory Add app role assignment to service principal
diff --git a/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml b/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml
index 1f56a1c8c9..182ed0f811 100644
--- a/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml
+++ b/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml
@@ -1,7 +1,7 @@
 name: Azure AD Successful Authentication From Different Ips
 id: be6d868d-33b6-4aaa-912e-724fb555b11a
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_successful_powershell_authentication.yml b/detections/cloud/azure_ad_successful_powershell_authentication.yml
index a429a6944f..e1cab3297b 100644
--- a/detections/cloud/azure_ad_successful_powershell_authentication.yml
+++ b/detections/cloud/azure_ad_successful_powershell_authentication.yml
@@ -1,7 +1,7 @@
 name: Azure AD Successful PowerShell Authentication
 id: 62f10052-d7b3-4e48-b57b-56f8e3ac7ceb
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_successful_single_factor_authentication.yml b/detections/cloud/azure_ad_successful_single_factor_authentication.yml
index 3441687c6f..17ffe9f75b 100644
--- a/detections/cloud/azure_ad_successful_single_factor_authentication.yml
+++ b/detections/cloud/azure_ad_successful_single_factor_authentication.yml
@@ -1,7 +1,7 @@
 name: Azure AD Successful Single-Factor Authentication
 id: a560e7f6-1711-4353-885b-40be53101fcd
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml b/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml
index faf2d30de8..1338fb486b 100644
--- a/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml
+++ b/detections/cloud/azure_ad_tenant_wide_admin_consent_granted.yml
@@ -1,7 +1,7 @@
 name: Azure AD Tenant Wide Admin Consent Granted
 id: dc02c0ee-6ac0-4c7f-87ba-8ce43a4e4418
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
index 3f6b648bcd..760ce19083 100644
--- a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
@@ -1,7 +1,7 @@
 name: Azure AD Unusual Number of Failed Authentications From Ip
 id: 3d8d3a36-93b8-42d7-8d91-c5f24cec223d
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml b/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml
index ffc349d4e9..006ae6ec4b 100644
--- a/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml
+++ b/detections/cloud/azure_ad_user_consent_blocked_for_risky_application.yml
@@ -1,7 +1,7 @@
 name: Azure AD User Consent Blocked for Risky Application
 id: 06b8ec9a-d3b5-4882-8f16-04b4d10f5eab
-version: 7
-date: '2024-11-14'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml b/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml
index 3df8673124..0ab61b6d06 100644
--- a/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml
+++ b/detections/cloud/azure_ad_user_consent_denied_for_oauth_application.yml
@@ -1,7 +1,7 @@
 name: Azure AD User Consent Denied for OAuth Application
 id: bb093c30-d860-4858-a56e-cd0895d5b49c
-version: 9
-date: '2024-11-14'
+version: 10
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
index 2ee99532aa..fce3518b6f 100644
--- a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
+++ b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
@@ -1,7 +1,7 @@
 name: Azure AD User Enabled And Password Reset
 id: 1347b9e8-2daa-4a6f-be73-b421d3d9e268
-version: 8
-date: '2024-11-14'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
index 1872937a15..1b37dd9610 100644
--- a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
+++ b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
@@ -1,7 +1,7 @@
 name: Azure AD User ImmutableId Attribute Updated
 id: 0c0badad-4536-4a84-a561-5ff760f3c00e
-version: 7
-date: '2024-11-14'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_automation_account_created.yml b/detections/cloud/azure_automation_account_created.yml
index 91e63d2c61..d6b2768640 100644
--- a/detections/cloud/azure_automation_account_created.yml
+++ b/detections/cloud/azure_automation_account_created.yml
@@ -1,7 +1,7 @@
 name: Azure Automation Account Created
 id: 860902fd-2e76-46b3-b050-ba548dab576c
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_automation_runbook_created.yml b/detections/cloud/azure_automation_runbook_created.yml
index 13b00981d1..adef214395 100644
--- a/detections/cloud/azure_automation_runbook_created.yml
+++ b/detections/cloud/azure_automation_runbook_created.yml
@@ -1,7 +1,7 @@
 name: Azure Automation Runbook Created
 id: 178d696d-6dc6-4ee8-9d25-93fee34eaf5b
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/azure_runbook_webhook_created.yml b/detections/cloud/azure_runbook_webhook_created.yml
index 6c9b40798d..d380235860 100644
--- a/detections/cloud/azure_runbook_webhook_created.yml
+++ b/detections/cloud/azure_runbook_webhook_created.yml
@@ -1,7 +1,7 @@
 name: Azure Runbook Webhook Created
 id: e98944a9-92e4-443c-81b8-a322e33ce75a
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/circle_ci_disable_security_job.yml b/detections/cloud/circle_ci_disable_security_job.yml
index 94550f371d..d753dfbba6 100644
--- a/detections/cloud/circle_ci_disable_security_job.yml
+++ b/detections/cloud/circle_ci_disable_security_job.yml
@@ -1,7 +1,7 @@
 name: Circle CI Disable Security Job
 id: 4a2fdd41-c578-4cd4-9ef7-980e352517f2
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/circle_ci_disable_security_step.yml b/detections/cloud/circle_ci_disable_security_step.yml
index 8e6270b71e..68a4d47183 100644
--- a/detections/cloud/circle_ci_disable_security_step.yml
+++ b/detections/cloud/circle_ci_disable_security_step.yml
@@ -1,7 +1,7 @@
 name: Circle CI Disable Security Step
 id: 72cb9de9-e98b-4ac9-80b2-5331bba6ea97
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml b/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml
index 8f06d84364..2bbef6b52c 100644
--- a/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml
+++ b/detections/cloud/cloud_api_calls_from_previously_unseen_user_roles.yml
@@ -1,7 +1,7 @@
 name: Cloud API Calls From Previously Unseen User Roles
 id: 2181ad1f-1e73-4d0c-9780-e8880482a08f
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml b/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml
index 67198da281..93a2f0a935 100644
--- a/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml
+++ b/detections/cloud/cloud_compute_instance_created_by_previously_unseen_user.yml
@@ -1,7 +1,7 @@
 name: Cloud Compute Instance Created By Previously Unseen User
 id: 37a0ec8d-827e-4d6d-8025-cedf31f3a149
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Rico Valdez, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml b/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml
index 253542b0e7..70e143c452 100644
--- a/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml
+++ b/detections/cloud/cloud_compute_instance_created_in_previously_unused_region.yml
@@ -1,7 +1,7 @@
 name: Cloud Compute Instance Created In Previously Unused Region
 id: fa4089e2-50e3-40f7-8469-d2cc1564ca59
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml
index 7ec7ee2a3f..a46dfe5e97 100644
--- a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml
+++ b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_image.yml
@@ -1,7 +1,7 @@
 name: Cloud Compute Instance Created With Previously Unseen Image
 id: bc24922d-987c-4645-b288-f8c73ec194c4
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml
index 011eeb6a29..ec757c3bc0 100644
--- a/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml
+++ b/detections/cloud/cloud_compute_instance_created_with_previously_unseen_instance_type.yml
@@ -1,7 +1,7 @@
 name: Cloud Compute Instance Created With Previously Unseen Instance Type
 id: c6ddbf53-9715-49f3-bb4c-fb2e8a309cda
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml b/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml
index ffe314acbf..9bdfbd1a0e 100644
--- a/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml
+++ b/detections/cloud/cloud_instance_modified_by_previously_unseen_user.yml
@@ -1,7 +1,7 @@
 name: Cloud Instance Modified By Previously Unseen User
 id: 7fb15084-b14e-405a-bd61-a6de15a40722
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Rico Valdez, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml
index d4d135b466..dca2820a0c 100644
--- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml
+++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_city.yml
@@ -1,7 +1,7 @@
 name: Cloud Provisioning Activity From Previously Unseen City
 id: e7ecc5e0-88df-48b9-91af-51104c68f02f
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Rico Valdez, Bhavin Patel, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml
index ce1258983e..0ce1acbec8 100644
--- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml
+++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_country.yml
@@ -1,7 +1,7 @@
 name: Cloud Provisioning Activity From Previously Unseen Country
 id: 94994255-3acf-4213-9b3f-0494df03bb31
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Rico Valdez, Bhavin Patel, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml
index a8abf1856b..ac493e3a2f 100644
--- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml
+++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_ip_address.yml
@@ -1,7 +1,7 @@
 name: Cloud Provisioning Activity From Previously Unseen IP Address
 id: f86a8ec9-b042-45eb-92f4-e9ed1d781078
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Rico Valdez, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml
index cfa4bfdf65..606514f917 100644
--- a/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml
+++ b/detections/cloud/cloud_provisioning_activity_from_previously_unseen_region.yml
@@ -1,7 +1,7 @@
 name: Cloud Provisioning Activity From Previously Unseen Region
 id: 5aba1860-9617-4af9-b19d-aecac16fe4f2
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Rico Valdez, Bhavin Patel, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/cloud_security_groups_modifications_by_user.yml b/detections/cloud/cloud_security_groups_modifications_by_user.yml
index 0f94dcf4fc..d75189d0a0 100644
--- a/detections/cloud/cloud_security_groups_modifications_by_user.yml
+++ b/detections/cloud/cloud_security_groups_modifications_by_user.yml
@@ -1,7 +1,7 @@
 name: Cloud Security Groups Modifications by User
 id: cfe7cca7-2746-4bdf-b712-b01ed819b9de
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 data_source:
 - AWS CloudTrail
diff --git a/detections/cloud/detect_aws_console_login_by_new_user.yml b/detections/cloud/detect_aws_console_login_by_new_user.yml
index 135b7f9126..c938b3e9bb 100644
--- a/detections/cloud/detect_aws_console_login_by_new_user.yml
+++ b/detections/cloud/detect_aws_console_login_by_new_user.yml
@@ -1,7 +1,7 @@
 name: Detect AWS Console Login by New User
 id: bc91a8cd-35e7-4bb2-6140-e756cc46fd71
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Rico Valdez, Splunk
 status: experimental
 type: Hunting
diff --git a/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml b/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml
index 041ef49278..fe2c7e70e8 100644
--- a/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml
+++ b/detections/cloud/detect_aws_console_login_by_user_from_new_city.yml
@@ -1,7 +1,7 @@
 name: Detect AWS Console Login by User from New City
 id: 121b0b11-f8ac-4ed6-a132-3800ca4fc07a
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Eric McGinnis Splunk
 status: production
 type: Hunting
diff --git a/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml b/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml
index 11effae0f4..4d609dbfb4 100644
--- a/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml
+++ b/detections/cloud/detect_aws_console_login_by_user_from_new_country.yml
@@ -1,7 +1,7 @@
 name: Detect AWS Console Login by User from New Country
 id: 67bd3def-c41c-4bf6-837b-ae196b4257c6
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Eric McGinnis Splunk
 status: production
 type: Hunting
diff --git a/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml b/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml
index 9fc447b49b..dfebaa206c 100644
--- a/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml
+++ b/detections/cloud/detect_aws_console_login_by_user_from_new_region.yml
@@ -1,7 +1,7 @@
 name: Detect AWS Console Login by User from New Region
 id: 9f31aa8e-e37c-46bc-bce1-8b3be646d026
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Eric McGinnis Splunk
 status: production
 type: Hunting
diff --git a/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml b/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml
index 52db64a537..84b759ab07 100644
--- a/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml
+++ b/detections/cloud/detect_gcp_storage_access_from_a_new_ip.yml
@@ -1,7 +1,7 @@
 name: Detect GCP Storage access from a new IP
 id: ccc3246a-daa1-11ea-87d0-0242ac130022
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Shannon Davis, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/detect_new_open_gcp_storage_buckets.yml b/detections/cloud/detect_new_open_gcp_storage_buckets.yml
index 5e131f80a9..0b199f7ab6 100644
--- a/detections/cloud/detect_new_open_gcp_storage_buckets.yml
+++ b/detections/cloud/detect_new_open_gcp_storage_buckets.yml
@@ -1,7 +1,7 @@
 name: Detect New Open GCP Storage Buckets
 id: f6ea3466-d6bb-11ea-87d0-0242ac130003
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Shannon Davis, Splunk
 status: experimental
 type: TTP
diff --git a/detections/cloud/detect_new_open_s3_buckets.yml b/detections/cloud/detect_new_open_s3_buckets.yml
index bb7d4f8d9d..393fb2a550 100644
--- a/detections/cloud/detect_new_open_s3_buckets.yml
+++ b/detections/cloud/detect_new_open_s3_buckets.yml
@@ -1,7 +1,7 @@
 name: Detect New Open S3 buckets
 id: 2a9b80d3-6340-4345-b5ad-290bf3d0dac4
-version: 6
-date: '2024-11-14'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml b/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml
index 809b7631c1..93c78f022c 100644
--- a/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml
+++ b/detections/cloud/detect_new_open_s3_buckets_over_aws_cli.yml
@@ -1,7 +1,7 @@
 name: Detect New Open S3 Buckets over AWS CLI
 id: 39c61d09-8b30-4154-922b-2d0a694ecc22
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/detect_s3_access_from_a_new_ip.yml b/detections/cloud/detect_s3_access_from_a_new_ip.yml
index 7bde386ddb..7e69c035a5 100644
--- a/detections/cloud/detect_s3_access_from_a_new_ip.yml
+++ b/detections/cloud/detect_s3_access_from_a_new_ip.yml
@@ -1,7 +1,7 @@
 name: Detect S3 access from a new IP
 id: e6f1bb1b-f441-492b-9126-902acda217da
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml
index 1772e2c65c..e451e23682 100644
--- a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml
+++ b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_ec2_instance.yml
@@ -1,7 +1,7 @@
 name: Detect Spike in AWS Security Hub Alerts for EC2 Instance
 id: 2a9b80d3-6340-4345-b5ad-290bf5d0d222
-version: 6
-date: '2024-11-14'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml
index 8a73d68bdb..f1aa5b57fc 100644
--- a/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml
+++ b/detections/cloud/detect_spike_in_aws_security_hub_alerts_for_user.yml
@@ -1,7 +1,7 @@
 name: Detect Spike in AWS Security Hub Alerts for User
 id: 2a9b80d3-6220-4345-b5ad-290bf5d0d222
-version: 6
-date: '2024-11-14'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml b/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml
index 9421b46f24..4cced2797f 100644
--- a/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml
+++ b/detections/cloud/detect_spike_in_blocked_outbound_traffic_from_your_aws.yml
@@ -1,7 +1,7 @@
 name: Detect Spike in blocked Outbound Traffic from your AWS
 id: d3fffa37-492f-487b-a35d-c60fcb2acf01
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/detect_spike_in_s3_bucket_deletion.yml b/detections/cloud/detect_spike_in_s3_bucket_deletion.yml
index c85b9a241f..ac2dbf96d4 100644
--- a/detections/cloud/detect_spike_in_s3_bucket_deletion.yml
+++ b/detections/cloud/detect_spike_in_s3_bucket_deletion.yml
@@ -1,7 +1,7 @@
 name: Detect Spike in S3 Bucket deletion
 id: e733a326-59d2-446d-b8db-14a17151aa68
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml b/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml
index be2a129f28..5839551708 100644
--- a/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml
+++ b/detections/cloud/gcp_authentication_failed_during_mfa_challenge.yml
@@ -1,7 +1,7 @@
 name: GCP Authentication Failed During MFA Challenge
 id: 345f7e1d-a3fe-4158-abd8-e630f9878323
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Bhavin Patel, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/gcp_detect_gcploit_framework.yml b/detections/cloud/gcp_detect_gcploit_framework.yml
index f7ec51e659..2669be4814 100644
--- a/detections/cloud/gcp_detect_gcploit_framework.yml
+++ b/detections/cloud/gcp_detect_gcploit_framework.yml
@@ -1,7 +1,7 @@
 name: GCP Detect gcploit framework
 id: a1c5a85e-a162-410c-a5d9-99ff639e5a52
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Rod Soto, Splunk
 status: experimental
 type: TTP
diff --git a/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml b/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml
index 703798c90b..82c8f6ec01 100644
--- a/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml
+++ b/detections/cloud/gcp_kubernetes_cluster_pod_scan_detection.yml
@@ -1,7 +1,7 @@
 name: GCP Kubernetes cluster pod scan detection
 id: 19b53215-4a16-405b-8087-9e6acf619842
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Rod Soto, Splunk
 status: experimental
 type: Hunting
diff --git a/detections/cloud/gcp_multi_factor_authentication_disabled.yml b/detections/cloud/gcp_multi_factor_authentication_disabled.yml
index 8cd3aaa3f2..cdc9880ec5 100644
--- a/detections/cloud/gcp_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/gcp_multi_factor_authentication_disabled.yml
@@ -1,7 +1,7 @@
 name: GCP Multi-Factor Authentication Disabled
 id: b9bc5513-6fc1-4821-85a3-e1d81e451c83
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Bhavin Patel, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml
index 5cf8cb4f76..d1c11caaaa 100644
--- a/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/cloud/gcp_multiple_failed_mfa_requests_for_user.yml
@@ -1,7 +1,7 @@
 name: GCP Multiple Failed MFA Requests For User
 id: cbb3cb84-c06f-4393-adcc-5cb6195621f1
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml
index e28b5c9779..fb91acee35 100644
--- a/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/gcp_multiple_users_failing_to_authenticate_from_ip.yml
@@ -1,7 +1,7 @@
 name: GCP Multiple Users Failing To Authenticate From Ip
 id: da20828e-d6fb-4ee5-afb7-d0ac200923d5
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/gcp_successful_single_factor_authentication.yml b/detections/cloud/gcp_successful_single_factor_authentication.yml
index 7d02f819bc..cdb30399aa 100644
--- a/detections/cloud/gcp_successful_single_factor_authentication.yml
+++ b/detections/cloud/gcp_successful_single_factor_authentication.yml
@@ -1,7 +1,7 @@
 name: GCP Successful Single-Factor Authentication
 id: 40e17d88-87da-414e-b253-8dc1e4f9555b
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Bhavin Patel, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml
index ebf130022f..f3739e61cf 100644
--- a/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/gcp_unusual_number_of_failed_authentications_from_ip.yml
@@ -1,7 +1,7 @@
 name: GCP Unusual Number of Failed Authentications From Ip
 id: bd8097ed-958a-4873-87d9-44f2b4d85705
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/gdrive_suspicious_file_sharing.yml b/detections/cloud/gdrive_suspicious_file_sharing.yml
index 028c0bee24..04aebf5d18 100644
--- a/detections/cloud/gdrive_suspicious_file_sharing.yml
+++ b/detections/cloud/gdrive_suspicious_file_sharing.yml
@@ -1,7 +1,7 @@
 name: Gdrive suspicious file sharing
 id: a7131dae-34e3-11ec-a2de-acde48001122
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Rod Soto, Teoderick Contreras
 status: experimental
 type: Hunting
diff --git a/detections/cloud/github_enterprise_delete_branch_ruleset.yml b/detections/cloud/github_enterprise_delete_branch_ruleset.yml
index 08ba104de9..c43755b1f5 100644
--- a/detections/cloud/github_enterprise_delete_branch_ruleset.yml
+++ b/detections/cloud/github_enterprise_delete_branch_ruleset.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Delete Branch Ruleset
 id: 6169ea23-3719-439f-957a-0ea5174b70e2
-version: 1
-date: '2025-01-17'
+version: 2
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/github_enterprise_disable_2fa_requirement.yml b/detections/cloud/github_enterprise_disable_2fa_requirement.yml
index 3e6106cd8e..3950156018 100644
--- a/detections/cloud/github_enterprise_disable_2fa_requirement.yml
+++ b/detections/cloud/github_enterprise_disable_2fa_requirement.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Disable 2FA Requirement
 id: 5a773226-ebd7-480c-a819-fccacfeddcd9
-version: 1
-date: '2025-01-17'
+version: 2
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/github_enterprise_disable_audit_log_event_stream.yml b/detections/cloud/github_enterprise_disable_audit_log_event_stream.yml
index eedfe2739c..f070a0c40b 100644
--- a/detections/cloud/github_enterprise_disable_audit_log_event_stream.yml
+++ b/detections/cloud/github_enterprise_disable_audit_log_event_stream.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Disable Audit Log Event Stream
 id: 7bc111cc-7f1b-4be7-99fa-50cf8d2e7564
-version: 1
-date: '2025-01-16'
+version: 2
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/github_enterprise_disable_classic_branch_protection_rule.yml b/detections/cloud/github_enterprise_disable_classic_branch_protection_rule.yml
index ff2d4d96e9..03353babec 100644
--- a/detections/cloud/github_enterprise_disable_classic_branch_protection_rule.yml
+++ b/detections/cloud/github_enterprise_disable_classic_branch_protection_rule.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Disable Classic Branch Protection Rule
 id: 372176ba-450c-4abd-9b86-419bb44c1b76
-version: 1
-date: '2025-01-17'
+version: 2
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/github_enterprise_disable_dependabot.yml b/detections/cloud/github_enterprise_disable_dependabot.yml
index ad9f8b33cf..f13117fbe0 100644
--- a/detections/cloud/github_enterprise_disable_dependabot.yml
+++ b/detections/cloud/github_enterprise_disable_dependabot.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Disable Dependabot
 id: 787dd1c1-eb3a-4a31-8e8c-2ad24b214bc8
-version: 1
-date: '2025-01-14'
+version: 2
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/github_enterprise_disable_ip_allow_list.yml b/detections/cloud/github_enterprise_disable_ip_allow_list.yml
index 5c10d09e24..0800fd9e37 100644
--- a/detections/cloud/github_enterprise_disable_ip_allow_list.yml
+++ b/detections/cloud/github_enterprise_disable_ip_allow_list.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Disable IP Allow List
 id: afed020e-edcd-4913-a675-cebedf81d4fb
-version: 1
-date: '2025-01-20'
+version: 2
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/github_enterprise_modify_audit_log_event_stream.yml b/detections/cloud/github_enterprise_modify_audit_log_event_stream.yml
index 9ee5436d09..793124930d 100644
--- a/detections/cloud/github_enterprise_modify_audit_log_event_stream.yml
+++ b/detections/cloud/github_enterprise_modify_audit_log_event_stream.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Modify Audit Log Event Stream
 id: 99abf2e1-863c-4ec6-82f8-714391590a4c
-version: 1
-date: '2025-01-16'
+version: 2
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/github_enterprise_pause_audit_log_event_stream.yml b/detections/cloud/github_enterprise_pause_audit_log_event_stream.yml
index 7490703412..4d4eca6f31 100644
--- a/detections/cloud/github_enterprise_pause_audit_log_event_stream.yml
+++ b/detections/cloud/github_enterprise_pause_audit_log_event_stream.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Pause Audit Log Event Stream
 id: 21083dcb-276d-4ef9-8f7e-2113ca5e8094
-version: 1
-date: '2025-01-16'
+version: 2
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/github_enterprise_register_self_hosted_runner.yml b/detections/cloud/github_enterprise_register_self_hosted_runner.yml
index bb1a3bd5b6..ba5296221b 100644
--- a/detections/cloud/github_enterprise_register_self_hosted_runner.yml
+++ b/detections/cloud/github_enterprise_register_self_hosted_runner.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Register Self Hosted Runner
 id: b27685a2-8826-4123-ab78-2d9d0d419ed0
-version: 1
-date: '2025-01-20'
+version: 2
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/github_enterprise_remove_organization.yml b/detections/cloud/github_enterprise_remove_organization.yml
index 7fbf54a930..d88cb4f974 100644
--- a/detections/cloud/github_enterprise_remove_organization.yml
+++ b/detections/cloud/github_enterprise_remove_organization.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Remove Organization
 id: 94cb89aa-aec1-4585-91b1-affcdacf357e
-version: 1
-date: '2025-01-16'
+version: 2
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/github_enterprise_repository_archived.yml b/detections/cloud/github_enterprise_repository_archived.yml
index d607300ccc..eedd8ddc57 100644
--- a/detections/cloud/github_enterprise_repository_archived.yml
+++ b/detections/cloud/github_enterprise_repository_archived.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Repository Archived
 id: 8367cb99-bae1-4748-ae3b-0927bb381424
-version: 1
-date: '2025-01-17'
+version: 2
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/github_enterprise_repository_deleted.yml b/detections/cloud/github_enterprise_repository_deleted.yml
index 04d644a411..c750166921 100644
--- a/detections/cloud/github_enterprise_repository_deleted.yml
+++ b/detections/cloud/github_enterprise_repository_deleted.yml
@@ -1,7 +1,7 @@
 name: GitHub Enterprise Repository Deleted
 id: f709e736-3e6c-492f-b865-bc7696cc24a7
-version: 1
-date: '2025-01-16'
+version: 2
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/github_organizations_delete_branch_ruleset.yml b/detections/cloud/github_organizations_delete_branch_ruleset.yml
index e5343ffd83..32bb76326c 100644
--- a/detections/cloud/github_organizations_delete_branch_ruleset.yml
+++ b/detections/cloud/github_organizations_delete_branch_ruleset.yml
@@ -1,7 +1,7 @@
 name: GitHub Organizations Delete Branch Ruleset
 id: 8e454f64-4bd6-45e6-8a94-1b482593d721
-version: 1
-date: '2025-01-17'
+version: 2
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/github_organizations_disable_2fa_requirement.yml b/detections/cloud/github_organizations_disable_2fa_requirement.yml
index acf936e1f6..4e3948a26f 100644
--- a/detections/cloud/github_organizations_disable_2fa_requirement.yml
+++ b/detections/cloud/github_organizations_disable_2fa_requirement.yml
@@ -1,7 +1,7 @@
 name: GitHub Organizations Disable 2FA Requirement
 id: 3ed0d6ba-4791-4fa8-a1ef-403e438c7033
-version: 1
-date: '2025-01-17'
+version: 2
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/github_organizations_disable_classic_branch_protection_rule.yml b/detections/cloud/github_organizations_disable_classic_branch_protection_rule.yml
index 85a13e1d3c..2daa960aac 100644
--- a/detections/cloud/github_organizations_disable_classic_branch_protection_rule.yml
+++ b/detections/cloud/github_organizations_disable_classic_branch_protection_rule.yml
@@ -1,7 +1,7 @@
 name: GitHub Organizations Disable Classic Branch Protection Rule
 id: 33cffee0-41ee-402e-a238-d37825f2d788
-version: 1
-date: '2025-01-17'
+version: 2
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/github_organizations_disable_dependabot.yml b/detections/cloud/github_organizations_disable_dependabot.yml
index 9214c34f7f..4061c06123 100644
--- a/detections/cloud/github_organizations_disable_dependabot.yml
+++ b/detections/cloud/github_organizations_disable_dependabot.yml
@@ -1,7 +1,7 @@
 name: GitHub Organizations Disable Dependabot
 id: 69078d8c-0de6-45de-bb00-14e78e042fd6
-version: 1
-date: '2025-01-14'
+version: 2
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/github_organizations_repository_archived.yml b/detections/cloud/github_organizations_repository_archived.yml
index 29d5afd295..15b44fd3cd 100644
--- a/detections/cloud/github_organizations_repository_archived.yml
+++ b/detections/cloud/github_organizations_repository_archived.yml
@@ -1,7 +1,7 @@
 name: GitHub Organizations Repository Archived
 id: 4f568a0e-896f-4d94-a2f7-fa6d82ab1f77
-version: 1
-date: '2025-01-17'
+version: 2
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/github_organizations_repository_deleted.yml b/detections/cloud/github_organizations_repository_deleted.yml
index 5caf128858..ea33e2c3c5 100644
--- a/detections/cloud/github_organizations_repository_deleted.yml
+++ b/detections/cloud/github_organizations_repository_deleted.yml
@@ -1,7 +1,7 @@
 name: GitHub Organizations Repository Deleted
 id: 9ff4ca95-fdae-4eea-9ffa-6d8e1c202a71
-version: 1
-date: '2025-01-17'
+version: 2
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/gsuite_drive_share_in_external_email.yml b/detections/cloud/gsuite_drive_share_in_external_email.yml
index 0ad1ce1463..5feb24a18f 100644
--- a/detections/cloud/gsuite_drive_share_in_external_email.yml
+++ b/detections/cloud/gsuite_drive_share_in_external_email.yml
@@ -1,7 +1,7 @@
 name: Gsuite Drive Share In External Email
 id: f6ee02d6-fea0-11eb-b2c2-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/gsuite_email_suspicious_attachment.yml b/detections/cloud/gsuite_email_suspicious_attachment.yml
index 36963d2120..8ba3827168 100644
--- a/detections/cloud/gsuite_email_suspicious_attachment.yml
+++ b/detections/cloud/gsuite_email_suspicious_attachment.yml
@@ -1,7 +1,7 @@
 name: GSuite Email Suspicious Attachment
 id: 6d663014-fe92-11eb-ab07-acde48001122
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml b/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml
index 014b621125..c425fd4243 100644
--- a/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml
+++ b/detections/cloud/gsuite_email_suspicious_subject_with_attachment.yml
@@ -1,7 +1,7 @@
 name: Gsuite Email Suspicious Subject With Attachment
 id: 8ef3971e-00f2-11ec-b54f-acde48001122
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml b/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml
index 6d4f09108b..9036cd6794 100644
--- a/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml
+++ b/detections/cloud/gsuite_email_with_known_abuse_web_service_link.yml
@@ -1,7 +1,7 @@
 name: Gsuite Email With Known Abuse Web Service Link
 id: 8630aa22-042b-11ec-af39-acde48001122
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml b/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml
index 196839b387..c61a11d2e3 100644
--- a/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml
+++ b/detections/cloud/gsuite_outbound_email_with_attachment_to_external_domain.yml
@@ -1,7 +1,7 @@
 name: Gsuite Outbound Email With Attachment To External Domain
 id: dc4dc3a8-ff54-11eb-8bf7-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Stanislav Miskovic, Splunk
 status: production
 type: Hunting
diff --git a/detections/cloud/gsuite_suspicious_calendar_invite.yml b/detections/cloud/gsuite_suspicious_calendar_invite.yml
index 07a34f409a..896b94e6be 100644
--- a/detections/cloud/gsuite_suspicious_calendar_invite.yml
+++ b/detections/cloud/gsuite_suspicious_calendar_invite.yml
@@ -1,7 +1,7 @@
 name: Gsuite suspicious calendar invite
 id: 03cdd68a-34fb-11ec-9bd3-acde48001122
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Rod Soto, Teoderick Contreras
 status: experimental
 type: Hunting
diff --git a/detections/cloud/gsuite_suspicious_shared_file_name.yml b/detections/cloud/gsuite_suspicious_shared_file_name.yml
index a660e05c8c..118b230684 100644
--- a/detections/cloud/gsuite_suspicious_shared_file_name.yml
+++ b/detections/cloud/gsuite_suspicious_shared_file_name.yml
@@ -1,7 +1,7 @@
 name: Gsuite Suspicious Shared File Name
 id: 07eed200-03f5-11ec-98fb-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/high_number_of_login_failures_from_a_single_source.yml b/detections/cloud/high_number_of_login_failures_from_a_single_source.yml
index 86b213d85a..05813d8213 100644
--- a/detections/cloud/high_number_of_login_failures_from_a_single_source.yml
+++ b/detections/cloud/high_number_of_login_failures_from_a_single_source.yml
@@ -1,7 +1,7 @@
 name: High Number of Login Failures from a single source
 id: 7f398cfb-918d-41f4-8db8-2e2474e02222
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Bhavin Patel, Mauricio Velazco, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml
index 39721c6b12..1211d7c422 100644
--- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml
+++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_location.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Abuse of Secret by Unusual Location
 id: 40a064c1-4ec1-4381-9e35-61192ba8ef82
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml
index 78129f9a70..9d024286fa 100644
--- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml
+++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_agent.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Abuse of Secret by Unusual User Agent
 id: 096ab390-05ca-462c-884e-343acd5b9240
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml
index 012d36f2bd..e93dd81f09 100644
--- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml
+++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_group.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Abuse of Secret by Unusual User Group
 id: b6f45bbc-4ea9-4068-b3bc-0477f6997ae2
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml
index 942b5cccdd..4301b1b2a9 100644
--- a/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml
+++ b/detections/cloud/kubernetes_abuse_of_secret_by_unusual_user_name.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Abuse of Secret by Unusual User Name
 id: df6e9cae-5257-4a34-8f3a-df49fa0f5c46
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/kubernetes_access_scanning.yml b/detections/cloud/kubernetes_access_scanning.yml
index bea29f7af3..d5d1423c07 100644
--- a/detections/cloud/kubernetes_access_scanning.yml
+++ b/detections/cloud/kubernetes_access_scanning.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Access Scanning
 id: 2f4abe6d-5991-464d-8216-f90f42999764
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml b/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml
index 8f317e2b2a..709ec00535 100644
--- a/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml
+++ b/detections/cloud/kubernetes_anomalous_inbound_network_activity_from_process.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Anomalous Inbound Network Activity from Process
 id: 10442d8b-0701-4c25-911d-d67b906e713c
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml b/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml
index ea8dec6fb9..1ba40f029f 100644
--- a/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml
+++ b/detections/cloud/kubernetes_anomalous_inbound_outbound_network_io.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Anomalous Inbound Outbound Network IO
 id: 4f3b0c97-657e-4547-a89a-9a50c656e3cd
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml b/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml
index a599e3bc87..5e2587771b 100644
--- a/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml
+++ b/detections/cloud/kubernetes_anomalous_inbound_to_outbound_network_io_ratio.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Anomalous Inbound to Outbound Network IO Ratio
 id: 9d8f6e3f-39df-46d8-a9d4-96173edc501f
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml b/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml
index 68a3d00d76..31f4dddcd9 100644
--- a/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml
+++ b/detections/cloud/kubernetes_anomalous_outbound_network_activity_from_process.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Anomalous Outbound Network Activity from Process
 id: dd6afee6-e0a3-4028-a089-f47dd2842c22
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml b/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml
index 866e0d177b..c21784a03d 100644
--- a/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml
+++ b/detections/cloud/kubernetes_anomalous_traffic_on_network_edge.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Anomalous Traffic on Network Edge
 id: 886c7e51-2ea1-425d-8705-faaca5a64cc6
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml b/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml
index b7e9367380..ce7354b9d4 100644
--- a/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml
+++ b/detections/cloud/kubernetes_aws_detect_suspicious_kubectl_calls.yml
@@ -1,7 +1,7 @@
 name: Kubernetes AWS detect suspicious kubectl calls
 id: 042a3d32-8318-4763-9679-09db2644a8f2
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Rod Soto, Patrick Bareiss, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/kubernetes_create_or_update_privileged_pod.yml b/detections/cloud/kubernetes_create_or_update_privileged_pod.yml
index 84dc9bb782..48223001be 100644
--- a/detections/cloud/kubernetes_create_or_update_privileged_pod.yml
+++ b/detections/cloud/kubernetes_create_or_update_privileged_pod.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Create or Update Privileged Pod
 id: 3c6bd734-334d-4818-ae7c-5234313fc5da
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/kubernetes_cron_job_creation.yml b/detections/cloud/kubernetes_cron_job_creation.yml
index c1e6ebd4dd..9005d51fe2 100644
--- a/detections/cloud/kubernetes_cron_job_creation.yml
+++ b/detections/cloud/kubernetes_cron_job_creation.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Cron Job Creation
 id: 5984dbe8-572f-47d7-9251-3dff6c3f0c0d
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/kubernetes_daemonset_deployed.yml b/detections/cloud/kubernetes_daemonset_deployed.yml
index 306972a79a..0f49d36820 100644
--- a/detections/cloud/kubernetes_daemonset_deployed.yml
+++ b/detections/cloud/kubernetes_daemonset_deployed.yml
@@ -1,7 +1,7 @@
 name: Kubernetes DaemonSet Deployed
 id: bf39c3a3-b191-4d42-8738-9d9797bd0c3a
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/kubernetes_falco_shell_spawned.yml b/detections/cloud/kubernetes_falco_shell_spawned.yml
index f8bb7f8eda..66f40cb5b7 100644
--- a/detections/cloud/kubernetes_falco_shell_spawned.yml
+++ b/detections/cloud/kubernetes_falco_shell_spawned.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Falco Shell Spawned
 id: d2feef92-d54a-4a19-8306-b47c6ceba5b2
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/kubernetes_newly_seen_tcp_edge.yml b/detections/cloud/kubernetes_newly_seen_tcp_edge.yml
index 35973950d4..cce02eb247 100644
--- a/detections/cloud/kubernetes_newly_seen_tcp_edge.yml
+++ b/detections/cloud/kubernetes_newly_seen_tcp_edge.yml
@@ -1,7 +1,7 @@
 name: Kubernetes newly seen TCP edge
 id: 13f081d6-7052-428a-bbb0-892c79ca7c65
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/kubernetes_newly_seen_udp_edge.yml b/detections/cloud/kubernetes_newly_seen_udp_edge.yml
index f8a84004f6..20ce5c0ffe 100644
--- a/detections/cloud/kubernetes_newly_seen_udp_edge.yml
+++ b/detections/cloud/kubernetes_newly_seen_udp_edge.yml
@@ -1,7 +1,7 @@
 name: Kubernetes newly seen UDP edge
 id: 49b7daca-4e3c-4899-ba15-9a175e056fa9
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/kubernetes_nginx_ingress_lfi.yml b/detections/cloud/kubernetes_nginx_ingress_lfi.yml
index ab82e870f5..02cb1a4d2f 100644
--- a/detections/cloud/kubernetes_nginx_ingress_lfi.yml
+++ b/detections/cloud/kubernetes_nginx_ingress_lfi.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Nginx Ingress LFI
 id: 0f83244b-425b-4528-83db-7a88c5f66e48
-version: 6
-date: '2024-11-14'
+version: 7
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/kubernetes_nginx_ingress_rfi.yml b/detections/cloud/kubernetes_nginx_ingress_rfi.yml
index 262d24b178..a26b4b2be6 100644
--- a/detections/cloud/kubernetes_nginx_ingress_rfi.yml
+++ b/detections/cloud/kubernetes_nginx_ingress_rfi.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Nginx Ingress RFI
 id: fc5531ae-62fd-4de6-9c36-b4afdae8ca95
-version: 6
-date: '2024-11-14'
+version: 7
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/kubernetes_node_port_creation.yml b/detections/cloud/kubernetes_node_port_creation.yml
index ae8cfb1471..66f0121b67 100644
--- a/detections/cloud/kubernetes_node_port_creation.yml
+++ b/detections/cloud/kubernetes_node_port_creation.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Node Port Creation
 id: d7fc865e-b8a1-4029-a960-cf4403b821b6
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/kubernetes_pod_created_in_default_namespace.yml b/detections/cloud/kubernetes_pod_created_in_default_namespace.yml
index 568f222e74..05c5492f80 100644
--- a/detections/cloud/kubernetes_pod_created_in_default_namespace.yml
+++ b/detections/cloud/kubernetes_pod_created_in_default_namespace.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Pod Created in Default Namespace
 id: 3d6b1a81-367b-42d5-a925-6ef90b6b9f1e
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/kubernetes_pod_with_host_network_attachment.yml b/detections/cloud/kubernetes_pod_with_host_network_attachment.yml
index 00d8ea9856..dc0f54fdf0 100644
--- a/detections/cloud/kubernetes_pod_with_host_network_attachment.yml
+++ b/detections/cloud/kubernetes_pod_with_host_network_attachment.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Pod With Host Network Attachment
 id: cce357cf-43a4-494a-814b-67cea90fe990
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/kubernetes_previously_unseen_container_image_name.yml b/detections/cloud/kubernetes_previously_unseen_container_image_name.yml
index 31f9462fcb..cd811ccebb 100644
--- a/detections/cloud/kubernetes_previously_unseen_container_image_name.yml
+++ b/detections/cloud/kubernetes_previously_unseen_container_image_name.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Previously Unseen Container Image Name
 id: fea515a4-b1d8-4cd6-80d6-e0d71397b891
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/kubernetes_previously_unseen_process.yml b/detections/cloud/kubernetes_previously_unseen_process.yml
index 2c15a3ef5a..b002d50f67 100644
--- a/detections/cloud/kubernetes_previously_unseen_process.yml
+++ b/detections/cloud/kubernetes_previously_unseen_process.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Previously Unseen Process
 id: c8119b2f-d7f7-40be-940a-1c582870e8e2
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/kubernetes_process_running_from_new_path.yml b/detections/cloud/kubernetes_process_running_from_new_path.yml
index efaabebe09..a69036655c 100644
--- a/detections/cloud/kubernetes_process_running_from_new_path.yml
+++ b/detections/cloud/kubernetes_process_running_from_new_path.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Process Running From New Path
 id: 454076fb-0e9e-4adf-b93a-da132621c5e6
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml b/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml
index 9aeec13966..d3bc0b5ac4 100644
--- a/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml
+++ b/detections/cloud/kubernetes_process_with_anomalous_resource_utilisation.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Process with Anomalous Resource Utilisation
 id: 25ca9594-7a0d-4a95-a5e5-3228d7398ec8
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml b/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml
index 8c0b0f808b..2d0bc474fe 100644
--- a/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml
+++ b/detections/cloud/kubernetes_process_with_resource_ratio_anomalies.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Process with Resource Ratio Anomalies
 id: 0d42b295-0f1f-4183-b75e-377975f47c65
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/kubernetes_scanner_image_pulling.yml b/detections/cloud/kubernetes_scanner_image_pulling.yml
index 4a13f7d3ae..757c9f0947 100644
--- a/detections/cloud/kubernetes_scanner_image_pulling.yml
+++ b/detections/cloud/kubernetes_scanner_image_pulling.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Scanner Image Pulling
 id: 4890cd6b-0112-4974-a272-c5c153aee551
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml b/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml
index 96670070b9..93db2a6b07 100644
--- a/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml
+++ b/detections/cloud/kubernetes_scanning_by_unauthenticated_ip_address.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Scanning by Unauthenticated IP Address
 id: f9cadf4e-df22-4f4e-a08f-9d3344c2165d
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/kubernetes_shell_running_on_worker_node.yml b/detections/cloud/kubernetes_shell_running_on_worker_node.yml
index 2eace1935d..859a8a3936 100644
--- a/detections/cloud/kubernetes_shell_running_on_worker_node.yml
+++ b/detections/cloud/kubernetes_shell_running_on_worker_node.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Shell Running on Worker Node
 id: efebf0c4-dcf4-496f-85a2-5ab7ad8fa876
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml b/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml
index 9fc02d8dba..e2b791f51e 100644
--- a/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml
+++ b/detections/cloud/kubernetes_shell_running_on_worker_node_with_cpu_activity.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Shell Running on Worker Node with CPU Activity
 id: cc1448e3-cc7a-4518-bc9f-2fa48f61a22b
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Matthew Moore, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/cloud/kubernetes_suspicious_image_pulling.yml b/detections/cloud/kubernetes_suspicious_image_pulling.yml
index aecafbb426..c9c66bc0ba 100644
--- a/detections/cloud/kubernetes_suspicious_image_pulling.yml
+++ b/detections/cloud/kubernetes_suspicious_image_pulling.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Suspicious Image Pulling
 id: 4d3a17b3-0a6d-4ae0-9421-46623a69c122
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/kubernetes_unauthorized_access.yml b/detections/cloud/kubernetes_unauthorized_access.yml
index 4028bac07e..41c7cae27f 100644
--- a/detections/cloud/kubernetes_unauthorized_access.yml
+++ b/detections/cloud/kubernetes_unauthorized_access.yml
@@ -1,7 +1,7 @@
 name: Kubernetes Unauthorized Access
 id: 9b5f1832-e8b9-453f-93df-07a3d6a72a45
-version: 4
-date: '2024-11-14'
+version: 5
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/microsoft_intune_device_health_scripts.yml b/detections/cloud/microsoft_intune_device_health_scripts.yml
index 26a8429bfa..9f0894d6d5 100644
--- a/detections/cloud/microsoft_intune_device_health_scripts.yml
+++ b/detections/cloud/microsoft_intune_device_health_scripts.yml
@@ -1,7 +1,7 @@
 name: Microsoft Intune Device Health Scripts
 id: 6fe42e07-15b1-4caa-b547-7885666cb1bd
-version: 1
-date: '2025-01-06'
+version: 2
+date: '2025-05-02'
 author: Dean Luxton
 data_source:
 - Azure Monitor Activity
diff --git a/detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml b/detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml
index 4e8114911d..7661bd8b78 100644
--- a/detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml
+++ b/detections/cloud/microsoft_intune_devicemanagementconfigurationpolicies.yml
@@ -1,7 +1,7 @@
 name: Microsoft Intune DeviceManagementConfigurationPolicies
 id: 3c49e5ed-625c-408c-a2c7-8e2b524efb2c
-version: 1
-date: '2025-01-07'
+version: 2
+date: '2025-05-02'
 author: Dean Luxton
 data_source:
 - Azure Monitor Activity
diff --git a/detections/cloud/microsoft_intune_manual_device_management.yml b/detections/cloud/microsoft_intune_manual_device_management.yml
index d152bb5d9d..fa87da6255 100644
--- a/detections/cloud/microsoft_intune_manual_device_management.yml
+++ b/detections/cloud/microsoft_intune_manual_device_management.yml
@@ -1,7 +1,7 @@
 name: Microsoft Intune Manual Device Management
 id: 5ca7ebee-4ee7-4cf2-b3be-0ea26a00d822
-version: 1
-date: '2025-01-07'
+version: 2
+date: '2025-05-02'
 author: Dean Luxton
 data_source:
 - Azure Monitor Activity
diff --git a/detections/cloud/microsoft_intune_mobile_apps.yml b/detections/cloud/microsoft_intune_mobile_apps.yml
index 807c515f26..8aba1fb42b 100644
--- a/detections/cloud/microsoft_intune_mobile_apps.yml
+++ b/detections/cloud/microsoft_intune_mobile_apps.yml
@@ -1,7 +1,7 @@
 name: Microsoft Intune Mobile Apps
 id: 98e6b389-2806-4426-a580-8a92cb0d9710
-version: 1
-date: '2025-01-07'
+version: 2
+date: '2025-05-02'
 author: Dean Luxton
 data_source:
 - Azure Monitor Activity
diff --git a/detections/cloud/o365_add_app_role_assignment_grant_user.yml b/detections/cloud/o365_add_app_role_assignment_grant_user.yml
index a42e32f5c6..08b2f980d9 100644
--- a/detections/cloud/o365_add_app_role_assignment_grant_user.yml
+++ b/detections/cloud/o365_add_app_role_assignment_grant_user.yml
@@ -1,7 +1,7 @@
 name: O365 Add App Role Assignment Grant User
 id: b2c81cc6-6040-11eb-ae93-0242ac130002
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Rod Soto, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/o365_added_service_principal.yml b/detections/cloud/o365_added_service_principal.yml
index 4d59e18a3c..317f562445 100644
--- a/detections/cloud/o365_added_service_principal.yml
+++ b/detections/cloud/o365_added_service_principal.yml
@@ -1,7 +1,7 @@
 name: O365 Added Service Principal
 id: 1668812a-6047-11eb-ae93-0242ac130002
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Rod Soto, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml b/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml
index 8f8fccb35f..5e3fe47396 100644
--- a/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml
+++ b/detections/cloud/o365_admin_consent_bypassed_by_service_principal.yml
@@ -1,7 +1,7 @@
 name: O365 Admin Consent Bypassed by Service Principal
 id: 8a1b22eb-50ce-4e26-a691-97ff52349569
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 data_source:
 - O365 Add app role assignment to service principal.
diff --git a/detections/cloud/o365_advanced_audit_disabled.yml b/detections/cloud/o365_advanced_audit_disabled.yml
index fb35aed091..6e1f718431 100644
--- a/detections/cloud/o365_advanced_audit_disabled.yml
+++ b/detections/cloud/o365_advanced_audit_disabled.yml
@@ -1,7 +1,7 @@
 name: O365 Advanced Audit Disabled
 id: 49862dd4-9cb2-4c48-a542-8c8a588d9361
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/o365_application_available_to_other_tenants.yml b/detections/cloud/o365_application_available_to_other_tenants.yml
index 580d7b31f2..140f1d2833 100644
--- a/detections/cloud/o365_application_available_to_other_tenants.yml
+++ b/detections/cloud/o365_application_available_to_other_tenants.yml
@@ -1,7 +1,7 @@
 name: O365 Application Available To Other Tenants
 id: 942548a3-0273-47a4-8dbd-e5202437395c
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/cloud/o365_application_registration_owner_added.yml b/detections/cloud/o365_application_registration_owner_added.yml
index d5b5599246..7f9426b56c 100644
--- a/detections/cloud/o365_application_registration_owner_added.yml
+++ b/detections/cloud/o365_application_registration_owner_added.yml
@@ -1,7 +1,7 @@
 name: O365 Application Registration Owner Added
 id: c068d53f-6aaa-4558-8011-3734df878266
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/o365_applicationimpersonation_role_assigned.yml b/detections/cloud/o365_applicationimpersonation_role_assigned.yml
index de5277200c..7645fdddd2 100644
--- a/detections/cloud/o365_applicationimpersonation_role_assigned.yml
+++ b/detections/cloud/o365_applicationimpersonation_role_assigned.yml
@@ -1,7 +1,7 @@
 name: O365 ApplicationImpersonation Role Assigned
 id: 49cdce75-f814-4d56-a7a4-c64ec3a481f2
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/o365_bec_email_hiding_rule_created.yml b/detections/cloud/o365_bec_email_hiding_rule_created.yml
index 51e7cd1c9a..c12a647529 100644
--- a/detections/cloud/o365_bec_email_hiding_rule_created.yml
+++ b/detections/cloud/o365_bec_email_hiding_rule_created.yml
@@ -1,7 +1,7 @@
 name: O365 BEC Email Hiding Rule Created
 id: 603ebac2-f157-4df7-a6ac-34e8d0350f86
-version: 1
-date: '2025-02-14'
+version: 2
+date: '2025-05-02'
 author: '0xC0FFEEEE, Github Community'
 type: TTP
 status: production
diff --git a/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml b/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml
index 82eae1c519..32bd533069 100644
--- a/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml
+++ b/detections/cloud/o365_block_user_consent_for_risky_apps_disabled.yml
@@ -1,7 +1,7 @@
 name: O365 Block User Consent For Risky Apps Disabled
 id: 12a23592-e3da-4344-8545-205d3290647c
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml b/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml
index 5921cb5fd1..8ab46388c3 100644
--- a/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml
+++ b/detections/cloud/o365_bypass_mfa_via_trusted_ip.yml
@@ -1,7 +1,7 @@
 name: O365 Bypass MFA via Trusted IP
 id: c783dd98-c703-4252-9e8a-f19d9f66949e
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Bhavin Patel, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/o365_compliance_content_search_exported.yml b/detections/cloud/o365_compliance_content_search_exported.yml
index d8ef313ffa..4a634e82f9 100644
--- a/detections/cloud/o365_compliance_content_search_exported.yml
+++ b/detections/cloud/o365_compliance_content_search_exported.yml
@@ -1,7 +1,7 @@
 name: O365 Compliance Content Search Exported
 id: 2ce9f31d-ab4f-4179-b2b7-c77a9652e1d8
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 data_source: []
 type: TTP
diff --git a/detections/cloud/o365_compliance_content_search_started.yml b/detections/cloud/o365_compliance_content_search_started.yml
index e4c07c7bf2..b650b90948 100644
--- a/detections/cloud/o365_compliance_content_search_started.yml
+++ b/detections/cloud/o365_compliance_content_search_started.yml
@@ -1,7 +1,7 @@ name: O365 Compliance Content Search Started
 id: f4cabbc7-c19a-4e41-8be5-98daeaccbb50
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 data_source: []
 type: TTP
diff --git a/detections/cloud/o365_concurrent_sessions_from_different_ips.yml b/detections/cloud/o365_concurrent_sessions_from_different_ips.yml
index f7b0e7fa7f..b81d0873b0 100644
--- a/detections/cloud/o365_concurrent_sessions_from_different_ips.yml
+++ b/detections/cloud/o365_concurrent_sessions_from_different_ips.yml
@@ -1,7 +1,7 @@ name: O365 Concurrent Sessions From Different Ips
 id: 58e034de-1f87-4812-9dc3-a4f68c7db930
-version: 6
-date: '2024-11-14'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/o365_cross_tenant_access_change.yml b/detections/cloud/o365_cross_tenant_access_change.yml
index 94d4591586..5cb8ef819c 100644
--- a/detections/cloud/o365_cross_tenant_access_change.yml
+++ b/detections/cloud/o365_cross_tenant_access_change.yml
@@ -1,7 +1,7 @@ name: O365 Cross-Tenant Access Change
 id: 7c0fa490-12b0-4d0b-b9f5-e101d1e0e06f
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/cloud/o365_disable_mfa.yml b/detections/cloud/o365_disable_mfa.yml
index b74ac1f443..b4ba5a2d6b 100644
--- a/detections/cloud/o365_disable_mfa.yml
+++ b/detections/cloud/o365_disable_mfa.yml
@@ -1,7 +1,7 @@ name: O365 Disable MFA
 id: c783dd98-c703-4252-9e8a-f19d9f5c949e
-version: 6
-date: '2024-11-14'
+version: 7
+date: '2025-05-02'
 author: Rod Soto, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/o365_dlp_rule_triggered.yml b/detections/cloud/o365_dlp_rule_triggered.yml
index 9a467c3e8a..678fe40c47 100644
--- a/detections/cloud/o365_dlp_rule_triggered.yml
+++ b/detections/cloud/o365_dlp_rule_triggered.yml
@@ -1,7 +1,7 @@ name: O365 DLP Rule Triggered
 id: 63a8a537-36fd-4aac-a3ea-1a96afd2c871
-version: 6
-date: '2025-03-25'
+version: 7
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/cloud/o365_elevated_mailbox_permission_assigned.yml b/detections/cloud/o365_elevated_mailbox_permission_assigned.yml
index a2f2b47938..f8320800d5 100644
--- a/detections/cloud/o365_elevated_mailbox_permission_assigned.yml
+++ b/detections/cloud/o365_elevated_mailbox_permission_assigned.yml
@@ -1,7 +1,7 @@ name: O365 Elevated Mailbox Permission Assigned
 id: 2246c142-a678-45f8-8546-aaed7e0efd30
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Patrick Bareiss, Mauricio Velazco, Splunk
 data_source: []
 type: TTP
diff --git a/detections/cloud/o365_email_access_by_security_administrator.yml b/detections/cloud/o365_email_access_by_security_administrator.yml
index 90eaaf8a92..826044f6d1 100644
--- a/detections/cloud/o365_email_access_by_security_administrator.yml
+++ b/detections/cloud/o365_email_access_by_security_administrator.yml
@@ -1,7 +1,7 @@ name: O365 Email Access By Security Administrator
 id: c6998a30-fef4-4e89-97ac-3bb0123719b4
-version: 6
-date: '2025-03-25'
+version: 7
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/cloud/o365_email_hard_delete_excessive_volume.yml b/detections/cloud/o365_email_hard_delete_excessive_volume.yml
index 8b1c6f407e..622d0405a4 100644
--- a/detections/cloud/o365_email_hard_delete_excessive_volume.yml
+++ b/detections/cloud/o365_email_hard_delete_excessive_volume.yml
@@ -1,67 +1,67 @@
-name: O365 Email Hard Delete Excessive Volume
-id: c7fe0949-348a-41ce-8f17-a09a7fe5fd7d
-version: 1
-date: '2025-01-20'
-author: Steven Dick
-status: production
-type: Anomaly
-description: The following analytic identifies when an O365 email account hard deletes an excessive number of emails within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to permanently purge a large amount of items from the mailbox. Threat actors may attempt to remove evidence of their activity by purging items from the compromised mailbox. --- Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors.
-data_source:
-- Office 365 Universal Audit Log
-search: |-
- `o365_management_activity` Workload=Exchange (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions"))
- | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2))
- | bin _time span=1hr
- | stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, latest(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(-time) as firstTime, max(-time)
as lastTime, dc(subject) as count by _time,user
- | where count > 50 OR file_size > 10
- | `security_content_ctime(firstTime)`
- | `security_content_ctime(lastTime)`
- | `o365_email_hard_delete_excessive_volume_filter`
-how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
-known_false_positives: Users that habitually/proactively cleaning the recoverable items folder may trigger this alert.
-references:
-- https://attack.mitre.org/techniques/T1114/
-- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
-- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
-drilldown_searches:
-- name: View the detection results for - "$user$"
- search: '%original_detection_search% | search user = "$user$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-- name: Investigate Email for $user$
- search: '`o365_management_activity` Workload=Exchange (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) AND UserId = "$user$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-rba:
- message: The user $user$ deleted an excessing number of emails [$count$] within a
short timeframe
- risk_objects:
- - field: user
- type: user
- score: 25
- threat_objects:
- - field: src
- type: ip_address
-tags:
- analytic_story:
- - Office 365 Account Takeover
- - Suspicious Emails
- - Data Destruction
- asset_type: O365 Tenant
- mitre_attack_id:
- - T1070.008
- - T1485
- product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
- security_domain: threat
-tests:
-- name: True Positive Test
- attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
- source: o365
- sourcetype: o365:management:activity
+name: O365 Email Hard Delete Excessive Volume
+id: c7fe0949-348a-41ce-8f17-a09a7fe5fd7d
+version: 2
+date: '2025-05-02'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic identifies when an O365 email account hard deletes an excessive number of emails within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to permanently purge a large amount of items from the mailbox. Threat actors may attempt to remove evidence of their activity by purging items from the compromised mailbox. --- Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors.
+data_source:
+- Office 365 Universal Audit Log
+search: |-
+ `o365_management_activity` Workload=Exchange (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions"))
+ | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2))
+ | bin _time span=1hr
+ | stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, latest(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(-time) as firstTime, max(-time) as lastTime, dc(subject) as count by _time,user
+ | where count > 50 OR file_size > 10
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `o365_email_hard_delete_excessive_volume_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+known_false_positives: Users that habitually/proactively cleaning the recoverable items folder may trigger this alert.
+references:
+- https://attack.mitre.org/techniques/T1114/
+- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
+- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
+drilldown_searches:
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: Investigate Email for $user$
+ search: '`o365_management_activity` Workload=Exchange (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) AND UserId = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: The user $user$ deleted an excessing number of emails [$count$] within a short timeframe
+ risk_objects:
+ - field: user
+ type: user
+ score: 25
+ threat_objects:
+ - field: src
+ type: ip_address
+tags:
+ analytic_story:
+ - Office 365 Account Takeover
+ - Suspicious Emails
+ - Data Destruction
+ asset_type: O365 Tenant
+ mitre_attack_id:
+ - T1070.008
+ - T1485
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: threat
+tests:
+- name: True Positive Test
+ attack_data:
+ - data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
+ source: o365
+ sourcetype: o365:management:activity
diff --git a/detections/cloud/o365_email_new_inbox_rule_created.yml b/detections/cloud/o365_email_new_inbox_rule_created.yml
index 07a601a58b..e5d98fd968 100644
--- a/detections/cloud/o365_email_new_inbox_rule_created.yml
+++ b/detections/cloud/o365_email_new_inbox_rule_created.yml
@@ -1,64 +1,64 @@
-name: O365 Email New Inbox Rule Created
-id: 449f525a-7b42-47be-96a7-d9724e336c19
-version: 1
-date: '2025-01-20'
-author: Steven Dick
-status: production
-type: Anomaly
-description: The following analytic identifies the creation of new email inbox rules in an Office 365 environment. It detects events logged under New-InboxRule and Set-InboxRule operations within the o365_management_activity data source, focusing on parameters that may indicate mail forwarding, removal, or obfuscation. Inbox rule creation is a typical end-user activity however attackers also leverage this technique for multiple reasons.
-data_source:
-- Office 365 Universal Audit Log
-search: |-
- `o365_management_activity` Workload=Exchange AND (Operation=New-InboxRule OR Operation=Set-InboxRule) Parameters{}.Name IN (SoftDeleteMessage,DeleteMessage,ForwardTo,ForwardAsAttachmentTo,RedirectTo,MoveToFolder,CopyToFolder)
- | eval file_path = mvappend(MoveToFolder,CopyToFolder), recipient=mvappend(ForwardTo, ForwardAsAttachmentTo, RedirectTo), user = lower(UserId), signature = Operation, src = if(match(ClientIP, "^\["), ltrim(mvindex(split(ClientIP, "]:"), 0), "["), mvindex(split(ClientIP,":"),0)), desc = Name, action = 'Parameters{}.Name'
-
- | stats values(action) as action, values(src) as src, values(recipient) as recipient, values(file_path) as file_path, count, min(_time) as firstTime, max(_time) as lastTime by user, signature, desc
- | `security_content_ctime(firstTime)`
- | `security_content_ctime(lastTime)`
- | `o365_email_new_inbox_rule_created_filter`
-how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
-known_false_positives: Users may create email rules for legitimate purposes. Filter as needed.
-references:
-- https://attack.mitre.org/techniques/T1114/
-- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
-- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
-drilldown_searches:
-- name: View the detection results for - "$user$"
- search: '%original_detection_search% | search user = "$user$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-- name: Investigate Inbox Rules for $user$
- search: '`o365_management_activity` Workload=Exchange AND (Operation=New-InboxRule OR Operation=Set-InboxRule) AND UserId = "$user$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-rba:
- message: A new email inbox rule was created for $user$
- risk_objects:
- - field: user
- type: user
- score: 10
- threat_objects:
- - field: desc
- type: signature
-tags:
- analytic_story:
- - Office 365 Collection Techniques
- asset_type: O365 Tenant
- mitre_attack_id:
- - T1114.003
- - T1564.008
- product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
- security_domain: audit
-tests:
-- name: True Positive Test
- attack_data:
- - data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
- source: o365
- sourcetype: o365:management:activity
+name: O365 Email New Inbox Rule Created
+id: 449f525a-7b42-47be-96a7-d9724e336c19
+version: 2
+date: '2025-05-02'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic identifies the creation of new email inbox rules in an Office 365 environment. It detects events logged under New-InboxRule and Set-InboxRule operations within the o365_management_activity data source, focusing on parameters that may indicate mail forwarding, removal, or obfuscation. Inbox rule creation is a typical end-user activity however attackers also leverage this technique for multiple reasons.
+data_source:
+- Office 365 Universal Audit Log
+search: |-
+ `o365_management_activity` Workload=Exchange AND (Operation=New-InboxRule OR Operation=Set-InboxRule) Parameters{}.Name IN (SoftDeleteMessage,DeleteMessage,ForwardTo,ForwardAsAttachmentTo,RedirectTo,MoveToFolder,CopyToFolder)
+ | eval file_path = mvappend(MoveToFolder,CopyToFolder), recipient=mvappend(ForwardTo, ForwardAsAttachmentTo, RedirectTo), user = lower(UserId), signature = Operation, src = if(match(ClientIP, "^\["), ltrim(mvindex(split(ClientIP, "]:"), 0), "["), mvindex(split(ClientIP,":"),0)), desc = Name, action = 'Parameters{}.Name'
+
+ | stats values(action) as action, values(src) as src, values(recipient) as recipient, values(file_path) as file_path, count, min(_time) as firstTime, max(_time) as lastTime by user, signature, desc
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `o365_email_new_inbox_rule_created_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+known_false_positives: Users may create email rules for legitimate purposes. Filter as needed.
+references:
+- https://attack.mitre.org/techniques/T1114/
+- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
+- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
+drilldown_searches:
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: Investigate Inbox Rules for $user$
+ search: '`o365_management_activity` Workload=Exchange AND (Operation=New-InboxRule OR Operation=Set-InboxRule) AND UserId = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: A new email inbox rule was created for $user$
+ risk_objects:
+ - field: user
+ type: user
+ score: 10
+ threat_objects:
+ - field: desc
+ type: signature
+tags:
+ analytic_story:
+ - Office 365 Collection Techniques
+ asset_type: O365 Tenant
+ mitre_attack_id:
+ - T1114.003
+ - T1564.008
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: audit
+tests:
+- name: True Positive Test
+ attack_data:
+ - data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
+ source: o365
+ sourcetype: o365:management:activity
diff --git a/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml
index d0558c2d93..e72fd4555a 100644
--- a/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml
+++ b/detections/cloud/o365_email_password_and_payroll_compromise_behavior.yml
@@ -1,86 +1,86 @@
-name: O365 Email Password and Payroll Compromise Behavior
-id: e36de71a-6bdc-4002-98ff-e3e51b0d8f96
-version: 1
-date: '2025-01-20'
-author: Steven Dick
-status: production
-type: TTP
-description: The following analytic identifies when an O365 email recipient receives and then deletes emails for the combination of both password and banking/payroll changes within a short period. This behavior may indicate a compromised account where the threat actor is attempting to redirect the victims payroll to an attacker controlled bank account.
-data_source:
-- Office 365 Universal Audit Log
-- Office 365 Reporting Message Trace
-search: |-
- `o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*")
- | eval mailtime = _time
- | bin _time span=4hr
- | eval user = lower(RecipientAddress)
- | eval InternetMessageId = lower(MessageId)
- | join InternetMessageId, user max=0
- [
- | search `o365_management_activity` Workload=Exchange Operation IN ("SoftDelete","HardDelete")
- | spath path=AffectedItems{} output=AffectedItemSplit
- | fields _time,ClientIP,ClientInfoString,UserId,Operation,ResultStatus,MailboxOwnerUPN,AffectedItemSplit
- | mvexpand AffectedItemSplit | spath input=AffectedItemSplit
- | search Subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*")
- | eval deltime = _time
- | bin _time span=4hr
- | eval InternetMessageId = lower(InternetMessageId), user = lower(UserId)
- ]
- | stats values(ClientInfoString) as http_user_agent, values(ClientIP) as src, values(Subject) as subject, dc(Subject) as subject_count, values(Operation) as action, values(ResultStatus) as result, count, min(mailtime) as firstTime, max(deltime) as lastTime by user,_time
- | search subject IN ("*banking*","*direct deposit*","*pay-to*") AND subject IN ("*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*")
- |
`security_content_ctime(firstTime)`
- | `security_content_ctime(lastTime)`
- | `o365_email_password_and_payroll_compromise_behavior_filter`
-how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events.
-known_false_positives: Unknown, unlikely.
-references:
-- https://attack.mitre.org/techniques/T1114/
-- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
-- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
-drilldown_searches:
-- name: View the detection results for - "$user$"
- search: '%original_detection_search% | search user = "$user$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-- name: Investigate Email for $user$
- search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*password*","*passcode*") RecipientAddress = "$user$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-rba:
- message: The user $user$ received and deleted password and payroll change emails within a short timeframe
- risk_objects:
- - field: user
- type: user
- score: 90
- threat_objects:
- - field: src
- type: ip_address
-tags:
- analytic_story:
- - Office 365
Account Takeover
- - Office 365 Collection Techniques
- - Suspicious Emails
- - Data Destruction
- asset_type: O365 Tenant
- mitre_attack_id:
- - T1070.008
- - T1485
- - T1114.001
- product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
- security_domain: threat
-tests:
-- name: True Positive Test
- attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
- source: o365
- sourcetype: o365:management:activity
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log
- source: o365_messagetrace
- sourcetype: o365:reporting:messagetrace
+name: O365 Email Password and Payroll Compromise Behavior
+id: e36de71a-6bdc-4002-98ff-e3e51b0d8f96
+version: 2
+date: '2025-05-02'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic identifies when an O365 email recipient receives and then deletes emails for the combination of both password and banking/payroll changes within a short period. This behavior may indicate a compromised account where the threat actor is attempting to redirect the victims payroll to an attacker controlled bank account.
+data_source:
+- Office 365 Universal Audit Log
+- Office 365 Reporting Message Trace
+search: |-
+ `o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*")
+ | eval mailtime = _time
+ | bin _time span=4hr
+ | eval user = lower(RecipientAddress)
+ | eval InternetMessageId = lower(MessageId)
+ | join InternetMessageId, user max=0
+ [
+ | search `o365_management_activity` Workload=Exchange Operation IN ("SoftDelete","HardDelete")
+ | spath path=AffectedItems{} output=AffectedItemSplit
+ | fields _time,ClientIP,ClientInfoString,UserId,Operation,ResultStatus,MailboxOwnerUPN,AffectedItemSplit
+ | mvexpand AffectedItemSplit | spath input=AffectedItemSplit
+ | search Subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*")
+ | eval deltime = _time
+ | bin _time span=4hr
+ | eval InternetMessageId = lower(InternetMessageId), user = lower(UserId)
+ ]
+ | stats values(ClientInfoString) as http_user_agent, values(ClientIP) as src, values(Subject) as subject, dc(Subject) as subject_count, values(Operation) as action, values(ResultStatus) as result, count, min(mailtime) as firstTime, max(deltime) as lastTime by user,_time
+ | search subject IN ("*banking*","*direct deposit*","*pay-to*") AND subject IN ("*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*")
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `o365_email_password_and_payroll_compromise_behavior_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events.
+known_false_positives: Unknown, unlikely.
+references:
+- https://attack.mitre.org/techniques/T1114/
+- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf
+- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack
+drilldown_searches:
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: Investigate Email for $user$
+ search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*password*","*passcode*") RecipientAddress = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: The user $user$ received and deleted password and payroll change emails within a short timeframe
+ risk_objects:
+ - field: user
+ type: user
+ score: 90
+ threat_objects:
+ - field: src
+ type: ip_address
+tags:
+ analytic_story:
+ - Office 365 Account Takeover
+ - Office 365 Collection Techniques
+ - Suspicious Emails
+ - Data Destruction
+ asset_type: O365 Tenant
+ mitre_attack_id:
+ - T1070.008
+ - T1485
+ - T1114.001
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: threat
+tests:
+- name: True Positive Test
+ attack_data:
+
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log
+ source: o365
+ sourcetype: o365:management:activity
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log
+ source: o365_messagetrace
+ sourcetype: o365:reporting:messagetrace
diff --git a/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml
index 7390f3ef76..8246169862 100644
--- a/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml
+++ b/detections/cloud/o365_email_receive_and_hard_delete_takeover_behavior.yml
@@ -1,87 +1,87 @@ -name: O365 Email Receive and Hard Delete Takeover Behavior -id: b66aeaa4-586f-428b-8a2b-c4fd3039d8d3 -version: 1 -date: '2025-01-20' -author: Steven Dick -status: production -type: Anomaly -description: The following analytic identifies when an O365 email recipient receives and then deletes emails related to password or banking/payroll changes within a short period. This behavior may indicate a compromised account where the threat actor is attempting to redirect the victims payroll to an attacker controlled bank account. -data_source: -- Office 365 Universal Audit Log -- Office 365 Reporting Message Trace -search: |- - `o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*") - | eval mailtime = _time - | bin _time span=4hr - | eval user = lower(RecipientAddress) - | eval InternetMessageId = lower(MessageId) - | join InternetMessageId, user max=0 - [ - | search `o365_management_activity` Workload=Exchange Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions") - | spath path=AffectedItems{} output=AffectedItemSplit - | fields _time,ClientProcessName,ClientIPAddress,ClientInfoString,UserId,Operation,ResultStatus,MailboxOwnerUPN,AffectedItemSplit,Folder.Path - | mvexpand AffectedItemSplit | spath input=AffectedItemSplit - | search Subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*") - | eval deltime = _time - | bin _time span=4hr - | eval InternetMessageId = lower(InternetMessageId), user = lower(UserId), subject = Subject - ] - | stats values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Folder.Path) as file_path, values(Operation) as signature, values(ResultStatus) as result, values(InternetMessageId) as signature_id, count, min(mailtime) as firstTime, max(deltime) as lastTime by user,subject - | 
`security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `o365_email_receive_and_hard_delete_takeover_behavior_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events. -known_false_positives: Possible new user/account onboarding processes. -references: -- https://attack.mitre.org/techniques/T1114/ -- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf -- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack -drilldown_searches: -- name: View the detection results for - "$user$" - search: '%original_detection_search% | search user = "$user$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: Investigate Email for $user$ - search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*") AND RecipientAddress = "$user$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: The user $user$ received and deleted an email within a short timeframe titled [$subject$] which may contain password or banking information - risk_objects: - - field: 
user - type: user - score: 80 - threat_objects: - - field: subject - type: email_subject - - field: src - type: ip_address -tags: - analytic_story: - - Office 365 Account Takeover - - Office 365 Collection Techniques - - Suspicious Emails - - Data Destruction - asset_type: O365 Tenant - mitre_attack_id: - - T1070.008 - - T1485 - - T1114.001 - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - security_domain: threat -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log - source: o365 - sourcetype: o365:management:activity - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log - source: o365_messagetrace - sourcetype: o365:reporting:messagetrace +name: O365 Email Receive and Hard Delete Takeover Behavior +id: b66aeaa4-586f-428b-8a2b-c4fd3039d8d3 +version: 2 +date: '2025-05-02' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic identifies when an O365 email recipient receives and then deletes emails related to password or banking/payroll changes within a short period. This behavior may indicate a compromised account where the threat actor is attempting to redirect the victims payroll to an attacker controlled bank account. 
+data_source: +- Office 365 Universal Audit Log +- Office 365 Reporting Message Trace +search: |- + `o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*") + | eval mailtime = _time + | bin _time span=4hr + | eval user = lower(RecipientAddress) + | eval InternetMessageId = lower(MessageId) + | join InternetMessageId, user max=0 + [ + | search `o365_management_activity` Workload=Exchange Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions") + | spath path=AffectedItems{} output=AffectedItemSplit + | fields _time,ClientProcessName,ClientIPAddress,ClientInfoString,UserId,Operation,ResultStatus,MailboxOwnerUPN,AffectedItemSplit,Folder.Path + | mvexpand AffectedItemSplit | spath input=AffectedItemSplit + | search Subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*") + | eval deltime = _time + | bin _time span=4hr + | eval InternetMessageId = lower(InternetMessageId), user = lower(UserId), subject = Subject + ] + | stats values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Folder.Path) as file_path, values(Operation) as signature, values(ResultStatus) as result, values(InternetMessageId) as signature_id, count, min(mailtime) as firstTime, max(deltime) as lastTime by user,subject + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_email_receive_and_hard_delete_takeover_behavior_filter` +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events. +known_false_positives: Possible new user/account onboarding processes. 
+references: +- https://attack.mitre.org/techniques/T1114/ +- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf +- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate Email for $user$ + search: '`o365_messagetrace` subject IN ("*banking*","*direct deposit*","*pay-to*","*password *","*passcode *","*OTP *","*MFA *","*Account Recovery*") AND RecipientAddress = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: The user $user$ received and deleted an email within a short timeframe titled [$subject$] which may contain password or banking information + risk_objects: + - field: user + type: user + score: 80 + threat_objects: + - field: subject + type: email_subject + - field: src + type: ip_address +tags: + analytic_story: + - Office 365 Account Takeover + - Office 365 Collection Techniques + - Suspicious Emails + - Data Destruction + asset_type: O365 Tenant + mitre_attack_id: + - T1070.008 + - T1485 + - T1114.001 + product: + - 
Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log + source: o365 + sourcetype: o365:management:activity + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log + source: o365_messagetrace + sourcetype: o365:reporting:messagetrace diff --git a/detections/cloud/o365_email_reported_by_admin_found_malicious.yml b/detections/cloud/o365_email_reported_by_admin_found_malicious.yml index bdc52427d8..d258d91941 100644 --- a/detections/cloud/o365_email_reported_by_admin_found_malicious.yml +++ b/detections/cloud/o365_email_reported_by_admin_found_malicious.yml @@ -1,7 +1,7 @@ name: O365 Email Reported By Admin Found Malicious id: 94396c3e-7728-422a-9956-e4b77b53dbdf -version: 6 -date: '2025-03-25' +version: 7 +date: '2025-05-02' author: Steven Dick status: production type: TTP diff --git a/detections/cloud/o365_email_reported_by_user_found_malicious.yml b/detections/cloud/o365_email_reported_by_user_found_malicious.yml index 4ee61718c7..a82938ef45 100644 --- a/detections/cloud/o365_email_reported_by_user_found_malicious.yml +++ b/detections/cloud/o365_email_reported_by_user_found_malicious.yml @@ -1,7 +1,7 @@ name: O365 Email Reported By User Found Malicious id: 7698b945-238e-4bb9-b172-81f5ca1685a1 -version: 6 -date: '2025-03-25' +version: 7 +date: '2025-05-02' author: Steven Dick status: production type: TTP diff --git a/detections/cloud/o365_email_security_feature_changed.yml b/detections/cloud/o365_email_security_feature_changed.yml index f5348676c3..39902b1bc3 100644 --- a/detections/cloud/o365_email_security_feature_changed.yml +++ b/detections/cloud/o365_email_security_feature_changed.yml 
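Review bot: The description and the rba message promise a "short timeframe", but nothing in the new search enforces one: both sides `bin _time span=4hr`, yet `| join InternetMessageId, user max=0` omits `_time` from the key, so a HardDelete days after delivery still pairs with the receive event and the 4-hour bin has no effect on the result. Presumably the bin was meant to be part of the join key, `| join InternetMessageId, user, _time max=0`, although that form misses a receive at 03:59 deleted at 04:01; the sibling suspicious-behavior detection instead filters on the epoch difference after stats, e.g. `| eval timediff = lastTime - firstTime | where timediff < 14400` placed before the `security_content_ctime` macros. Whichever is chosen, the description should state the actual window so the 4-hour span is tuned deliberately rather than read as cosmetic.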
@@ -1,7 +1,7 @@ name: O365 Email Security Feature Changed id: 4d28013d-3a0f-4d65-a33f-4e8009fee0ae -version: 6 -date: '2025-03-25' +version: 7 +date: '2025-05-02' author: Steven Dick status: production type: TTP diff --git a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml index 1680afe5af..56ce1f4716 100644 --- a/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml +++ b/detections/cloud/o365_email_send_and_hard_delete_exfiltration_behavior.yml 
@@ -1,89 +1,89 @@ -name: O365 Email Send and Hard Delete Exfiltration Behavior -id: dd7798cf-c4f5-4114-ad0f-beacd9a33708 -version: 1 -date: '2025-01-20' -author: Steven Dick -status: production -type: Anomaly -description: The following analytic identifies when an O365 email account sends and then hard deletes an email to an external recipient within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to remove forensic artifacts or evidence of exfiltration activity. This behavior is often seen when threat actors want to reduce the probability of detection by the compromised account owner. -data_source: -- Office 365 Universal Audit Log -- Office 365 Reporting Message Trace -search: |- - `o365_messagetrace` Status=Delivered - | eval mailtime = _time - | bin _time span=1hr - | eval user = lower(SenderAddress), recipient = lower(RecipientAddress) - | eval InternetMessageId = lower(MessageId) - | join InternetMessageId, user, max=0 - [ - | search `o365_management_activity` Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) - | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)), InternetMessageId = lower('Item.InternetMessageId') - | eval sendtime = CASE(Operation 
IN ("Send","SendAs","SendOnBehalf"),_time) - | eval deltime = CASE(Operation IN ("SoftDelete","HardDelete"),_time) - | bin _time span=1hr - | stats values(sender) as sender, values(ClientInfoString) as http_user_agent, values(InternetMessageId) as InternetMessageId, values(file_name) as file_name, sum(file_size) as file_size, values(sendtime) as firstTime, values(deltime) as lastTime values(Operation) as signature, dc(Operation) as opcount, count by _time,subject,user - | where opcount > 1 AND firstTime < lastTime - ] - | stats values(sender) as sender, values(http_user_agent) as http_user_agent, values(signature) as signature, values(file_name) as file_name, sum(file_size) as file_size, min(firstTime) as firstTime, max(lastTime) as lastTime count by subject,user,recipient,Organization - | eval externalRecipient = if(match(lower(recipient),mvindex(split(lower(Organization),"."),0)),0,1) - | where externalRecipient = 1 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `o365_email_send_and_hard_delete_exfiltration_behavior_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events. -known_false_positives: Users that habitually/proactively cleaning the recoverable items folder may trigger this alert. 
-references: -- https://attack.mitre.org/techniques/T1114/ -- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf -- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack -drilldown_searches: -- name: View the detection results for - "$user$" - search: '%original_detection_search% | search user = "$user$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: Investigate Email for $user$ - search: '`o365_management_activity` Workload=Exchange (Operation IN ("Send")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) AND UserId = "$user$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: The user $user$ sent and hard deleted an email to an external recipient [$recipient$] within a short timeframe - risk_objects: - - field: user - type: user - score: 40 - - field: recipient - type: user - score: 40 - threat_objects: - - field: subject - type: email_subject -tags: - analytic_story: - - Office 365 Account Takeover - - Office 365 Collection Techniques - - Suspicious Emails - - Data Destruction - asset_type: O365 Tenant - mitre_attack_id: - - T1114.001 - - T1070.008 - - T1485 - product: - - 
Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - security_domain: threat -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log - source: o365 - sourcetype: o365:management:activity - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log - source: o365_messagetrace - sourcetype: o365:reporting:messagetrace +name: O365 Email Send and Hard Delete Exfiltration Behavior +id: dd7798cf-c4f5-4114-ad0f-beacd9a33708 +version: 2 +date: '2025-05-02' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic identifies when an O365 email account sends and then hard deletes an email to an external recipient within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to remove forensic artifacts or evidence of exfiltration activity. This behavior is often seen when threat actors want to reduce the probability of detection by the compromised account owner. 
+data_source: +- Office 365 Universal Audit Log +- Office 365 Reporting Message Trace +search: |- + `o365_messagetrace` Status=Delivered + | eval mailtime = _time + | bin _time span=1hr + | eval user = lower(SenderAddress), recipient = lower(RecipientAddress) + | eval InternetMessageId = lower(MessageId) + | join InternetMessageId, user, max=0 + [ + | search `o365_management_activity` Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) + | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)), InternetMessageId = lower('Item.InternetMessageId') + | eval sendtime = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),_time) + | eval deltime = CASE(Operation IN ("SoftDelete","HardDelete"),_time) + | bin _time span=1hr + | stats values(sender) as sender, values(ClientInfoString) as http_user_agent, values(InternetMessageId) as InternetMessageId, values(file_name) as file_name, sum(file_size) as file_size, values(sendtime) as firstTime, values(deltime) as lastTime values(Operation) as signature, dc(Operation) as opcount, count by _time,subject,user + | where opcount > 1 AND firstTime < lastTime + ] + | stats values(sender) as sender, values(http_user_agent) as http_user_agent, values(signature) as signature, values(file_name) as 
file_name, sum(file_size) as file_size, min(firstTime) as firstTime, max(lastTime) as lastTime count by subject,user,recipient,Organization + | eval externalRecipient = if(match(lower(recipient),mvindex(split(lower(Organization),"."),0)),0,1) + | where externalRecipient = 1 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_email_send_and_hard_delete_exfiltration_behavior_filter` +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events. +known_false_positives: Users that habitually/proactively cleaning the recoverable items folder may trigger this alert. +references: +- https://attack.mitre.org/techniques/T1114/ +- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf +- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate Email for $user$ + search: '`o365_management_activity` Workload=Exchange (Operation IN ("Send")) OR (Operation IN 
("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) AND UserId = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: The user $user$ sent and hard deleted an email to an external recipient [$recipient$] within a short timeframe + risk_objects: + - field: user + type: user + score: 40 + - field: recipient + type: user + score: 40 + threat_objects: + - field: subject + type: email_subject +tags: + analytic_story: + - Office 365 Account Takeover + - Office 365 Collection Techniques + - Suspicious Emails + - Data Destruction + asset_type: O365 Tenant + mitre_attack_id: + - T1114.001 + - T1070.008 + - T1485 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log + source: o365 + sourcetype: o365:management:activity + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log + source: o365_messagetrace + sourcetype: o365:reporting:messagetrace diff --git a/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml index a2ff074eea..56a7c26e0f 100644 --- a/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml +++ b/detections/cloud/o365_email_send_and_hard_delete_suspicious_behavior.yml 
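Review bot: The external-recipient test `| eval externalRecipient = if(match(lower(recipient),mvindex(split(lower(Organization),"."),0)),0,1)` is a loose substring regex: it takes the first label of the tenant's Organization domain and treats any recipient string containing it anywhere, in the local part or in an unrelated look-alike domain, as internal, so such recipients are silently excluded from the alert, and a label containing regex metacharacters would not match as intended. A domain-to-domain comparison, as the sibling excessive-volume detection does, is tighter: `| eval externalRecipient = if(mvindex(split(lower(recipient),"@"),1) == mvindex(split(lower(user),"@"),1), 0, 1)`; a tenant with several accepted domains would need a lookup of those domains instead, which is worth stating in how_to_implement. Separately, the "Investigate Email" drilldown filters `Operation IN ("Send")` while the main search uses `"Send*"`, so SendAs and SendOnBehalf events that produced the finding are dropped from the drilldown; aligning it to `"Send*"` keeps the pivot consistent with the detection.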
@@ -1,73 +1,73 @@ -name: O365 Email Send and Hard Delete Suspicious Behavior -id: c97b3d72-0a47-46f9-b742-b89f1cc2d551 -version: 1 -date: '2025-01-20' -author: Steven Dick -status: production -type: Anomaly -description: The following analytic identifies when an O365 email account sends and then hard deletes email with within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to remove forensic artifacts or evidence of activity. Threat actors often use this technique to prevent defenders and victims from knowing the account has been compromised. --- Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors. -data_source: -- Office 365 Universal Audit Log -search: |- - `o365_management_activity` Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) - | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)) - | eval sendtime = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),_time) - | eval deltime = CASE(Operation IN ("SoftDelete","HardDelete"),_time) - | stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, 
values(Operation) as signature, values(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(sendtime) as firstTime, max(deltime) as lastTime, dc(Operation) as opcount, count by subject,user - | eval timediff = tonumber(lastTime) - tonumber(firstTime) - | where opcount > 1 AND firstTime < lastTime AND timediff < 3600 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `o365_email_send_and_hard_delete_suspicious_behavior_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Users that habitually/proactively cleaning the recoverable items folder may trigger this alert. -references: -- https://attack.mitre.org/techniques/T1114/ -- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf -- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack -drilldown_searches: -- name: View the detection results for - "$user$" - search: '%original_detection_search% | search [CHANGEME_FIELD] = "$user$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: Investigate Email for $user$ - search: '`o365_management_activity` 
Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) AND UserId = "$user$" AND "$subject$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: The user $user$ sent and hard deleted an email within a short timeframe - risk_objects: - - field: user - type: user - score: 20 - threat_objects: - - field: src - type: ip_address - - field: subject - type: email_subject -tags: - analytic_story: - - Office 365 Account Takeover - - Office 365 Collection Techniques - - Suspicious Emails - - Data Destruction - asset_type: O365 Tenant - mitre_attack_id: - - T1114.001 - - T1070.008 - - T1485 - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - security_domain: threat -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log - source: o365 - sourcetype: o365:management:activity +name: O365 Email Send and Hard Delete Suspicious Behavior +id: c97b3d72-0a47-46f9-b742-b89f1cc2d551 +version: 2 +date: '2025-05-02' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic identifies when an O365 email account sends and then hard deletes email with within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to remove forensic artifacts or evidence of activity. Threat actors often use this technique to prevent defenders and victims from knowing the account has been compromised. --- Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors. 
+data_source: +- Office 365 Universal Audit Log +search: |- + `o365_management_activity` Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) + | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; ")), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)) + | eval sendtime = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),_time) + | eval deltime = CASE(Operation IN ("SoftDelete","HardDelete"),_time) + | stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, values(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(sendtime) as firstTime, max(deltime) as lastTime, dc(Operation) as opcount, count by subject,user + | eval timediff = tonumber(lastTime) - tonumber(firstTime) + | where opcount > 1 AND firstTime < lastTime AND timediff < 3600 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_email_send_and_hard_delete_suspicious_behavior_filter` +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. +known_false_positives: Users that habitually/proactively cleaning the recoverable items folder may trigger this alert. 
+references: +- https://attack.mitre.org/techniques/T1114/ +- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf +- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search [CHANGEME_FIELD] = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate Email for $user$ + search: '`o365_management_activity` Workload=Exchange (Operation IN ("Send*")) OR (Operation IN ("HardDelete") AND Folder.Path IN ("\\Sent Items","\\Recoverable Items\\Deletions")) AND UserId = "$user$" AND "$subject$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: The user $user$ sent and hard deleted an email within a short timeframe + risk_objects: + - field: user + type: user + score: 20 + threat_objects: + - field: src + type: ip_address + - field: subject + type: email_subject +tags: + analytic_story: + - Office 365 Account Takeover + - Office 365 Collection Techniques + - Suspicious Emails + - Data Destruction + asset_type: O365 Tenant + mitre_attack_id: + - T1114.001 + - T1070.008 + - T1485 + product: + - Splunk Enterprise + - 
Splunk Enterprise Security + - Splunk Cloud + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log + source: o365 + sourcetype: o365:management:activity diff --git a/detections/cloud/o365_email_send_attachments_excessive_volume.yml b/detections/cloud/o365_email_send_attachments_excessive_volume.yml index edcedcc498..ee0a87ae54 100644 --- a/detections/cloud/o365_email_send_attachments_excessive_volume.yml +++ b/detections/cloud/o365_email_send_attachments_excessive_volume.yml 
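Review bot: The first drilldown still carries the template placeholder `[CHANGEME_FIELD]` in `search: '%original_detection_search% | search [CHANGEME_FIELD] = "$user$"'`, so in a production-status detection the "View the detection results" pivot will fail or return nothing; the sibling O365 detections in this commit use `| search user = "$user$"`, and `user` is the field this search groups by. Change the line to `search: '%original_detection_search% | search user = "$user$"'`. Since the version is being bumped to 2 anyway, the fix is cheap to include here. The description also reads "hard deletes email with within a short period"; dropping the stray "with" would tidy it.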
@@ -1,84 +1,84 @@ -name: O365 Email Send Attachments Excessive Volume -id: 70a050a2-8537-488a-a628-b60a9558d96a -version: 1 -date: '2025-01-20' -author: Steven Dick -status: production -type: Anomaly -description: The following analytic identifies when an O365 email account sends an excessive number of email attachments to external recipients within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to exfiltrate data from the mailbox. Threat actors may attempt to transfer data through email as a simple means of exfiltration from the compromised mailbox. Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors. -data_source: -- Office 365 Universal Audit Log -search: |- - `o365_messagetrace` Status=Delivered - | eval mailtime = _time - | bin _time span=1hr - | eval user = lower(SenderAddress), recipient = lower(RecipientAddress) - | eval InternetMessageId = lower(MessageId) - | join InternetMessageId, user, _time max=0 - [ - | search `o365_management_activity` Workload=Exchange Operation IN ("Send","SendAs","SendOnBehalf") - | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; "))), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)), InternetMessageId = lower('Item.InternetMessageId') - | bin 
_time span=1hr - | eval file_name = mvfilter(NOT match(file_name, "\.jpg |\.png |\.jpeg |\.gif ")) - | search file_name=* - | stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, values(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(-time) as firstTime, max(-time) as lastTime, dc(file_name) as count by _time,user,InternetMessageId - | where count > 25 - | eval file_name = mvjoin(file_name,"||") - ] - | eval file_name = split(file_name,"||") - | stats values(sender) as sender, values(recipient) as recipient, values(http_user_agent) as http_user_agent, values(signature) as signature, values(file_name) as file_name, max(file_size) as file_size, min(firstTime) as firstTime, max(lastTime) as lastTime max(count) as count by subject,user,Organization,InternetMessageId - | eval recipient = mvmap(recipient, if(match(mvindex(split(lower(recipient),"@"),1),mvindex(split(lower(user),"@"),1)), null(),recipient)) - | search recipient = * - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `o365_email_send_attachments_excessive_volume_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events. -known_false_positives: Users or processes that are send a large number of attachments may trigger this alert, adjust thresholds accordingly. 
-references: -- https://attack.mitre.org/techniques/T1114/ -- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf -- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack -drilldown_searches: -- name: View the detection results for - "$user$" - search: '%original_detection_search% | search user = "$user$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: Investigate Email for $user$ - search: '`o365_management_activity` Workload=Exchange (Operation IN ("Send*")) AND Item.Attachments=* AND UserId = "$user$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: The user $user$ sent an excessive number of email attachments [$count$] to external recipient(s) within a short timeframe - risk_objects: - - field: user - type: user - score: 20 - threat_objects: - - field: recipient - type: email_address -tags: - analytic_story: - - Office 365 Account Takeover - - Suspicious Emails - asset_type: O365 Tenant - mitre_attack_id: - - T1070.008 - - T1485 - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - security_domain: threat -tests: -- name: True Positive Test - attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log - source: o365 - sourcetype: o365:management:activity - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log - source: o365_messagetrace - sourcetype: o365:reporting:messagetrace +name: O365 Email Send Attachments Excessive Volume +id: 70a050a2-8537-488a-a628-b60a9558d96a +version: 2 +date: '2025-05-02' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic identifies when an O365 email account sends an excessive number of email attachments to external recipients within a short period (within 1 hour). This behavior may indicate a compromised account where the threat actor is attempting to exfiltrate data from the mailbox. Threat actors may attempt to transfer data through email as a simple means of exfiltration from the compromised mailbox. Some account owner legitimate behaviors can trigger this alert, however these actions may not be aligned with organizational expectations / best practice behaviors. 
+data_source: +- Office 365 Universal Audit Log +search: |- + `o365_messagetrace` Status=Delivered + | eval mailtime = _time + | bin _time span=1hr + | eval user = lower(SenderAddress), recipient = lower(RecipientAddress) + | eval InternetMessageId = lower(MessageId) + | join InternetMessageId, user, _time max=0 + [ + | search `o365_management_activity` Workload=Exchange Operation IN ("Send","SendAs","SendOnBehalf") + | eval user = lower(UserId), sender = lower(CASE(isnotnull(SendAsUserSmtp),SendAsUserSmtp,isnotnull(SendOnBehalfOfUserSmtp),SendOnBehalfOfUserSmtp,true(),MailboxOwnerUPN)), subject = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),'Item.Subject',Operation IN ("SoftDelete","HardDelete"),'AffectedItems{}.Subject')), -time = _time,file_name = trim(CASE(Operation IN ("Send","SendAs","SendOnBehalf"),split('Item.Attachments',"; "),Operation IN ("SoftDelete","HardDelete"),split('AffectedItems{}.Attachments',"; "))), file_size = CASE(Operation IN ("Send","SendAs","SendOnBehalf"),round(tonumber('Item.SizeInBytes')/1024/1024,2),true(),round(tonumber(replace(file_name, "(.+)\s\((\d+)(b\)$)", "\2"))/1024/1024,2)), InternetMessageId = lower('Item.InternetMessageId') + | bin _time span=1hr + | eval file_name = mvfilter(NOT match(file_name, "\.jpg |\.png |\.jpeg |\.gif ")) + | search file_name=* + | stats values(sender) as sender, values(ClientIPAddress) as src, values(ClientInfoString) as http_user_agent, values(Operation) as signature, values(file_name) as file_name, sum(file_size) as file_size, values(Folder.Path) as file_path, min(-time) as firstTime, max(-time) as lastTime, dc(file_name) as count by _time,user,InternetMessageId + | where count > 25 + | eval file_name = mvjoin(file_name,"||") + ] + | eval file_name = split(file_name,"||") + | stats values(sender) as sender, values(recipient) as recipient, values(http_user_agent) as http_user_agent, values(signature) as signature, values(file_name) as file_name, max(file_size) as file_size, min(firstTime) 
as firstTime, max(lastTime) as lastTime max(count) as count by subject,user,Organization,InternetMessageId + | eval recipient = mvmap(recipient, if(match(mvindex(split(lower(recipient),"@"),1),mvindex(split(lower(user),"@"),1)), null(),recipient)) + | search recipient = * + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_email_send_attachments_excessive_volume_filter` +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events AND Message Trace events. +known_false_positives: Users or processes that are send a large number of attachments may trigger this alert, adjust thresholds accordingly. +references: +- https://attack.mitre.org/techniques/T1114/ +- https://www.hhs.gov/sites/default/files/help-desk-social-engineering-sector-alert-tlpclear.pdf +- https://intelligence.abnormalsecurity.com/attack-library/threat-actor-convincingly-impersonates-employee-requesting-direct-deposit-update-in-likely-ai-generated-attack +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate Email for $user$ + search: '`o365_management_activity` Workload=Exchange (Operation IN ("Send*")) AND 
Item.Attachments=* AND UserId = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: The user $user$ sent an excessive number of email attachments [$count$] to external recipient(s) within a short timeframe + risk_objects: + - field: user + type: user + score: 20 + threat_objects: + - field: recipient + type: email_address +tags: + analytic_story: + - Office 365 Account Takeover + - Suspicious Emails + asset_type: O365 Tenant + mitre_attack_id: + - T1070.008 + - T1485 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_exchange_suspect_events.log + source: o365 + sourcetype: o365:management:activity + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114/o365_suspect_email_actions/o365_messagetrace_suspect_events.log + source: o365_messagetrace + sourcetype: o365:reporting:messagetrace diff --git a/detections/cloud/o365_email_suspicious_behavior_alert.yml b/detections/cloud/o365_email_suspicious_behavior_alert.yml index d7dae2daba..5177aeb292 100644 --- a/detections/cloud/o365_email_suspicious_behavior_alert.yml +++ b/detections/cloud/o365_email_suspicious_behavior_alert.yml @@ -1,7 +1,7 @@ name: O365 Email Suspicious Behavior Alert id: 85c7555a-05af-4322-81aa-76b4ddf52baa -version: 6 -date: '2025-03-25' +version: 7 +date: '2025-05-02' author: Steven Dick status: production type: TTP diff --git a/detections/cloud/o365_email_suspicious_search_behavior.yml b/detections/cloud/o365_email_suspicious_search_behavior.yml index f94970bf6b..0362975e07 100644 --- a/detections/cloud/o365_email_suspicious_search_behavior.yml +++ b/detections/cloud/o365_email_suspicious_search_behavior.yml 
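Review bot: The `tags.mitre_attack_id` list on the new side (`T1070.008`, `T1485`) does not match what this search detects: the description and `references` describe attachments sent to external recipients (the references point at T1114), while the two tagged techniques are mailbox-clearing and data-destruction techniques, which looks like a carry-over from the neighbouring hard-delete detection; the tag list should name a collection/exfiltration technique such as the T1114 already cited. Only `version` and `date` differ textually between the old and new sides, so the full-file re-emission appears to be a line-ending or whitespace normalisation, and a version bump is a good moment to correct the tags rather than re-version them unchanged. A small wording fix is also due in `known_false_positives`: `Users or processes that are send a large number of attachments` → `Users or processes that send a large number of attachments`.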
@@ -1,70 +1,70 @@ -name: O365 Email Suspicious Search Behavior -id: 3b6e1d36-6916-4eec-a7d5-bc98953ba595 -version: 1 -date: '2025-02-27' -author: Steven Dick -status: production -type: Anomaly -description: The following analytic identifies when Office 365 users search for suspicious keywords or have an excessive number of queries to a mailbox within a limited timeframe. This behavior may indicate that a malicious actor has gained control of a mailbox and is conducting discovery or enumeration activities. -data_source: -- Office 365 Universal Audit Log -search: |- - `o365_management_activity` Operation=SearchQueryInitiatedExchange - | eval command = case(Operation=="SearchQueryPerformed",SearchQueryText,true(),QueryText), UserId = lower(UserId), signature_id = CorrelationId, signature=Operation, src = ClientIP, user = lower(UserId), object_name=case(Operation=="SearchQueryPerformed",'EventData',true(),QuerySource), -time = _time, suspect_terms = case(match(command, `o365_suspect_search_terms_regex`),command,true(),null()) - | where command != "*" AND command != "(*)" - | bin _time span=1hr - | `o365_email_suspicious_search_behavior_filter` - | stats values(ScenarioName) as app, values(object_name) as object_name values(command) as command, values(suspect_terms) as suspect_terms, values(src) as src, dc(suspect_terms) as suspect_terms_count, dc(command) as count, min(-time) as firstTime, max(-time) as lastTime by user,signature,_time - | where count > 20 OR suspect_terms_count >= 2 - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. You must also enable SearchQueryInitiated category as part of your organizations mailbox audit logging policy. The thresholds and match terms set within the analytic are initial guidelines and should be customized based on the organization's user behavior and risk profile. 
Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment. -known_false_positives: Users searching excessively or possible false positives related to matching conditions. -references: -- https://learn.microsoft.com/en-us/purview/audit-get-started#step-3-enable-searchqueryinitiated-events -- https://www.cisa.gov/sites/default/files/2025-01/microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf -- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a -- https://attack.mitre.org/techniques/T1114/002/ -drilldown_searches: -- name: View the detection results for - "$user$" - search: '%original_detection_search% | search user = "$user$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: Investigate search behavior by $user$ - search: '`o365_management_activity` AND Operation=SearchQueryInitiatedExchange AND UserId = "$user$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: The user $user$ searched email suspiciously, $count$ unique terms and $suspect_terms_count$ suspect terms were searched within a limited timeframe. 
- risk_objects: - - field: user - type: user - score: 35 - threat_objects: - - field: src - type: ip_address -tags: - analytic_story: - - Office 365 Account Takeover - - Office 365 Collection Techniques - - Compromised User Account - - CISA AA22-320A - asset_type: O365 Tenant - mitre_attack_id: - - T1114.002 - - T1552 - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - security_domain: threat -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log - source: o365 - sourcetype: o365:management:activity +name: O365 Email Suspicious Search Behavior +id: 3b6e1d36-6916-4eec-a7d5-bc98953ba595 +version: 2 +date: '2025-05-02' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic identifies when Office 365 users search for suspicious keywords or have an excessive number of queries to a mailbox within a limited timeframe. This behavior may indicate that a malicious actor has gained control of a mailbox and is conducting discovery or enumeration activities. 
+data_source: +- Office 365 Universal Audit Log +search: |- + `o365_management_activity` Operation=SearchQueryInitiatedExchange + | eval command = case(Operation=="SearchQueryPerformed",SearchQueryText,true(),QueryText), UserId = lower(UserId), signature_id = CorrelationId, signature=Operation, src = ClientIP, user = lower(UserId), object_name=case(Operation=="SearchQueryPerformed",'EventData',true(),QuerySource), -time = _time, suspect_terms = case(match(command, `o365_suspect_search_terms_regex`),command,true(),null()) + | where command != "*" AND command != "(*)" + | bin _time span=1hr + | `o365_email_suspicious_search_behavior_filter` + | stats values(ScenarioName) as app, values(object_name) as object_name values(command) as command, values(suspect_terms) as suspect_terms, values(src) as src, dc(suspect_terms) as suspect_terms_count, dc(command) as count, min(-time) as firstTime, max(-time) as lastTime by user,signature,_time + | where count > 20 OR suspect_terms_count >= 2 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. You must also enable SearchQueryInitiated category as part of your organizations mailbox audit logging policy. The thresholds and match terms set within the analytic are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment. +known_false_positives: Users searching excessively or possible false positives related to matching conditions. 
+references: +- https://learn.microsoft.com/en-us/purview/audit-get-started#step-3-enable-searchqueryinitiated-events +- https://www.cisa.gov/sites/default/files/2025-01/microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf +- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a +- https://attack.mitre.org/techniques/T1114/002/ +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate search behavior by $user$ + search: '`o365_management_activity` AND Operation=SearchQueryInitiatedExchange AND UserId = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: The user $user$ searched email suspiciously, $count$ unique terms and $suspect_terms_count$ suspect terms were searched within a limited timeframe. 
+ risk_objects: + - field: user + type: user + score: 35 + threat_objects: + - field: src + type: ip_address +tags: + analytic_story: + - Office 365 Account Takeover + - Office 365 Collection Techniques + - Compromised User Account + - CISA AA22-320A + asset_type: O365 Tenant + mitre_attack_id: + - T1114.002 + - T1552 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log + source: o365 + sourcetype: o365:management:activity diff --git a/detections/cloud/o365_email_transport_rule_changed.yml b/detections/cloud/o365_email_transport_rule_changed.yml index 0ed0b44614..22f5982610 100644 --- a/detections/cloud/o365_email_transport_rule_changed.yml +++ b/detections/cloud/o365_email_transport_rule_changed.yml 
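Review bot: In the `eval` on the new side, the `Operation=="SearchQueryPerformed"` branches of both `command` and `object_name` are unreachable, because the base search already restricts to `Operation=SearchQueryInitiatedExchange`; either drop the dead branches or widen the base search if SharePoint search events were meant to be covered, which the `T1213.002/o365_sus_sharepoint_search` test dataset hints at. `UserId = lower(UserId)` followed by `user = lower(UserId)` in the same `eval` is redundant and one of the two can go. Unlike the other detections in this change, the `o365_email_suspicious_search_behavior_filter` macro is applied before the `stats`, so filter entries act on raw events rather than on the aggregated results; if that is intentional a sentence in `how_to_implement` saying so would help, otherwise move it after the final `security_content_ctime` call for consistency.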
@@ -1,67 +1,67 @@ -name: O365 Email Transport Rule Changed -id: 11ebb7c2-46bd-41c9-81e1-d0b4b34583a2 -version: 2 -date: '2025-01-15' -author: Steven Dick -status: production -type: Anomaly -description: The following analytic identifies when a user with sufficient access to Exchange Online alters the mail flow/transport rule configuration of the organization. Transport rules are a set of rules that can be used by attackers to modify or delete emails based on specific conditions, this activity could indicate an attacker hiding or exfiltrated data. -data_source: -- Office 365 Universal Audit Log -search: |- - `o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") AND Operation="*TransportRule" - | eval object_name = case('Parameters{}.Name'=="Name",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Name$")),true(),ObjectId), object_id = case('Parameters{}.Name'=="Identity",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Identity$")),true(),Id) - | stats values(object_name) as object_name, min(_time) as firstTime, max(_time) as lastTime, count by object_id, UserId, Operation, signature - | rename UserId as user - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `o365_email_transport_rule_changed_filter` -how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. -known_false_positives: Legitimate administrative changes for business needs. 
-references: -- https://attack.mitre.org/techniques/T1114/003/ -- https://cardinalops.com/blog/cardinalops-contributes-new-mitre-attck-techniques-related-to-abuse-of-mail-transport-rules/ -- https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-OAuth-applications-used-to-compromise-email-servers-and-spread-spam/ -drilldown_searches: -- name: View the detection results for - "$user$" - search: '%original_detection_search% | search user = "$user$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: Investigate changes by $user$ - search: '`o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") AND Operation="*Transport*" UserId=$user$' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: The user [$user$] altered the exchange transport rule id [$object_name$] - risk_objects: - - field: user - type: user - score: 25 - threat_objects: - - field: object_id - type: signature - - field: object_name - type: signature -tags: - analytic_story: - - Data Exfiltration - - Office 365 Account Takeover - asset_type: O365 Tenant - mitre_attack_id: - - T1114.003 - - T1564.008 - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - security_domain: threat -tests: -- name: True Positive Test - attack_data: - - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change.log - source: o365 - sourcetype: o365:management:activity +name: O365 Email Transport Rule Changed +id: 11ebb7c2-46bd-41c9-81e1-d0b4b34583a2 +version: 3 +date: '2025-05-02' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic identifies when a user with sufficient access to Exchange Online alters the mail flow/transport rule configuration of the organization. Transport rules are a set of rules that can be used by attackers to modify or delete emails based on specific conditions, this activity could indicate an attacker hiding or exfiltrated data. +data_source: +- Office 365 Universal Audit Log +search: |- + `o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") AND Operation="*TransportRule" + | eval object_name = case('Parameters{}.Name'=="Name",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Name$")),true(),ObjectId), object_id = case('Parameters{}.Name'=="Identity",mvindex('Parameters{}.Value',mvfind('Parameters{}.Name',"^Identity$")),true(),Id) + | stats values(object_name) as object_name, min(_time) as firstTime, max(_time) as lastTime, count by object_id, UserId, Operation, signature + | rename UserId as user + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `o365_email_transport_rule_changed_filter` +how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. +known_false_positives: Legitimate administrative changes for business needs. 
+references: +- https://attack.mitre.org/techniques/T1114/003/ +- https://cardinalops.com/blog/cardinalops-contributes-new-mitre-attck-techniques-related-to-abuse-of-mail-transport-rules/ +- https://www.microsoft.com/en-us/security/blog/2022/09/22/malicious-OAuth-applications-used-to-compromise-email-servers-and-spread-spam/ +drilldown_searches: +- name: View the detection results for - "$user$" + search: '%original_detection_search% | search user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate changes by $user$ + search: '`o365_management_activity` Workload=Exchange AND Operation IN ("Set-*","Disable-*","New-*","Remove-*") AND Operation="*Transport*" UserId=$user$' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: The user [$user$] altered the exchange transport rule id [$object_name$] + risk_objects: + - field: user + type: user + score: 25 + threat_objects: + - field: object_id + type: signature + - field: object_name + type: signature +tags: + analytic_story: + - Data Exfiltration + - Office 365 Account Takeover + asset_type: O365 Tenant + mitre_attack_id: + - T1114.003 + - T1564.008 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: threat +tests: +- name: True Positive Test + attack_data: + - data: 
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1114.003/transport_rule_change/transport_rule_change.log + source: o365 + sourcetype: o365:management:activity diff --git a/detections/cloud/o365_excessive_authentication_failures_alert.yml b/detections/cloud/o365_excessive_authentication_failures_alert.yml index e525cbffeb..249847b712 100644 --- a/detections/cloud/o365_excessive_authentication_failures_alert.yml +++ b/detections/cloud/o365_excessive_authentication_failures_alert.yml @@ -1,7 +1,7 @@ name: O365 Excessive Authentication Failures Alert id: d441364c-349c-453b-b55f-12eccab67cf9 -version: 6 -date: '2024-11-14' +version: 7 +date: '2025-05-02' author: Rod Soto, Splunk status: production type: Anomaly diff --git a/detections/cloud/o365_excessive_sso_logon_errors.yml b/detections/cloud/o365_excessive_sso_logon_errors.yml index b839a28d7f..d821ef59f6 100644 --- a/detections/cloud/o365_excessive_sso_logon_errors.yml +++ b/detections/cloud/o365_excessive_sso_logon_errors.yml @@ -1,7 +1,7 @@ name: O365 Excessive SSO logon errors id: 8158ccc4-6038-11eb-ae93-0242ac130002 -version: 7 -date: '2024-11-14' +version: 8 +date: '2025-05-02' author: Rod Soto, Splunk status: production type: Anomaly diff --git a/detections/cloud/o365_exfiltration_via_file_access.yml b/detections/cloud/o365_exfiltration_via_file_access.yml index 7ad89f9c6f..0237e59cf2 100644 --- a/detections/cloud/o365_exfiltration_via_file_access.yml +++ b/detections/cloud/o365_exfiltration_via_file_access.yml 
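Review bot: The operation list in the new-side base search, `Operation IN ("Set-*","Disable-*","New-*","Remove-*")`, has no `Enable-*` entry, so re-enabling a previously disabled transport rule is not covered even though it is a mail-flow configuration change of the same kind; consider `Operation IN ("Set-*","Disable-*","Enable-*","New-*","Remove-*")` if the add-on emits that cmdlet name. The `stats ... by object_id, UserId, Operation, signature` clause depends on `signature` being populated for every event, since `stats` drops events missing a by-field and nothing in the search sets it — worth confirming against the add-on's field extractions. The "Investigate changes by $user$" drilldown uses unquoted `UserId=$user$` while the other drilldowns quote the token; `UserId="$user$"` keeps it consistent and safe for values with special characters. Only `version` and `date` differ textually between old and new sides, so the full-file re-emission looks like a line-ending or whitespace normalisation.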
@@ -1,68 +1,68 @@
-name: O365 Exfiltration via File Access
-id: 80b44ae2-60ff-43f1-8e56-34beb49a340a
-version: 1
-date: '2024-10-14'
-author: Steven Dick
-status: production
-type: Anomaly
-description: The following analytic detects when an excessive number of files are access from o365 by the same user over a short period of time. A malicious actor may abuse the "open in app" functionality of SharePoint through scripted or Graph API based access to evade triggering the FileDownloaded Event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be take with any Azure Guest (#EXT#) accounts.
-data_source:
-- Office 365 Universal Audit Log
-search: |-
- `o365_management_activity` Operation IN ("fileaccessed") UserId!=app@sharepoint NOT SourceFileExtension IN (bmp,png,jpeg,jpg)
- | eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
- | where NOT match(SiteUrl,user_flat)
- | stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
- | eventstats avg(count) as avg stdev(count) as stdev by Workload
- | rename SiteUrl as file_path,Workload as app
- | where count > 50 AND count > (avg + (3*(stdev)))
- | `security_content_ctime(firstTime)`
- | `security_content_ctime(lastTime)`
- | `o365_exfiltration_via_file_access_filter`
-how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
-known_false_positives: It is possible that certain file access scenarios may trigger this alert, specifically OneDrive syncing and users accessing personal onedrives of other users. Adjust threshold and filtering as needed.
-references:
-- https://attack.mitre.org/techniques/T1567/exfil
-- https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data
-- https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/
-drilldown_searches:
-- name: View the detection results for - "$user$"
- search: '%original_detection_search% | search user = "$user$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-- name: Investigate file access by $user$
- search: '`o365_management_activity` Operation IN ("fileaccessed") UserId="$UserId$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-rba:
- message: The user $user$ accessed an excessive number of files [$count$] from $file_path$ using $src$
- risk_objects:
- - field: user
- type: user
- score: 20
- threat_objects:
- - field: src
- type: ip_address
-tags:
- analytic_story:
- - Data Exfiltration
- - Office 365 Account Takeover
- asset_type: O365 Tenant
- mitre_attack_id:
- - T1567
- - T1530
- product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
- security_domain: threat
-tests:
-- name: True Positive Test
- attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log
- source: o365
- sourcetype: o365:management:activity
+name: O365 Exfiltration via File Access
+id: 80b44ae2-60ff-43f1-8e56-34beb49a340a
+version: 2
+date: '2025-05-02'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic detects when an excessive number of files are access from o365 by the same user over a short period of time. A malicious actor may abuse the "open in app" functionality of SharePoint through scripted or Graph API based access to evade triggering the FileDownloaded Event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be take with any Azure Guest (#EXT#) accounts.
+data_source:
+- Office 365 Universal Audit Log
+search: |-
+ `o365_management_activity` Operation IN ("fileaccessed") UserId!=app@sharepoint NOT SourceFileExtension IN (bmp,png,jpeg,jpg)
+ | eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
+ | where NOT match(SiteUrl,user_flat)
+ | stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
+ | eventstats avg(count) as avg stdev(count) as stdev by Workload
+ | rename SiteUrl as file_path,Workload as app
+ | where count > 50 AND count > (avg + (3*(stdev)))
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `o365_exfiltration_via_file_access_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+known_false_positives: It is possible that certain file access scenarios may trigger this alert, specifically OneDrive syncing and users accessing personal onedrives of other users. Adjust threshold and filtering as needed.
+references:
+- https://attack.mitre.org/techniques/T1567/exfil
+- https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data
+- https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/
+drilldown_searches:
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: Investigate file access by $user$
+ search: '`o365_management_activity` Operation IN ("fileaccessed") UserId="$UserId$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: The user $user$ accessed an excessive number of files [$count$] from $file_path$ using $src$
+ risk_objects:
+ - field: user
+ type: user
+ score: 20
+ threat_objects:
+ - field: src
+ type: ip_address
+tags:
+ analytic_story:
+ - Data Exfiltration
+ - Office 365 Account Takeover
+ asset_type: O365 Tenant
+ mitre_attack_id:
+ - T1567
+ - T1530
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: threat
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log
+ source: o365
+ sourcetype: o365:management:activity
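Review bot: The `user` normalisation in the eval line, `replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@")`, rewrites every underscore in the principal name rather than only the one that stands in for `@` in a guest (`#EXT#`) UPN, so a non-guest such as `john_doe@example.com` (constructed example) becomes `john@doe@example.com` and the `user` risk object no longer matches the identity it was meant to attribute. Only the last underscore of a guest principal should become `@`, and non-guest principals should pass through unchanged, e.g. `| eval user = if(match(lower(UserId),"#ext#"), replace(mvindex(split(lower(UserId),"#ext#"),0),"_(?=[^_]*$)","@"), lower(UserId))`. The same eval is present in the file-download and file-sync-download hunks below and needs the same correction. Separately, the description in this file still reads "files are access" and "should be take"; "files are accessed" and "should be taken" would be correct.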
diff --git a/detections/cloud/o365_exfiltration_via_file_download.yml b/detections/cloud/o365_exfiltration_via_file_download.yml
index a4b504d0d8..f3bde7110b 100644
--- a/detections/cloud/o365_exfiltration_via_file_download.yml
+++ b/detections/cloud/o365_exfiltration_via_file_download.yml
@@ -1,66 +1,66 @@
-name: O365 Exfiltration via File Download
-id: 06b23921-bfe2-4576-89dd-616f06e129da
-version: 1
-date: '2024-10-14'
-author: Steven Dick
-status: production
-type: Anomaly
-description: The following analytic detects when an excessive number of files are downloaded from o365 by the same user over a short period of time. O365 may bundle these files together as a ZIP file, however each file will have it's own download event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be taken with any Azure Guest (#EXT#) accounts.
-data_source:
-- Office 365 Universal Audit Log
-search: |-
- `o365_management_activity` Operation IN ("filedownloaded")
- | eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
- | stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
- | rename SiteUrl as file_path,Workload as app
- | where count > 50
- | `security_content_ctime(firstTime)`
- | `security_content_ctime(lastTime)`
- | `o365_exfiltration_via_file_download_filter`
-how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
-known_false_positives: It is possible that certain file download scenarios may trigger this alert, specifically OneDrive syncing. Adjust threshold and filtering as needed.
-references:
-- https://attack.mitre.org/techniques/T1567/exfil
-- https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data
-- https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/
-drilldown_searches:
-- name: View the detection results for - "$user$"
- search: '%original_detection_search% | search user = "$user$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-- name: Investigate file downloads by $user$
- search: '`o365_management_activity` Operation IN ("filedownloaded") UserId="$UserId$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-rba:
- message: The user $user$ downloaded an excessive number of files [$count$] from $file_path$ using $src$
- risk_objects:
- - field: user
- type: user
- score: 25
- threat_objects:
- - field: src
- type: ip_address
-tags:
- analytic_story:
- - Data Exfiltration
- - Office 365 Account Takeover
- asset_type: O365 Tenant
- mitre_attack_id:
- - T1567
- - T1530
- product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
- security_domain: threat
-tests:
-- name: True Positive Test
- attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log
- source: o365
- sourcetype: o365:management:activity
+name: O365 Exfiltration via File Download
+id: 06b23921-bfe2-4576-89dd-616f06e129da
+version: 2
+date: '2025-05-02'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic detects when an excessive number of files are downloaded from o365 by the same user over a short period of time. O365 may bundle these files together as a ZIP file, however each file will have it's own download event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be taken with any Azure Guest (#EXT#) accounts.
+data_source:
+- Office 365 Universal Audit Log
+search: |-
+ `o365_management_activity` Operation IN ("filedownloaded")
+ | eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
+ | stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
+ | rename SiteUrl as file_path,Workload as app
+ | where count > 50
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `o365_exfiltration_via_file_download_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+known_false_positives: It is possible that certain file download scenarios may trigger this alert, specifically OneDrive syncing. Adjust threshold and filtering as needed.
+references:
+- https://attack.mitre.org/techniques/T1567/exfil
+- https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data
+- https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/
+drilldown_searches:
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: Investigate file downloads by $user$
+ search: '`o365_management_activity` Operation IN ("filedownloaded") UserId="$UserId$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: The user $user$ downloaded an excessive number of files [$count$] from $file_path$ using $src$
+ risk_objects:
+ - field: user
+ type: user
+ score: 25
+ threat_objects:
+ - field: src
+ type: ip_address
+tags:
+ analytic_story:
+ - Data Exfiltration
+ - Office 365 Account Takeover
+ asset_type: O365 Tenant
+ mitre_attack_id:
+ - T1567
+ - T1530
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: threat
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log
+ source: o365
+ sourcetype: o365:management:activity
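Review bot: `user_flat` is computed in the eval line of this search but never referenced afterwards — unlike the file-access and file-sync-download analytics, this pipeline has no `| where NOT match(SiteUrl,user_flat)` step, so that half of the eval is dead. Either drop `user_flat = replace(UserId, "[^A-Za-z0-9]","_")` from the eval, or add the same `| where NOT match(SiteUrl,user_flat)` line the sibling searches use if excluding a user's own site from the `count > 50` threshold is the intent; the `known_false_positives` text already names OneDrive syncing as a noise source, which suggests the latter was meant. Whichever is chosen, a one-line comment above the eval stating why the exclusion is or is not applied here would stop the three searches from drifting further apart.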
diff --git a/detections/cloud/o365_exfiltration_via_file_sync_download.yml b/detections/cloud/o365_exfiltration_via_file_sync_download.yml
index 684ef625ec..51dcace086 100644
--- a/detections/cloud/o365_exfiltration_via_file_sync_download.yml
+++ b/detections/cloud/o365_exfiltration_via_file_sync_download.yml
@@ -1,67 +1,67 @@
-name: O365 Exfiltration via File Sync Download
-id: 350837b5-13d3-4c06-b688-db07afbe5050
-version: 1
-date: '2024-10-14'
-author: Steven Dick
-status: production
-type: Anomaly
-description: The following analytic detects when an excessive number of files are sync from o365 by the same user over a short period of time. A malicious actor abuse the user-agent string through GUI or API access to evade triggering the FileDownloaded event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be taken with any Azure Guest (#EXT#) accounts.
-data_source:
-- Office 365 Universal Audit Log
-search: |-
- `o365_management_activity` Operation IN ("filesyncdownload*") UserAgent="*SkyDriveSync*"
- | eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
- | where NOT match(SiteUrl,user_flat)
- | stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
- | rename SiteUrl as file_path,Workload as app
- | where count > 50
- | `security_content_ctime(firstTime)`
- | `security_content_ctime(lastTime)`
- | `o365_exfiltration_via_file_sync_download_filter`
-how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
-known_false_positives: It is possible that certain file sync scenarios may trigger this alert, specifically OneNote. Adjust threshold and filtering as needed.
-references:
-- https://attack.mitre.org/techniques/T1567/exfil
-- https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data
-- https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/
-drilldown_searches:
-- name: View the detection results for - "$user$"
- search: '%original_detection_search% | search user = "$user$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-- name: Investigate file sync downloads by $user$
- search: '`o365_management_activity` Operation IN ("filesyncdownload*") UserId="$UserId$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-rba:
- message: The user $user$ synced an excessive number of files [$count$] from $file_path$ using $src$
- risk_objects:
- - field: user
- type: user
- score: 25
- threat_objects:
- - field: src
- type: ip_address
-tags:
- analytic_story:
- - Data Exfiltration
- - Office 365 Account Takeover
- asset_type: O365 Tenant
- mitre_attack_id:
- - T1567
- - T1530
- product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
- security_domain: threat
-tests:
-- name: True Positive Test
- attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log
- source: o365
- sourcetype: o365:management:activity
+name: O365 Exfiltration via File Sync Download
+id: 350837b5-13d3-4c06-b688-db07afbe5050
+version: 2
+date: '2025-05-02'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic detects when an excessive number of files are sync from o365 by the same user over a short period of time. A malicious actor abuse the user-agent string through GUI or API access to evade triggering the FileDownloaded event. This behavior may indicate an attacker staging data for exfiltration or an insider threat removing organizational data. Additional attention should be taken with any Azure Guest (#EXT#) accounts.
+data_source:
+- Office 365 Universal Audit Log
+search: |-
+ `o365_management_activity` Operation IN ("filesyncdownload*") UserAgent="*SkyDriveSync*"
+ | eval user = replace(mvindex(split(lower(UserId),"#ext#"),0),"_","@"), user_flat = replace(UserId, "[^A-Za-z0-9]","_")
+ | where NOT match(SiteUrl,user_flat)
+ | stats values(user) as user, latest(ClientIP) as src values(ZipFileName) as file_name, values(Operation) as signature, values(UserAgent) as http_user_agent, dc(SourceFileName) as count, min(_time) as firstTime, max(_time) as lastTime by Workload,UserId,SiteUrl
+ | rename SiteUrl as file_path,Workload as app
+ | where count > 50
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `o365_exfiltration_via_file_sync_download_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events.
+known_false_positives: It is possible that certain file sync scenarios may trigger this alert, specifically OneNote. Adjust threshold and filtering as needed.
+references:
+- https://attack.mitre.org/techniques/T1567/exfil
+- https://www.varonis.com/blog/sidestepping-detection-while-exfiltrating-sharepoint-data
+- https://thedfirjournal.com/posts/m365-data-exfiltration-rclone/
+drilldown_searches:
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: Investigate file sync downloads by $user$
+ search: '`o365_management_activity` Operation IN ("filesyncdownload*") UserId="$UserId$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: The user $user$ synced an excessive number of files [$count$] from $file_path$ using $src$
+ risk_objects:
+ - field: user
+ type: user
+ score: 25
+ threat_objects:
+ - field: src
+ type: ip_address
+tags:
+ analytic_story:
+ - Data Exfiltration
+ - Office 365 Account Takeover
+ asset_type: O365 Tenant
+ mitre_attack_id:
+ - T1567
+ - T1530
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: threat
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/o365_sus_file_activity/o365_sus_file_activity.log
+ source: o365
+ sourcetype: o365:management:activity
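Review bot: The description in the new file has two wording slips that survive the version bump: `files are sync from o365` should read `files are synced from o365`, and `A malicious actor abuse the user-agent string` is missing its verb and should read `A malicious actor may abuse the user-agent string`. Since this text is what analysts see in the Enterprise Security notable, it is worth fixing in the same change. A smaller consistency point: this search and the file-download search gate on a flat `| where count > 50`, while the file-access search in the same commit baselines per workload with `eventstats avg(count) ... stdev(count)` before applying its threshold; if the flat threshold is deliberate here, a short comment above the `where` line saying so would save the next reader from reconciling the three.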
diff --git a/detections/cloud/o365_external_guest_user_invited.yml b/detections/cloud/o365_external_guest_user_invited.yml
index 76dd77493e..dcef99b70d 100644
--- a/detections/cloud/o365_external_guest_user_invited.yml
+++ b/detections/cloud/o365_external_guest_user_invited.yml
@@ -1,7 +1,7 @@
 name: O365 External Guest User Invited
 id: 8c6d52ec-d5f2-4b2f-8ba1-f32c047a71fa
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/cloud/o365_external_identity_policy_changed.yml b/detections/cloud/o365_external_identity_policy_changed.yml
index b87c85479c..b330117596 100644
--- a/detections/cloud/o365_external_identity_policy_changed.yml
+++ b/detections/cloud/o365_external_identity_policy_changed.yml
@@ -1,7 +1,7 @@
 name: O365 External Identity Policy Changed
 id: 29af1725-7a72-4d2d-8a18-e697e79a62d3
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml b/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml
index 2df7f0c411..89badf917d 100644
--- a/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml
+++ b/detections/cloud/o365_file_permissioned_application_consent_granted_by_user.yml
@@ -1,7 +1,7 @@
 name: O365 File Permissioned Application Consent Granted by User
 id: 6c382336-22b8-4023-9b80-1689e799f21f
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/o365_fullaccessasapp_permission_assigned.yml b/detections/cloud/o365_fullaccessasapp_permission_assigned.yml
index cc4e2ddf0d..24e57ca3aa 100644
--- a/detections/cloud/o365_fullaccessasapp_permission_assigned.yml
+++ b/detections/cloud/o365_fullaccessasapp_permission_assigned.yml
@@ -1,7 +1,7 @@
 name: O365 FullAccessAsApp Permission Assigned
 id: 01a510b3-a6ac-4d50-8812-7e8a3cde3d79
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml b/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml
index f622c8d372..38d740db21 100644
--- a/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml
+++ b/detections/cloud/o365_high_number_of_failed_authentications_for_user.yml
@@ -1,7 +1,7 @@
 name: O365 High Number Of Failed Authentications for User
 id: 31641378-2fa9-42b1-948e-25e281cb98f7
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/o365_high_privilege_role_granted.yml b/detections/cloud/o365_high_privilege_role_granted.yml
index e691520afc..b4dbd8cb3d 100644
--- a/detections/cloud/o365_high_privilege_role_granted.yml
+++ b/detections/cloud/o365_high_privilege_role_granted.yml
@@ -1,7 +1,7 @@
 name: O365 High Privilege Role Granted
 id: e78a1037-4548-4072-bb1b-ad99ae416426
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml b/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml
index 1c0c53d253..932d078d91 100644
--- a/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml
+++ b/detections/cloud/o365_mail_permissioned_application_consent_granted_by_user.yml
@@ -1,7 +1,7 @@
 name: O365 Mail Permissioned Application Consent Granted by User
 id: fddad083-cdf5-419d-83c6-baa85e329595
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/o365_mailbox_email_forwarding_enabled.yml b/detections/cloud/o365_mailbox_email_forwarding_enabled.yml
index 16a0cc2c0c..6a89c3d8e8 100644
--- a/detections/cloud/o365_mailbox_email_forwarding_enabled.yml
+++ b/detections/cloud/o365_mailbox_email_forwarding_enabled.yml
@@ -1,7 +1,7 @@
 name: O365 Mailbox Email Forwarding Enabled
 id: 0b6bc75c-05d1-4101-9fc3-97e706168f24
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Patrick Bareiss, Mauricio Velazco, Splunk
 data_source: []
 type: TTP
diff --git a/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml b/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml
index 8a6736ce8f..d7f5391ef7 100644
--- a/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml
+++ b/detections/cloud/o365_mailbox_folder_read_permission_assigned.yml
@@ -1,7 +1,7 @@
 name: O365 Mailbox Folder Read Permission Assigned
 id: 1435475e-2128-4417-a34f-59770733b0d5
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 data_source: []
 type: TTP
diff --git a/detections/cloud/o365_mailbox_folder_read_permission_granted.yml b/detections/cloud/o365_mailbox_folder_read_permission_granted.yml
index 28a54a9e8e..de21af4e3c 100644
--- a/detections/cloud/o365_mailbox_folder_read_permission_granted.yml
+++ b/detections/cloud/o365_mailbox_folder_read_permission_granted.yml
@@ -1,7 +1,7 @@
 name: O365 Mailbox Folder Read Permission Granted
 id: cd15c0a8-470e-4b12-9517-046e4927db30
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 data_source: []
 type: TTP
diff --git a/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml b/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml
index 59112bafb7..d6830ccfca 100644
--- a/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml
+++ b/detections/cloud/o365_mailbox_inbox_folder_shared_with_all_users.yml
@@ -1,7 +1,7 @@
 name: O365 Mailbox Inbox Folder Shared with All Users
 id: 21421896-a692-4594-9888-5faeb8a53106
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/o365_mailbox_read_access_granted_to_application.yml b/detections/cloud/o365_mailbox_read_access_granted_to_application.yml
index ad7a34b3b7..6b01377a87 100644
--- a/detections/cloud/o365_mailbox_read_access_granted_to_application.yml
+++ b/detections/cloud/o365_mailbox_read_access_granted_to_application.yml
@@ -1,7 +1,7 @@
 name: O365 Mailbox Read Access Granted to Application
 id: 27ab61c5-f08a-438a-b4d3-325e666490b3
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/o365_multi_source_failed_authentications_spike.yml b/detections/cloud/o365_multi_source_failed_authentications_spike.yml
index 013cdf603f..ff4124d1ac 100644
--- a/detections/cloud/o365_multi_source_failed_authentications_spike.yml
+++ b/detections/cloud/o365_multi_source_failed_authentications_spike.yml
@@ -1,7 +1,7 @@
 name: O365 Multi-Source Failed Authentications Spike
 id: ea4e2c41-dbfb-4f5f-a7b6-9ac1b7f104aa
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml
index 8109ffc7df..9e2738eec1 100644
--- a/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml
+++ b/detections/cloud/o365_multiple_appids_and_useragents_authentication_spike.yml
@@ -1,7 +1,7 @@
 name: O365 Multiple AppIDs and UserAgents Authentication Spike
 id: 66adc486-224d-45c1-8e4d-9e7eeaba988f
-version: 6
-date: '2024-11-14'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Anomaly
diff --git a/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml
index 93b6de4dc0..437fcde52e 100644
--- a/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml
+++ b/detections/cloud/o365_multiple_failed_mfa_requests_for_user.yml
@@ -1,7 +1,7 @@
 name: O365 Multiple Failed MFA Requests For User
 id: fd22124e-dbac-4744-a8ce-be10d8ec3e26
-version: 6
-date: '2024-11-14'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml b/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml
index b312524492..f3e386ea6e 100644
--- a/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml
+++ b/detections/cloud/o365_multiple_mailboxes_accessed_via_api.yml
@@ -1,7 +1,7 @@
 name: O365 Multiple Mailboxes Accessed via API
 id: 7cd853e9-d370-412f-965d-a2bcff2a2908
-version: 6
-date: '2024-11-14'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 data_source:
 - O365 MailItemsAccessed
diff --git a/detections/cloud/o365_multiple_os_vendors_authenticating_from_user.yml b/detections/cloud/o365_multiple_os_vendors_authenticating_from_user.yml
index 34d48156bd..d54c44fb1b 100644
--- a/detections/cloud/o365_multiple_os_vendors_authenticating_from_user.yml
+++ b/detections/cloud/o365_multiple_os_vendors_authenticating_from_user.yml
@@ -1,67 +1,67 @@
-name: O365 Multiple OS Vendors Authenticating From User
-id: 3451e58a-9457-4985-a600-b616b0cbfda1
-version: 2
-date: '2024-12-19'
-author: Steven Dick
-status: production
-type: TTP
-description: The following analytic identifies when multiple operating systems are used to authenticate to Azure/EntraID/Office 365 by the same user account over a short period of time. This activity could be indicative of attackers enumerating various logon capabilities of Azure/EntraID/Office 365 and attempting to discover weaknesses in the organizational MFA or conditional access configurations. Usage of the tools like "MFASweep" will trigger this detection.
-data_source:
-- Office 365 Universal Audit Log
-search: |-
- `o365_management_activity` Operation IN (UserLoginFailed,UserLoggedIn)
- | eval -time = _time
- | bin _time span=15m
- | fillnull
- | stats values(Operation) as signature, values(ErrorNumber) as signature_id, values(OS) as os_name, dc(OS) as os_count, count, min(-time) as firstTime, max(-time) as lastTime by ClientIP, UserId, _time, dest, vendor_account, vendor_product
- | where os_count >= 4
- | eval src = ClientIP, user = UserId
- | `security_content_ctime(firstTime)`
- | `security_content_ctime(lastTime)`
- | `o365_multiple_os_vendors_authenticating_from_user_filter`
-how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds set within the analytic (such as unique OS) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.
-known_false_positives: IP or users where the usage of multiple Operating systems is expected, filter accordingly.
-references:
-- https://attack.mitre.org/techniques/T1110
-- https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/
-- https://sra.io/blog/msspray-wait-how-many-endpoints-dont-have-mfa/
-- https://github.com/dafthack/MFASweep/tree/master
-drilldown_searches:
-- name: View the detection results for - "$user$"
- search: '%original_detection_search% | search user = "$user$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-- name: Investigate logons from $user$
- search: '`o365_management_activity` Operation IN (UserLoginFailed,UserLoggedIn) "$user$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-rba:
- message: The user account $user$ authenticated with $os_count$ unique operating system types over a short period from $src$.
- risk_objects:
- - field: user
- type: user
- score: 60
- threat_objects:
- - field: src
- type: ip_address
-tags:
- analytic_story:
- - Office 365 Account Takeover
- asset_type: O365 Tenant
- mitre_attack_id:
- - T1110
- product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
- security_domain: threat
-tests:
-- name: True Positive Test
- attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.log
- source: o365
- sourcetype: o365:management:activity
+name: O365 Multiple OS Vendors Authenticating From User
+id: 3451e58a-9457-4985-a600-b616b0cbfda1
+version: 3
+date: '2025-05-02'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic identifies when multiple operating systems are used to authenticate to Azure/EntraID/Office 365 by the same user account over a short period of time. This activity could be indicative of attackers enumerating various logon capabilities of Azure/EntraID/Office 365 and attempting to discover weaknesses in the organizational MFA or conditional access configurations. Usage of the tools like "MFASweep" will trigger this detection.
+data_source:
+- Office 365 Universal Audit Log
+search: |-
+ `o365_management_activity` Operation IN (UserLoginFailed,UserLoggedIn)
+ | eval -time = _time
+ | bin _time span=15m
+ | fillnull
+ | stats values(Operation) as signature, values(ErrorNumber) as signature_id, values(OS) as os_name, dc(OS) as os_count, count, min(-time) as firstTime, max(-time) as lastTime by ClientIP, UserId, _time, dest, vendor_account, vendor_product
+ | where os_count >= 4
+ | eval src = ClientIP, user = UserId
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `o365_multiple_os_vendors_authenticating_from_user_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds set within the analytic (such as unique OS) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.
+known_false_positives: IP or users where the usage of multiple Operating systems is expected, filter accordingly.
+references:
+- https://attack.mitre.org/techniques/T1110
+- https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/
+- https://sra.io/blog/msspray-wait-how-many-endpoints-dont-have-mfa/
+- https://github.com/dafthack/MFASweep/tree/master
+drilldown_searches:
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: Investigate logons from $user$
+ search: '`o365_management_activity` Operation IN (UserLoginFailed,UserLoggedIn) "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: The user account $user$ authenticated with $os_count$ unique operating system types over a short period from $src$.
+ risk_objects:
+ - field: user
+ type: user
+ score: 60
+ threat_objects:
+ - field: src
+ type: ip_address
+tags:
+ analytic_story:
+ - Office 365 Account Takeover
+ asset_type: O365 Tenant
+ mitre_attack_id:
+ - T1110
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: threat
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.log
+ source: o365
+ sourcetype: o365:management:activity
diff --git a/detections/cloud/o365_multiple_service_principals_created_by_sp.yml b/detections/cloud/o365_multiple_service_principals_created_by_sp.yml
index 2b978de6aa..30619e2736 100644
--- a/detections/cloud/o365_multiple_service_principals_created_by_sp.yml
+++ b/detections/cloud/o365_multiple_service_principals_created_by_sp.yml
@@ -1,7 +1,7 @@
name: O365 Multiple Service Principals Created by SP
id: ef4c3f20-d1ad-4ad1-a3f4-d5f391c005fe
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
author: Mauricio Velazco, Splunk
data_source:
- O365 Add service principal.
diff --git a/detections/cloud/o365_multiple_service_principals_created_by_user.yml b/detections/cloud/o365_multiple_service_principals_created_by_user.yml
index 32204c6542..c815b43344 100644
--- a/detections/cloud/o365_multiple_service_principals_created_by_user.yml
+++ b/detections/cloud/o365_multiple_service_principals_created_by_user.yml
@@ -1,7 +1,7 @@
name: O365 Multiple Service Principals Created by User
id: a34e65d0-54de-4b02-9db8-5a04522067f6
-version: 5
-date: '2024-11-14'
+version: 6
+date: '2025-05-02'
author: Mauricio Velazco, Splunk
data_source:
- O365 Add service principal.
diff --git a/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml
index 394a7a7278..18f65e8cdb 100644
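Review bot: The `stats ... by ClientIP, UserId, _time, ...` clause on the new side means the `os_count >= 4` threshold is only reached when all distinct `OS` values come from a single source address inside one 15-minute bin, so a sweep that rotates egress IPs (or a user whose NAT/VPN address changes mid-window) never accumulates to the threshold even though the description frames this as per-user enumeration. If per-user coverage is the intent, drop `ClientIP` from the `by` clause and collect it instead, e.g. `values(ClientIP) as src` in the stats and remove `src = ClientIP` from the following eval — noting that `src` then becomes multivalued and the `threat_objects` mapping should be checked against that. It would also help to state in `how_to_implement` that the `OS` field must actually be populated by the add-on's extractions for `dc(OS)` to be meaningful; I cannot tell from the hunk which event property it is derived from, so that dependency is currently undocumented.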
--- a/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/cloud/o365_multiple_users_failing_to_authenticate_from_ip.yml @@ -1,7 +1,7 @@ name: O365 Multiple Users Failing To Authenticate From Ip id: 8d486e2e-3235-4cfe-ac35-0d042e24ecb4 -version: 8 -date: '2025-02-10' +version: 9 +date: '2025-05-02' author: Mauricio Velazco, Splunk status: production type: TTP diff --git a/detections/cloud/o365_new_email_forwarding_rule_created.yml b/detections/cloud/o365_new_email_forwarding_rule_created.yml index e8f5e3cada..b0d8fff6c2 100644 --- a/detections/cloud/o365_new_email_forwarding_rule_created.yml +++ b/detections/cloud/o365_new_email_forwarding_rule_created.yml @@ -1,7 +1,7 @@ name: O365 New Email Forwarding Rule Created id: 68469fd0-1315-44ba-b7e4-e92847bb76d6 -version: 6 -date: '2025-02-10' +version: 7 +date: '2025-05-02' author: Mauricio Velazco, Splunk data_source: [] type: TTP diff --git a/detections/cloud/o365_new_email_forwarding_rule_enabled.yml b/detections/cloud/o365_new_email_forwarding_rule_enabled.yml index 04170b75f8..7d418ddcb4 100644 --- a/detections/cloud/o365_new_email_forwarding_rule_enabled.yml +++ b/detections/cloud/o365_new_email_forwarding_rule_enabled.yml @@ -1,7 +1,7 @@ name: O365 New Email Forwarding Rule Enabled id: ac7c4d0a-06a3-4278-aa59-88a5e537f981 -version: 6 -date: '2025-02-10' +version: 7 +date: '2025-05-02' author: Mauricio Velazco, Splunk data_source: [] type: TTP diff --git a/detections/cloud/o365_new_federated_domain_added.yml b/detections/cloud/o365_new_federated_domain_added.yml index f302f166cd..138e14e9cd 100644 --- a/detections/cloud/o365_new_federated_domain_added.yml +++ b/detections/cloud/o365_new_federated_domain_added.yml @@ -1,7 +1,7 @@ name: O365 New Federated Domain Added id: e155876a-6048-11eb-ae93-0242ac130002 -version: 8 -date: '2025-02-10' +version: 9 +date: '2025-05-02' author: Rod Soto, Mauricio Velazco Splunk status: production type: TTP 
diff --git a/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml b/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml index 65cfb7260a..bdcfcaf6fd 100644 --- a/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml +++ b/detections/cloud/o365_new_forwarding_mailflow_rule_created.yml @@ -1,7 +1,7 @@ name: O365 New Forwarding Mailflow Rule Created id: 289ed0a1-4c78-4a43-9321-44ea2e089c14 -version: 5 -date: '2024-11-14' +version: 6 +date: '2025-05-02' author: Mauricio Velazco, Splunk data_source: [] type: TTP diff --git a/detections/cloud/o365_new_mfa_method_registered.yml b/detections/cloud/o365_new_mfa_method_registered.yml index ef74201b99..5e79df1abe 100644 --- a/detections/cloud/o365_new_mfa_method_registered.yml +++ b/detections/cloud/o365_new_mfa_method_registered.yml @@ -1,7 +1,7 @@ name: O365 New MFA Method Registered id: 4e12db1f-f7c7-486d-8152-a221cad6ac2b -version: 6 -date: '2025-02-10' +version: 7 +date: '2025-05-02' author: Mauricio Velazco, Splunk status: production type: TTP diff --git a/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml b/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml index e36aafd7d8..1ed4c88b22 100644 --- a/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml +++ b/detections/cloud/o365_oauth_app_mailbox_access_via_ews.yml @@ -1,7 +1,7 @@ name: O365 OAuth App Mailbox Access via EWS id: e600cf1a-0bef-4426-b42e-00176d610a4d -version: 6 -date: '2024-11-14' +version: 7 +date: '2025-05-02' author: Mauricio Velazco, Splunk status: production data_source: diff --git a/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml b/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml index 3c9624b3d0..e87f77f44b 100644 --- a/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml +++ b/detections/cloud/o365_oauth_app_mailbox_access_via_graph_api.yml 
@@ -1,7 +1,7 @@ name: O365 OAuth App Mailbox Access via Graph API id: 9db0d5b0-4058-4cb7-baaf-77d8143539a2 -version: 6 -date: '2024-11-14' +version: 7 +date: '2025-05-02' author: Mauricio Velazco, Splunk status: production data_source: diff --git a/detections/cloud/o365_privileged_graph_api_permission_assigned.yml b/detections/cloud/o365_privileged_graph_api_permission_assigned.yml index 84c35f4e88..a93d0245af 100644 --- a/detections/cloud/o365_privileged_graph_api_permission_assigned.yml +++ b/detections/cloud/o365_privileged_graph_api_permission_assigned.yml @@ -1,7 +1,7 @@ name: O365 Privileged Graph API Permission Assigned id: 868f3131-d5e1-4bf1-af5b-9b0fbaaaedbb -version: 5 -date: '2024-11-14' +version: 6 +date: '2025-05-02' author: Mauricio Velazco, Splunk status: production type: TTP diff --git a/detections/cloud/o365_privileged_role_assigned.yml b/detections/cloud/o365_privileged_role_assigned.yml index e2acc821e4..26111d1247 100644 --- a/detections/cloud/o365_privileged_role_assigned.yml +++ b/detections/cloud/o365_privileged_role_assigned.yml @@ -1,7 +1,7 @@ name: O365 Privileged Role Assigned id: db435700-4ddc-4c23-892e-49e7525d7d39 -version: 6 -date: '2025-02-10' +version: 7 +date: '2025-05-02' author: Steven Dick status: production type: TTP diff --git a/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml b/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml index a88db27364..f3baaa5dc0 100644 --- a/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml +++ b/detections/cloud/o365_privileged_role_assigned_to_service_principal.yml @@ -1,7 +1,7 @@ name: O365 Privileged Role Assigned To Service Principal id: 80f3fc1b-705f-4080-bf08-f61bf013b900 -version: 6 -date: '2025-02-10' +version: 7 +date: '2025-05-02' author: Steven Dick status: production type: TTP diff --git a/detections/cloud/o365_pst_export_alert.yml b/detections/cloud/o365_pst_export_alert.yml index 40e83d72fa..3bbb1831d0 100644 
--- a/detections/cloud/o365_pst_export_alert.yml +++ b/detections/cloud/o365_pst_export_alert.yml @@ -1,7 +1,7 @@ name: O365 PST export alert id: 5f694cc4-a678-4a60-9410-bffca1b647dc -version: 6 -date: '2024-11-14' +version: 7 +date: '2025-05-02' author: Rod Soto, Splunk status: production type: TTP diff --git a/detections/cloud/o365_safe_links_detection.yml b/detections/cloud/o365_safe_links_detection.yml index 628d5fbd71..b0f2fcae4a 100644 --- a/detections/cloud/o365_safe_links_detection.yml +++ b/detections/cloud/o365_safe_links_detection.yml @@ -1,7 +1,7 @@ name: O365 Safe Links Detection id: 711d9e8c-2cb0-45cf-8813-5f191ecb9b26 -version: 6 -date: '2025-03-25' +version: 7 +date: '2025-05-02' author: Steven Dick status: production type: TTP diff --git a/detections/cloud/o365_security_and_compliance_alert_triggered.yml b/detections/cloud/o365_security_and_compliance_alert_triggered.yml index d147e80b23..e72df6dc06 100644 --- a/detections/cloud/o365_security_and_compliance_alert_triggered.yml +++ b/detections/cloud/o365_security_and_compliance_alert_triggered.yml @@ -1,7 +1,7 @@ name: O365 Security And Compliance Alert Triggered id: 5b367cdd-8dfc-49ac-a9b7-6406cf27f33e -version: 7 -date: '2025-02-10' +version: 8 +date: '2025-05-02' author: Mauricio Velazco, Splunk data_source: [] type: TTP diff --git a/detections/cloud/o365_service_principal_new_client_credentials.yml b/detections/cloud/o365_service_principal_new_client_credentials.yml index f7ff2c9d10..b3ae75202e 100644 --- a/detections/cloud/o365_service_principal_new_client_credentials.yml +++ b/detections/cloud/o365_service_principal_new_client_credentials.yml @@ -1,7 +1,7 @@ name: O365 Service Principal New Client Credentials id: a1b229e9-d962-4222-8c62-905a8a010453 -version: 8 -date: '2025-02-10' +version: 9 +date: '2025-05-02' author: Mauricio Velazco, Splunk status: production type: TTP 
diff --git a/detections/cloud/o365_service_principal_privilege_escalation.yml b/detections/cloud/o365_service_principal_privilege_escalation.yml index 459f5c9522..c9f30a6833 100644 --- a/detections/cloud/o365_service_principal_privilege_escalation.yml +++ b/detections/cloud/o365_service_principal_privilege_escalation.yml @@ -1,7 +1,7 @@ name: O365 Service Principal Privilege Escalation id: b686d0bd-cca7-44ca-ae07-87f6465131d9 -version: 3 -date: '2025-02-10' +version: 4 +date: '2025-05-02' author: Dean Luxton data_source: - O365 Add app role assignment grant to user. diff --git a/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml b/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml index b2b4c92a4c..fd5567d08f 100644 --- a/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml +++ b/detections/cloud/o365_sharepoint_allowed_domains_policy_changed.yml @@ -1,7 +1,7 @@ name: O365 SharePoint Allowed Domains Policy Changed id: b0cc6fa8-39b1-49ac-a4fe-f2f2a668e06c -version: 7 -date: '2025-03-25' +version: 8 +date: '2025-05-02' author: Steven Dick status: production type: TTP diff --git a/detections/cloud/o365_sharepoint_malware_detection.yml b/detections/cloud/o365_sharepoint_malware_detection.yml index 68e1cc5575..62b28d1454 100644 --- a/detections/cloud/o365_sharepoint_malware_detection.yml +++ b/detections/cloud/o365_sharepoint_malware_detection.yml @@ -1,7 +1,7 @@ name: O365 SharePoint Malware Detection id: 583c5de3-7709-44cb-abfc-0e828d301b59 -version: 6 -date: '2025-03-25' +version: 7 +date: '2025-05-02' author: Steven Dick status: production type: TTP diff --git a/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml b/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml index 87ef5a4414..3299a145ef 100644 --- a/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml +++ b/detections/cloud/o365_sharepoint_suspicious_search_behavior.yml 
@@ -1,70 +1,70 @@
-name: O365 SharePoint Suspicious Search Behavior
-id: 6ca919db-52f3-4c95-a4e9-7b189e8a043d
-version: 2
-date: '2025-02-27'
-author: Steven Dick
-status: production
-type: Anomaly
-description: The following analytic identifies when Office 365 users search for suspicious keywords or have an excessive number of queries to a SharePoint site within a limited timeframe. This behavior may indicate that a malicious actor has gained control of a user account and is conducting discovery or enumeration activities.
-data_source:
-- Office 365 Universal Audit Log
-search: |-
- `o365_management_activity` (Workload=SharePoint Operation="SearchQueryPerformed" SearchQueryText=* EventData=*search*) OR Operation=SearchQueryInitiatedSharepoint
- | eval command = case(Operation=="SearchQueryPerformed",SearchQueryText,true(),QueryText), UserId = lower(UserId), signature_id = CorrelationId, signature=Operation, src = ClientIP, user = lower(UserId), object_name=case(Operation=="SearchQueryPerformed",'EventData',true(),QuerySource), -time = _time, suspect_terms = case(match(command, `o365_suspect_search_terms_regex`),command,true(),null())
- | where command != "*" AND command != "(*)"
- | bin _time span=1hr
- | `o365_sharepoint_suspicious_search_behavior_filter`
- | stats values(ScenarioName) as app, values(object_name) as object_name values(command) as command, values(suspect_terms) as suspect_terms, values(src) as src, dc(suspect_terms) as suspect_terms_count, dc(command) as count, min(-time) as firstTime, max(-time) as lastTime by user,signature,_time
- | where count > 20 OR suspect_terms_count >= 2
- | `security_content_ctime(firstTime)`
- | `security_content_ctime(lastTime)`
-how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds and match terms set within the analytic are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.
-known_false_positives: Users searching excessively or possible false positives related to matching conditions.
-references:
-- https://learn.microsoft.com/en-us/purview/audit-get-started#step-3-enable-searchqueryinitiated-events
-- https://www.cisa.gov/sites/default/files/2025-01/microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf
-- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
-- https://attack.mitre.org/techniques/T1213/002/
-drilldown_searches:
-- name: View the detection results for - "$user$"
- search: '%original_detection_search% | search user = "$user$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-- name: Investigate search behavior by $user$
- search: '`o365_management_activity` (Workload=SharePoint Operation="SearchQueryPerformed" SearchQueryText=* EventData=*search* AND UserId = "$user$") OR (OR Operation=SearchQueryInitiatedSharepoint AND UserId = "$user$")'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-rba:
- message: The user $user$ searched SharePoint suspiciously, $count$ unique terms and $suspect_terms_count$ suspect terms were searched within a limited timeframe.
- risk_objects:
- - field: user
- type: user
- score: 35
- threat_objects:
- - field: src
- type: ip_address
-tags:
- analytic_story:
- - Office 365 Account Takeover
- - Office 365 Collection Techniques
- - Compromised User Account
- - CISA AA22-320A
- asset_type: O365 Tenant
- mitre_attack_id:
- - T1213.002
- - T1552
- product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
- security_domain: threat
-tests:
-- name: True Positive Test
- attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log
- source: o365
- sourcetype: o365:management:activity
+name: O365 SharePoint Suspicious Search Behavior
+id: 6ca919db-52f3-4c95-a4e9-7b189e8a043d
+version: 3
+date: '2025-05-02'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic identifies when Office 365 users search for suspicious keywords or have an excessive number of queries to a SharePoint site within a limited timeframe. This behavior may indicate that a malicious actor has gained control of a user account and is conducting discovery or enumeration activities.
+data_source:
+- Office 365 Universal Audit Log
+search: |-
+ `o365_management_activity` (Workload=SharePoint Operation="SearchQueryPerformed" SearchQueryText=* EventData=*search*) OR Operation=SearchQueryInitiatedSharepoint
+ | eval command = case(Operation=="SearchQueryPerformed",SearchQueryText,true(),QueryText), UserId = lower(UserId), signature_id = CorrelationId, signature=Operation, src = ClientIP, user = lower(UserId), object_name=case(Operation=="SearchQueryPerformed",'EventData',true(),QuerySource), -time = _time, suspect_terms = case(match(command, `o365_suspect_search_terms_regex`),command,true(),null())
+ | where command != "*" AND command != "(*)"
+ | bin _time span=1hr
+ | `o365_sharepoint_suspicious_search_behavior_filter`
+ | stats values(ScenarioName) as app, values(object_name) as object_name values(command) as command, values(suspect_terms) as suspect_terms, values(src) as src, dc(suspect_terms) as suspect_terms_count, dc(command) as count, min(-time) as firstTime, max(-time) as lastTime by user,signature,_time
+ | where count > 20 OR suspect_terms_count >= 2
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds and match terms set within the analytic are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.
+known_false_positives: Users searching excessively or possible false positives related to matching conditions.
+references:
+- https://learn.microsoft.com/en-us/purview/audit-get-started#step-3-enable-searchqueryinitiated-events
+- https://www.cisa.gov/sites/default/files/2025-01/microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf
+- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
+- https://attack.mitre.org/techniques/T1213/002/
+drilldown_searches:
+- name: View the detection results for - "$user$"
+ search: '%original_detection_search% | search user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: Investigate search behavior by $user$
+ search: '`o365_management_activity` (Workload=SharePoint Operation="SearchQueryPerformed" SearchQueryText=* EventData=*search* AND UserId = "$user$") OR (OR Operation=SearchQueryInitiatedSharepoint AND UserId = "$user$")'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: The user $user$ searched SharePoint suspiciously, $count$ unique terms and $suspect_terms_count$ suspect terms were searched within a limited timeframe.
+ risk_objects:
+ - field: user
+ type: user
+ score: 35
+ threat_objects:
+ - field: src
+ type: ip_address
+tags:
+ analytic_story:
+ - Office 365 Account Takeover
+ - Office 365 Collection Techniques
+ - Compromised User Account
+ - CISA AA22-320A
+ asset_type: O365 Tenant
+ mitre_attack_id:
+ - T1213.002
+ - T1552
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: threat
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1213.002/o365_sus_sharepoint_search/o365_sus_sharepoint_search.log
+ source: o365
+ sourcetype: o365:management:activity
diff --git a/detections/cloud/o365_tenant_wide_admin_consent_granted.yml b/detections/cloud/o365_tenant_wide_admin_consent_granted.yml
index 2b359ed608..0ce9daed4a 100644
--- a/detections/cloud/o365_tenant_wide_admin_consent_granted.yml
+++ b/detections/cloud/o365_tenant_wide_admin_consent_granted.yml
@@ -1,7 +1,7 @@
name: O365 Tenant Wide Admin Consent Granted
id: 50eaabf8-5180-4e86-bfb2-011472c359fc
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
author: Mauricio Velazco, Splunk
status: production
type: TTP
diff --git a/detections/cloud/o365_threat_intelligence_suspicious_email_delivered.yml b/detections/cloud/o365_threat_intelligence_suspicious_email_delivered.yml
index acf7b120b3..fb3b583600 100644
--- a/detections/cloud/o365_threat_intelligence_suspicious_email_delivered.yml
+++ b/detections/cloud/o365_threat_intelligence_suspicious_email_delivered.yml
@@ -1,7 +1,7 @@
name: O365 Threat Intelligence Suspicious Email Delivered
id: 605cc93a-70e4-4ee3-9a3d-1a62e8c9b6c2
-version: 6
-date: '2025-03-25'
+version: 7
+date: '2025-05-02'
author: Steven Dick
status: production
type: Anomaly
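Review bot: The "Investigate search behavior by $user$" drilldown on the new side carries a stray leading `OR` inside its second group — `OR (OR Operation=SearchQueryInitiatedSharepoint AND UserId = "$user$")` — which is not valid SPL, so the drilldown will error out the moment an analyst clicks it from a notable; the version bump would have been a good moment to fix it. The corrected search is `'`o365_management_activity` (Workload=SharePoint Operation="SearchQueryPerformed" SearchQueryText=* EventData=*search* AND UserId = "$user$") OR (Operation=SearchQueryInitiatedSharepoint AND UserId = "$user$")'`. Separately, the `o365_sharepoint_suspicious_search_behavior_filter` macro is applied before the `stats`, whereas the sibling O365 detection in this same diff applies its filter as the final pipe; that placement is fine if the filter is meant to drop raw events by `user`/`src`/`command`, but it means tuning on `count` or `suspect_terms_count` is impossible there, which is worth a one-line note in `how_to_implement` so operators do not write a filter that silently matches nothing.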
diff --git a/detections/cloud/o365_threat_intelligence_suspicious_file_detected.yml b/detections/cloud/o365_threat_intelligence_suspicious_file_detected.yml index 26b3a91554..08b23e3e75 100644 --- a/detections/cloud/o365_threat_intelligence_suspicious_file_detected.yml +++ b/detections/cloud/o365_threat_intelligence_suspicious_file_detected.yml @@ -1,7 +1,7 @@ name: O365 Threat Intelligence Suspicious File Detected id: 00958c7b-35db-4e7a-ad13-31550a7a7c64 -version: 6 -date: '2025-03-25' +version: 7 +date: '2025-05-02' author: Steven Dick status: production type: TTP diff --git a/detections/cloud/o365_user_consent_blocked_for_risky_application.yml b/detections/cloud/o365_user_consent_blocked_for_risky_application.yml index 4e35136596..4c44a4e162 100644 --- a/detections/cloud/o365_user_consent_blocked_for_risky_application.yml +++ b/detections/cloud/o365_user_consent_blocked_for_risky_application.yml @@ -1,7 +1,7 @@ name: O365 User Consent Blocked for Risky Application id: 242e4d30-cb59-4051-b0cf-58895e218f40 -version: 5 -date: '2024-11-14' +version: 6 +date: '2025-05-02' author: Mauricio Velazco, Splunk status: production type: TTP diff --git a/detections/cloud/o365_user_consent_denied_for_oauth_application.yml b/detections/cloud/o365_user_consent_denied_for_oauth_application.yml index 9ff38e49ca..a6441d354d 100644 --- a/detections/cloud/o365_user_consent_denied_for_oauth_application.yml +++ b/detections/cloud/o365_user_consent_denied_for_oauth_application.yml @@ -1,7 +1,7 @@ name: O365 User Consent Denied for OAuth Application id: 2d8679ef-b075-46be-8059-c25116cb1072 -version: 6 -date: '2024-11-14' +version: 7 +date: '2025-05-02' author: Mauricio Velazco, Splunk status: production type: TTP diff --git a/detections/cloud/o365_zap_activity_detection.yml b/detections/cloud/o365_zap_activity_detection.yml index 7bbdaec115..e141ec04a3 100644 --- a/detections/cloud/o365_zap_activity_detection.yml +++ b/detections/cloud/o365_zap_activity_detection.yml 
@@ -1,7 +1,7 @@
 name: O365 ZAP Activity Detection
 id: 4df275fd-a0e5-4246-8b92-d3201edaef7a
-version: 6
-date: '2025-03-25'
+version: 7
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml b/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml
index 9b077a5c58..c3af8f213e 100644
--- a/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml
+++ b/detections/cloud/risk_rule_for_dev_sec_ops_by_repository.yml
@@ -1,7 +1,7 @@
 name: Risk Rule for Dev Sec Ops by Repository
 id: 161bc0ca-4651-4c13-9c27-27770660cf67
-version: 7
-date: '2025-04-16'
+version: 8
+date: '2025-05-02'
 author: Bhavin Patel
 status: production
 type: Correlation
@@ -55,6 +55,7 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1204.003/risk_dataset/aws_ecr_risk_dataset.log
+ - data:
+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1204.003/risk_dataset/aws_ecr_risk_dataset.log
 source: aws_ecr_risk_dataset.log
 sourcetype: stash
diff --git a/detections/deprecated/certutil_download_with_urlcache_and_split_arguments.yml b/detections/deprecated/certutil_download_with_urlcache_and_split_arguments.yml
index 5faea2cb93..d302d6d44d 100644
--- a/detections/deprecated/certutil_download_with_urlcache_and_split_arguments.yml
+++ b/detections/deprecated/certutil_download_with_urlcache_and_split_arguments.yml
@@ -1,7 +1,7 @@
 name: CertUtil Download With URLCache and Split Arguments
 id: 415b4306-8bfb-11eb-85c4-acde48001122
 version: 13
-date: '2025-04-24'
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: deprecated
 type: TTP
diff --git a/detections/deprecated/certutil_download_with_verifyctl_and_split_arguments.yml b/detections/deprecated/certutil_download_with_verifyctl_and_split_arguments.yml
index aae4d4ca8b..fbfaa609e5 100644
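Review bot: In the `@@ -55,6 +55,7 @@` hunk of risk_rule_for_dev_sec_ops_by_repository.yml the new `- data:` value is carried onto the following line as a bare plain scalar, so the URL is only attached to the key because the continuation is indented deeper; to a reader it looks like an orphaned line and a future reformat can silently turn it into a null `data`. Keeping the URL on the same line as `data:` as the other test blocks in this diff do, or writing it as `- data: >-` with the URL indented beneath, makes the wrap explicit. The host also changes from raw.githubusercontent.com to media.githubusercontent.com; I assume the test harness resolves the new location the same way, which a test run would confirm.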
--- a/detections/deprecated/certutil_download_with_verifyctl_and_split_arguments.yml
+++ b/detections/deprecated/certutil_download_with_verifyctl_and_split_arguments.yml
@@ -1,7 +1,7 @@
 name: CertUtil Download With VerifyCtl and Split Arguments
 id: 801ad9e4-8bfb-11eb-8b31-acde48001122
 version: 13
-date: '2025-04-24'
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: deprecated
 type: TTP
diff --git a/detections/deprecated/detect_large_outbound_icmp_packets.yml b/detections/deprecated/detect_large_outbound_icmp_packets.yml
index 0e81ba771f..f62ff92dd6 100644
--- a/detections/deprecated/detect_large_outbound_icmp_packets.yml
+++ b/detections/deprecated/detect_large_outbound_icmp_packets.yml
@@ -1,7 +1,7 @@
 name: Detect Large Outbound ICMP Packets
 id: e9c102de-4d43-42a7-b1c8-8062ea297419
-version: '11'
-date: '2025-03-27'
+version: 12
+date: '2025-05-02'
 author: Rico Valdez, Dean Luxton, Bhavin Patel, Splunk
 status: deprecated
 type: TTP
diff --git a/detections/deprecated/windows_certutil_download_with_url_argument.yml b/detections/deprecated/windows_certutil_download_with_url_argument.yml
index 73b11d501f..98765d3abc 100644
--- a/detections/deprecated/windows_certutil_download_with_url_argument.yml
+++ b/detections/deprecated/windows_certutil_download_with_url_argument.yml
@@ -1,7 +1,7 @@
 name: Windows CertUtil Download With URL Argument
 id: 4fc5ca00-4c7c-46b3-8772-c98a4b8bd944
 version: 6
-date: '2025-04-24'
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: deprecated
 type: TTP
diff --git a/detections/deprecated/windows_remote_access_software_hunt.yml b/detections/deprecated/windows_remote_access_software_hunt.yml
index f1ce42bcbd..fd48f0d699 100644
--- a/detections/deprecated/windows_remote_access_software_hunt.yml
+++ b/detections/deprecated/windows_remote_access_software_hunt.yml
@@ -1,7 +1,7 @@
 name: Windows Remote Access Software Hunt
 id: 8bd22c9f-05a2-4db1-b131-29271f28cb0a
 version: 8
-date: '2025-04-30'
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: deprecated
 type: Hunting
diff --git a/detections/deprecated/windows_service_created_within_public_path.yml b/detections/deprecated/windows_service_created_within_public_path.yml
index e708ede62c..f0385afc18 100644
--- a/detections/deprecated/windows_service_created_within_public_path.yml
+++ b/detections/deprecated/windows_service_created_within_public_path.yml
@@ -1,7 +1,7 @@
 name: Windows Service Created Within Public Path
 id: 3abb2eda-4bb8-11ec-9ae4-3e22fbd008af
-version: 8
-date: '2025-03-27'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: deprecated
 type: TTP
diff --git a/detections/endpoint/7zip_commandline_to_smb_share_path.yml b/detections/endpoint/7zip_commandline_to_smb_share_path.yml
index 5eb1686278..90712ec225 100644
--- a/detections/endpoint/7zip_commandline_to_smb_share_path.yml
+++ b/detections/endpoint/7zip_commandline_to_smb_share_path.yml
@@ -1,7 +1,7 @@
 name: 7zip CommandLine To SMB Share Path
 id: 01d29b48-ff6f-11eb-b81e-acde48001123
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/access_lsass_memory_for_dump_creation.yml b/detections/endpoint/access_lsass_memory_for_dump_creation.yml
index f16c431c3f..ef0bbe5a17 100644
--- a/detections/endpoint/access_lsass_memory_for_dump_creation.yml
+++ b/detections/endpoint/access_lsass_memory_for_dump_creation.yml
@@ -1,7 +1,7 @@
 name: Access LSASS Memory for Dump Creation
 id: fb4c31b0-13e8-4155-8aa5-24de4b8d6717
-version: 9
-date: '2025-04-18'
+version: 10
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/active_directory_lateral_movement_identified.yml b/detections/endpoint/active_directory_lateral_movement_identified.yml
index cbc978d74a..607a3e2331 100644
--- a/detections/endpoint/active_directory_lateral_movement_identified.yml
+++ b/detections/endpoint/active_directory_lateral_movement_identified.yml
@@ -1,7 +1,7 @@
 name: Active Directory Lateral Movement Identified
 id: 6aa6f9dd-adfe-45a8-8f74-c4c7a0d7d037
-version: 6
-date: '2025-04-16'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Correlation
diff --git a/detections/endpoint/active_directory_privilege_escalation_identified.yml b/detections/endpoint/active_directory_privilege_escalation_identified.yml
index 50451168b1..d398c66a7a 100644
--- a/detections/endpoint/active_directory_privilege_escalation_identified.yml
+++ b/detections/endpoint/active_directory_privilege_escalation_identified.yml
@@ -1,7 +1,7 @@
 name: Active Directory Privilege Escalation Identified
 id: 583e8a68-f2f7-45be-8fc9-bf725f0e22fd
-version: 5
-date: '2025-04-16'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Correlation
@@ -66,9 +66,3 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
-tests:
-- name: True Positive Test
- attack_data:
- - data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1484/privesc/priv_esc.log
- source: adlm
- sourcetype: stash
diff --git a/detections/endpoint/active_setup_registry_autostart.yml b/detections/endpoint/active_setup_registry_autostart.yml
index 113983dcc4..5c15ba89ee 100644
--- a/detections/endpoint/active_setup_registry_autostart.yml
+++ b/detections/endpoint/active_setup_registry_autostart.yml
@@ -1,7 +1,7 @@
 name: Active Setup Registry Autostart
 id: f64579c0-203f-11ec-abcc-acde48001122
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Steven Dick, Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/add_defaultuser_and_password_in_registry.yml b/detections/endpoint/add_defaultuser_and_password_in_registry.yml
index 10c68a4f28..82f79b27dc 100644
--- a/detections/endpoint/add_defaultuser_and_password_in_registry.yml
+++ b/detections/endpoint/add_defaultuser_and_password_in_registry.yml
@@ -1,7 +1,7 @@
 name: Add DefaultUser And Password In Registry
 id: d4a3eb62-0f1e-11ec-a971-acde48001122
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/add_or_set_windows_defender_exclusion.yml b/detections/endpoint/add_or_set_windows_defender_exclusion.yml
index a3d83c5802..e0935a8c17 100644
--- a/detections/endpoint/add_or_set_windows_defender_exclusion.yml
+++ b/detections/endpoint/add_or_set_windows_defender_exclusion.yml
@@ -1,7 +1,7 @@
 name: Add or Set Windows Defender Exclusion
 id: 773b66fe-4dd9-11ec-8289-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/adsisearcher_account_discovery.yml b/detections/endpoint/adsisearcher_account_discovery.yml
index 41f5c440cd..c2e3ee27f7 100644
--- a/detections/endpoint/adsisearcher_account_discovery.yml
+++ b/detections/endpoint/adsisearcher_account_discovery.yml
@@ -1,7 +1,7 @@
 name: AdsiSearcher Account Discovery
 id: de7fcadc-04f3-11ec-a241-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml b/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml
index 6ac732cc41..c3de4e394e 100644
--- a/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml
+++ b/detections/endpoint/allow_file_and_printing_sharing_in_firewall.yml
@@ -1,7 +1,7 @@
 name: Allow File And Printing Sharing In Firewall
 id: ce27646e-d411-11eb-8a00-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
index c9c1ca9a43..42398daf80 100644
--- a/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
+++ b/detections/endpoint/allow_inbound_traffic_by_firewall_rule_registry.yml
@@ -1,7 +1,7 @@
 name: Allow Inbound Traffic By Firewall Rule Registry
 id: 0a46537c-be02-11eb-92ca-acde48001122
-version: '11'
-date: '2025-03-14'
+version: 12
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml b/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml
index 4af28169e5..86635b0ab5 100644
--- a/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml
+++ b/detections/endpoint/allow_inbound_traffic_in_firewall_rule.yml
@@ -1,7 +1,7 @@
 name: Allow Inbound Traffic In Firewall Rule
 id: a5d85486-b89c-11eb-8267-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/allow_network_discovery_in_firewall.yml b/detections/endpoint/allow_network_discovery_in_firewall.yml
index e9b57167c5..37add2b25a 100644
--- a/detections/endpoint/allow_network_discovery_in_firewall.yml
+++ b/detections/endpoint/allow_network_discovery_in_firewall.yml
@@ -1,7 +1,7 @@
 name: Allow Network Discovery In Firewall
 id: ccd6a38c-d40b-11eb-85a5-acde48001122
-version: '7'
-date: '2025-03-14'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/allow_operation_with_consent_admin.yml b/detections/endpoint/allow_operation_with_consent_admin.yml
index aaa4de15a7..463e371264 100644
--- a/detections/endpoint/allow_operation_with_consent_admin.yml
+++ b/detections/endpoint/allow_operation_with_consent_admin.yml
@@ -1,7 +1,7 @@
 name: Allow Operation with Consent Admin
 id: 7de17d7a-c9d8-11eb-a812-acde48001122
-version: 10
-date: '2024-12-08'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/anomalous_usage_of_7zip.yml b/detections/endpoint/anomalous_usage_of_7zip.yml
index 49c4dd5633..6c44d0dd35 100644
--- a/detections/endpoint/anomalous_usage_of_7zip.yml
+++ b/detections/endpoint/anomalous_usage_of_7zip.yml
@@ -1,7 +1,7 @@
 name: Anomalous usage of 7zip
 id: 9364ee8e-a39a-11eb-8f1d-acde48001122
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/any_powershell_downloadfile.yml b/detections/endpoint/any_powershell_downloadfile.yml
index f036b0bbed..5752521731 100644
--- a/detections/endpoint/any_powershell_downloadfile.yml
+++ b/detections/endpoint/any_powershell_downloadfile.yml
@@ -1,7 +1,7 @@
 name: Any Powershell DownloadFile
 id: 1a93b7ea-7af7-11eb-adb5-acde48001122
-version: 13
-date: '2025-03-27'
+version: 14
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/any_powershell_downloadstring.yml b/detections/endpoint/any_powershell_downloadstring.yml
index 0d81340cfa..8828d08cb2 100644
--- a/detections/endpoint/any_powershell_downloadstring.yml
+++ b/detections/endpoint/any_powershell_downloadstring.yml
@@ -1,7 +1,7 @@
 name: Any Powershell DownloadString
 id: 4d015ef2-7adf-11eb-95da-acde48001122
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/attacker_tools_on_endpoint.yml b/detections/endpoint/attacker_tools_on_endpoint.yml
index 5cd7bd05a6..4776b63799 100644
--- a/detections/endpoint/attacker_tools_on_endpoint.yml
+++ b/detections/endpoint/attacker_tools_on_endpoint.yml
@@ -1,7 +1,7 @@
 name: Attacker Tools On Endpoint
 id: a51bfe1a-94f0-48cc-b4e4-16a110145893
-version: 10
-date: '2025-03-27'
+version: 11
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml
index 0cc6ac4dfa..3e32357517 100644
--- a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml
+++ b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml
@@ -1,7 +1,7 @@
 name: Attempt To Add Certificate To Untrusted Store
 id: 6bc5243e-ef36-45dc-9b12-f4a6be131159
-version: 14
-date: '2025-02-10'
+version: 15
+date: '2025-05-02'
 author: Patrick Bareiss, Rico Valdez, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/auto_admin_logon_registry_entry.yml b/detections/endpoint/auto_admin_logon_registry_entry.yml
index 473a043c49..5507c2824b 100644
--- a/detections/endpoint/auto_admin_logon_registry_entry.yml
+++ b/detections/endpoint/auto_admin_logon_registry_entry.yml
@@ -1,7 +1,7 @@
 name: Auto Admin Logon Registry Entry
 id: 1379d2b8-0f18-11ec-8ca3-acde48001122
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/batch_file_write_to_system32.yml b/detections/endpoint/batch_file_write_to_system32.yml
index bfbb21c1f7..47b60a6ac6 100644
--- a/detections/endpoint/batch_file_write_to_system32.yml
+++ b/detections/endpoint/batch_file_write_to_system32.yml
@@ -1,7 +1,7 @@
 name: Batch File Write to System32
 id: 503d17cb-9eab-4cf8-a20e-01d5c6987ae3
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Steven Dick, Michael Haag, Rico Valdez, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml b/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml
index 282a6e53ac..83f6f416f2 100644
--- a/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml
+++ b/detections/endpoint/bcdedit_command_back_to_normal_mode_boot.yml
@@ -1,7 +1,7 @@
 name: Bcdedit Command Back To Normal Mode Boot
 id: dc7a8004-0f18-11ec-8c54-acde48001122
-version: 6
-date: '2025-03-27'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/bcdedit_failure_recovery_modification.yml b/detections/endpoint/bcdedit_failure_recovery_modification.yml
index 348b9dc0b0..0bf08a1641 100644
--- a/detections/endpoint/bcdedit_failure_recovery_modification.yml
+++ b/detections/endpoint/bcdedit_failure_recovery_modification.yml
@@ -1,7 +1,7 @@
 name: BCDEdit Failure Recovery Modification
 id: 809b31d2-5462-11eb-ae93-0242ac130002
-version: 9
-date: '2025-04-16'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/bits_job_persistence.yml b/detections/endpoint/bits_job_persistence.yml
index a223637f63..94df4dd8d5 100644
--- a/detections/endpoint/bits_job_persistence.yml
+++ b/detections/endpoint/bits_job_persistence.yml
@@ -1,7 +1,7 @@
 name: BITS Job Persistence
 id: e97a5ffe-90bf-11eb-928a-acde48001122
-version: 8
-date: '2024-11-13'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/bitsadmin_download_file.yml b/detections/endpoint/bitsadmin_download_file.yml
index 20d4f3027f..cc606ede9b 100644
--- a/detections/endpoint/bitsadmin_download_file.yml
+++ b/detections/endpoint/bitsadmin_download_file.yml
@@ -1,7 +1,7 @@
 name: BITSAdmin Download File
 id: 80630ff4-8e4c-11eb-aab5-acde48001122
-version: 9
-date: '2024-11-13'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Sittikorn S
 status: production
 type: TTP
diff --git a/detections/endpoint/certutil_exe_certificate_extraction.yml b/detections/endpoint/certutil_exe_certificate_extraction.yml
index d364ee2a04..6d95828180 100644
--- a/detections/endpoint/certutil_exe_certificate_extraction.yml
+++ b/detections/endpoint/certutil_exe_certificate_extraction.yml
@@ -1,7 +1,7 @@
 name: Certutil exe certificate extraction
 id: 337a46be-600f-11eb-ae93-0242ac130002
-version: 10
-date: '2025-04-16'
+version: 11
+date: '2025-05-02'
 author: Rod Soto, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/certutil_with_decode_argument.yml b/detections/endpoint/certutil_with_decode_argument.yml
index e8da9eddb2..8f8ee34724 100644
--- a/detections/endpoint/certutil_with_decode_argument.yml
+++ b/detections/endpoint/certutil_with_decode_argument.yml
@@ -1,7 +1,7 @@
 name: CertUtil With Decode Argument
 id: bfe94226-8c10-11eb-a4b3-acde48001122
-version: 9
-date: '2025-04-16'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/change_to_safe_mode_with_network_config.yml b/detections/endpoint/change_to_safe_mode_with_network_config.yml
index 29d3da2b0f..e6a5b52e29 100644
--- a/detections/endpoint/change_to_safe_mode_with_network_config.yml
+++ b/detections/endpoint/change_to_safe_mode_with_network_config.yml
@@ -1,7 +1,7 @@
 name: Change To Safe Mode With Network Config
 id: 81f1dce0-0f18-11ec-a5d7-acde48001122
-version: 6
-date: '2025-03-27'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/chcp_command_execution.yml b/detections/endpoint/chcp_command_execution.yml
index 1532d3e1fd..8c021a0d09 100644
--- a/detections/endpoint/chcp_command_execution.yml
+++ b/detections/endpoint/chcp_command_execution.yml
@@ -1,7 +1,7 @@
 name: CHCP Command Execution
 id: 21d236ec-eec1-11eb-b23e-acde48001122
 version: 7
-date: '2025-04-24'
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/check_elevated_cmd_using_whoami.yml b/detections/endpoint/check_elevated_cmd_using_whoami.yml
index 692218967c..1f780019c5 100644
--- a/detections/endpoint/check_elevated_cmd_using_whoami.yml
+++ b/detections/endpoint/check_elevated_cmd_using_whoami.yml
@@ -1,7 +1,7 @@
 name: Check Elevated CMD using whoami
 id: a9079b18-1633-11ec-859c-acde48001122
 version: 7
-date: '2025-04-24'
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/child_processes_of_spoolsv_exe.yml b/detections/endpoint/child_processes_of_spoolsv_exe.yml
index 946cceb192..db0f64d6db 100644
--- a/detections/endpoint/child_processes_of_spoolsv_exe.yml
+++ b/detections/endpoint/child_processes_of_spoolsv_exe.yml
@@ -1,7 +1,7 @@
 name: Child Processes of Spoolsv exe
 id: aa0c4aeb-5b18-41c4-8c07-f1442d7599df
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Rico Valdez, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml b/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml
index bed58ac26b..f213425e7e 100644
--- a/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml
+++ b/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml
@@ -1,7 +1,7 @@
 name: Clear Unallocated Sector Using Cipher App
 id: cd80a6ac-c9d9-11eb-8839-acde48001122
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/clop_common_exec_parameter.yml b/detections/endpoint/clop_common_exec_parameter.yml
index a3dc5b4db9..11abfed324 100644
--- a/detections/endpoint/clop_common_exec_parameter.yml
+++ b/detections/endpoint/clop_common_exec_parameter.yml
@@ -1,7 +1,7 @@
 name: Clop Common Exec Parameter
 id: 5a8a2a72-8322-11eb-9ee9-acde48001122
-version: 9
-date: '2024-12-10'
+version: 10
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/clop_ransomware_known_service_name.yml b/detections/endpoint/clop_ransomware_known_service_name.yml
index 094e346b74..3b139b0084 100644
--- a/detections/endpoint/clop_ransomware_known_service_name.yml
+++ b/detections/endpoint/clop_ransomware_known_service_name.yml
@@ -1,7 +1,7 @@
 name: Clop Ransomware Known Service Name
 id: 07e08a12-870c-11eb-b5f9-acde48001122
-version: 6
-date: '2024-12-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras
 status: production
 type: TTP
diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml
index cbb0067a2b..1dea4aac99 100644
--- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml
+++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml
@@ -1,7 +1,7 @@
 name: CMD Carry Out String Command Parameter
 id: 54a6ed00-3256-11ec-b031-acde48001122
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Teoderick Contreras, Bhavin Patel, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/cmd_echo_pipe___escalation.yml b/detections/endpoint/cmd_echo_pipe___escalation.yml
index 1a970695c8..e99071685c 100644
--- a/detections/endpoint/cmd_echo_pipe___escalation.yml
+++ b/detections/endpoint/cmd_echo_pipe___escalation.yml
@@ -1,7 +1,7 @@
 name: CMD Echo Pipe - Escalation
 id: eb277ba0-b96b-11eb-b00e-acde48001122
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
index 1b3b8140a7..e439602d58 100644
--- a/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
+++ b/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
@@ -1,7 +1,7 @@
 name: CMLUA Or CMSTPLUA UAC Bypass
 id: f87b5062-b405-11eb-a889-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/cobalt_strike_named_pipes.yml b/detections/endpoint/cobalt_strike_named_pipes.yml
index acadb477f9..ce2ca8274d 100644
--- a/detections/endpoint/cobalt_strike_named_pipes.yml
+++ b/detections/endpoint/cobalt_strike_named_pipes.yml
@@ -1,7 +1,7 @@
 name: Cobalt Strike Named Pipes
 id: 5876d429-0240-4709-8b93-ea8330b411b5
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/common_ransomware_extensions.yml b/detections/endpoint/common_ransomware_extensions.yml
index a5f22b9bd6..352c4432be 100644
--- a/detections/endpoint/common_ransomware_extensions.yml
+++ b/detections/endpoint/common_ransomware_extensions.yml
@@ -1,7 +1,7 @@
 name: Common Ransomware Extensions
 id: a9e5c5db-db11-43ca-86a8-c852d1b2c0ec
-version: '13'
-date: '2025-04-01'
+version: 14
+date: '2025-05-02'
 author: David Dorsey, Michael Haag, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/common_ransomware_notes.yml b/detections/endpoint/common_ransomware_notes.yml
index 3e2ac5b4fd..9f499153dd 100644
--- a/detections/endpoint/common_ransomware_notes.yml
+++ b/detections/endpoint/common_ransomware_notes.yml
@@ -1,7 +1,7 @@
 name: Common Ransomware Notes
 id: ada0f478-84a8-4641-a3f1-d82362d6bd71
-version: '9'
-date: '2025-04-01'
+version: 10
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/connectwise_screenconnect_path_traversal.yml b/detections/endpoint/connectwise_screenconnect_path_traversal.yml
index 1b15ea96bd..800c6dcbc0 100644
--- a/detections/endpoint/connectwise_screenconnect_path_traversal.yml
+++ b/detections/endpoint/connectwise_screenconnect_path_traversal.yml
@@ -1,7 +1,7 @@
 name: ConnectWise ScreenConnect Path Traversal
 id: 56a3ac65-e747-41f7-b014-dff7423c1dda
-version: 5
-date: '2025-03-24'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source:
 - Sysmon EventID 11
diff --git a/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml b/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml
index 04aa070da3..71bd7449e3 100644
--- a/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml
+++ b/detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml
@@ -1,7 +1,7 @@
 name: ConnectWise ScreenConnect Path Traversal Windows SACL
 id: 4e127857-1fc9-4c95-9d69-ba24c91d52d7
-version: 6
-date: '2025-03-24'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source:
 - Windows Event Log Security 4663
diff --git a/detections/endpoint/conti_common_exec_parameter.yml b/detections/endpoint/conti_common_exec_parameter.yml
index 96760dea35..446d655550 100644
--- a/detections/endpoint/conti_common_exec_parameter.yml
+++ b/detections/endpoint/conti_common_exec_parameter.yml
@@ -1,7 +1,7 @@
 name: Conti Common Exec parameter
 id: 624919bc-c382-11eb-adcc-acde48001122
-version: 8
-date: '2024-12-10'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/control_loading_from_world_writable_directory.yml b/detections/endpoint/control_loading_from_world_writable_directory.yml
index 7997499fba..570553b678 100644
--- a/detections/endpoint/control_loading_from_world_writable_directory.yml
+++ b/detections/endpoint/control_loading_from_world_writable_directory.yml
@@ -1,7 +1,7 @@
 name: Control Loading from World Writable Directory
 id: 10423ac4-10c9-11ec-8dc4-acde48001122
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml
index cba2a526d6..b987eef6a4 100644
--- a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml
+++ b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml
@@ -1,7 +1,7 @@
 name: Create or delete windows shares using net exe
 id: 743a322c-9a68-4a0f-9c17-85d9cce2a27c
-version: 13
-date: '2025-02-10'
+version: 14
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/create_remote_thread_in_shell_application.yml b/detections/endpoint/create_remote_thread_in_shell_application.yml
index c11da36f0a..852d46fd87 100644
--- a/detections/endpoint/create_remote_thread_in_shell_application.yml
+++ b/detections/endpoint/create_remote_thread_in_shell_application.yml
@@ -1,7 +1,7 @@
 name: Create Remote Thread In Shell Application
 id: 10399c1e-f51e-11eb-b920-acde48001122
-version: 7
-date: '2024-12-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/create_remote_thread_into_lsass.yml b/detections/endpoint/create_remote_thread_into_lsass.yml
index 2d022e8a2b..275f8de082 100644
--- a/detections/endpoint/create_remote_thread_into_lsass.yml
+++ b/detections/endpoint/create_remote_thread_into_lsass.yml
@@ -1,7 +1,7 @@
 name: Create Remote Thread into LSASS
 id: 67d4dbef-9564-4699-8da8-03a151529edc
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml
index 4e6c5b0018..61e311e7d9 100644
--- a/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml
+++ b/detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml
@@ -1,7 +1,7 @@
 name: Creation of lsass Dump with Taskmgr
 id: b2fbe95a-9c62-4c12-8a29-24b97e84c0cd
-version: 8
-date: '2025-04-18'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/creation_of_shadow_copy.yml b/detections/endpoint/creation_of_shadow_copy.yml
index a3ec742a46..346421fa83 100644
--- a/detections/endpoint/creation_of_shadow_copy.yml
+++ b/detections/endpoint/creation_of_shadow_copy.yml
@@ -1,7 +1,7 @@
 name: Creation of Shadow Copy
 id: eb120f5f-b879-4a63-97c1-93352b5df844
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml
index 8f46b39247..caa3f0915f 100644
--- a/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml
+++ b/detections/endpoint/creation_of_shadow_copy_with_wmic_and_powershell.yml
@@ -1,7 +1,7 @@
 name: Creation of Shadow Copy with wmic and powershell
 id: 2ed8b538-d284-449a-be1d-82ad1dbd186b
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml b/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml
index 68b426ca73..6b478943c4 100644
--- a/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml
+++ b/detections/endpoint/credential_dumping_via_copy_command_from_shadow_copy.yml
@@ -1,7 +1,7 @@
 name: Credential Dumping via Copy Command from Shadow Copy
 id: d8c406fe-23d2-45f3-a983-1abe7b83ff3b
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml b/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml
index 85b4a297cf..a9067bc8d1 100644
--- a/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml
+++ b/detections/endpoint/credential_dumping_via_symlink_to_shadow_copy.yml
@@ -1,7 +1,7 @@
 name: Credential Dumping via Symlink to Shadow Copy
 id: c5eac648-fae0-4263-91a6-773df1f4c903
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/crowdstrike_admin_weak_password_policy.yml b/detections/endpoint/crowdstrike_admin_weak_password_policy.yml
index b5bea9804b..77e1a0b134 100644
--- a/detections/endpoint/crowdstrike_admin_weak_password_policy.yml
+++ b/detections/endpoint/crowdstrike_admin_weak_password_policy.yml
@@ -1,7 +1,7 @@
 name: Crowdstrike Admin Weak Password Policy
 id: bb1481fd-23c0-4195-b6a0-94d746c9637c
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source: []
 type: TTP
diff --git a/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml b/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml
index 1973095184..ee41e97ff4 100644
--- a/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml
+++ b/detections/endpoint/crowdstrike_admin_with_duplicate_password.yml
@@ -1,7 +1,7 @@
 name: Crowdstrike Admin With Duplicate Password
 id: b8bccfbf-6ac2-40f2-83b6-e72b7efaa7d4
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source: []
 type: TTP
diff --git a/detections/endpoint/crowdstrike_high_identity_risk_severity.yml b/detections/endpoint/crowdstrike_high_identity_risk_severity.yml
index 149a914419..cf4d9ff8b4 100644
--- a/detections/endpoint/crowdstrike_high_identity_risk_severity.yml
+++ b/detections/endpoint/crowdstrike_high_identity_risk_severity.yml
@@ -1,7 +1,7 @@
 name: Crowdstrike High Identity Risk Severity
 id: 0df524ad-6d78-4883-9987-d29418928103
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source: []
 type: TTP
diff --git a/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml b/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml
index cf73fc7546..3fe1ed21d0 100644
--- a/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml
+++ b/detections/endpoint/crowdstrike_medium_identity_risk_severity.yml
@@ -1,7 +1,7 @@
 name: Crowdstrike Medium Identity Risk Severity
 id: c23b425c-9024-4bd7-b526-c18a4a51d93e
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source: []
 type: TTP
diff --git a/detections/endpoint/crowdstrike_medium_severity_alert.yml b/detections/endpoint/crowdstrike_medium_severity_alert.yml
index 406835ddf2..19ef317b9f 100644
--- a/detections/endpoint/crowdstrike_medium_severity_alert.yml
+++ b/detections/endpoint/crowdstrike_medium_severity_alert.yml
@@ -1,7 +1,7 @@
 name: Crowdstrike Medium Severity Alert
 id: 7e80d92a-6ec3-4eb1-a444-1480acfe2d14
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source: []
 type: Anomaly
diff --git a/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml b/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml
index 6fc6074d39..949719fc17 100644
--- a/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml
+++ b/detections/endpoint/crowdstrike_multiple_low_severity_alerts.yml
@@ -1,7 +1,7 @@
 name: Crowdstrike Multiple LOW Severity Alerts
 id: 5c2c02d8-bee7-4f5c-9dea-e3e1012daddb
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source: []
 type: Anomaly
diff --git a/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml b/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml
index 263bee3e17..e0a3bcf5f8 100644
--- a/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml
+++ b/detections/endpoint/crowdstrike_privilege_escalation_for_non_admin_user.yml
@@ -1,7 +1,7 @@
 name: Crowdstrike Privilege Escalation For Non-Admin User
 id: 69e2860c-0e4b-40ae-9dc4-bf9e3bf2a548
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source: []
 type: Anomaly
diff --git a/detections/endpoint/crowdstrike_user_weak_password_policy.yml b/detections/endpoint/crowdstrike_user_weak_password_policy.yml
index 8c9c0b82c6..e5c18a124d 100644
--- a/detections/endpoint/crowdstrike_user_weak_password_policy.yml
+++ b/detections/endpoint/crowdstrike_user_weak_password_policy.yml
@@ -1,7 +1,7 @@
 name: Crowdstrike User Weak Password Policy
 id: b49b6ef4-57cd-4d42-bd7e-64e00f11cc87
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source: []
 type: Anomaly
diff --git a/detections/endpoint/crowdstrike_user_with_duplicate_password.yml b/detections/endpoint/crowdstrike_user_with_duplicate_password.yml
index 1d5ae49ccd..3c248b505f 100644
--- a/detections/endpoint/crowdstrike_user_with_duplicate_password.yml
+++ b/detections/endpoint/crowdstrike_user_with_duplicate_password.yml
@@ -1,7 +1,7 @@
 name: Crowdstrike User with Duplicate Password
 id: 386dd914-16e5-400b-9bf6-25572cc4415a
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source: []
 type: Anomaly
diff --git a/detections/endpoint/csc_net_on_the_fly_compilation.yml b/detections/endpoint/csc_net_on_the_fly_compilation.yml
index 34cc953708..c991da8818 100644
--- a/detections/endpoint/csc_net_on_the_fly_compilation.yml
+++ b/detections/endpoint/csc_net_on_the_fly_compilation.yml
@@ -1,7 +1,7 @@
 name: CSC Net On The Fly Compilation
 id: ea73128a-43ab-11ec-9753-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/curl_download_and_bash_execution.yml b/detections/endpoint/curl_download_and_bash_execution.yml
index 58a9d66e17..b41caf67e7 100644
--- a/detections/endpoint/curl_download_and_bash_execution.yml
+++ b/detections/endpoint/curl_download_and_bash_execution.yml
@@ -1,7 +1,7 @@
 name: Curl Download and Bash Execution
 id: 900bc324-59f3-11ec-9fb4-acde48001122
-version: 8
-date: '2024-12-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk, DipsyTipsy
 status: production
 type: TTP
diff --git a/detections/endpoint/delete_shadowcopy_with_powershell.yml b/detections/endpoint/delete_shadowcopy_with_powershell.yml
index bc264e1c60..c45a2e3472 100644
--- a/detections/endpoint/delete_shadowcopy_with_powershell.yml
+++ b/detections/endpoint/delete_shadowcopy_with_powershell.yml
@@ -1,7 +1,7 @@
 name: Delete ShadowCopy With PowerShell
 id: 5ee2bcd0-b2ff-11eb-bb34-acde48001122
-version: 7
-date: '2025-04-18'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/deleting_shadow_copies.yml b/detections/endpoint/deleting_shadow_copies.yml
index 672b4df4c4..16283c6304 100644
--- a/detections/endpoint/deleting_shadow_copies.yml
+++ b/detections/endpoint/deleting_shadow_copies.yml
@@ -1,7 +1,7 @@
 name: Deleting Shadow Copies
 id: b89919ed-ee5f-492c-b139-95dbb162039e
-version: 13
-date: '2025-04-16'
+version: 14
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_azurehound_command_line_arguments.yml b/detections/endpoint/detect_azurehound_command_line_arguments.yml
index b174064306..6078666eea 100644
--- a/detections/endpoint/detect_azurehound_command_line_arguments.yml
+++ b/detections/endpoint/detect_azurehound_command_line_arguments.yml
@@ -1,7 +1,7 @@
 name: Detect AzureHound Command-Line Arguments
 id: 26f02e96-c300-11eb-b611-acde48001122
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_azurehound_file_modifications.yml b/detections/endpoint/detect_azurehound_file_modifications.yml
index 9917d12d16..f3c822536f 100644
--- a/detections/endpoint/detect_azurehound_file_modifications.yml
+++ b/detections/endpoint/detect_azurehound_file_modifications.yml
@@ -1,7 +1,7 @@
 name: Detect AzureHound File Modifications
 id: 1c34549e-c31b-11eb-996b-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml b/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml
index 6cb38639a8..d63189b727 100644
--- a/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml
+++ b/detections/endpoint/detect_baron_samedit_cve_2021_3156.yml
@@ -1,7 +1,7 @@
 name: Detect Baron Samedit CVE-2021-3156
 id: 93fbec4e-0375-440c-8db3-4508eca470c4
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Shannon Davis, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml b/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml
index b6da8b499b..1c31aa7ce3 100644
--- a/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml
+++ b/detections/endpoint/detect_baron_samedit_cve_2021_3156_segfault.yml
@@ -1,7 +1,7 @@
 name: Detect Baron Samedit CVE-2021-3156 Segfault
 id: 10f2bae0-bbe6-4984-808c-37dc1c67980d
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Shannon Davis, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml b/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml
index 7787f11f60..8f07ec2bd5 100644
--- a/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml
+++ b/detections/endpoint/detect_baron_samedit_cve_2021_3156_via_osquery.yml
@@ -1,7 +1,7 @@
 name: Detect Baron Samedit CVE-2021-3156 via OSQuery
 id: 1de31d5d-8fa6-4ee0-af89-17069134118a
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Shannon Davis, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/detect_certify_command_line_arguments.yml b/detections/endpoint/detect_certify_command_line_arguments.yml
index 7cf359cb5b..86bf5665a0 100644
--- a/detections/endpoint/detect_certify_command_line_arguments.yml
+++ b/detections/endpoint/detect_certify_command_line_arguments.yml
@@ -1,7 +1,7 @@
 name: Detect Certify Command Line Arguments
 id: e6d2dc61-a8b9-4b03-906c-da0ca75d71b8
-version: 6
-date: '2024-12-10'
+version: 7
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml b/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml
index 04398a2116..e29bb67daf 100644
--- a/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml
+++ b/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml
@@ -1,7 +1,7 @@
 name: Detect Certify With PowerShell Script Block Logging
 id: f533ca6c-9440-4686-80cb-7f294c07812a
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_certipy_file_modifications.yml b/detections/endpoint/detect_certipy_file_modifications.yml
index 7706d5ec81..1d837d6287 100644
--- a/detections/endpoint/detect_certipy_file_modifications.yml
+++ b/detections/endpoint/detect_certipy_file_modifications.yml
@@ -1,7 +1,7 @@
 name: Detect Certipy File Modifications
 id: 7e3df743-b1d8-4631-8fa8-bd5819688876
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_computer_changed_with_anonymous_account.yml b/detections/endpoint/detect_computer_changed_with_anonymous_account.yml
index 0da8ae363c..7a9ece684d 100644
--- a/detections/endpoint/detect_computer_changed_with_anonymous_account.yml
+++ b/detections/endpoint/detect_computer_changed_with_anonymous_account.yml
@@ -1,7 +1,7 @@
 name: Detect Computer Changed with Anonymous Account
 id: 1400624a-d42d-484d-8843-e6753e6e3645
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Rod Soto, Jose Hernandez, Splunk
 status: experimental
 type: Hunting
diff --git a/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml b/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml
index a4c458f7ab..a788099c05 100644
--- a/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml
+++ b/detections/endpoint/detect_copy_of_shadowcopy_with_script_block_logging.yml
@@ -1,7 +1,7 @@
 name: Detect Copy of ShadowCopy with Script Block Logging
 id: 9251299c-ea5b-11eb-a8de-acde48001122
-version: 7
-date: '2025-03-25'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml
index 7731eec61f..29e9e7c7c3 100644
--- a/detections/endpoint/detect_credential_dumping_through_lsass_access.yml
+++ b/detections/endpoint/detect_credential_dumping_through_lsass_access.yml
@@ -1,7 +1,7 @@
 name: Detect Credential Dumping through LSASS access
 id: 2c365e57-4414-4540-8dc0-73ab10729996
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml b/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml
index 422a44ca2c..b8e85acebe 100644
--- a/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml
+++ b/detections/endpoint/detect_empire_with_powershell_script_block_logging.yml
@@ -1,7 +1,7 @@
 name: Detect Empire with PowerShell Script Block Logging
 id: bc1dc6b8-c954-11eb-bade-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml b/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml
index e81a797125..c65347b7ae 100644
--- a/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml
+++ b/detections/endpoint/detect_excessive_account_lockouts_from_endpoint.yml
@@ -1,7 +1,7 @@
 name: Detect Excessive Account Lockouts From Endpoint
 id: c026e3dd-7e18-4abb-8f41-929e836efe74
-version: 12
-date: '2025-02-10'
+version: 13
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/detect_excessive_user_account_lockouts.yml b/detections/endpoint/detect_excessive_user_account_lockouts.yml
index 6eab6eb5d8..dbb09b6743 100644
--- a/detections/endpoint/detect_excessive_user_account_lockouts.yml
+++ b/detections/endpoint/detect_excessive_user_account_lockouts.yml
@@ -1,7 +1,7 @@
 name: Detect Excessive User Account Lockouts
 id: 95a7f9a5-6096-437e-a19e-86f42ac609bd
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/detect_exchange_web_shell.yml b/detections/endpoint/detect_exchange_web_shell.yml
index 1dc25eace0..87893ad201 100644
--- a/detections/endpoint/detect_exchange_web_shell.yml
+++ b/detections/endpoint/detect_exchange_web_shell.yml
@@ -1,7 +1,7 @@
 name: Detect Exchange Web Shell
 id: 8c14eeee-2af1-4a4b-bda8-228da0f4862a
-version: 11
-date: '2025-03-25'
+version: 12
+date: '2025-05-02'
 author: Michael Haag, Shannon Davis, David Dorsey, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_html_help_renamed.yml b/detections/endpoint/detect_html_help_renamed.yml
index ba01055d7a..44efeb5579 100644
--- a/detections/endpoint/detect_html_help_renamed.yml
+++ b/detections/endpoint/detect_html_help_renamed.yml
@@ -1,7 +1,7 @@
 name: Detect HTML Help Renamed
 id: 62fed254-513b-460e-953d-79771493a9f3
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/detect_html_help_url_in_command_line.yml b/detections/endpoint/detect_html_help_url_in_command_line.yml
index d4b5b7b318..49584331fd 100644
--- a/detections/endpoint/detect_html_help_url_in_command_line.yml
+++ b/detections/endpoint/detect_html_help_url_in_command_line.yml
@@ -1,7 +1,7 @@
 name: Detect HTML Help URL in Command Line
 id: 8c5835b9-39d9-438b-817c-95f14c69a31e
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml
index debacbc490..d096ef262e 100644
--- a/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml
+++ b/detections/endpoint/detect_html_help_using_infotech_storage_handlers.yml
@@ -1,7 +1,7 @@
 name: Detect HTML Help Using InfoTech Storage Handlers
 id: 0b2eefa5-5508-450d-b970-3dd2fb761aec
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml b/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml
index 31718bff40..93436a474d 100644
--- a/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml
+++ b/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml
@@ -1,7 +1,7 @@
 name: Detect Mimikatz With PowerShell Script Block Logging
 id: 8148c29c-c952-11eb-9255-acde48001122
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_mshta_inline_hta_execution.yml b/detections/endpoint/detect_mshta_inline_hta_execution.yml
index eb1250df05..2e81be7922 100644
--- a/detections/endpoint/detect_mshta_inline_hta_execution.yml
+++ b/detections/endpoint/detect_mshta_inline_hta_execution.yml
@@ -1,7 +1,7 @@
 name: Detect mshta inline hta execution
 id: a0873b32-5b68-11eb-ae93-0242ac130002
-version: 15
-date: '2025-02-10'
+version: 16
+date: '2025-05-02'
 author: Bhavin Patel, Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_mshta_renamed.yml b/detections/endpoint/detect_mshta_renamed.yml
index 5e9ed9f6d3..41fa471e01 100644
--- a/detections/endpoint/detect_mshta_renamed.yml
+++ b/detections/endpoint/detect_mshta_renamed.yml
@@ -1,7 +1,7 @@
 name: Detect mshta renamed
 id: 8f45fcf0-5b68-11eb-ae93-0242ac130002
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/detect_mshta_url_in_command_line.yml b/detections/endpoint/detect_mshta_url_in_command_line.yml
index f5588bf53f..ac216b3b21 100644
--- a/detections/endpoint/detect_mshta_url_in_command_line.yml
+++ b/detections/endpoint/detect_mshta_url_in_command_line.yml
@@ -1,7 +1,7 @@
 name: Detect MSHTA Url in Command Line
 id: 9b3af1e6-5b68-11eb-ae93-0242ac130002
-version: 11
-date: '2025-02-10'
+version: 12
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_new_local_admin_account.yml b/detections/endpoint/detect_new_local_admin_account.yml
index e17eed841e..a180dffae1 100644
--- a/detections/endpoint/detect_new_local_admin_account.yml
+++ b/detections/endpoint/detect_new_local_admin_account.yml
@@ -1,7 +1,7 @@
 name: Detect New Local Admin account
 id: b25f6f62-0712-43c1-b203-083231ffd97d
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
index f29e38cf3f..2a7b27ce5b 100644
--- a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
+++ b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
@@ -1,7 +1,7 @@
 name: Detect Outlook exe writing a zip file
 id: a51bfe1a-94f0-4822-b1e4-16ae10145893
-version: 12
-date: '2025-04-22'
+version: 13
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/detect_password_spray_attack_behavior_from_source.yml b/detections/endpoint/detect_password_spray_attack_behavior_from_source.yml
index 9400cb9938..e11f497e29 100644
--- a/detections/endpoint/detect_password_spray_attack_behavior_from_source.yml
+++ b/detections/endpoint/detect_password_spray_attack_behavior_from_source.yml
@@ -1,7 +1,7 @@
 name: Detect Password Spray Attack Behavior From Source
 id: b6391b15-e913-4c2c-8949-9eecc06efacc
-version: 6
-date: '2025-03-27'
+version: 7
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_password_spray_attack_behavior_on_user.yml b/detections/endpoint/detect_password_spray_attack_behavior_on_user.yml
index b3a471d221..f4ee857619 100644
--- a/detections/endpoint/detect_password_spray_attack_behavior_on_user.yml
+++ b/detections/endpoint/detect_password_spray_attack_behavior_on_user.yml
@@ -1,7 +1,7 @@
 name: Detect Password Spray Attack Behavior On User
 id: a7539705-7183-4a12-9b6a-b6eef645a6d7
-version: 6
-date: '2025-03-27'
+version: 7
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml b/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml
index 218c1b6110..74073b3cae 100644
--- a/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml
+++ b/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml
@@ -1,7 +1,7 @@
 name: Detect Path Interception By Creation Of program exe
 id: cbef820c-e1ff-407f-887f-0a9240a2d477
-version: 12
-date: '2025-02-10'
+version: 13
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml b/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml
index 66336a4c7f..413b947f43 100644
--- a/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml
+++ b/detections/endpoint/detect_prohibited_applications_spawning_cmd_exe.yml
@@ -1,7 +1,7 @@
 name: Detect Prohibited Applications Spawning cmd exe
 id: dcfd6b40-42f9-469d-a433-2e53f7486664
-version: 12
-date: '2025-02-10'
+version: 13
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/detect_psexec_with_accepteula_flag.yml b/detections/endpoint/detect_psexec_with_accepteula_flag.yml
index 5643d865a3..b42f34a396 100644
--- a/detections/endpoint/detect_psexec_with_accepteula_flag.yml
+++ b/detections/endpoint/detect_psexec_with_accepteula_flag.yml
@@ -1,7 +1,7 @@
 name: Detect PsExec With accepteula Flag
 id: 27c3a83d-cada-47c6-9042-67baf19d2574
-version: 12
-date: '2025-04-18'
+version: 13
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_rare_executables.yml b/detections/endpoint/detect_rare_executables.yml
index 7367c7f959..de91efd6c4 100644
--- a/detections/endpoint/detect_rare_executables.yml
+++ b/detections/endpoint/detect_rare_executables.yml
@@ -1,7 +1,7 @@
 name: Detect Rare Executables
 id: 44fddcb2-8d3b-454c-874e-7c6de5a4f7ac
-version: 9
-date: '2025-03-27'
+version: 10
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/detect_rclone_command_line_usage.yml b/detections/endpoint/detect_rclone_command_line_usage.yml
index 7eab4375a3..4f97b47f3e 100644
--- a/detections/endpoint/detect_rclone_command_line_usage.yml
+++ b/detections/endpoint/detect_rclone_command_line_usage.yml
@@ -1,7 +1,7 @@
 name: Detect RClone Command-Line Usage
 id: 32e0baea-b3f1-11eb-a2ce-acde48001122
-version: 10
-date: '2025-04-18'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_regasm_spawning_a_process.yml b/detections/endpoint/detect_regasm_spawning_a_process.yml
index 6775ddf818..9505c8ec86 100644
--- a/detections/endpoint/detect_regasm_spawning_a_process.yml
+++ b/detections/endpoint/detect_regasm_spawning_a_process.yml
@@ -1,7 +1,7 @@
 name: Detect Regasm Spawning a Process
 id: 72170ec5-f7d2-42f5-aefb-2b8be6aad15f
-version: 11
-date: '2025-02-10'
+version: 12
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_regasm_with_network_connection.yml b/detections/endpoint/detect_regasm_with_network_connection.yml
index a2933b40f0..7cda8e307e 100644
--- a/detections/endpoint/detect_regasm_with_network_connection.yml
+++ b/detections/endpoint/detect_regasm_with_network_connection.yml
@@ -1,7 +1,7 @@
 name: Detect Regasm with Network Connection
 id: 07921114-6db4-4e2e-ae58-3ea8a52ae93f
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml
index fe1d72e8a7..b4c04eb108 100644
--- a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml
+++ b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml
@@ -1,7 +1,7 @@
 name: Detect Regasm with no Command Line Arguments
 id: c3bc1430-04e7-4178-835f-047d8e6e97df
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_regsvcs_spawning_a_process.yml b/detections/endpoint/detect_regsvcs_spawning_a_process.yml
index eff567a17e..2763669577 100644
--- a/detections/endpoint/detect_regsvcs_spawning_a_process.yml
+++ b/detections/endpoint/detect_regsvcs_spawning_a_process.yml
@@ -1,7 +1,7 @@
 name: Detect Regsvcs Spawning a Process
 id: bc477b57-5c21-4ab6-9c33-668772e7f114
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_regsvcs_with_network_connection.yml b/detections/endpoint/detect_regsvcs_with_network_connection.yml
index 0deeab2e7f..83d19613eb 100644
--- a/detections/endpoint/detect_regsvcs_with_network_connection.yml
+++ b/detections/endpoint/detect_regsvcs_with_network_connection.yml
@@ -1,7 +1,7 @@
 name: Detect Regsvcs with Network Connection
 id: e3e7a1c0-f2b9-445c-8493-f30a63522d1a
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml
index 87a36d76dd..9cdda899cb 100644
--- a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml
+++ b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml
@@ -1,7 +1,7 @@
 name: Detect Regsvcs with No Command Line Arguments
 id: 6b74d578-a02e-4e94-a0d1-39440d0bf254
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_regsvr32_application_control_bypass.yml b/detections/endpoint/detect_regsvr32_application_control_bypass.yml
index b3d324c254..59b1fc91ca 100644
--- a/detections/endpoint/detect_regsvr32_application_control_bypass.yml
+++ b/detections/endpoint/detect_regsvr32_application_control_bypass.yml
@@ -1,7 +1,7 @@
 name: Detect Regsvr32 Application Control Bypass
 id: 070e9b80-6252-11eb-ae93-0242ac130002
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_remote_access_software_usage_file.yml b/detections/endpoint/detect_remote_access_software_usage_file.yml
index 2f4c7c4a57..59430b3f2f 100644
--- a/detections/endpoint/detect_remote_access_software_usage_file.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_file.yml
@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage File
 id: 3bf5541a-6a45-4fdc-b01d-59b899fff961
-version: 8
-date: '2025-04-18'
+version: 9
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml
index 2a64d4f18d..69dfeb9f46 100644
--- a/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_fileinfo.yml
@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage FileInfo
 id: ccad96d7-a48c-4f13-8b9c-9f6a31cba454
-version: 8
-date: '2025-04-18'
+version: 9
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/detect_remote_access_software_usage_process.yml b/detections/endpoint/detect_remote_access_software_usage_process.yml
index 7074ab0fe1..3f3514d83a 100644
--- a/detections/endpoint/detect_remote_access_software_usage_process.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_process.yml
@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage Process
 id: ffd5e001-2e34-48f4-97a2-26dc4bb08178
 version: 9
-date: '2025-04-30'
+date: '2025-05-02'
 author: Steven Dick, Sebastian Wurl, Splunk Community
 status: production
 type: Anomaly
diff --git a/detections/endpoint/detect_remote_access_software_usage_registry.yml b/detections/endpoint/detect_remote_access_software_usage_registry.yml
index e7dc8ae2c6..fcefe4fc23 100644
--- a/detections/endpoint/detect_remote_access_software_usage_registry.yml
+++ b/detections/endpoint/detect_remote_access_software_usage_registry.yml
@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage Registry
 id: 33804986-25dd-43cf-bb6b-dc14956c7cbc
-version: 6
-date: '2025-04-18'
+version: 7
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/detect_renamed_7_zip.yml b/detections/endpoint/detect_renamed_7_zip.yml
index 8f1dedf31b..6401da14bb 100644
--- a/detections/endpoint/detect_renamed_7_zip.yml
+++ b/detections/endpoint/detect_renamed_7_zip.yml
@@ -1,7 +1,7 @@
 name: Detect Renamed 7-Zip
 id: 4057291a-b8cf-11eb-95fe-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/detect_renamed_psexec.yml b/detections/endpoint/detect_renamed_psexec.yml
index c306b06cc8..a448f340ed 100644
--- a/detections/endpoint/detect_renamed_psexec.yml
+++ b/detections/endpoint/detect_renamed_psexec.yml
@@ -1,7 +1,7 @@
 name: Detect Renamed PSExec
 id: 683e6196-b8e8-11eb-9a79-acde48001122
-version: 14
-date: '2025-04-18'
+version: 15
+date: '2025-05-02'
 author: Michael Haag, Splunk, Alex Oberkircher, Github Community
 status: production
 type: Hunting
diff --git a/detections/endpoint/detect_renamed_rclone.yml b/detections/endpoint/detect_renamed_rclone.yml
index 979741dcc8..2033da6451 100644
--- a/detections/endpoint/detect_renamed_rclone.yml
+++ b/detections/endpoint/detect_renamed_rclone.yml
@@ -1,7 +1,7 @@
 name: Detect Renamed RClone
 id: 6dca1124-b3ec-11eb-9328-acde48001122
-version: 9
-date: '2025-04-18'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/detect_renamed_winrar.yml b/detections/endpoint/detect_renamed_winrar.yml
index 135eea84a2..f794dddddc 100644
--- a/detections/endpoint/detect_renamed_winrar.yml
+++ b/detections/endpoint/detect_renamed_winrar.yml
@@ -1,7 +1,7 @@
 name: Detect Renamed WinRAR
 id: 1b7bfb2c-b8e6-11eb-99ac-acde48001122
-version: 11
-date: '2025-03-27'
+version: 12
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/detect_rtlo_in_file_name.yml b/detections/endpoint/detect_rtlo_in_file_name.yml
index 452101b9f7..07f4aab7df 100644
--- a/detections/endpoint/detect_rtlo_in_file_name.yml
+++ b/detections/endpoint/detect_rtlo_in_file_name.yml
@@ -1,7 +1,7 @@
 name: Detect RTLO In File Name
 id: 468b7e11-d362-43b8-b6ec-7a2d3b246678
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_rtlo_in_process.yml b/detections/endpoint/detect_rtlo_in_process.yml
index 6357badfa2..49c967efea 100644
--- a/detections/endpoint/detect_rtlo_in_process.yml
+++ b/detections/endpoint/detect_rtlo_in_process.yml
@@ -1,7 +1,7 @@
 name: Detect RTLO In Process
 id: 22ac27b4-7189-4a4f-9375-b9017c9620d7
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml
index b47a9f148c..a9bdc22685 100644
--- a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml
+++ b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml
@@ -1,7 +1,7 @@
 name: Detect Rundll32 Application Control Bypass - advpack
 id: 4aefadfe-9abd-4bf8-b3fd-867e9ef95bf8
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml
index 644cd4d8f0..194bd00376 100644
--- a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml
+++ b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml
@@ -1,7 +1,7 @@
 name: Detect Rundll32 Application Control Bypass - setupapi
 id: 61e7b44a-6088-4f26-b788-9a96ba13b37a
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml
index 7a7385f65e..69ae4fd9fa 100644
--- a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml
+++ b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml
@@ -1,7 +1,7 @@
 name: Detect Rundll32 Application Control Bypass - syssetup
 id: 71b9bf37-cde1-45fb-b899-1b0aa6fa1183
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_rundll32_inline_hta_execution.yml b/detections/endpoint/detect_rundll32_inline_hta_execution.yml
index 31b46aa937..12d42f723f 100644
--- a/detections/endpoint/detect_rundll32_inline_hta_execution.yml
+++ b/detections/endpoint/detect_rundll32_inline_hta_execution.yml
@@ -1,7 +1,7 @@
 name: Detect Rundll32 Inline HTA Execution
 id: 91c79f14-5b41-11eb-ae93-0242ac130002
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_sharphound_command_line_arguments.yml b/detections/endpoint/detect_sharphound_command_line_arguments.yml
index e1a4404663..298adf1ab7 100644
--- a/detections/endpoint/detect_sharphound_command_line_arguments.yml
+++ b/detections/endpoint/detect_sharphound_command_line_arguments.yml
@@ -1,7 +1,7 @@
 name: Detect SharpHound Command-Line Arguments
 id: a0bdd2f6-c2ff-11eb-b918-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_sharphound_file_modifications.yml b/detections/endpoint/detect_sharphound_file_modifications.yml
index 6f4f8a182b..b0dbbab8ea 100644
--- a/detections/endpoint/detect_sharphound_file_modifications.yml
+++ b/detections/endpoint/detect_sharphound_file_modifications.yml
@@ -1,7 +1,7 @@
 name: Detect SharpHound File Modifications
 id: 42b4b438-beed-11eb-ba1d-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_sharphound_usage.yml b/detections/endpoint/detect_sharphound_usage.yml
index e292dfa6d5..dc44938536 100644
--- a/detections/endpoint/detect_sharphound_usage.yml
+++ b/detections/endpoint/detect_sharphound_usage.yml
@@ -1,7 +1,7 @@
 name: Detect SharpHound Usage
 id: dd04b29a-beed-11eb-87bc-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml
index 9788ad2e58..cb4be84838 100644
--- a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml
+++ b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml
@@ -1,7 +1,7 @@
 name: Detect suspicious processnames using pretrained model in DSDL
 id: a15f8977-ad7d-4669-92ef-b59b97219bf5
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk
 type: Anomaly
 status: experimental
diff --git a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml
index 53e8f3e6c5..a7fdae3395 100644
--- a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml
+++ b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml
@@ -1,7 +1,7 @@
 name: Detect Use of cmd exe to Launch Script Interpreters
 id: b89919ed-fe5f-492c-b139-95dbb162039e
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Bhavin Patel, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detect_wmi_event_subscription_persistence.yml b/detections/endpoint/detect_wmi_event_subscription_persistence.yml
index 501b884c0d..99e19bcd2c 100644
--- a/detections/endpoint/detect_wmi_event_subscription_persistence.yml
+++ b/detections/endpoint/detect_wmi_event_subscription_persistence.yml
@@ -1,7 +1,7 @@
 name: Detect WMI Event Subscription Persistence
 id: 01d9a0c2-cece-11eb-ab46-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/detection_of_tools_built_by_nirsoft.yml b/detections/endpoint/detection_of_tools_built_by_nirsoft.yml
index 2a0e7986d7..b218f78a9d 100644
--- a/detections/endpoint/detection_of_tools_built_by_nirsoft.yml
+++ b/detections/endpoint/detection_of_tools_built_by_nirsoft.yml
@@ -1,7 +1,7 @@
 name: Detection of tools built by NirSoft
 id: 3d8d201c-aa03-422d-b0ee-2e5ecf9718c0
 version: 8
-date: '2025-04-24'
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/endpoint/disable_amsi_through_registry.yml b/detections/endpoint/disable_amsi_through_registry.yml
index a43ec8600f..245559a534 100644
--- a/detections/endpoint/disable_amsi_through_registry.yml
+++ b/detections/endpoint/disable_amsi_through_registry.yml
@@ -1,7 +1,7 @@
 name: Disable AMSI Through Registry
 id: 9c27ec42-d338-11eb-9044-acde48001122
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/disable_defender_antivirus_registry.yml b/detections/endpoint/disable_defender_antivirus_registry.yml
index 4320633749..c58c85a830 100644
--- a/detections/endpoint/disable_defender_antivirus_registry.yml
+++ b/detections/endpoint/disable_defender_antivirus_registry.yml
@@ -1,7 +1,7 @@
 name: Disable Defender AntiVirus Registry
 id: aa4f695a-3024-11ec-9987-acde48001122
-version: 12
-date: '2025-04-18'
+version: 13
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
index 1dc7248e71..4cb606226c 100644
--- a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
+++ b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
@@ -1,7 +1,7 @@
 name: Disable Defender BlockAtFirstSeen Feature
 id: 2dd719ac-3021-11ec-97b4-acde48001122
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/disable_defender_enhanced_notification.yml b/detections/endpoint/disable_defender_enhanced_notification.yml
index 79ce4fecec..0a5041bc5b 100644
--- a/detections/endpoint/disable_defender_enhanced_notification.yml
+++ b/detections/endpoint/disable_defender_enhanced_notification.yml
@@ -1,7 +1,7 @@
 name: Disable Defender Enhanced Notification
 id: dc65678c-301f-11ec-8e30-acde48001122
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/disable_defender_mpengine_registry.yml b/detections/endpoint/disable_defender_mpengine_registry.yml
index e6230f8ca0..e81d03d426 100644
--- a/detections/endpoint/disable_defender_mpengine_registry.yml
+++ b/detections/endpoint/disable_defender_mpengine_registry.yml
@@ -1,7 +1,7 @@
 name: Disable Defender MpEngine Registry
 id: cc391750-3024-11ec-955a-acde48001122
-version: 11
-date: '2025-02-10'
+version: 12
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/disable_defender_spynet_reporting.yml b/detections/endpoint/disable_defender_spynet_reporting.yml
index 9c27eb61b6..4eaa1ff555 100644
--- a/detections/endpoint/disable_defender_spynet_reporting.yml
+++ b/detections/endpoint/disable_defender_spynet_reporting.yml
@@ -1,7 +1,7 @@
 name: Disable Defender Spynet Reporting
 id: 898debf4-3021-11ec-ba7c-acde48001122
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml
index 466a408f1c..cd4e6fbc50 100644
--- a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml
+++ b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml
@@ -1,7 +1,7 @@
 name: Disable Defender Submit Samples Consent Feature
 id: 73922ff8-3022-11ec-bf5e-acde48001122
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/disable_etw_through_registry.yml b/detections/endpoint/disable_etw_through_registry.yml
index 4556ffae7f..3551d6466b 100644
--- a/detections/endpoint/disable_etw_through_registry.yml
+++ b/detections/endpoint/disable_etw_through_registry.yml
@@ -1,7 +1,7 @@
 name: Disable ETW Through Registry
 id: f0eacfa4-d33f-11eb-8f9d-acde48001122
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/disable_logs_using_wevtutil.yml b/detections/endpoint/disable_logs_using_wevtutil.yml
index 7cf134f07a..0005b3b0d7 100644
--- a/detections/endpoint/disable_logs_using_wevtutil.yml
+++ b/detections/endpoint/disable_logs_using_wevtutil.yml
@@ -1,7 +1,7 @@
 name: Disable Logs Using WevtUtil
 id: 236e7c8e-c9d9-11eb-a824-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/disable_registry_tool.yml b/detections/endpoint/disable_registry_tool.yml
index 6d5fb08735..b2d0aa10e8 100644
--- a/detections/endpoint/disable_registry_tool.yml
+++ b/detections/endpoint/disable_registry_tool.yml
@@ -1,7 +1,7 @@
 name: Disable Registry Tool
 id: cd2cf33c-9201-11eb-a10a-acde48001122
-version: 12
-date: '2025-04-22'
+version: 13
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/disable_schedule_task.yml b/detections/endpoint/disable_schedule_task.yml
index 2db9f358ce..717b883e2f 100644
--- a/detections/endpoint/disable_schedule_task.yml
+++ b/detections/endpoint/disable_schedule_task.yml
@@ -1,7 +1,7 @@
 name: Disable Schedule Task
 id: db596056-3019-11ec-a9ff-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/disable_security_logs_using_minint_registry.yml b/detections/endpoint/disable_security_logs_using_minint_registry.yml
index 621bea141f..27ab8e2cb5 100644
--- a/detections/endpoint/disable_security_logs_using_minint_registry.yml
+++ b/detections/endpoint/disable_security_logs_using_minint_registry.yml
@@ -1,7 +1,7 @@
 name: Disable Security Logs Using MiniNt Registry
 id: 39ebdc68-25b9-11ec-aec7-acde48001122
-version: 11
-date: '2025-04-22'
+version: 12
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/disable_show_hidden_files.yml b/detections/endpoint/disable_show_hidden_files.yml
index 248ecfcd06..ab1e0f90bd 100644
--- a/detections/endpoint/disable_show_hidden_files.yml
+++ b/detections/endpoint/disable_show_hidden_files.yml
@@ -1,7 +1,7 @@
 name: Disable Show Hidden Files
 id: 6f3ccfa2-91fe-11eb-8f9b-acde48001122
-version: 12
-date: '2025-04-22'
+version: 13
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/disable_uac_remote_restriction.yml b/detections/endpoint/disable_uac_remote_restriction.yml
index 9438c3a2c3..c8f741dac9 100644
--- a/detections/endpoint/disable_uac_remote_restriction.yml
+++ b/detections/endpoint/disable_uac_remote_restriction.yml
@@ -1,7 +1,7 @@
 name: Disable UAC Remote Restriction
 id: 9928b732-210e-11ec-b65e-acde48001122
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/disable_windows_app_hotkeys.yml b/detections/endpoint/disable_windows_app_hotkeys.yml
index 796c76ccd4..297fc5d724 100644
--- a/detections/endpoint/disable_windows_app_hotkeys.yml
+++ b/detections/endpoint/disable_windows_app_hotkeys.yml
@@ -1,7 +1,7 @@
 name: Disable Windows App Hotkeys
 id: 1490f224-ad8b-11eb-8c4f-acde48001122
-version: 11
-date: '2025-04-22'
+version: 12
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml
index 5b9136bd06..a245641820 100644
--- a/detections/endpoint/disable_windows_behavior_monitoring.yml
+++ b/detections/endpoint/disable_windows_behavior_monitoring.yml
@@ -1,7 +1,7 @@
 name: Disable Windows Behavior Monitoring
 id: 79439cae-9200-11eb-a4d3-acde48001122
-version: 14
-date: '2025-04-18'
+version: 15
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/disable_windows_smartscreen_protection.yml b/detections/endpoint/disable_windows_smartscreen_protection.yml
index ad8ca01945..2b3fcbe7b2 100644
--- a/detections/endpoint/disable_windows_smartscreen_protection.yml
+++ b/detections/endpoint/disable_windows_smartscreen_protection.yml
@@ -1,7 +1,7 @@
 name: Disable Windows SmartScreen Protection
 id: 664f0fd0-91ff-11eb-a56f-acde48001122
-version: 11
-date: '2025-02-10'
+version: 12
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml
index 85b2c87b4c..5968e67b0d 100644
--- a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml
+++ b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml
@@ -1,7 +1,7 @@
 name: Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
 id: 114c6bfe-9406-11ec-bcce-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml
index ae431ddbf2..d8f3078812 100644
--- a/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml
+++ b/detections/endpoint/disabled_kerberos_pre_authentication_discovery_with_powerview.yml
@@ -1,7 +1,7 @@
 name: Disabled Kerberos Pre-Authentication Discovery With PowerView
 id: b0b34e2c-90de-11ec-baeb-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/disabling_cmd_application.yml b/detections/endpoint/disabling_cmd_application.yml
index 57495f502b..907d61fadf 100644
--- a/detections/endpoint/disabling_cmd_application.yml
+++ b/detections/endpoint/disabling_cmd_application.yml
@@ -1,7 +1,7 @@
 name: Disabling CMD Application
 id: ff86077c-9212-11eb-a1e6-acde48001122
-version: 12
-date: '2025-04-22'
+version: 13
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/disabling_controlpanel.yml b/detections/endpoint/disabling_controlpanel.yml
index 363b3627ef..140aab72db 100644
--- a/detections/endpoint/disabling_controlpanel.yml
+++ b/detections/endpoint/disabling_controlpanel.yml
@@ -1,7 +1,7 @@
 name: Disabling ControlPanel
 id: 6ae0148e-9215-11eb-a94a-acde48001122
-version: 12
-date: '2025-04-22'
+version: 13
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/disabling_defender_services.yml b/detections/endpoint/disabling_defender_services.yml
index 775539d2d2..c0efd290dc 100644
--- a/detections/endpoint/disabling_defender_services.yml
+++ b/detections/endpoint/disabling_defender_services.yml
@@ -1,7 +1,7 @@
 name: Disabling Defender Services
 id: 911eacdc-317f-11ec-ad30-acde48001122
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/disabling_firewall_with_netsh.yml b/detections/endpoint/disabling_firewall_with_netsh.yml
index 1092aa8127..3c6b6df111 100644
--- a/detections/endpoint/disabling_firewall_with_netsh.yml
+++ b/detections/endpoint/disabling_firewall_with_netsh.yml
@@ -1,7 +1,7 @@
 name: Disabling Firewall with Netsh
 id: 6860a62c-9203-11eb-9e05-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/disabling_folderoptions_windows_feature.yml b/detections/endpoint/disabling_folderoptions_windows_feature.yml
index 829465f384..b77b23066c 100644
--- a/detections/endpoint/disabling_folderoptions_windows_feature.yml
+++ b/detections/endpoint/disabling_folderoptions_windows_feature.yml
@@ -1,7 +1,7 @@
 name: Disabling FolderOptions Windows Feature
 id: 83776de4-921a-11eb-868a-acde48001122
-version: 11
-date: '2025-02-10'
+version: 12
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/disabling_norun_windows_app.yml b/detections/endpoint/disabling_norun_windows_app.yml
index d337deb039..aa34874332 100644
--- a/detections/endpoint/disabling_norun_windows_app.yml
+++ b/detections/endpoint/disabling_norun_windows_app.yml
@@ -1,7 +1,7 @@
 name: Disabling NoRun Windows App
 id: de81bc46-9213-11eb-adc9-acde48001122
-version: 12
-date: '2025-04-22'
+version: 13
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/disabling_remote_user_account_control.yml b/detections/endpoint/disabling_remote_user_account_control.yml
index c8feea30f1..fdc55fb649 100644
--- a/detections/endpoint/disabling_remote_user_account_control.yml
+++ b/detections/endpoint/disabling_remote_user_account_control.yml
@@ -1,7 +1,7 @@
 name: Disabling Remote User Account Control
 id: bbc644bc-37df-4e1a-9c88-ec9a53e2038c
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: David Dorsey, Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/disabling_systemrestore_in_registry.yml b/detections/endpoint/disabling_systemrestore_in_registry.yml
index 3f639bbf80..a28213b800 100644
--- a/detections/endpoint/disabling_systemrestore_in_registry.yml
+++ b/detections/endpoint/disabling_systemrestore_in_registry.yml
@@ -1,7 +1,7 @@
 name: Disabling SystemRestore In Registry
 id: f4f837e2-91fb-11eb-8bf6-acde48001122
-version: 11
-date: '2024-12-08'
+version: 12
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/disabling_task_manager.yml b/detections/endpoint/disabling_task_manager.yml
index 63a605d2f3..a8ccb5db79 100644
--- a/detections/endpoint/disabling_task_manager.yml
+++ b/detections/endpoint/disabling_task_manager.yml
@@ -1,7 +1,7 @@
 name: Disabling Task Manager
 id: dac279bc-9202-11eb-b7fb-acde48001122
-version: 11
-date: '2025-02-10'
+version: 12
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml b/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml
index 94791044ff..4cc030b6c3 100644
--- a/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml
+++ b/detections/endpoint/disabling_windows_local_security_authority_defences_via_registry.yml
@@ -1,7 +1,7 @@
 name: Disabling Windows Local Security Authority Defences via Registry
 id: 45cd08f8-a2c9-4f4e-baab-e1a0c624b0ab
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
index 3eec217377..b3f0e13dd3 100644
--- a/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
+++ b/detections/endpoint/dllhost_with_no_command_line_arguments_with_network.yml
@@ -1,7 +1,7 @@
 name: DLLHost with no Command Line Arguments with Network
 id: f1c07594-a141-11eb-8407-acde48001122
-version: 10
-date: '2025-04-16'
+version: 11
+date: '2025-05-02'
 author: Steven Dick, Michael Haag, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml
index 71933d3d61..53026348f7 100644
--- a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml
+++ b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml
@@ -1,7 +1,7 @@
 name: DNS Exfiltration Using Nslookup App
 id: 2452e632-9e0d-11eb-bacd-acde48001122
-version: 9
-date: '2024-12-10'
+version: 10
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Wouter Jansen
 status: production
 type: TTP
diff --git a/detections/endpoint/domain_account_discovery_with_dsquery.yml b/detections/endpoint/domain_account_discovery_with_dsquery.yml
index 391f28c811..9d2c604e9f 100644
--- a/detections/endpoint/domain_account_discovery_with_dsquery.yml
+++ b/detections/endpoint/domain_account_discovery_with_dsquery.yml
@@ -1,7 +1,7 @@
 name: Domain Account Discovery with Dsquery
 id: b1a8ce04-04c2-11ec-bea7-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/domain_account_discovery_with_wmic.yml b/detections/endpoint/domain_account_discovery_with_wmic.yml
index 44d3532984..b0281813c8 100644
--- a/detections/endpoint/domain_account_discovery_with_wmic.yml
+++ b/detections/endpoint/domain_account_discovery_with_wmic.yml
@@ -1,7 +1,7 @@
 name: Domain Account Discovery with Wmic
 id: 383572e0-04c5-11ec-bdcc-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/domain_controller_discovery_with_nltest.yml b/detections/endpoint/domain_controller_discovery_with_nltest.yml
index e24787fe24..17bca46e5a 100644
--- a/detections/endpoint/domain_controller_discovery_with_nltest.yml
+++ b/detections/endpoint/domain_controller_discovery_with_nltest.yml
@@ -1,7 +1,7 @@
 name: Domain Controller Discovery with Nltest
 id: 41243735-89a7-4c83-bcdd-570aa78f00a1
-version: '6'
-date: '2025-03-14'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/domain_controller_discovery_with_wmic.yml b/detections/endpoint/domain_controller_discovery_with_wmic.yml
index 50c59aefe9..2c650757f6 100644
--- a/detections/endpoint/domain_controller_discovery_with_wmic.yml
+++ b/detections/endpoint/domain_controller_discovery_with_wmic.yml
@@ -1,7 +1,7 @@
 name: Domain Controller Discovery with Wmic
 id: 64c7adaa-48ee-483c-b0d6-7175bc65e6cc
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/domain_group_discovery_with_adsisearcher.yml b/detections/endpoint/domain_group_discovery_with_adsisearcher.yml
index a38f2cfe18..048beb3552 100644
--- a/detections/endpoint/domain_group_discovery_with_adsisearcher.yml
+++ b/detections/endpoint/domain_group_discovery_with_adsisearcher.yml
@@ -1,7 +1,7 @@
 name: Domain Group Discovery with Adsisearcher
 id: 089c862f-5f83-49b5-b1c8-7e4ff66560c7
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/domain_group_discovery_with_dsquery.yml b/detections/endpoint/domain_group_discovery_with_dsquery.yml
index 7589e7be1d..fe90a3c64d 100644
--- a/detections/endpoint/domain_group_discovery_with_dsquery.yml
+++ b/detections/endpoint/domain_group_discovery_with_dsquery.yml
@@ -1,7 +1,7 @@
 name: Domain Group Discovery With Dsquery
 id: f0c9d62f-a232-4edd-b17e-bc409fb133d4
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/domain_group_discovery_with_wmic.yml b/detections/endpoint/domain_group_discovery_with_wmic.yml
index 73f662b293..15cdd2ffcb 100644
--- a/detections/endpoint/domain_group_discovery_with_wmic.yml
+++ b/detections/endpoint/domain_group_discovery_with_wmic.yml
@@ -1,7 +1,7 @@
 name: Domain Group Discovery With Wmic
 id: a87736a6-95cd-4728-8689-3c64d5026b3e
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/download_files_using_telegram.yml b/detections/endpoint/download_files_using_telegram.yml
index 56a4489388..430b9d5136 100644
--- a/detections/endpoint/download_files_using_telegram.yml
+++ b/detections/endpoint/download_files_using_telegram.yml
@@ -1,7 +1,7 @@
 name: Download Files Using Telegram
 id: 58194e28-ae5e-11eb-8912-acde48001122
-version: 6
-date: '2025-04-22'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/drop_icedid_license_dat.yml b/detections/endpoint/drop_icedid_license_dat.yml
index c5232b8655..c7879a93bd 100644
--- a/detections/endpoint/drop_icedid_license_dat.yml
+++ b/detections/endpoint/drop_icedid_license_dat.yml
@@ -1,7 +1,7 @@
 name: Drop IcedID License dat
 id: b7a045fc-f14a-11eb-8e79-acde48001122
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/dsquery_domain_discovery.yml b/detections/endpoint/dsquery_domain_discovery.yml
index a9b3cd0039..e69dbe8600 100644
--- a/detections/endpoint/dsquery_domain_discovery.yml
+++ b/detections/endpoint/dsquery_domain_discovery.yml
@@ -1,7 +1,7 @@
 name: DSQuery Domain Discovery
 id: cc316032-924a-11eb-91a2-acde48001122
-version: 8
-date: '2024-12-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml
index 91d6c94fe1..ce4f0c472a 100644
--- a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml
+++ b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml
@@ -1,7 +1,7 @@
 name: Dump LSASS via comsvcs DLL
 id: 8943b567-f14d-4ee8-a0bb-2121d4ce3184
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/dump_lsass_via_procdump.yml b/detections/endpoint/dump_lsass_via_procdump.yml
index a52a953ec8..2bf836e70b 100644
--- a/detections/endpoint/dump_lsass_via_procdump.yml
+++ b/detections/endpoint/dump_lsass_via_procdump.yml
@@ -1,7 +1,7 @@
 name: Dump LSASS via procdump
 id: 3742ebfe-64c2-11eb-ae93-0242ac130002
-version: 12
-date: '2025-04-16'
+version: 13
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/elevated_group_discovery_with_powerview.yml b/detections/endpoint/elevated_group_discovery_with_powerview.yml
index 96877c08f5..cfcdd629e6 100644
--- a/detections/endpoint/elevated_group_discovery_with_powerview.yml
+++ b/detections/endpoint/elevated_group_discovery_with_powerview.yml
@@ -1,7 +1,7 @@
 name: Elevated Group Discovery with PowerView
 id: 10d62950-0de5-4199-a710-cff9ea79b413
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/elevated_group_discovery_with_wmic.yml b/detections/endpoint/elevated_group_discovery_with_wmic.yml
index 19962729f8..83914bd9b5 100644
--- a/detections/endpoint/elevated_group_discovery_with_wmic.yml
+++ b/detections/endpoint/elevated_group_discovery_with_wmic.yml
@@ -1,7 +1,7 @@
 name: Elevated Group Discovery With Wmic
 id: 3f6bbf22-093e-4cb4-9641-83f47b8444b6
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/enable_rdp_in_other_port_number.yml b/detections/endpoint/enable_rdp_in_other_port_number.yml
index 5193979e87..e21025df6f 100644
--- a/detections/endpoint/enable_rdp_in_other_port_number.yml
+++ b/detections/endpoint/enable_rdp_in_other_port_number.yml
@@ -1,7 +1,7 @@
 name: Enable RDP In Other Port Number
 id: 99495452-b899-11eb-96dc-acde48001122
-version: 11
-date: '2024-12-16'
+version: 12
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml
index 60fc5e16cf..97670a8408 100644
--- a/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml
+++ b/detections/endpoint/enable_wdigest_uselogoncredential_registry.yml
@@ -1,7 +1,7 @@
 name: Enable WDigest UseLogonCredential Registry
 id: 0c7d8ffe-25b1-11ec-9f39-acde48001122
-version: 11
-date: '2025-04-22'
+version: 12
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/enumerate_users_local_group_using_telegram.yml b/detections/endpoint/enumerate_users_local_group_using_telegram.yml
index 70e280e803..ee74d7a973 100644
--- a/detections/endpoint/enumerate_users_local_group_using_telegram.yml
+++ b/detections/endpoint/enumerate_users_local_group_using_telegram.yml
@@ -1,7 +1,7 @@
 name: Enumerate Users Local Group Using Telegram
 id: fcd74532-ae54-11eb-a5ab-acde48001122
-version: 8
-date: '2025-04-22'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/esentutl_sam_copy.yml b/detections/endpoint/esentutl_sam_copy.yml
index 04f6e17fa0..0bcbdd4c31 100644
--- a/detections/endpoint/esentutl_sam_copy.yml
+++ b/detections/endpoint/esentutl_sam_copy.yml
@@ -1,7 +1,7 @@
 name: Esentutl SAM Copy
 id: d372f928-ce4f-11eb-a762-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/etw_registry_disabled.yml b/detections/endpoint/etw_registry_disabled.yml
index 673c79c9fc..9791d3aff8 100644
--- a/detections/endpoint/etw_registry_disabled.yml
+++ b/detections/endpoint/etw_registry_disabled.yml
@@ -1,7 +1,7 @@
 name: ETW Registry Disabled
 id: 8ed523ac-276b-11ec-ac39-acde48001122
-version: 12
-date: '2025-02-10'
+version: 13
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/eventvwr_uac_bypass.yml b/detections/endpoint/eventvwr_uac_bypass.yml
index 434a84f21d..2d6def34c6 100644
--- a/detections/endpoint/eventvwr_uac_bypass.yml
+++ b/detections/endpoint/eventvwr_uac_bypass.yml
@@ -1,7 +1,7 @@
 name: Eventvwr UAC Bypass
 id: 9cf8fe08-7ad8-11eb-9819-acde48001122
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Steven Dick, Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/excessive_attempt_to_disable_services.yml b/detections/endpoint/excessive_attempt_to_disable_services.yml
index 6249499960..6d82b0d545 100644
--- a/detections/endpoint/excessive_attempt_to_disable_services.yml
+++ b/detections/endpoint/excessive_attempt_to_disable_services.yml
@@ -1,7 +1,7 @@
 name: Excessive Attempt To Disable Services
 id: 8fa2a0f0-acd9-11eb-8994-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml b/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml
index 79c7f38ad4..afe7845af4 100644
--- a/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml
+++ b/detections/endpoint/excessive_distinct_processes_from_windows_temp.yml
@@ -1,7 +1,7 @@
 name: Excessive distinct processes from Windows Temp
 id: 23587b6a-c479-11eb-b671-acde48001122
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Hart, Mauricio Velazco, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml b/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml
index 0892330e2e..8dc2536976 100644
--- a/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml
+++ b/detections/endpoint/excessive_file_deletion_in_windefender_folder.yml
@@ -1,7 +1,7 @@
 name: Excessive File Deletion In WinDefender Folder
 id: b5baa09a-7a05-11ec-8da4-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml
index 3ca23aaa06..662a3189f0 100644
--- a/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml
+++ b/detections/endpoint/excessive_number_of_service_control_start_as_disabled.yml
@@ -1,7 +1,7 @@
 name: Excessive number of service control start as disabled
 id: 77592bec-d5cc-11eb-9e60-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Hart, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/excessive_number_of_taskhost_processes.yml b/detections/endpoint/excessive_number_of_taskhost_processes.yml
index afd814f56a..ae23d14f40 100644
--- a/detections/endpoint/excessive_number_of_taskhost_processes.yml
+++ b/detections/endpoint/excessive_number_of_taskhost_processes.yml
@@ -1,7 +1,7 @@
 name: Excessive number of taskhost processes
 id: f443dac2-c7cf-11eb-ab51-acde48001122
 version: 8
-date: '2025-04-25'
+date: '2025-05-02'
 author: Michael Hart
 status: production
 type: Anomaly
diff --git a/detections/endpoint/excessive_usage_of_cacls_app.yml b/detections/endpoint/excessive_usage_of_cacls_app.yml
index 25116f8ff8..b6598f2869 100644
--- a/detections/endpoint/excessive_usage_of_cacls_app.yml
+++ b/detections/endpoint/excessive_usage_of_cacls_app.yml
@@ -1,7 +1,7 @@
 name: Excessive Usage Of Cacls App
 id: 0bdf6092-af17-11eb-939a-acde48001122
-version: 7
-date: '2024-12-16'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/excessive_usage_of_nslookup_app.yml b/detections/endpoint/excessive_usage_of_nslookup_app.yml
index a85d26aefa..d2093b72a6 100644
--- a/detections/endpoint/excessive_usage_of_nslookup_app.yml
+++ b/detections/endpoint/excessive_usage_of_nslookup_app.yml
@@ -1,7 +1,7 @@
 name: Excessive Usage of NSLOOKUP App
 id: 0a69fdaa-a2b8-11eb-b16d-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Stanislav Miskovic, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/excessive_usage_of_sc_service_utility.yml b/detections/endpoint/excessive_usage_of_sc_service_utility.yml
index 3288432f72..1b61887707 100644
--- a/detections/endpoint/excessive_usage_of_sc_service_utility.yml
+++ b/detections/endpoint/excessive_usage_of_sc_service_utility.yml
@@ -1,7 +1,7 @@
 name: Excessive Usage Of SC Service Utility
 id: cb6b339e-d4c6-11eb-a026-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/excessive_usage_of_taskkill.yml b/detections/endpoint/excessive_usage_of_taskkill.yml
index 7a274aa567..6ca1df6046 100644
--- a/detections/endpoint/excessive_usage_of_taskkill.yml
+++ b/detections/endpoint/excessive_usage_of_taskkill.yml
@@ -1,7 +1,7 @@
 name: Excessive Usage Of Taskkill
 id: fe5bca48-accb-11eb-a67c-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml b/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml
index 3f98a9c108..8d47b91409 100644
--- a/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml
+++ b/detections/endpoint/exchange_powershell_abuse_via_ssrf.yml
@@ -1,7 +1,7 @@
 name: Exchange PowerShell Abuse via SSRF
 id: 29228ab4-0762-11ec-94aa-acde48001122
-version: 7
-date: '2025-03-25'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/exchange_powershell_module_usage.yml b/detections/endpoint/exchange_powershell_module_usage.yml
index a002070aec..fd54f1e794 100644
--- a/detections/endpoint/exchange_powershell_module_usage.yml
+++ b/detections/endpoint/exchange_powershell_module_usage.yml
@@ -1,7 +1,7 @@
 name: Exchange PowerShell Module Usage
 id: 2d10095e-05ae-11ec-8fdf-acde48001122
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/executable_file_written_in_administrative_smb_share.yml b/detections/endpoint/executable_file_written_in_administrative_smb_share.yml
index d559a0ad9b..5321eb3fb8 100644
--- a/detections/endpoint/executable_file_written_in_administrative_smb_share.yml
+++ b/detections/endpoint/executable_file_written_in_administrative_smb_share.yml
@@ -1,7 +1,7 @@
 name: Executable File Written in Administrative SMB Share
 id: f63c34fe-a435-11eb-935a-acde48001122
-version: 9
-date: '2025-03-25'
+version: 10
+date: '2025-05-02'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
index 8f41292294..976351b907 100644
--- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
+++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 14
-date: '2025-04-16'
+version: 15
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/executables_or_script_creation_in_temp_path.yml b/detections/endpoint/executables_or_script_creation_in_temp_path.yml
index ecdd3c4717..0ce158c9c8 100644
--- a/detections/endpoint/executables_or_script_creation_in_temp_path.yml
+++ b/detections/endpoint/executables_or_script_creation_in_temp_path.yml
@@ -1,7 +1,7 @@
 name: Executables Or Script Creation In Temp Path
 id: e0422b71-2c05-4f32-8754-01fb415f49c9
-version: 12
-date: '2025-03-27'
+version: 13
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml
index 7600020d9f..042aeb07ef 100644
--- a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml
+++ b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml
@@ -1,7 +1,7 @@
 name: Execute Javascript With Jscript COM CLSID
 id: dc64d064-d346-11eb-8588-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/execution_of_file_with_multiple_extensions.yml b/detections/endpoint/execution_of_file_with_multiple_extensions.yml
index a22538c36e..7eb44c8f69 100644
--- a/detections/endpoint/execution_of_file_with_multiple_extensions.yml
+++ b/detections/endpoint/execution_of_file_with_multiple_extensions.yml
@@ -1,7 +1,7 @@
 name: Execution of File with Multiple Extensions
 id: b06a555e-dce0-417d-a2eb-28a5d8d66ef7
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Rico Valdez, Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/file_with_samsam_extension.yml b/detections/endpoint/file_with_samsam_extension.yml
index 86ed3f6ce0..74e965b97e 100644
--- a/detections/endpoint/file_with_samsam_extension.yml
+++ b/detections/endpoint/file_with_samsam_extension.yml
@@ -1,7 +1,7 @@
 name: File with Samsam Extension
 id: 02c6cfc2-ae66-4735-bfc7-6291da834cbf
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Rico Valdez, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/firewall_allowed_program_enable.yml b/detections/endpoint/firewall_allowed_program_enable.yml
index 280f1ebf1e..09b665e5f9 100644
--- a/detections/endpoint/firewall_allowed_program_enable.yml
+++ b/detections/endpoint/firewall_allowed_program_enable.yml
@@ -1,7 +1,7 @@
 name: Firewall Allowed Program Enable
 id: 9a8f63a8-43ac-11ec-904c-acde48001122
-version: '6'
-date: '2025-03-14'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/first_time_seen_child_process_of_zoom.yml b/detections/endpoint/first_time_seen_child_process_of_zoom.yml
index e81f4d8758..c6b996aa96 100644
--- a/detections/endpoint/first_time_seen_child_process_of_zoom.yml
+++ b/detections/endpoint/first_time_seen_child_process_of_zoom.yml
@@ -1,7 +1,7 @@
 name: First Time Seen Child Process of Zoom
 id: e91bd102-d630-4e76-ab73-7e3ba22c5961
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/endpoint/first_time_seen_running_windows_service.yml b/detections/endpoint/first_time_seen_running_windows_service.yml
index 70ca621bf7..770794af2f 100644
--- a/detections/endpoint/first_time_seen_running_windows_service.yml
+++ b/detections/endpoint/first_time_seen_running_windows_service.yml
@@ -1,7 +1,7 @@
 name: First Time Seen Running Windows Service
 id: 823136f2-d755-4b6d-ae04-372b486a5808
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/endpoint/fodhelper_uac_bypass.yml b/detections/endpoint/fodhelper_uac_bypass.yml
index 8916822ec2..e1e58c308d 100644
--- a/detections/endpoint/fodhelper_uac_bypass.yml
+++ b/detections/endpoint/fodhelper_uac_bypass.yml
@@ -1,7 +1,7 @@
 name: FodHelper UAC Bypass
 id: 909f8fd8-7ac8-11eb-a1f3-acde48001122
-version: 10
-date: '2025-04-22'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/fsutil_zeroing_file.yml b/detections/endpoint/fsutil_zeroing_file.yml
index 6a7c144866..4850d08ce0 100644
--- a/detections/endpoint/fsutil_zeroing_file.yml
+++ b/detections/endpoint/fsutil_zeroing_file.yml
@@ -1,7 +1,7 @@
 name: Fsutil Zeroing File
 id: 4e5e024e-fabb-11eb-8b8f-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml
index 8e782db553..f19e75d940 100644
--- a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml
+++ b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell.yml
@@ -1,7 +1,7 @@
 name: Get ADDefaultDomainPasswordPolicy with Powershell
 id: 36e46ebe-065a-11ec-b4c7-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml
index 7554c50b34..079af90f4a 100644
--- a/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml
+++ b/detections/endpoint/get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: Get ADDefaultDomainPasswordPolicy with Powershell Script Block
 id: 1ff7ccc8-065a-11ec-91e4-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/get_aduser_with_powershell.yml b/detections/endpoint/get_aduser_with_powershell.yml
index e72d6560ed..51bab1d9e7 100644
--- a/detections/endpoint/get_aduser_with_powershell.yml
+++ b/detections/endpoint/get_aduser_with_powershell.yml
@@ -1,7 +1,7 @@
 name: Get ADUser with PowerShell
 id: 0b6ee3f4-04e3-11ec-a87d-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/get_aduser_with_powershell_script_block.yml b/detections/endpoint/get_aduser_with_powershell_script_block.yml
index 3f42a1d3e1..fb8afbf0b7 100644
--- a/detections/endpoint/get_aduser_with_powershell_script_block.yml
+++ b/detections/endpoint/get_aduser_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: Get ADUser with PowerShell Script Block
 id: 21432e40-04f4-11ec-b7e6-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml
index 395e465b2b..18fe2ed880 100644
--- a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml
+++ b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell.yml
@@ -1,7 +1,7 @@
 name: Get ADUserResultantPasswordPolicy with Powershell
 id: 8b5ef342-065a-11ec-b0fc-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml
index 342c422844..2a2a4d8ce8 100644
--- a/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml
+++ b/detections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: Get ADUserResultantPasswordPolicy with Powershell Script Block
 id: 737e1eb0-065a-11ec-921a-acde48001122
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/get_domainpolicy_with_powershell.yml b/detections/endpoint/get_domainpolicy_with_powershell.yml
index ce88dad3e4..8bb26c0751 100644
--- a/detections/endpoint/get_domainpolicy_with_powershell.yml
+++ b/detections/endpoint/get_domainpolicy_with_powershell.yml
@@ -1,7 +1,7 @@
 name: Get DomainPolicy with Powershell
 id: b8f9947e-065a-11ec-aafb-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml b/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml
index 1a7a100dec..6446e98528 100644
--- a/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml
+++ b/detections/endpoint/get_domainpolicy_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: Get DomainPolicy with Powershell Script Block
 id: a360d2b2-065a-11ec-b0bf-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/get_domaintrust_with_powershell.yml b/detections/endpoint/get_domaintrust_with_powershell.yml
index 67d8026806..e63a8ca444 100644
--- a/detections/endpoint/get_domaintrust_with_powershell.yml
+++ b/detections/endpoint/get_domaintrust_with_powershell.yml
@@ -1,7 +1,7 @@
 name: Get-DomainTrust with PowerShell
 id: 4fa7f846-054a-11ec-a836-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/get_domaintrust_with_powershell_script_block.yml b/detections/endpoint/get_domaintrust_with_powershell_script_block.yml
index 15a5a585f3..6730c64bae 100644
--- a/detections/endpoint/get_domaintrust_with_powershell_script_block.yml
+++ b/detections/endpoint/get_domaintrust_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: Get-DomainTrust with PowerShell Script Block
 id: 89275e7e-0548-11ec-bf75-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/get_domainuser_with_powershell.yml b/detections/endpoint/get_domainuser_with_powershell.yml
index ecbb4a7059..a788790e3c 100644
--- a/detections/endpoint/get_domainuser_with_powershell.yml
+++ b/detections/endpoint/get_domainuser_with_powershell.yml
@@ -1,7 +1,7 @@
 name: Get DomainUser with PowerShell
 id: 9a5a41d6-04e7-11ec-923c-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/get_domainuser_with_powershell_script_block.yml b/detections/endpoint/get_domainuser_with_powershell_script_block.yml
index f6fe73f535..98d35ed774 100644
--- a/detections/endpoint/get_domainuser_with_powershell_script_block.yml
+++ b/detections/endpoint/get_domainuser_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: Get DomainUser with PowerShell Script Block
 id: 61994268-04f4-11ec-865c-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/get_foresttrust_with_powershell.yml b/detections/endpoint/get_foresttrust_with_powershell.yml
index c2696029f1..9abb4dad18 100644
--- a/detections/endpoint/get_foresttrust_with_powershell.yml
+++ b/detections/endpoint/get_foresttrust_with_powershell.yml
@@ -1,7 +1,7 @@
 name: Get-ForestTrust with PowerShell
 id: 584f4884-0bf1-11ec-a5ec-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/get_foresttrust_with_powershell_script_block.yml b/detections/endpoint/get_foresttrust_with_powershell_script_block.yml
index 77c5dbf96a..f2b59de319 100644
--- a/detections/endpoint/get_foresttrust_with_powershell_script_block.yml
+++ b/detections/endpoint/get_foresttrust_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: Get-ForestTrust with PowerShell Script Block
 id: 70fac80e-0bf1-11ec-9ba0-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/get_wmiobject_group_discovery.yml b/detections/endpoint/get_wmiobject_group_discovery.yml
index 6ecfdcf444..9f73451b62 100644
--- a/detections/endpoint/get_wmiobject_group_discovery.yml
+++ b/detections/endpoint/get_wmiobject_group_discovery.yml
@@ -1,7 +1,7 @@
 name: Get WMIObject Group Discovery
 id: 5434f670-155d-11ec-8cca-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml b/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml
index c783e60eb6..3cdb959fcb 100644
--- a/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml
+++ b/detections/endpoint/get_wmiobject_group_discovery_with_script_block_logging.yml
@@ -1,7 +1,7 @@
 name: Get WMIObject Group Discovery with Script Block Logging
 id: 69df7f7c-155d-11ec-a055-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/getadcomputer_with_powershell.yml b/detections/endpoint/getadcomputer_with_powershell.yml
index f3a700e178..1826f611ef 100644
--- a/detections/endpoint/getadcomputer_with_powershell.yml
+++ b/detections/endpoint/getadcomputer_with_powershell.yml
@@ -1,7 +1,7 @@
 name: GetAdComputer with PowerShell
 id: c5a31f80-5888-4d81-9f78-1cc65026316e
-version: '5'
-date: '2025-03-14'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/getadcomputer_with_powershell_script_block.yml b/detections/endpoint/getadcomputer_with_powershell_script_block.yml
index 6ac785ba25..e1e3d065da 100644
--- a/detections/endpoint/getadcomputer_with_powershell_script_block.yml
+++ b/detections/endpoint/getadcomputer_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: GetAdComputer with PowerShell Script Block
 id: a9a1da02-8e27-4bf7-a348-f4389c9da487
-version: '7'
-date: '2025-03-14'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/getadgroup_with_powershell.yml b/detections/endpoint/getadgroup_with_powershell.yml
index c41ce37690..9dbd986418 100644
--- a/detections/endpoint/getadgroup_with_powershell.yml
+++ b/detections/endpoint/getadgroup_with_powershell.yml
@@ -1,7 +1,7 @@
 name: GetAdGroup with PowerShell
 id: 872e3063-0fc4-4e68-b2f3-f2b99184a708
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/getadgroup_with_powershell_script_block.yml b/detections/endpoint/getadgroup_with_powershell_script_block.yml
index 6e7cd38a27..cf9838330e 100644
--- a/detections/endpoint/getadgroup_with_powershell_script_block.yml
+++ b/detections/endpoint/getadgroup_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: GetAdGroup with PowerShell Script Block
 id: e4c73d68-794b-468d-b4d0-dac1772bbae7
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/getcurrent_user_with_powershell.yml b/detections/endpoint/getcurrent_user_with_powershell.yml
index 11fd09b11f..6380c2f61e 100644
--- a/detections/endpoint/getcurrent_user_with_powershell.yml
+++ b/detections/endpoint/getcurrent_user_with_powershell.yml
@@ -1,7 +1,7 @@
 name: GetCurrent User with PowerShell
 id: 7eb9c3d5-c98c-4088-acc5-8240bad15379
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/getcurrent_user_with_powershell_script_block.yml b/detections/endpoint/getcurrent_user_with_powershell_script_block.yml
index 70b9412124..04a744a79e 100644
--- a/detections/endpoint/getcurrent_user_with_powershell_script_block.yml
+++ b/detections/endpoint/getcurrent_user_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: GetCurrent User with PowerShell Script Block
 id: 80879283-c30f-44f7-8471-d1381f6d437a
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/getdomaincomputer_with_powershell.yml b/detections/endpoint/getdomaincomputer_with_powershell.yml
index cf79d7fda4..be9d42d8a0 100644
--- a/detections/endpoint/getdomaincomputer_with_powershell.yml
+++ b/detections/endpoint/getdomaincomputer_with_powershell.yml
@@ -1,7 +1,7 @@
 name: GetDomainComputer with PowerShell
 id: ed550c19-712e-43f6-bd19-6f58f61b3a5e
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml b/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml
index eeb7ce7699..dbddca2dfd 100644
--- a/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml
+++ b/detections/endpoint/getdomaincomputer_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: GetDomainComputer with PowerShell Script Block
 id: f64da023-b988-4775-8d57-38e512beb56e
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/getdomaincontroller_with_powershell.yml b/detections/endpoint/getdomaincontroller_with_powershell.yml
index 863805b98b..37b652e008 100644
--- a/detections/endpoint/getdomaincontroller_with_powershell.yml
+++ b/detections/endpoint/getdomaincontroller_with_powershell.yml
@@ -1,7 +1,7 @@
 name: GetDomainController with PowerShell
 id: 868ee0e4-52ab-484a-833a-6d85b7c028d0
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml b/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml
index a6654161ab..71ebd44cfe 100644
--- a/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml
+++ b/detections/endpoint/getdomaincontroller_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: GetDomainController with PowerShell Script Block
 id: 676b600a-a94d-4951-b346-11329431e6c1
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/getdomaingroup_with_powershell.yml b/detections/endpoint/getdomaingroup_with_powershell.yml
index bb5d457fad..53bcf083a4 100644
--- a/detections/endpoint/getdomaingroup_with_powershell.yml
+++ b/detections/endpoint/getdomaingroup_with_powershell.yml
@@ -1,7 +1,7 @@
 name: GetDomainGroup with PowerShell
 id: 93c94be3-bead-4a60-860f-77ca3fe59903
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/getdomaingroup_with_powershell_script_block.yml b/detections/endpoint/getdomaingroup_with_powershell_script_block.yml
index 8555a29caf..7eed2a99e2 100644
--- a/detections/endpoint/getdomaingroup_with_powershell_script_block.yml
+++ b/detections/endpoint/getdomaingroup_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: GetDomainGroup with PowerShell Script Block
 id: 09725404-a44f-4ed3-9efa-8ed5d69e4c53
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/getlocaluser_with_powershell.yml b/detections/endpoint/getlocaluser_with_powershell.yml
index 2fcb245e2f..d3e2c79871 100644
--- a/detections/endpoint/getlocaluser_with_powershell.yml
+++ b/detections/endpoint/getlocaluser_with_powershell.yml
@@ -1,7 +1,7 @@
 name: GetLocalUser with PowerShell
 id: 85fae8fa-0427-11ec-8b78-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/getlocaluser_with_powershell_script_block.yml b/detections/endpoint/getlocaluser_with_powershell_script_block.yml
index be98ab7e9c..b3f17908fa 100644
--- a/detections/endpoint/getlocaluser_with_powershell_script_block.yml
+++ b/detections/endpoint/getlocaluser_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: GetLocalUser with PowerShell Script Block
 id: 2e891cbe-0426-11ec-9c9c-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/getnettcpconnection_with_powershell.yml b/detections/endpoint/getnettcpconnection_with_powershell.yml
index d0afa95f9e..7aa698f32b 100644
--- a/detections/endpoint/getnettcpconnection_with_powershell.yml
+++ b/detections/endpoint/getnettcpconnection_with_powershell.yml
@@ -1,7 +1,7 @@
 name: GetNetTcpconnection with PowerShell
 id: e02af35c-1de5-4afe-b4be-f45aba57272b
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml b/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml
index 595b2e0906..0e5dad591f 100644
--- a/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml
+++ b/detections/endpoint/getnettcpconnection_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: GetNetTcpconnection with PowerShell Script Block
 id: 091712ff-b02a-4d43-82ed-34765515d95d
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml b/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml
index c7fbc954a2..f151409a45 100644
--- a/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml
+++ b/detections/endpoint/getwmiobject_ds_computer_with_powershell.yml
@@ -1,7 +1,7 @@
 name: GetWmiObject Ds Computer with PowerShell
 id: 7141122c-3bc2-4aaa-ab3b-7a85a0bbefc3
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml
index 8f0b49aab1..fd03d8e10c 100644
--- a/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml
+++ b/detections/endpoint/getwmiobject_ds_computer_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: GetWmiObject Ds Computer with PowerShell Script Block
 id: 29b99201-723c-4118-847a-db2b3d3fb8ea
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/getwmiobject_ds_group_with_powershell.yml b/detections/endpoint/getwmiobject_ds_group_with_powershell.yml
index ab6d4ddb71..99eacd0cda 100644
--- a/detections/endpoint/getwmiobject_ds_group_with_powershell.yml
+++ b/detections/endpoint/getwmiobject_ds_group_with_powershell.yml
@@ -1,7 +1,7 @@
 name: GetWmiObject Ds Group with PowerShell
 id: df275a44-4527-443b-b884-7600e066e3eb
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml
index ab4b128b5f..835ed46637 100644
--- a/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml
+++ b/detections/endpoint/getwmiobject_ds_group_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: GetWmiObject Ds Group with PowerShell Script Block
 id: 67740bd3-1506-469c-b91d-effc322cc6e5
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/getwmiobject_ds_user_with_powershell.yml b/detections/endpoint/getwmiobject_ds_user_with_powershell.yml
index 650b9860ed..a7b5f5726e 100644
--- a/detections/endpoint/getwmiobject_ds_user_with_powershell.yml
+++ b/detections/endpoint/getwmiobject_ds_user_with_powershell.yml
@@ -1,7 +1,7 @@
 name: GetWmiObject DS User with PowerShell
 id: 22d3b118-04df-11ec-8fa3-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml
index 6a09c983fa..27ea3e1b74 100644
--- a/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml
+++ b/detections/endpoint/getwmiobject_ds_user_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: GetWmiObject DS User with PowerShell Script Block
 id: fabd364e-04f3-11ec-b34b-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/getwmiobject_user_account_with_powershell.yml b/detections/endpoint/getwmiobject_user_account_with_powershell.yml
index c95e2198cd..366186093e 100644
--- a/detections/endpoint/getwmiobject_user_account_with_powershell.yml
+++ b/detections/endpoint/getwmiobject_user_account_with_powershell.yml
@@ -1,7 +1,7 @@
 name: GetWmiObject User Account with PowerShell
 id: b44f6ac6-0429-11ec-87e9-acde48001122
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml b/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml
index 2076c9797a..7125e14f08 100644
--- a/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml
+++ b/detections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: GetWmiObject User Account with PowerShell Script Block
 id: 640b0eda-0429-11ec-accd-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml
index 8c82b15f7c..96ae2df1da 100644
--- a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml
+++ b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml
@@ -1,7 +1,7 @@
 name: GPUpdate with no Command Line Arguments with Network
 id: 2c853856-a140-11eb-a5b5-acde48001122
-version: 10
-date: '2025-04-22'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml
index 07cf845c87..cc3568e2e1 100644
--- a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml
+++ b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml
@@ -1,7 +1,7 @@
 name: Headless Browser Mockbin or Mocky Request
 id: 94fc85a1-e55b-4265-95e1-4b66730e05c0
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/headless_browser_usage.yml b/detections/endpoint/headless_browser_usage.yml
index 5c0ad360e7..674c97ba59 100644
--- a/detections/endpoint/headless_browser_usage.yml
+++ b/detections/endpoint/headless_browser_usage.yml
@@ -1,7 +1,7 @@
 name: Headless Browser Usage
 id: 869ba261-c272-47d7-affe-5c0aa85c93d6
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/hide_user_account_from_sign_in_screen.yml b/detections/endpoint/hide_user_account_from_sign_in_screen.yml
index 34a600d43a..cdd5180b1b 100644
--- a/detections/endpoint/hide_user_account_from_sign_in_screen.yml
+++ b/detections/endpoint/hide_user_account_from_sign_in_screen.yml
@@ -1,7 +1,7 @@
 name: Hide User Account From Sign-In Screen
 id: 834ba832-ad89-11eb-937d-acde48001122
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml
index 45c5b4aa75..97cf82c455 100644
--- a/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml
+++ b/detections/endpoint/hiding_files_and_directories_with_attrib_exe.yml
@@ -1,7 +1,7 @@
 name: Hiding Files And Directories With Attrib exe
 id: 6e5a3ae4-90a3-462d-9aa6-0119f638c0f1
-version: 11
-date: '2025-02-10'
+version: 12
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml b/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml
index e52e4222e0..3eddb64868 100644
--- a/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml
+++ b/detections/endpoint/high_frequency_copy_of_files_in_network_share.yml
@@ -1,7 +1,7 @@
 name: High Frequency Copy Of Files In Network Share
 id: 40925f12-4709-11ec-bb43-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/high_process_termination_frequency.yml b/detections/endpoint/high_process_termination_frequency.yml
index a5cb8b08b7..475fdc4e54 100644
--- a/detections/endpoint/high_process_termination_frequency.yml
+++ b/detections/endpoint/high_process_termination_frequency.yml
@@ -1,7 +1,7 @@
 name: High Process Termination Frequency
 id: 17cd75b2-8666-11eb-9ab4-acde48001122
-version: '7'
-date: '2025-03-14'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras
 status: production
 type: Anomaly
diff --git a/detections/endpoint/hunting_3cxdesktopapp_software.yml b/detections/endpoint/hunting_3cxdesktopapp_software.yml
index be7994e41e..624a5e5b4f 100644
--- a/detections/endpoint/hunting_3cxdesktopapp_software.yml
+++ b/detections/endpoint/hunting_3cxdesktopapp_software.yml
@@ -1,7 +1,7 @@
 name: Hunting 3CXDesktopApp Software
 id: 553d0429-1a1c-44bf-b3f5-a8513deb9ee5
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 type: Hunting
 status: production
diff --git a/detections/endpoint/icacls_deny_command.yml b/detections/endpoint/icacls_deny_command.yml
index 986480a347..daf3b978ae 100644
--- a/detections/endpoint/icacls_deny_command.yml
+++ b/detections/endpoint/icacls_deny_command.yml
@@ -1,7 +1,7 @@
 name: Icacls Deny Command
 id: cf8d753e-a8fe-11eb-8f58-acde48001122
-version: 7
-date: '2024-12-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/icacls_grant_command.yml b/detections/endpoint/icacls_grant_command.yml
index 30ece33739..c702fd893e 100644
--- a/detections/endpoint/icacls_grant_command.yml
+++ b/detections/endpoint/icacls_grant_command.yml
@@ -1,7 +1,7 @@
 name: ICACLS Grant Command
 id: b1b1e316-accc-11eb-a9b4-acde48001122
-version: 6
-date: '2024-12-17'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml b/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml
index c1ed65867b..ca650e0bf0 100644
--- a/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml
+++ b/detections/endpoint/icedid_exfiltrated_archived_file_creation.yml
@@ -1,7 +1,7 @@
 name: IcedID Exfiltrated Archived File Creation
 id: 0db4da70-f14b-11eb-8043-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml
index 7244cf8fe4..b8b99a807f 100644
--- a/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml
+++ b/detections/endpoint/impacket_lateral_movement_commandline_parameters.yml
@@ -1,7 +1,7 @@
 name: Impacket Lateral Movement Commandline Parameters
 id: 8ce07472-496f-11ec-ab3b-3e22fbd008af
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml
index 81af97bcc9..ccc601e994 100644
--- a/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml
+++ b/detections/endpoint/impacket_lateral_movement_smbexec_commandline_parameters.yml
@@ -1,7 +1,7 @@
 name: Impacket Lateral Movement smbexec CommandLine Parameters
 id: bb3c1bac-6bdf-4aa0-8dc9-068b8b712a76
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml
index b3b60e7a76..de5f584f7f 100644
--- a/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml
+++ b/detections/endpoint/impacket_lateral_movement_wmiexec_commandline_parameters.yml
@@ -1,7 +1,7 @@
 name: Impacket Lateral Movement WMIExec Commandline Parameters
 id: d6e464e4-5c6a-474e-82d2-aed616a3a492
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml b/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml
index f92a2b63e4..b4f46774e6 100644
--- a/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml
+++ b/detections/endpoint/interactive_session_on_remote_endpoint_with_powershell.yml
@@ -1,7 +1,7 @@
 name: Interactive Session on Remote Endpoint with PowerShell
 id: a4e8f3a4-48b2-11ec-bcfc-3e22fbd008af
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/java_writing_jsp_file.yml b/detections/endpoint/java_writing_jsp_file.yml
index c8358070e3..9d60a744b2 100644
--- a/detections/endpoint/java_writing_jsp_file.yml
+++ b/detections/endpoint/java_writing_jsp_file.yml
@@ -1,7 +1,7 @@
 name: Java Writing JSP File
 id: eb65619c-4f8d-4383-a975-d352765d344b
 version: 9
-date: '2025-04-28'
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/jscript_execution_using_cscript_app.yml b/detections/endpoint/jscript_execution_using_cscript_app.yml
index cce42fe195..d9d6538188 100644
--- a/detections/endpoint/jscript_execution_using_cscript_app.yml
+++ b/detections/endpoint/jscript_execution_using_cscript_app.yml
@@ -1,7 +1,7 @@
 name: Jscript Execution Using Cscript App
 id: 002f1e24-146e-11ec-a470-acde48001122
-version: 7
-date: '2025-02-19'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml b/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml
index 57f2076b4c..ba7457a2ce 100644
--- a/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml
+++ b/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml
@@ -1,7 +1,7 @@
 name: Kerberoasting spn request with RC4 encryption
 id: 5cc67381-44fa-4111-8a37-7a230943f027
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Jose Hernandez, Patrick Bareiss, Mauricio Velazco, Dean Luxton, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
index 748fef94bf..347c300c53 100644
--- a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
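Review bot: In the java_writing_jsp_file.yml hunk the date advances to '2025-05-02' while `version: 9` remains a context line, whereas every other hunk in this chunk increments version together with the date. If this commit also changes the detection body further down the file (outside the hunk), the metadata should read `+version: 10` alongside the new date so downstream consumers that key on version pick up the change; if nothing else in the file changed, the date bump alone is probably an unintended no-op edit and can be dropped. I can only see the first seven lines of the file here, so which case applies needs confirming against the rest of the diff.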
+++ b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
@@ -1,7 +1,7 @@
 name: Kerberos Pre-Authentication Flag Disabled in UserAccountControl
 id: 0cb847ee-9423-11ec-b2df-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml
index 33a448a7e2..0eb44ceb21 100644
--- a/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml
+++ b/detections/endpoint/kerberos_pre_authentication_flag_disabled_with_powershell.yml
@@ -1,7 +1,7 @@
 name: Kerberos Pre-Authentication Flag Disabled with PowerShell
 id: 59b51620-94c9-11ec-b3d5-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml b/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml
index 768d5fe2e6..3a6d18fd8d 100644
--- a/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml
+++ b/detections/endpoint/kerberos_service_ticket_request_using_rc4_encryption.yml
@@ -1,7 +1,7 @@
 name: Kerberos Service Ticket Request Using RC4 Encryption
 id: 7d90f334-a482-11ec-908c-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml b/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml
index f823b00797..66925f5804 100644
--- a/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml
+++ b/detections/endpoint/kerberos_tgt_request_using_rc4_encryption.yml
@@ -1,7 +1,7 @@
 name: Kerberos TGT Request Using RC4 Encryption
 id: 18916468-9c04-11ec-bdc6-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/kerberos_user_enumeration.yml b/detections/endpoint/kerberos_user_enumeration.yml
index fa46b59e32..37f40928da 100644
--- a/detections/endpoint/kerberos_user_enumeration.yml
+++ b/detections/endpoint/kerberos_user_enumeration.yml
@@ -1,7 +1,7 @@
 name: Kerberos User Enumeration
 id: d82d4af4-a0bd-11ec-9445-3e22fbd008af
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml b/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml
index 821a725c09..5e6032c1a9 100644
--- a/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml
+++ b/detections/endpoint/linux_account_manipulation_of_ssh_config_and_keys.yml
@@ -1,7 +1,7 @@
 name: Linux Account Manipulation Of SSH Config and Keys
 id: 73a56508-1cf5-4df7-b8d9-5737fbdc27d2
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_add_files_in_known_crontab_directories.yml b/detections/endpoint/linux_add_files_in_known_crontab_directories.yml
index be6f5ef374..2b653bd346 100644
--- a/detections/endpoint/linux_add_files_in_known_crontab_directories.yml
+++ b/detections/endpoint/linux_add_files_in_known_crontab_directories.yml
@@ -1,7 +1,7 @@
 name: Linux Add Files In Known Crontab Directories
 id: 023f3452-5f27-11ec-bf00-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_add_user_account.yml b/detections/endpoint/linux_add_user_account.yml
index 5835bb573b..2443b5505f 100644
--- a/detections/endpoint/linux_add_user_account.yml
+++ b/detections/endpoint/linux_add_user_account.yml
@@ -1,7 +1,7 @@
 name: Linux Add User Account
 id: 51fbcaf2-6259-11ec-b0f3-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml
index 4fcf7d3722..8d4713d014 100644
--- a/detections/endpoint/linux_adding_crontab_using_list_parameter.yml
+++ b/detections/endpoint/linux_adding_crontab_using_list_parameter.yml
@@ -1,7 +1,7 @@
 name: Linux Adding Crontab Using List Parameter
 id: 52f6d751-1fd4-4c74-a4c9-777ecfeb5c58
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/linux_apt_get_privilege_escalation.yml b/detections/endpoint/linux_apt_get_privilege_escalation.yml
index 9895b29e2d..528f624ef3 100644
--- a/detections/endpoint/linux_apt_get_privilege_escalation.yml
+++ b/detections/endpoint/linux_apt_get_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux apt-get Privilege Escalation
 id: d870ce3b-e796-402f-b2af-cab4da1223f2
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_apt_privilege_escalation.yml b/detections/endpoint/linux_apt_privilege_escalation.yml
index babfbc635b..9e46639218 100644
--- a/detections/endpoint/linux_apt_privilege_escalation.yml
+++ b/detections/endpoint/linux_apt_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux APT Privilege Escalation
 id: 4d5a05fa-77d9-4fd0-af9c-05704f9f9a88
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_at_allow_config_file_creation.yml b/detections/endpoint/linux_at_allow_config_file_creation.yml
index bd65b1cc65..0dfdc75e6b 100644
--- a/detections/endpoint/linux_at_allow_config_file_creation.yml
+++ b/detections/endpoint/linux_at_allow_config_file_creation.yml
@@ -1,7 +1,7 @@
 name: Linux At Allow Config File Creation
 id: 977b3082-5f3d-11ec-b954-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_at_application_execution.yml b/detections/endpoint/linux_at_application_execution.yml
index c9d3e607ef..414ef6080d 100644
--- a/detections/endpoint/linux_at_application_execution.yml
+++ b/detections/endpoint/linux_at_application_execution.yml
@@ -1,7 +1,7 @@
 name: Linux At Application Execution
 id: bf0a378e-5f3c-11ec-a6de-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_add_user_account.yml b/detections/endpoint/linux_auditd_add_user_account.yml
index 5f5495f156..0720f6c160 100644
--- a/detections/endpoint/linux_auditd_add_user_account.yml
+++ b/detections/endpoint/linux_auditd_add_user_account.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Add User Account
 id: aae66dc0-74b4-4807-b480-b35f8027abb4
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_add_user_account_type.yml b/detections/endpoint/linux_auditd_add_user_account_type.yml
index d6e2e2343b..6050e6cd7e 100644
--- a/detections/endpoint/linux_auditd_add_user_account_type.yml
+++ b/detections/endpoint/linux_auditd_add_user_account_type.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Add User Account Type
 id: f8c325ea-506e-4105-8ccf-da1492e90115
-version: 6
-date: '2025-02-20'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_at_application_execution.yml b/detections/endpoint/linux_auditd_at_application_execution.yml
index 04e207d7a1..9219b3653b 100644
--- a/detections/endpoint/linux_auditd_at_application_execution.yml
+++ b/detections/endpoint/linux_auditd_at_application_execution.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd At Application Execution
 id: 9f306e0a-1c36-469e-8892-968ca12470dd
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_auditd_service_stop.yml b/detections/endpoint/linux_auditd_auditd_service_stop.yml
index 998f4dc6df..627ae04936 100644
--- a/detections/endpoint/linux_auditd_auditd_service_stop.yml
+++ b/detections/endpoint/linux_auditd_auditd_service_stop.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Auditd Service Stop
 id: 6cb9d0e1-eabe-41de-a11a-5efade354e9d
-version: 4
-date: '2025-02-20'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_base64_decode_files.yml b/detections/endpoint/linux_auditd_base64_decode_files.yml
index d8969d5de2..531a41f5fc 100644
--- a/detections/endpoint/linux_auditd_base64_decode_files.yml
+++ b/detections/endpoint/linux_auditd_base64_decode_files.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Base64 Decode Files
 id: 5890ba10-4e48-4dc0-8a40-3e1ebe75e737
-version: 4
-date: '2025-02-20'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml
index 9d4a2a18b1..267056dd92 100644
--- a/detections/endpoint/linux_auditd_change_file_owner_to_root.yml
+++ b/detections/endpoint/linux_auditd_change_file_owner_to_root.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Change File Owner To Root
 id: 7b87c556-0ca4-47e0-b84c-6cd62a0a3e90
-version: 6
-date: '2025-02-20'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_clipboard_data_copy.yml b/detections/endpoint/linux_auditd_clipboard_data_copy.yml
index 6f1cf9bb6a..fb9d2ee09b 100644
--- a/detections/endpoint/linux_auditd_clipboard_data_copy.yml
+++ b/detections/endpoint/linux_auditd_clipboard_data_copy.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Clipboard Data Copy
 id: 9ddfe470-c4d0-4e60-8668-7337bd699edd
-version: 4
-date: '2025-02-20'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_data_destruction_command.yml b/detections/endpoint/linux_auditd_data_destruction_command.yml
index e9768a74f8..a2c2aeebf9 100644
--- a/detections/endpoint/linux_auditd_data_destruction_command.yml
+++ b/detections/endpoint/linux_auditd_data_destruction_command.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Data Destruction Command
 id: 4da5ce1a-f71b-4e71-bb73-c0a3c73f3c3c
-version: 4
-date: '2025-02-20'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml
index 783125a518..0123850ef8 100644
--- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml
+++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Data Transfer Size Limits Via Split
 id: 4669561d-3bbd-44e3-857c-0e3c6ef2120c
-version: 4
-date: '2025-02-20'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
index 486d997610..ae912d4253 100644
--- a/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
+++ b/detections/endpoint/linux_auditd_data_transfer_size_limits_via_split_syscall.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Data Transfer Size Limits Via Split Syscall
 id: c03d4a49-cf9d-435b-86e9-c6f8c9b6c42e
-version: 4
-date: '2024-02-20'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml
index 1ef43635dd..ee4aa77404 100644
--- a/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml
+++ b/detections/endpoint/linux_auditd_database_file_and_directory_discovery.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Database File And Directory Discovery
 id: f616c4f3-bde9-41cf-856c-019b65f668bb
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_dd_file_overwrite.yml b/detections/endpoint/linux_auditd_dd_file_overwrite.yml
index b3b6308f50..f75042fc1d 100644
--- a/detections/endpoint/linux_auditd_dd_file_overwrite.yml
+++ b/detections/endpoint/linux_auditd_dd_file_overwrite.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Dd File Overwrite
 id: d1b74420-4cea-4752-a123-9b40dfcca49a
-version: 4
-date: '2025-02-20'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml
index 629ee61ab7..cca19e4988 100644
--- a/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml
+++ b/detections/endpoint/linux_auditd_disable_or_modify_system_firewall.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Disable Or Modify System Firewall
 id: 07052556-d4b5-4bae-89aa-cbdc1bb11250
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml
index b372d94491..38767366dc 100644
--- a/detections/endpoint/linux_auditd_doas_conf_file_creation.yml
+++ b/detections/endpoint/linux_auditd_doas_conf_file_creation.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Doas Conf File Creation
 id: 61059783-574b-40d2-ac2f-69b898afd6b4
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_auditd_doas_tool_execution.yml b/detections/endpoint/linux_auditd_doas_tool_execution.yml
index 02f6c4ea83..33811e7267 100644
--- a/detections/endpoint/linux_auditd_doas_tool_execution.yml
+++ b/detections/endpoint/linux_auditd_doas_tool_execution.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Doas Tool Execution
 id: 91b8ca78-f205-4826-a3ef-cd8d6b24e97b
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml
index 33311670ec..0c78c283b2 100644
--- a/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml
+++ b/detections/endpoint/linux_auditd_edit_cron_table_parameter.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Edit Cron Table Parameter
 id: f4bb7321-7e64-4d1e-b1aa-21f8b019a91f
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml
index 774cc68c7a..64ea14403e 100644
--- a/detections/endpoint/linux_auditd_file_and_directory_discovery.yml
+++ b/detections/endpoint/linux_auditd_file_and_directory_discovery.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd File And Directory Discovery
 id: 0bbfb79c-a755-49a5-a38a-1128d0a452f1
-version: 4
-date: '2025-02-20'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml
index 44f5a6a8a0..6e8c8195dc 100644
--- a/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml
+++ b/detections/endpoint/linux_auditd_file_permission_modification_via_chmod.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd File Permission Modification Via Chmod
 id: 5f1d2ea7-eec0-4790-8b24-6875312ad492
-version: '10'
-date: '2025-03-19'
+version: 11
+date: '2025-05-02'
 author: "Teoderick Contreras, Splunk, Ivar Nyg\xE5rd"
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml
index 946d665a0d..a4ba23c7d6 100644
--- a/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml
+++ b/detections/endpoint/linux_auditd_file_permissions_modification_via_chattr.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd File Permissions Modification Via Chattr
 id: f2d1110d-b01c-4a58-9975-90a9edeb083a
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml
index 9e460eae8a..2b505f946b 100644
--- a/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml
+++ b/detections/endpoint/linux_auditd_find_credentials_from_password_managers.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Find Credentials From Password Managers
 id: 784241aa-85a5-4782-a503-d071bd3446f9
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml
index 4b39e1d0bc..4705e72fc1 100644
--- a/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml
+++ b/detections/endpoint/linux_auditd_find_credentials_from_password_stores.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Find Credentials From Password Stores
 id: 4de73044-9a1d-4a51-a1c2-85267d8dcab3
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml
index d9de476bf8..66935b0d1d 100644
--- a/detections/endpoint/linux_auditd_find_ssh_private_keys.yml
+++ b/detections/endpoint/linux_auditd_find_ssh_private_keys.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Find Ssh Private Keys
 id: e2d2bd10-dcd1-4b2f-8a76-0198eab32ba5
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml
index f1964bbdda..6b5305e307 100644
--- a/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml
+++ b/detections/endpoint/linux_auditd_hardware_addition_swapoff.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Hardware Addition Swapoff
 id: 5728bb16-1a0b-4b66-bce2-0074ac839770
-version: 4
-date: '2025-02-20'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml
index a6bf5defce..6836693f6f 100644
--- a/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml
+++ b/detections/endpoint/linux_auditd_hidden_files_and_directories_creation.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Hidden Files And Directories Creation
 id: 555cc358-bf16-4e05-9b3a-0f89c73b7261
-version: 6
-date: '2025-02-20'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml
index f79c5a9b34..c588b5d8a7 100644
--- a/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml
+++ b/detections/endpoint/linux_auditd_insert_kernel_module_using_insmod_utility.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Insert Kernel Module Using Insmod Utility
 id: bc0ca53f-dea6-4906-9b12-09c396fdf1d3
-version: 6
-date: '2025-02-20'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml
index b9e5e8f45c..335fcb0f35 100644
--- a/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml
+++ b/detections/endpoint/linux_auditd_install_kernel_module_using_modprobe_utility.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Install Kernel Module Using Modprobe Utility
 id: 95165985-ace5-4d42-9c42-93a89a5af901
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_kernel_module_enumeration.yml b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml
index 3fce0c9f78..8e0b9710ff 100644
--- a/detections/endpoint/linux_auditd_kernel_module_enumeration.yml
+++ b/detections/endpoint/linux_auditd_kernel_module_enumeration.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Kernel Module Enumeration
 id: d1b088de-c47a-4572-9339-bdcc26493b32
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml
index f31c9ddf36..d6c2dde6b3 100644
--- a/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml
+++ b/detections/endpoint/linux_auditd_kernel_module_using_rmmod_utility.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Kernel Module Using Rmmod Utility
 id: 31810b7a-0abe-42be-a210-0dec8106afee
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
index aad95585df..d60f18b488 100644
--- a/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
+++ b/detections/endpoint/linux_auditd_nopasswd_entry_in_sudoers_file.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Nopasswd Entry In Sudoers File
 id: 651df959-ad17-4b73-a323-90cb96d5fa1b
-version: '7'
-date: '2025-03-19'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_osquery_service_stop.yml b/detections/endpoint/linux_auditd_osquery_service_stop.yml
index 8007cb6d21..f3736cfe6c 100644
--- a/detections/endpoint/linux_auditd_osquery_service_stop.yml
+++ b/detections/endpoint/linux_auditd_osquery_service_stop.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Osquery Service Stop
 id: 0c320fea-6e87-4b99-a884-74d09d4b655d
-version: 4
-date: '2025-02-20'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
index bd1f8f7e8e..a434536311 100644
--- a/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
+++ b/detections/endpoint/linux_auditd_possible_access_or_modification_of_sshd_config_file.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Possible Access Or Modification Of Sshd Config File
 id: acb3ea33-70f7-47aa-b335-643b3aebcb2f
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
index 5e3d2312b2..4a813d80f0 100644
--- a/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
+++ b/detections/endpoint/linux_auditd_possible_access_to_credential_files.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Possible Access To Credential Files
 id: 0419cb7a-57ea-467b-974f-77c303dfe2a3
-version: '8'
-date: '2025-03-19'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
index fc9e2d1a8b..fe99e6d623 100644
--- a/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
+++ b/detections/endpoint/linux_auditd_possible_access_to_sudoers_file.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Possible Access To Sudoers File
 id: 8be88f46-f7e8-4ae6-b15e-cf1b13392834
-version: '8'
-date: '2025-03-19'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml
index 557b1b7602..c8f68a7035 100644
--- a/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml
+++ b/detections/endpoint/linux_auditd_possible_append_cronjob_entry_on_existing_cronjob_file.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Possible Append Cronjob Entry On Existing Cronjob File
 id: fea71cf0-fa10-4ef6-9202-9682b2e0c477
-version: 6
-date: '2025-02-20'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
index f4906c1255..0ac9c9bc86 100644
--- a/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
+++ b/detections/endpoint/linux_auditd_preload_hijack_library_calls.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Preload Hijack Library Calls
 id: 35c50572-a70b-452f-afa9-bebdf3c3ce36
-version: '8'
-date: '2025-03-19'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
index 63d385c257..5cd9ad3220 100644
--- a/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
+++ b/detections/endpoint/linux_auditd_preload_hijack_via_preload_file.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Preload Hijack Via Preload File
 id: c1b7abca-55cb-4a39-bdfb-e28c1c12745f
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
index e256d7247a..092e5be2dc 100644
--- a/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
+++ b/detections/endpoint/linux_auditd_private_keys_and_certificate_enumeration.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Private Keys and Certificate Enumeration
 id: 892eb674-3344-4143-8e52-4775b1daf3f1
-version: 3
-date: '2025-02-20'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_service_restarted.yml b/detections/endpoint/linux_auditd_service_restarted.yml
index b8a415e327..db786ebd91 100644
--- a/detections/endpoint/linux_auditd_service_restarted.yml
+++ b/detections/endpoint/linux_auditd_service_restarted.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Service Restarted
 id: 8eb3e858-18d3-44a4-a514-52cfa39f154a
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_service_started.yml b/detections/endpoint/linux_auditd_service_started.yml
index 565e6af26b..fdf72e1f2e 100644
--- a/detections/endpoint/linux_auditd_service_started.yml
+++ b/detections/endpoint/linux_auditd_service_started.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Service Started
 id: b5eed06d-5c97-4092-a3a1-fa4b7e77c71a
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
index ecce194753..fecb0288f8 100644
--- a/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
+++ b/detections/endpoint/linux_auditd_setuid_using_chmod_utility.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Setuid Using Chmod Utility
 id: 8230c407-1b47-4d95-ac2e-718bd6381386
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml
index c186d3278e..5f56cebd5a 100644
--- a/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml
+++ b/detections/endpoint/linux_auditd_setuid_using_setcap_utility.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Setuid Using Setcap Utility
 id: 1474459a-302b-4255-8add-d82f96d14cd9
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_auditd_shred_overwrite_command.yml b/detections/endpoint/linux_auditd_shred_overwrite_command.yml
index f7645e02b4..7bf47dd05d 100644
--- a/detections/endpoint/linux_auditd_shred_overwrite_command.yml
+++ b/detections/endpoint/linux_auditd_shred_overwrite_command.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Shred Overwrite Command
 id: ce2bde4d-a1d4-4452-8c87-98440e5adfb3
-version: 4
-date: '2025-02-20'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_auditd_stop_services.yml b/detections/endpoint/linux_auditd_stop_services.yml
index 8a365cf7a3..0c9c184109 100644
--- a/detections/endpoint/linux_auditd_stop_services.yml
+++ b/detections/endpoint/linux_auditd_stop_services.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Stop Services
 id: 43bc9281-753b-4743-b4b7-60af84f085f3
-version: 4
-date: '2025-02-20'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml
index dfe3d02727..eb9efa676c 100644
--- a/detections/endpoint/linux_auditd_sudo_or_su_execution.yml
+++ b/detections/endpoint/linux_auditd_sudo_or_su_execution.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Sudo Or Su Execution
 id: 817a5c89-5b92-4818-a22d-aa35e1361afe
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_sysmon_service_stop.yml b/detections/endpoint/linux_auditd_sysmon_service_stop.yml
index d65a42cd56..34c31aef9c 100644
--- a/detections/endpoint/linux_auditd_sysmon_service_stop.yml
+++ b/detections/endpoint/linux_auditd_sysmon_service_stop.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Sysmon Service Stop
 id: 20901256-633a-40de-8753-7b88811a460f
-version: 4
-date: '2025-02-20'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -70,7 +70,6 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop.log/linux_auditd_sysmon_service_stop.log
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1489/linux_auditd_sysmon_service_stop/linux_auditd_sysmon_service_stop.log
 source: auditd
 sourcetype: auditd
diff --git a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml
index 6eb0e19f4d..0875d6e3b8 100644
--- a/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml
+++ b/detections/endpoint/linux_auditd_system_network_configuration_discovery.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd System Network Configuration Discovery
 id: 5db16825-81bd-4923-a8d6-d6a13a59832a
-version: 4
-date: '2025-02-20'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
index d2f9250224..f336325d90 100644
--- a/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
+++ b/detections/endpoint/linux_auditd_unix_shell_configuration_modification.yml
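Review bot: The corrected `+ - data:` URL in the `@@ -70,7 +70,6 @@` hunk still resolves through the mutable `master` ref of the attack_data repository, so the fixture this True Positive Test loads can change underneath the detection without any bump to its `version`, and the stale `.log/` directory segment this commit removes is exactly the kind of drift that a branch reference does not protect against. If the test harness is meant to be reproducible, referencing the dataset by commit SHA (`.../attack_data/<commit>/datasets/...`) or recording a digest alongside `data:` would make a failure attributable to the detection logic rather than to upstream data changes. Whether the harness accepts a pinned ref is not visible in this diff, so this is a convention question for the maintainers rather than a blocker; the rest of the `tests:` block is outside the hunk.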
@@ -1,7 +1,7 @@
 name: Linux Auditd Unix Shell Configuration Modification
 id: 66f737c6-3f7f-46ed-8e9b-cc0e5bf01f04
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml
index cc4ffe639d..b83918c943 100644
--- a/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml
+++ b/detections/endpoint/linux_auditd_unload_module_via_modprobe.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Unload Module Via Modprobe
 id: 90964d6a-4b5f-409a-85bd-95e261e03fe9
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml
index a70bafeda7..4cd4f6f33c 100644
--- a/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml
+++ b/detections/endpoint/linux_auditd_virtual_disk_file_and_directory_discovery.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Virtual Disk File And Directory Discovery
 id: eec78cef-d4c8-4b35-8f5b-6922102a4a41
-version: 5
-date: '2025-02-20'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_auditd_whoami_user_discovery.yml b/detections/endpoint/linux_auditd_whoami_user_discovery.yml
index 67d3f903b3..0e9f7a60c9 100644
--- a/detections/endpoint/linux_auditd_whoami_user_discovery.yml
+++ b/detections/endpoint/linux_auditd_whoami_user_discovery.yml
@@ -1,7 +1,7 @@
 name: Linux Auditd Whoami User Discovery
 id: d1ff2e22-310d-446a-80b3-faedaa7b3b52
-version: 4
-date: '2025-02-20'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_awk_privilege_escalation.yml b/detections/endpoint/linux_awk_privilege_escalation.yml
index 16e3efc231..80570709d0 100644
--- a/detections/endpoint/linux_awk_privilege_escalation.yml
+++ b/detections/endpoint/linux_awk_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux AWK Privilege Escalation
 id: 4510cae0-96a2-4840-9919-91d262db210a
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_busybox_privilege_escalation.yml b/detections/endpoint/linux_busybox_privilege_escalation.yml
index b0d53fca9a..3ebe39c258 100644
--- a/detections/endpoint/linux_busybox_privilege_escalation.yml
+++ b/detections/endpoint/linux_busybox_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Busybox Privilege Escalation
 id: 387c4e78-f4a4-413d-ad44-e9f7bc4642c9
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_c89_privilege_escalation.yml b/detections/endpoint/linux_c89_privilege_escalation.yml
index 1423c3e674..efab2c508f 100644
--- a/detections/endpoint/linux_c89_privilege_escalation.yml
+++ b/detections/endpoint/linux_c89_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux c89 Privilege Escalation
 id: 54c95f4d-3e5d-44be-9521-ea19ba62f7a8
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_c99_privilege_escalation.yml b/detections/endpoint/linux_c99_privilege_escalation.yml
index 545fb0fa79..5ab4e52aa6 100644
--- a/detections/endpoint/linux_c99_privilege_escalation.yml
+++ b/detections/endpoint/linux_c99_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux c99 Privilege Escalation
 id: e1c6dec5-2249-442d-a1f9-99a4bd228183
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_change_file_owner_to_root.yml b/detections/endpoint/linux_change_file_owner_to_root.yml
index 7492fb5e27..ee46f688ed 100644
--- a/detections/endpoint/linux_change_file_owner_to_root.yml
+++ b/detections/endpoint/linux_change_file_owner_to_root.yml
@@ -1,7 +1,7 @@
 name: Linux Change File Owner To Root
 id: c1400ea2-6257-11ec-ad49-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_clipboard_data_copy.yml b/detections/endpoint/linux_clipboard_data_copy.yml
index dd649b3b74..ade4a8506a 100644
--- a/detections/endpoint/linux_clipboard_data_copy.yml
+++ b/detections/endpoint/linux_clipboard_data_copy.yml
@@ -1,7 +1,7 @@
 name: Linux Clipboard Data Copy
 id: 7173b2ad-6146-418f-85ae-c3479e4515fc
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_common_process_for_elevation_control.yml b/detections/endpoint/linux_common_process_for_elevation_control.yml
index c4b241c16d..a702c4600d 100644
--- a/detections/endpoint/linux_common_process_for_elevation_control.yml
+++ b/detections/endpoint/linux_common_process_for_elevation_control.yml
@@ -1,7 +1,7 @@
 name: Linux Common Process For Elevation Control
 id: 66ab15c0-63d0-11ec-9e70-acde48001122
-version: 8
-date: '2025-03-27'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/linux_composer_privilege_escalation.yml b/detections/endpoint/linux_composer_privilege_escalation.yml
index 5b600e9955..32b4e7bd71 100644
--- a/detections/endpoint/linux_composer_privilege_escalation.yml
+++ b/detections/endpoint/linux_composer_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Composer Privilege Escalation
 id: a3bddf71-6ba3-42ab-a6b2-396929b16d92
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_cpulimit_privilege_escalation.yml b/detections/endpoint/linux_cpulimit_privilege_escalation.yml
index b5b8ca2c83..56e92d688f 100644
--- a/detections/endpoint/linux_cpulimit_privilege_escalation.yml
+++ b/detections/endpoint/linux_cpulimit_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Cpulimit Privilege Escalation
 id: d4e40b7e-aad3-4a7d-aac8-550ea5222be5
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_csvtool_privilege_escalation.yml b/detections/endpoint/linux_csvtool_privilege_escalation.yml
index 1ce087b511..c83ff74766 100644
--- a/detections/endpoint/linux_csvtool_privilege_escalation.yml
+++ b/detections/endpoint/linux_csvtool_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Csvtool Privilege Escalation
 id: f8384f9e-1a5c-4c3a-96d6-8a7e5a38a8b8
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_curl_upload_file.yml b/detections/endpoint/linux_curl_upload_file.yml
index 92bf73562d..8aa322d09b 100644
--- a/detections/endpoint/linux_curl_upload_file.yml
+++ b/detections/endpoint/linux_curl_upload_file.yml
@@ -1,7 +1,7 @@
 name: Linux Curl Upload File
 id: c1de2d9a-0c02-4bb4-a49a-510c6e9cf2bf
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_data_destruction_command.yml b/detections/endpoint/linux_data_destruction_command.yml
index ff5e6a8ae8..f5b46c6994 100644
--- a/detections/endpoint/linux_data_destruction_command.yml
+++ b/detections/endpoint/linux_data_destruction_command.yml
@@ -1,7 +1,7 @@
 name: Linux Data Destruction Command
 id: b11d3979-b2f7-411b-bb1a-bd00e642173b
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_dd_file_overwrite.yml b/detections/endpoint/linux_dd_file_overwrite.yml
index c05a4b3614..7a7bfb926b 100644
--- a/detections/endpoint/linux_dd_file_overwrite.yml
+++ b/detections/endpoint/linux_dd_file_overwrite.yml
@@ -1,7 +1,7 @@
 name: Linux DD File Overwrite
 id: 9b6aae5e-8d85-11ec-b2ae-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_decode_base64_to_shell.yml b/detections/endpoint/linux_decode_base64_to_shell.yml
index 2b8a8c3896..a3f55ddc36 100644
--- a/detections/endpoint/linux_decode_base64_to_shell.yml
+++ b/detections/endpoint/linux_decode_base64_to_shell.yml
@@ -1,7 +1,7 @@
 name: Linux Decode Base64 to Shell
 id: 637b603e-1799-40fd-bf87-47ecbd551b66
-version: 8
-date: '2024-11-13'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml b/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml
index dddd179d5e..5bceb4ac0d 100644
--- a/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml
+++ b/detections/endpoint/linux_deleting_critical_directory_using_rm_command.yml
@@ -1,7 +1,7 @@
 name: Linux Deleting Critical Directory Using RM Command
 id: 33f89303-cc6f-49ad-921d-2eaea38a6f7a
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_deletion_of_cron_jobs.yml b/detections/endpoint/linux_deletion_of_cron_jobs.yml
index 514ac78d41..f21babe795 100644
--- a/detections/endpoint/linux_deletion_of_cron_jobs.yml
+++ b/detections/endpoint/linux_deletion_of_cron_jobs.yml
@@ -1,7 +1,7 @@
 name: Linux Deletion Of Cron Jobs
 id: 3b132a71-9335-4f33-9932-00bb4f6ac7e8
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_deletion_of_init_daemon_script.yml b/detections/endpoint/linux_deletion_of_init_daemon_script.yml
index 9b0914b54f..be8bd22c2b 100644
--- a/detections/endpoint/linux_deletion_of_init_daemon_script.yml
+++ b/detections/endpoint/linux_deletion_of_init_daemon_script.yml
@@ -1,7 +1,7 @@
 name: Linux Deletion Of Init Daemon Script
 id: 729aab57-d26f-4156-b97f-ab8dda8f44b1
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_deletion_of_services.yml b/detections/endpoint/linux_deletion_of_services.yml
index 68f20f6650..f38138272c 100644
--- a/detections/endpoint/linux_deletion_of_services.yml
+++ b/detections/endpoint/linux_deletion_of_services.yml
@@ -1,7 +1,7 @@
 name: Linux Deletion Of Services
 id: b509bbd3-0331-4aaa-8e4a-d2affe100af6
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_deletion_of_ssl_certificate.yml b/detections/endpoint/linux_deletion_of_ssl_certificate.yml
index 50a9168bf4..a06796978a 100644
--- a/detections/endpoint/linux_deletion_of_ssl_certificate.yml
+++ b/detections/endpoint/linux_deletion_of_ssl_certificate.yml
@@ -1,7 +1,7 @@
 name: Linux Deletion of SSL Certificate
 id: 839ab790-a60a-4f81-bfb3-02567063f615
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_disable_services.yml b/detections/endpoint/linux_disable_services.yml
index 6cefcdf8d1..cca2249b23 100644
--- a/detections/endpoint/linux_disable_services.yml
+++ b/detections/endpoint/linux_disable_services.yml
@@ -1,7 +1,7 @@
 name: Linux Disable Services
 id: f2e08a38-6689-4df4-ad8c-b51c16262316
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_doas_conf_file_creation.yml b/detections/endpoint/linux_doas_conf_file_creation.yml
index 877db6be69..9ab6ec1f4b 100644
--- a/detections/endpoint/linux_doas_conf_file_creation.yml
+++ b/detections/endpoint/linux_doas_conf_file_creation.yml
@@ -1,7 +1,7 @@
 name: Linux Doas Conf File Creation
 id: f6343e86-6e09-11ec-9376-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_doas_tool_execution.yml b/detections/endpoint/linux_doas_tool_execution.yml
index 18db34ff3c..f1080db49e 100644
--- a/detections/endpoint/linux_doas_tool_execution.yml
+++ b/detections/endpoint/linux_doas_tool_execution.yml
@@ -1,7 +1,7 @@
 name: Linux Doas Tool Execution
 id: d5a62490-6e09-11ec-884e-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_docker_privilege_escalation.yml b/detections/endpoint/linux_docker_privilege_escalation.yml
index a612101c5b..c430553461 100644
--- a/detections/endpoint/linux_docker_privilege_escalation.yml
+++ b/detections/endpoint/linux_docker_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Docker Privilege Escalation
 id: 2e7bfb78-85f6-47b5-bc2f-15813a4ef2b3
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_edit_cron_table_parameter.yml b/detections/endpoint/linux_edit_cron_table_parameter.yml
index d9d9084f78..7b0e9c7de6 100644
--- a/detections/endpoint/linux_edit_cron_table_parameter.yml
+++ b/detections/endpoint/linux_edit_cron_table_parameter.yml
@@ -1,7 +1,7 @@
 name: Linux Edit Cron Table Parameter
 id: 0d370304-5f26-11ec-a4bb-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/linux_emacs_privilege_escalation.yml b/detections/endpoint/linux_emacs_privilege_escalation.yml
index 5205f16866..734fd5d61a 100644
--- a/detections/endpoint/linux_emacs_privilege_escalation.yml
+++ b/detections/endpoint/linux_emacs_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Emacs Privilege Escalation
 id: 92033cab-1871-483d-a03b-a7ce98665cfc
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml b/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml
index f3acbffb3c..ea1fdcb53c 100644
--- a/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml
+++ b/detections/endpoint/linux_file_created_in_kernel_driver_directory.yml
@@ -1,7 +1,7 @@
 name: Linux File Created In Kernel Driver Directory
 id: b85bbeec-6326-11ec-9311-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_file_creation_in_init_boot_directory.yml b/detections/endpoint/linux_file_creation_in_init_boot_directory.yml
index f4bd0743b4..e82727db2d 100644
--- a/detections/endpoint/linux_file_creation_in_init_boot_directory.yml
+++ b/detections/endpoint/linux_file_creation_in_init_boot_directory.yml
@@ -1,7 +1,7 @@
 name: Linux File Creation In Init Boot Directory
 id: 97d9cfb2-61ad-11ec-bb2d-acde48001122
-version: 9
-date: '2025-03-27'
+version: 10
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_file_creation_in_profile_directory.yml b/detections/endpoint/linux_file_creation_in_profile_directory.yml
index 67eea7cecc..3c763b8adc 100644
--- a/detections/endpoint/linux_file_creation_in_profile_directory.yml
+++ b/detections/endpoint/linux_file_creation_in_profile_directory.yml
@@ -1,7 +1,7 @@
 name: Linux File Creation In Profile Directory
 id: 46ba0082-61af-11ec-9826-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_find_privilege_escalation.yml b/detections/endpoint/linux_find_privilege_escalation.yml
index 7562dfe549..b09a413b0c 100644
--- a/detections/endpoint/linux_find_privilege_escalation.yml
+++ b/detections/endpoint/linux_find_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Find Privilege Escalation
 id: 2ff4e0c2-8256-4143-9c07-1e39c7231111
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_gdb_privilege_escalation.yml b/detections/endpoint/linux_gdb_privilege_escalation.yml
index f31c966f9c..89651fcc0f 100644
--- a/detections/endpoint/linux_gdb_privilege_escalation.yml
+++ b/detections/endpoint/linux_gdb_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux GDB Privilege Escalation
 id: 310b7da2-ab52-437f-b1bf-0bd458674308
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_gem_privilege_escalation.yml b/detections/endpoint/linux_gem_privilege_escalation.yml
index ebdfbdd8ba..78fbeb1409 100644
--- a/detections/endpoint/linux_gem_privilege_escalation.yml
+++ b/detections/endpoint/linux_gem_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Gem Privilege Escalation
 id: 0115482a-5dcb-4bb0-bcca-5d095d224236
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_gnu_awk_privilege_escalation.yml b/detections/endpoint/linux_gnu_awk_privilege_escalation.yml
index 9f39825b7d..03cefa7b09 100644
--- a/detections/endpoint/linux_gnu_awk_privilege_escalation.yml
+++ b/detections/endpoint/linux_gnu_awk_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux GNU Awk Privilege Escalation
 id: 0dcf43b9-50d8-42a6-acd9-d1c9201fe6ae
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_hardware_addition_swapoff.yml b/detections/endpoint/linux_hardware_addition_swapoff.yml
index 81a67e00b3..0c49cb044c 100644
--- a/detections/endpoint/linux_hardware_addition_swapoff.yml
+++ b/detections/endpoint/linux_hardware_addition_swapoff.yml
@@ -1,7 +1,7 @@
 name: Linux Hardware Addition SwapOff
 id: c1eea697-99ed-44c2-9b70-d8935464c499
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml b/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml
index 3582ce15ef..5678b7e48e 100644
--- a/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml
+++ b/detections/endpoint/linux_high_frequency_of_file_deletion_in_boot_folder.yml
@@ -1,7 +1,7 @@
 name: Linux High Frequency Of File Deletion In Boot Folder
 id: e27fbc5d-0445-4c4a-bc39-87f060d5c602
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml b/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml
index fefeca16fb..23d1870ea5 100644
--- a/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml
+++ b/detections/endpoint/linux_high_frequency_of_file_deletion_in_etc_folder.yml
@@ -1,7 +1,7 @@
 name: Linux High Frequency Of File Deletion In Etc Folder
 id: 9d867448-2aff-4d07-876c-89409a752ff8
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_impair_defenses_process_kill.yml b/detections/endpoint/linux_impair_defenses_process_kill.yml
index e512177018..5b2adfac12 100644
--- a/detections/endpoint/linux_impair_defenses_process_kill.yml
+++ b/detections/endpoint/linux_impair_defenses_process_kill.yml
@@ -1,7 +1,7 @@
 name: Linux Impair Defenses Process Kill
 id: 435c6b33-adf9-47fe-be87-8e29fd6654f5
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/linux_indicator_removal_clear_cache.yml b/detections/endpoint/linux_indicator_removal_clear_cache.yml
index bbdf324a94..4797121e49 100644
--- a/detections/endpoint/linux_indicator_removal_clear_cache.yml
+++ b/detections/endpoint/linux_indicator_removal_clear_cache.yml
@@ -1,7 +1,7 @@
 name: Linux Indicator Removal Clear Cache
 id: e0940505-0b73-4719-84e6-cb94c44a5245
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_indicator_removal_service_file_deletion.yml b/detections/endpoint/linux_indicator_removal_service_file_deletion.yml
index 54f1c79236..ce3ccc3af6 100644
--- a/detections/endpoint/linux_indicator_removal_service_file_deletion.yml
+++ b/detections/endpoint/linux_indicator_removal_service_file_deletion.yml
@@ -1,7 +1,7 @@
 name: Linux Indicator Removal Service File Deletion
 id: 6c077f81-2a83-4537-afbc-0e62e3215d55
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_ingress_tool_transfer_hunting.yml b/detections/endpoint/linux_ingress_tool_transfer_hunting.yml
index f55531f5da..da3a7898eb 100644
--- a/detections/endpoint/linux_ingress_tool_transfer_hunting.yml
+++ b/detections/endpoint/linux_ingress_tool_transfer_hunting.yml
@@ -1,7 +1,7 @@
 name: Linux Ingress Tool Transfer Hunting
 id: 52fd468b-cb6d-48f5-b16a-92f1c9bb10cf
-version: 7
-date: '2024-12-19'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml b/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml
index c65698ec65..253a7b35ae 100644
--- a/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml
+++ b/detections/endpoint/linux_ingress_tool_transfer_with_curl.yml
@@ -1,7 +1,7 @@
 name: Linux Ingress Tool Transfer with Curl
 id: 8c1de57d-abc1-4b41-a727-a7a8fc5e0857
-version: 7
-date: '2024-12-19'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml b/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml
index 06ad099dae..88aeabfa64 100644
--- a/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml
+++ b/detections/endpoint/linux_insert_kernel_module_using_insmod_utility.yml
@@ -1,7 +1,7 @@
 name: Linux Insert Kernel Module Using Insmod Utility
 id: 18b5a1a0-6326-11ec-943a-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml b/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml
index 0bff02e5dc..e4deaf1902 100644
--- a/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml
+++ b/detections/endpoint/linux_install_kernel_module_using_modprobe_utility.yml
@@ -1,7 +1,7 @@
 name: Linux Install Kernel Module Using Modprobe Utility
 id: 387b278a-6326-11ec-aa2c-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_iptables_firewall_modification.yml b/detections/endpoint/linux_iptables_firewall_modification.yml
index 99ef55895e..ec36cf5d5d 100644
--- a/detections/endpoint/linux_iptables_firewall_modification.yml
+++ b/detections/endpoint/linux_iptables_firewall_modification.yml
@@ -1,7 +1,7 @@
 name: Linux Iptables Firewall Modification
 id: 309d59dc-1e1b-49b2-9800-7cf18d12f7b7
-version: 10
-date: '2025-03-27'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_java_spawning_shell.yml b/detections/endpoint/linux_java_spawning_shell.yml
index 41534f6458..24d8ea7d8a 100644
--- a/detections/endpoint/linux_java_spawning_shell.yml
+++ b/detections/endpoint/linux_java_spawning_shell.yml
@@ -1,7 +1,7 @@
 name: Linux Java Spawning Shell
 id: 7b09db8a-5c20-11ec-9945-acde48001122
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_kernel_module_enumeration.yml b/detections/endpoint/linux_kernel_module_enumeration.yml
index 9d6426bb96..c99077eb2c 100644
--- a/detections/endpoint/linux_kernel_module_enumeration.yml
+++ b/detections/endpoint/linux_kernel_module_enumeration.yml
@@ -1,7 +1,7 @@
 name: Linux Kernel Module Enumeration
 id: 6df99886-0e04-4c11-8b88-325747419278
-version: 8
-date: '2024-11-17'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_kworker_process_in_writable_process_path.yml b/detections/endpoint/linux_kworker_process_in_writable_process_path.yml
index d3ab7cd0db..6e1583d188 100644
--- a/detections/endpoint/linux_kworker_process_in_writable_process_path.yml
+++ b/detections/endpoint/linux_kworker_process_in_writable_process_path.yml
@@ -1,7 +1,7 @@
 name: Linux Kworker Process In Writable Process Path
 id: 1cefb270-74a5-4e27-aa0c-2b6fa7c5b4ed
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/linux_make_privilege_escalation.yml b/detections/endpoint/linux_make_privilege_escalation.yml
index deafa857a7..e8d5fa158d 100644
--- a/detections/endpoint/linux_make_privilege_escalation.yml
+++ b/detections/endpoint/linux_make_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Make Privilege Escalation
 id: 80b22836-5091-4944-80ee-f733ac443f4f
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_mysql_privilege_escalation.yml b/detections/endpoint/linux_mysql_privilege_escalation.yml
index a95a6b4dca..89f10fad82 100644
--- a/detections/endpoint/linux_mysql_privilege_escalation.yml
+++ b/detections/endpoint/linux_mysql_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux MySQL Privilege Escalation
 id: c0d810f4-230c-44ea-b703-989da02ff145
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml b/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml
index 0becd41915..522767690e 100644
--- a/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml
+++ b/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml
@@ -1,7 +1,7 @@
 name: Linux Ngrok Reverse Proxy Usage
 id: bc84d574-708c-467d-b78a-4c1e20171f97
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_node_privilege_escalation.yml b/detections/endpoint/linux_node_privilege_escalation.yml
index 2644522fbc..dc0344dcb0 100644
--- a/detections/endpoint/linux_node_privilege_escalation.yml
+++ b/detections/endpoint/linux_node_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Node Privilege Escalation
 id: 2e58a4ff-398f-42f4-8fd0-e01ebfe2a8ce
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml
index 93fcb838a1..1920d5c2b3 100644
--- a/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml
+++ b/detections/endpoint/linux_nopasswd_entry_in_sudoers_file.yml
@@ -1,7 +1,7 @@
 name: Linux NOPASSWD Entry In Sudoers File
 id: ab1e0d52-624a-11ec-8e0b-acde48001122
-version: 8
-date: '2025-03-27'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml
index 5598bf79db..257bef22b8 100644
--- a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml
+++ b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml
@@ -1,7 +1,7 @@
 name: Linux Obfuscated Files or Information Base64 Decode
 id: 303b38b2-c03f-44e2-8f41-4594606fcfc7
-version: 8
-date: '2024-11-13'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_octave_privilege_escalation.yml b/detections/endpoint/linux_octave_privilege_escalation.yml
index 71cfa1c78d..7689f50616 100644
--- a/detections/endpoint/linux_octave_privilege_escalation.yml
+++ b/detections/endpoint/linux_octave_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Octave Privilege Escalation
 id: 78f7487d-42ce-4f7f-8685-2159b25fb477
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_openvpn_privilege_escalation.yml b/detections/endpoint/linux_openvpn_privilege_escalation.yml
index 6200029b27..5b1e6e18c0 100644
--- a/detections/endpoint/linux_openvpn_privilege_escalation.yml
+++ b/detections/endpoint/linux_openvpn_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux OpenVPN Privilege Escalation
 id: d25feebe-fa1c-4754-8a1e-afb03bedc0f2
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml
index 5b7c6321e9..15ba268593 100644
--- a/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml
+++ b/detections/endpoint/linux_persistence_and_privilege_escalation_risk_behavior.yml
@@ -1,7 +1,7 @@
 name: Linux Persistence and Privilege Escalation Risk Behavior
 id: ad5ac21b-3b1e-492c-8e19-ea5d5e8e5cf1
-version: 7
-date: '2025-04-16'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Correlation
diff --git a/detections/endpoint/linux_php_privilege_escalation.yml b/detections/endpoint/linux_php_privilege_escalation.yml
index 744038f95e..3dafdc2b9e 100644
--- a/detections/endpoint/linux_php_privilege_escalation.yml
+++ b/detections/endpoint/linux_php_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux PHP Privilege Escalation
 id: 4fc4c031-e5be-4cc0-8cf9-49f9f507bcb5
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_pkexec_privilege_escalation.yml b/detections/endpoint/linux_pkexec_privilege_escalation.yml
index 41fe9ac26b..7ef872c149 100644
--- a/detections/endpoint/linux_pkexec_privilege_escalation.yml
+++ b/detections/endpoint/linux_pkexec_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux pkexec Privilege Escalation
 id: 03e22c1c-8086-11ec-ac2e-acde48001122
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml b/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml
index 9a24efeff3..79bde41308 100644
--- a/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml
+++ b/detections/endpoint/linux_possible_access_or_modification_of_sshd_config_file.yml
@@ -1,7 +1,7 @@
 name: Linux Possible Access Or Modification Of sshd Config File
 id: 7a85eb24-72da-11ec-ac76-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_possible_access_to_credential_files.yml b/detections/endpoint/linux_possible_access_to_credential_files.yml
index 464ef2c05d..9c496e183b 100644
--- a/detections/endpoint/linux_possible_access_to_credential_files.yml
+++ b/detections/endpoint/linux_possible_access_to_credential_files.yml
@@ -1,7 +1,7 @@
 name: Linux Possible Access To Credential Files
 id: 16107e0e-71fc-11ec-b862-acde48001122
-version: 9
-date: '2025-03-27'
+version: 10
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_possible_access_to_sudoers_file.yml b/detections/endpoint/linux_possible_access_to_sudoers_file.yml
index a57047bb68..58259d9710 100644
--- a/detections/endpoint/linux_possible_access_to_sudoers_file.yml
+++ b/detections/endpoint/linux_possible_access_to_sudoers_file.yml
@@ -1,7 +1,7 @@
 name: Linux Possible Access To Sudoers File
 id: 4479539c-71fc-11ec-b2e2-acde48001122
-version: 8
-date: '2025-03-27'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml
index 320796d11b..ca92c3c04a 100644
--- a/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml
+++ b/detections/endpoint/linux_possible_append_command_to_at_allow_config_file.yml
@@ -1,7 +1,7 @@
 name: Linux Possible Append Command To At Allow Config File
 id: 7bc20606-5f40-11ec-a586-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml b/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml
index 6716db4274..1d3113d10f 100644
--- a/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml
+++ b/detections/endpoint/linux_possible_append_command_to_profile_config_file.yml
@@ -1,7 +1,7 @@
 name: Linux Possible Append Command To Profile Config File
 id: 9c94732a-61af-11ec-91e3-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml b/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml
index efa52f8e37..48d704ae91 100644
--- a/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml
+++ b/detections/endpoint/linux_possible_append_cronjob_entry_on_existing_cronjob_file.yml
@@ -1,7 +1,7 @@
 name: Linux Possible Append Cronjob Entry on Existing Cronjob File
 id: b5b91200-5f27-11ec-bb4e-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml b/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml
index 36063bd09a..7fba0f6e85 100644
--- a/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml
+++ b/detections/endpoint/linux_possible_cronjob_modification_with_editor.yml
@@ -1,7 +1,7 @@
 name: Linux Possible Cronjob Modification With Editor
 id: dcc89bde-5f24-11ec-87ca-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/linux_possible_ssh_key_file_creation.yml b/detections/endpoint/linux_possible_ssh_key_file_creation.yml
index 4e67b177ff..5c00e6ed9c 100644
--- a/detections/endpoint/linux_possible_ssh_key_file_creation.yml
+++ b/detections/endpoint/linux_possible_ssh_key_file_creation.yml
@@ -1,7 +1,7 @@
 name: Linux Possible Ssh Key File Creation
 id: c04ef40c-72da-11ec-8eac-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_preload_hijack_library_calls.yml b/detections/endpoint/linux_preload_hijack_library_calls.yml
index 9f82133d5f..bf6f9569e4 100644
--- a/detections/endpoint/linux_preload_hijack_library_calls.yml
+++ b/detections/endpoint/linux_preload_hijack_library_calls.yml
@@ -1,7 +1,7 @@
 name: Linux Preload Hijack Library Calls
 id: cbe2ca30-631e-11ec-8670-acde48001122
-version: 8
-date: '2025-03-27'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_proxy_socks_curl.yml b/detections/endpoint/linux_proxy_socks_curl.yml
index 82960aa1a4..64c5505948 100644
--- a/detections/endpoint/linux_proxy_socks_curl.yml
+++ b/detections/endpoint/linux_proxy_socks_curl.yml
@@ -1,7 +1,7 @@
 name: Linux Proxy Socks Curl
 id: bd596c22-ad1e-44fc-b242-817253ce8b08
-version: 8
-date: '2025-03-27'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk, 0xC0FFEEEE, Github Community
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_puppet_privilege_escalation.yml b/detections/endpoint/linux_puppet_privilege_escalation.yml
index 45923ebdd0..4a9e15e84c 100644
--- a/detections/endpoint/linux_puppet_privilege_escalation.yml
+++ b/detections/endpoint/linux_puppet_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Puppet Privilege Escalation
 id: 1d19037f-466e-4d56-8d87-36fafd9aa3ce
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_rpm_privilege_escalation.yml b/detections/endpoint/linux_rpm_privilege_escalation.yml
index 2b91858e2f..3abf8c5a04 100644
--- a/detections/endpoint/linux_rpm_privilege_escalation.yml
+++ b/detections/endpoint/linux_rpm_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux RPM Privilege Escalation
 id: f8e58a23-cecd-495f-9c65-6c76b4cb9774
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_ruby_privilege_escalation.yml b/detections/endpoint/linux_ruby_privilege_escalation.yml
index f96f0cf831..b837365de1 100644
--- a/detections/endpoint/linux_ruby_privilege_escalation.yml
+++ b/detections/endpoint/linux_ruby_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Ruby Privilege Escalation
 id: 097b28b5-7004-4d40-a715-7e390501788b
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml
index 1b206345ab..cbb066d07e 100644
--- a/detections/endpoint/linux_service_file_created_in_systemd_directory.yml
+++ b/detections/endpoint/linux_service_file_created_in_systemd_directory.yml
@@ -1,7 +1,7 @@
 name: Linux Service File Created In Systemd Directory
 id: c7495048-61b6-11ec-9a37-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_service_restarted.yml b/detections/endpoint/linux_service_restarted.yml
index 5dddaf2ff5..55674db9c4 100644
--- a/detections/endpoint/linux_service_restarted.yml
+++ b/detections/endpoint/linux_service_restarted.yml
@@ -1,7 +1,7 @@
 name: Linux Service Restarted
 id: 084275ba-61b8-11ec-8d64-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_service_started_or_enabled.yml b/detections/endpoint/linux_service_started_or_enabled.yml
index eb4540f530..212246ef09 100644
--- a/detections/endpoint/linux_service_started_or_enabled.yml
+++ b/detections/endpoint/linux_service_started_or_enabled.yml
@@ -1,7 +1,7 @@
 name: Linux Service Started Or Enabled
 id: e0428212-61b7-11ec-88a3-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_setuid_using_chmod_utility.yml b/detections/endpoint/linux_setuid_using_chmod_utility.yml
index e336113516..7a83ca3e28 100644
--- a/detections/endpoint/linux_setuid_using_chmod_utility.yml
+++ b/detections/endpoint/linux_setuid_using_chmod_utility.yml
@@ -1,7 +1,7 @@
 name: Linux Setuid Using Chmod Utility
 id: bf0304b6-6250-11ec-9d7c-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_setuid_using_setcap_utility.yml b/detections/endpoint/linux_setuid_using_setcap_utility.yml
index e79ff07948..4e15597ebc 100644
--- a/detections/endpoint/linux_setuid_using_setcap_utility.yml
+++ b/detections/endpoint/linux_setuid_using_setcap_utility.yml
@@ -1,7 +1,7 @@
 name: Linux Setuid Using Setcap Utility
 id: 9d96022e-6250-11ec-9a19-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_shred_overwrite_command.yml b/detections/endpoint/linux_shred_overwrite_command.yml
index e6133b9728..549bed10a4 100644
--- a/detections/endpoint/linux_shred_overwrite_command.yml
+++ b/detections/endpoint/linux_shred_overwrite_command.yml
@@ -1,7 +1,7 @@
 name: Linux Shred Overwrite Command
 id: c1952cf1-643c-4965-82de-11c067cbae76
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_sqlite3_privilege_escalation.yml b/detections/endpoint/linux_sqlite3_privilege_escalation.yml
index cf2c554285..d660f165b1 100644
--- a/detections/endpoint/linux_sqlite3_privilege_escalation.yml
+++ b/detections/endpoint/linux_sqlite3_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Linux Sqlite3 Privilege Escalation
 id: ab75dbb7-c3ba-4689-9c1b-8d2717bdcba1
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_ssh_authorized_keys_modification.yml b/detections/endpoint/linux_ssh_authorized_keys_modification.yml
index 1f924b5398..cde9da0fc8 100644
--- a/detections/endpoint/linux_ssh_authorized_keys_modification.yml
+++ b/detections/endpoint/linux_ssh_authorized_keys_modification.yml
@@ -1,7 +1,7 @@
 name: Linux SSH Authorized Keys Modification
 id: f5ab595e-28e5-4327-8077-5008ba97c850
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_ssh_remote_services_script_execute.yml b/detections/endpoint/linux_ssh_remote_services_script_execute.yml
index 7824769931..8af76970b0 100644
--- a/detections/endpoint/linux_ssh_remote_services_script_execute.yml
+++ b/detections/endpoint/linux_ssh_remote_services_script_execute.yml
@@ -1,7 +1,7 @@
 name: Linux SSH Remote Services Script Execute
 id: aa1748dd-4a5c-457a-9cf6-ca7b4eb711b3
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml b/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml
index cb04265156..2ca808d2f1 100644
--- a/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml
+++ b/detections/endpoint/linux_stdout_redirection_to_dev_null_file.yml
@@ -1,7 +1,7 @@
 name: Linux Stdout Redirection To Dev Null File
 id: de62b809-a04d-46b5-9a15-8298d330f0c8
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/endpoint/linux_stop_services.yml b/detections/endpoint/linux_stop_services.yml
index a0ee4de926..4158969370 100644
--- a/detections/endpoint/linux_stop_services.yml
+++ b/detections/endpoint/linux_stop_services.yml
@@ -1,7 +1,7 @@
 name: Linux Stop Services
 id: d05204a5-9f1c-4946-a7f3-4fa58d76d5fd
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_sudo_or_su_execution.yml b/detections/endpoint/linux_sudo_or_su_execution.yml
index 255f1338e2..9a3af792dc 100644
--- a/detections/endpoint/linux_sudo_or_su_execution.yml
+++ b/detections/endpoint/linux_sudo_or_su_execution.yml
@@ -1,7 +1,7 @@
 name: Linux Sudo OR Su Execution
 id: 4b00f134-6d6a-11ec-a90c-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/linux_sudoers_tmp_file_creation.yml b/detections/endpoint/linux_sudoers_tmp_file_creation.yml
index 0a529c7205..5144dde1a3 100644
--- a/detections/endpoint/linux_sudoers_tmp_file_creation.yml
+++ b/detections/endpoint/linux_sudoers_tmp_file_creation.yml
@@ -1,7 +1,7 @@
 name: Linux Sudoers Tmp File Creation
 id: be254a5c-63e7-11ec-89da-acde48001122
-version: 8
-date: '2025-03-27'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_system_network_discovery.yml b/detections/endpoint/linux_system_network_discovery.yml
index 45f20262ec..0ae646262b 100644
--- a/detections/endpoint/linux_system_network_discovery.yml
+++ b/detections/endpoint/linux_system_network_discovery.yml
@@ -1,7 +1,7 @@
 name: Linux System Network Discovery
 id: 535cb214-8b47-11ec-a2c7-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_system_reboot_via_system_request_key.yml b/detections/endpoint/linux_system_reboot_via_system_request_key.yml
index 64f4ea261c..38b337fe71 100644
--- a/detections/endpoint/linux_system_reboot_via_system_request_key.yml
+++ b/detections/endpoint/linux_system_reboot_via_system_request_key.yml
@@ -1,7 +1,7 @@
 name: Linux System Reboot Via System Request Key
 id: e1912b58-ed9c-422c-bbb0-2dbc70398345
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml b/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml
index e23c928276..207669d168 100644
--- a/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml
+++ b/detections/endpoint/linux_unix_shell_enable_all_sysrq_functions.yml
@@ -1,7 +1,7 @@
 name: Linux Unix Shell Enable All SysRq Functions
 id: e7a96937-3b58-4962-8dce-538e4763cf15
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/linux_visudo_utility_execution.yml b/detections/endpoint/linux_visudo_utility_execution.yml
index ed3255c267..505e062cdf 100644
--- a/detections/endpoint/linux_visudo_utility_execution.yml
+++ b/detections/endpoint/linux_visudo_utility_execution.yml
@@ -1,7 +1,7 @@
 name: Linux Visudo Utility Execution
 id: 08c41040-624c-11ec-a71f-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/living_off_the_land_detection.yml b/detections/endpoint/living_off_the_land_detection.yml
index 2b5c39b736..d75b2c4ce3 100644
--- a/detections/endpoint/living_off_the_land_detection.yml
+++ b/detections/endpoint/living_off_the_land_detection.yml
@@ -1,7 +1,7 @@
 name: Living Off The Land Detection
 id: 1be30d80-3a39-4df9-9102-64a467b24abc
-version: 7
-date: '2025-04-16'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Correlation
@@ -69,6 +69,6 @@ tags:
 tests:
 - name: True Positive Test
 attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1218/living_off_the_land/lolbinrisk.log
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1218/living_off_the_land/lolbinrisk.log
 source: lotl
 sourcetype: stash
diff --git a/detections/endpoint/loading_of_dynwrapx_module.yml b/detections/endpoint/loading_of_dynwrapx_module.yml
index 4e5e9bac04..7acbbeb083 100644
--- a/detections/endpoint/loading_of_dynwrapx_module.yml
+++ b/detections/endpoint/loading_of_dynwrapx_module.yml
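Review bot: The rewritten `data:` URL in the second living_off_the_land_detection hunk still resolves the fixture through the mutable `master` ref of the attack_data repository, so the content behind `True Positive Test` can change or vanish without any edit to this file and without the pinned `version`/`date` pair above it meaning anything for the test. Pinning the path to a commit instead of a branch, e.g. `.../media/splunk/attack_data/<COMMIT_SHA>/datasets/attack_techniques/T1218/living_off_the_land/lolbinrisk.log`, would make the detection's test reproducible. The same applies to the log4shell_cve_2021_44228_exploitation hunk on the next line, which additionally moves the fixture from raw.githubusercontent.com (`.txt`) to media.githubusercontent.com (`.log`); whether an object exists at that exact new path cannot be confirmed from the diff, so it is worth verifying before merge. The surrounding `tests:` entry is only partly visible here, since the collapsed hunk has lost its indentation.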
@@ -1,7 +1,7 @@
 name: Loading Of Dynwrapx Module
 id: eac5e8ba-4857-11ec-9371-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/local_account_discovery_with_wmic.yml b/detections/endpoint/local_account_discovery_with_wmic.yml
index 5ccada90a9..173a816a4f 100644
--- a/detections/endpoint/local_account_discovery_with_wmic.yml
+++ b/detections/endpoint/local_account_discovery_with_wmic.yml
@@ -1,7 +1,7 @@
 name: Local Account Discovery With Wmic
 id: 4902d7aa-0134-11ec-9d65-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml b/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml
index f5c27f7f04..bcb0d78d3f 100644
--- a/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml
+++ b/detections/endpoint/log4shell_cve_2021_44228_exploitation.yml
@@ -1,7 +1,7 @@
 name: Log4Shell CVE-2021-44228 Exploitation
 id: 9be30d80-3a39-4df9-9102-64a467b24eac
-version: 7
-date: '2025-04-16'
+version: 8
+date: '2025-05-02'
 author: Jose Hernandez, Splunk
 status: production
 type: Correlation
@@ -70,6 +70,6 @@ tests:
 - name: True Positive Test
 attack_data:
 - data:
- https://raw.githubusercontent.com/splunk/attack_data/master/datasets/suspicious_behaviour/log4shell_exploitation/log4shell_correlation.txt
+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/log4shell_exploitation/log4shell_correlation.log
 source: log4shell
 sourcetype: stash
diff --git a/detections/endpoint/logon_script_event_trigger_execution.yml b/detections/endpoint/logon_script_event_trigger_execution.yml
index a34a57233f..afc0229258 100644
--- a/detections/endpoint/logon_script_event_trigger_execution.yml
+++ b/detections/endpoint/logon_script_event_trigger_execution.yml
@@ -1,7 +1,7 @@
 name: Logon Script Event Trigger Execution
 id: 4c38c264-1f74-11ec-b5fa-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/lolbas_with_network_traffic.yml b/detections/endpoint/lolbas_with_network_traffic.yml
index b7136b6e89..b143d573df 100644
--- a/detections/endpoint/lolbas_with_network_traffic.yml
+++ b/detections/endpoint/lolbas_with_network_traffic.yml
@@ -1,7 +1,7 @@
 name: LOLBAS With Network Traffic
 id: 2820f032-19eb-497e-8642-25b04a880359
-version: 8
-date: '2025-04-22'
+version: 9
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/macos___re_opened_applications.yml b/detections/endpoint/macos___re_opened_applications.yml
index fee3852b93..91063d8e86 100644
--- a/detections/endpoint/macos___re_opened_applications.yml
+++ b/detections/endpoint/macos___re_opened_applications.yml
@@ -1,7 +1,7 @@
 name: MacOS - Re-opened Applications
 id: 40bb64f9-f619-4e3d-8732-328d40377c4b
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-05-02'
 author: Jamie Windley, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/macos_lolbin.yml b/detections/endpoint/macos_lolbin.yml
index 364826a00d..23fc9e3904 100644
--- a/detections/endpoint/macos_lolbin.yml
+++ b/detections/endpoint/macos_lolbin.yml
@@ -1,7 +1,7 @@
 name: MacOS LOLbin
 id: 58d270fb-5b39-418e-a855-4b8ac046805e
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/macos_plutil.yml b/detections/endpoint/macos_plutil.yml
index 295d560c63..03858c402f 100644
--- a/detections/endpoint/macos_plutil.yml
+++ b/detections/endpoint/macos_plutil.yml
@@ -1,7 +1,7 @@
 name: MacOS plutil
 id: c11f2b57-92c1-4cd2-b46c-064eafb833ac
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/mailsniper_invoke_functions.yml b/detections/endpoint/mailsniper_invoke_functions.yml
index 7551b9fcfa..78e04be73e 100644
--- a/detections/endpoint/mailsniper_invoke_functions.yml
+++ b/detections/endpoint/mailsniper_invoke_functions.yml
@@ -1,7 +1,7 @@
 name: Mailsniper Invoke functions
 id: a36972c8-b894-11eb-9f78-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/malicious_inprocserver32_modification.yml b/detections/endpoint/malicious_inprocserver32_modification.yml
index bc333c82c0..6ca4d46321 100644
--- a/detections/endpoint/malicious_inprocserver32_modification.yml
+++ b/detections/endpoint/malicious_inprocserver32_modification.yml
@@ -1,7 +1,7 @@
 name: Malicious InProcServer32 Modification
 id: 127c8d08-25ff-11ec-9223-acde48001122
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/malicious_powershell_executed_as_a_service.yml b/detections/endpoint/malicious_powershell_executed_as_a_service.yml
index 9ce1a87d91..105a5ecc07 100644
--- a/detections/endpoint/malicious_powershell_executed_as_a_service.yml
+++ b/detections/endpoint/malicious_powershell_executed_as_a_service.yml
@@ -1,7 +1,7 @@
 name: Malicious Powershell Executed As A Service
 id: 8e204dfd-cae0-4ea8-a61d-e972a1ff2ff8
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Ryan Becwar
 status: production
 type: TTP
diff --git a/detections/endpoint/malicious_powershell_process___encoded_command.yml b/detections/endpoint/malicious_powershell_process___encoded_command.yml
index 412f4fba4e..59c49e2301 100644
--- a/detections/endpoint/malicious_powershell_process___encoded_command.yml
+++ b/detections/endpoint/malicious_powershell_process___encoded_command.yml
@@ -1,7 +1,7 @@
 name: Malicious PowerShell Process - Encoded Command
 id: c4db14d9-7909-48b4-a054-aa14d89dbb19
-version: 13
-date: '2024-11-22'
+version: 14
+date: '2025-05-02'
 author: David Dorsey, Michael Haag, Splunk, SirDuckly, GitHub Community
 status: production
 type: Hunting
diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
index 058fd211ae..a3168c717f 100644
--- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
+++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
@@ -1,7 +1,7 @@
 name: Malicious PowerShell Process - Execution Policy Bypass
 id: 9be56c82-b1cc-4318-87eb-d138afaaca39
-version: '12'
-date: '2025-02-24'
+version: 13
+date: '2025-05-02'
 author: Rico Valdez, Mauricio Velazco, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml
index 5cad885d3f..af1228ccaa 100644
--- a/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml
+++ b/detections/endpoint/malicious_powershell_process_with_obfuscation_techniques.yml
@@ -1,7 +1,7 @@
 name: Malicious PowerShell Process With Obfuscation Techniques
 id: cde75cf6-3c7a-4dd6-af01-27cdb4511fd4
-version: 11
-date: '2025-02-10'
+version: 12
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/microsoft_defender_atp_alerts.yml b/detections/endpoint/microsoft_defender_atp_alerts.yml
index adefaf11fd..14208b45b3 100644
--- a/detections/endpoint/microsoft_defender_atp_alerts.yml
+++ b/detections/endpoint/microsoft_defender_atp_alerts.yml
@@ -1,7 +1,7 @@
 name: Microsoft Defender ATP Alerts
 id: 38f034ed-1598-46c8-95e8-14edf05fdf5d
-version: 3
-date: '2025-01-20'
+version: 4
+date: '2025-05-02'
 author: Bryan Pluta, Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/microsoft_defender_incident_alerts.yml b/detections/endpoint/microsoft_defender_incident_alerts.yml
index 9756849223..bac94ddfc1 100644
--- a/detections/endpoint/microsoft_defender_incident_alerts.yml
+++ b/detections/endpoint/microsoft_defender_incident_alerts.yml
@@ -1,7 +1,7 @@
 name: Microsoft Defender Incident Alerts
 id: 13435b55-afd8-46d4-9045-7d5457f430a5
-version: 3
-date: '2025-01-20'
+version: 4
+date: '2025-05-02'
 author: Bryan Pluta, Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml b/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml
index 22e7cc700b..3c3eaa4b59 100644
--- a/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml
+++ b/detections/endpoint/mimikatz_passtheticket_commandline_parameters.yml
@@ -1,7 +1,7 @@
 name: Mimikatz PassTheTicket CommandLine Parameters
 id: 13bbd574-83ac-11ec-99d4-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml
index 39519c3105..39a168b94f 100644
--- a/detections/endpoint/mmc_lolbas_execution_process_spawn.yml
+++ b/detections/endpoint/mmc_lolbas_execution_process_spawn.yml
@@ -1,7 +1,7 @@
 name: Mmc LOLBAS Execution Process Spawn
 id: f6601940-4c74-11ec-b9b7-3e22fbd008af
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/modification_of_wallpaper.yml b/detections/endpoint/modification_of_wallpaper.yml
index 41c25f388b..ea05f5a463 100644
--- a/detections/endpoint/modification_of_wallpaper.yml
+++ b/detections/endpoint/modification_of_wallpaper.yml
@@ -1,7 +1,7 @@
 name: Modification Of Wallpaper
 id: accb0712-c381-11eb-8e5b-acde48001122
-version: 6
-date: '2025-03-27'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml
index 92dd79d8ec..32d238d288 100644
--- a/detections/endpoint/modify_acl_permission_to_files_or_folder.yml
+++ b/detections/endpoint/modify_acl_permission_to_files_or_folder.yml
@@ -1,7 +1,7 @@
 name: Modify ACL permission To Files Or Folder
 id: 7e8458cc-acca-11eb-9e3f-acde48001122
-version: 7
-date: '2024-12-16'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml
index be45e53c57..36b793aa25 100644
--- a/detections/endpoint/monitor_registry_keys_for_print_monitors.yml
+++ b/detections/endpoint/monitor_registry_keys_for_print_monitors.yml
@@ -1,7 +1,7 @@
 name: Monitor Registry Keys for Print Monitors
 id: f5f6af30-7ba7-4295-bfe9-07de87c01bbc
-version: 11
-date: '2025-02-10'
+version: 12
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick, Bhavin Patel
 status: production
 type: TTP
diff --git a/detections/endpoint/moveit_certificate_store_access_failure.yml b/detections/endpoint/moveit_certificate_store_access_failure.yml
index c37a366f9a..30701c61a7 100644
--- a/detections/endpoint/moveit_certificate_store_access_failure.yml
+++ b/detections/endpoint/moveit_certificate_store_access_failure.yml
@@ -1,7 +1,7 @@
 name: MOVEit Certificate Store Access Failure
 id: d61292d5-46e4-49ea-b23b-8049ea70b525
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source: []
 type: Hunting
diff --git a/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml b/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml
index 9c09f92946..10c1c0db7c 100644
--- a/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml
+++ b/detections/endpoint/moveit_empty_key_fingerprint_authentication_attempt.yml
@@ -1,7 +1,7 @@
 name: MOVEit Empty Key Fingerprint Authentication Attempt
 id: 1a537acc-199f-4713-b5d7-3d98c05ab932
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source: []
 type: Hunting
diff --git a/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml b/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml
index dff28e7dd0..ea2a3c89e8 100644
--- a/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml
+++ b/detections/endpoint/ms_exchange_mailbox_replication_service_writing_active_server_pages.yml
@@ -1,7 +1,7 @@
 name: MS Exchange Mailbox Replication service writing Active Server Pages
 id: 985f322c-57a5-11ec-b9ac-acde48001122
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml
index aaf14e117a..4bca793af9 100644
--- a/detections/endpoint/ms_scripting_process_loading_ldap_module.yml
+++ b/detections/endpoint/ms_scripting_process_loading_ldap_module.yml
@@ -1,7 +1,7 @@
 name: MS Scripting Process Loading Ldap Module
 id: 0b0c40dc-14a6-11ec-b267-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml
index 40670f9ec0..0d4c91e0de 100644
--- a/detections/endpoint/ms_scripting_process_loading_wmi_module.yml
+++ b/detections/endpoint/ms_scripting_process_loading_wmi_module.yml
@@ -1,7 +1,7 @@
 name: MS Scripting Process Loading WMI Module
 id: 2eba3d36-14a6-11ec-a682-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml
index 0c223d588f..10376c22b9 100644
--- a/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml
+++ b/detections/endpoint/msbuild_suspicious_spawned_by_script_process.yml
@@ -1,7 +1,7 @@
 name: MSBuild Suspicious Spawned By Script Process
 id: 213b3148-24ea-11ec-93a2-acde48001122
-version: 7
-date: '2025-04-16'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml
index 449ec9d965..206a789991 100644
--- a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml
+++ b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml
@@ -1,7 +1,7 @@
 name: Mshta spawning Rundll32 OR Regsvr32 Process
 id: 4aa5d062-e893-11eb-9eb2-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/msi_module_loaded_by_non_system_binary.yml b/detections/endpoint/msi_module_loaded_by_non_system_binary.yml
index c8d97e3776..40ad5cf03f 100644
--- a/detections/endpoint/msi_module_loaded_by_non_system_binary.yml
+++ b/detections/endpoint/msi_module_loaded_by_non_system_binary.yml
@@ -1,7 +1,7 @@
 name: MSI Module Loaded by Non-System Binary
 id: ccb98a66-5851-11ec-b91c-acde48001122
-version: 8
-date: '2025-04-22'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/msmpeng_application_dll_side_loading.yml b/detections/endpoint/msmpeng_application_dll_side_loading.yml
index 7ee1c1ab58..6f522f2a5d 100644
--- a/detections/endpoint/msmpeng_application_dll_side_loading.yml
+++ b/detections/endpoint/msmpeng_application_dll_side_loading.yml
@@ -1,7 +1,7 @@
 name: Msmpeng Application DLL Side Loading
 id: 8bb3f280-dd9b-11eb-84d5-acde48001122
-version: 9
-date: '2025-04-22'
+version: 10
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Sanjay Govind
 status: production
 type: TTP
diff --git a/detections/endpoint/net_profiler_uac_bypass.yml b/detections/endpoint/net_profiler_uac_bypass.yml
index 0afede05f4..433a591b4c 100644
--- a/detections/endpoint/net_profiler_uac_bypass.yml
+++ b/detections/endpoint/net_profiler_uac_bypass.yml
@@ -1,7 +1,7 @@
 name: NET Profiler UAC bypass
 id: 0252ca80-e30d-11eb-8aa3-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/network_connection_discovery_with_arp.yml b/detections/endpoint/network_connection_discovery_with_arp.yml
index fc92ddd34b..221933d0e3 100644
--- a/detections/endpoint/network_connection_discovery_with_arp.yml
+++ b/detections/endpoint/network_connection_discovery_with_arp.yml
@@ -1,7 +1,7 @@
 name: Network Connection Discovery With Arp
 id: ae008c0f-83bd-4ed4-9350-98d4328e15d2
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/network_connection_discovery_with_netstat.yml b/detections/endpoint/network_connection_discovery_with_netstat.yml
index 683094d465..771ed99fee 100644
--- a/detections/endpoint/network_connection_discovery_with_netstat.yml
+++ b/detections/endpoint/network_connection_discovery_with_netstat.yml
@@ -1,7 +1,7 @@
 name: Network Connection Discovery With Netstat
 id: 2cf5cc25-f39a-436d-a790-4857e5995ede
-version: '5'
-date: '2025-03-14'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/network_discovery_using_route_windows_app.yml b/detections/endpoint/network_discovery_using_route_windows_app.yml
index f989eebc23..896ef41313 100644
--- a/detections/endpoint/network_discovery_using_route_windows_app.yml
+++ b/detections/endpoint/network_discovery_using_route_windows_app.yml
@@ -1,7 +1,7 @@
 name: Network Discovery Using Route Windows App
 id: dd83407e-439f-11ec-ab8e-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/network_share_discovery_via_dir_command.yml b/detections/endpoint/network_share_discovery_via_dir_command.yml
index a087016641..372ba46dc9 100644
--- a/detections/endpoint/network_share_discovery_via_dir_command.yml
+++ b/detections/endpoint/network_share_discovery_via_dir_command.yml
@@ -1,7 +1,7 @@
 name: Network Share Discovery Via Dir Command
 id: dc1457d0-1d9b-422e-b5a7-db46c184d9aa
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml b/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml
index a5e2126587..7b330841e4 100644
--- a/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml
+++ b/detections/endpoint/network_traffic_to_active_directory_web_services_protocol.yml
@@ -1,7 +1,7 @@
 name: Network Traffic to Active Directory Web Services Protocol
 id: 68a0056c-34cb-455f-b03d-df935ea62c4f
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/nishang_powershelltcponeline.yml b/detections/endpoint/nishang_powershelltcponeline.yml
index f3b01ad08a..8cae1a0240 100644
--- a/detections/endpoint/nishang_powershelltcponeline.yml
+++ b/detections/endpoint/nishang_powershelltcponeline.yml
@@ -1,7 +1,7 @@
 name: Nishang PowershellTCPOneLine
 id: 1a382c6c-7c2e-11eb-ac69-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/nltest_domain_trust_discovery.yml b/detections/endpoint/nltest_domain_trust_discovery.yml
index fdc5b81ce6..b74fb72412 100644
--- a/detections/endpoint/nltest_domain_trust_discovery.yml
+++ b/detections/endpoint/nltest_domain_trust_discovery.yml
@@ -1,7 +1,7 @@
 name: NLTest Domain Trust Discovery
 id: c3e05466-5f22-11eb-ae93-0242ac130002
-version: '7'
-date: '2025-03-14'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
index fcc41a5bd0..020b0bf92b 100644
--- a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
+++ b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
@@ -1,7 +1,7 @@
 name: Non Chrome Process Accessing Chrome Default Dir
 id: 81263de4-160a-11ec-944f-acde48001122
-version: '9'
-date: '2025-03-19'
+version: 10
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
index ea7222e188..1537768279 100644
--- a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
+++ b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
@@ -1,7 +1,7 @@
 name: Non Firefox Process Access Firefox Profile Dir
 id: e6fc13b0-1609-11ec-b533-acde48001122
-version: '8'
-date: '2025-03-19'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/notepad_with_no_command_line_arguments.yml b/detections/endpoint/notepad_with_no_command_line_arguments.yml
index 50b50cb516..0eacb16c14 100644
--- a/detections/endpoint/notepad_with_no_command_line_arguments.yml
+++ b/detections/endpoint/notepad_with_no_command_line_arguments.yml
@@ -1,7 +1,7 @@
 name: Notepad with no Command Line Arguments
 id: 5adbc5f1-9a2f-41c1-a810-f37e015f8179
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 type: TTP
 status: production
diff --git a/detections/endpoint/ntdsutil_export_ntds.yml b/detections/endpoint/ntdsutil_export_ntds.yml
index be3661397e..0e6f0af6eb 100644
--- a/detections/endpoint/ntdsutil_export_ntds.yml
+++ b/detections/endpoint/ntdsutil_export_ntds.yml
@@ -1,7 +1,7 @@
 name: Ntdsutil Export NTDS
 id: da63bc76-61ae-11eb-ae93-0242ac130002
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml
index d55f428f53..0455936908 100644
--- a/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml
+++ b/detections/endpoint/outbound_network_connection_from_java_using_default_ports.yml
@@ -1,7 +1,7 @@
 name: Outbound Network Connection from Java Using Default Ports
 id: d2c14d28-5c47-11ec-9892-acde48001122
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Lou Stella, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/overwriting_accessibility_binaries.yml b/detections/endpoint/overwriting_accessibility_binaries.yml
index 1b79e8350a..8197eaa903 100644
--- a/detections/endpoint/overwriting_accessibility_binaries.yml
+++ b/detections/endpoint/overwriting_accessibility_binaries.yml
@@ -1,7 +1,7 @@
 name: Overwriting Accessibility Binaries
 id: 13c2f6c3-10c5-4deb-9ba1-7c4460ebe4ae
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml b/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml
index b028cdc825..e29ede304b 100644
--- a/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml
+++ b/detections/endpoint/papercut_ng_suspicious_behavior_debug_log.yml
@@ -1,7 +1,7 @@
 name: PaperCut NG Suspicious Behavior Debug Log
 id: 395163b8-689b-444b-86c7-9fe9ad624734
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: experimental
 type: Hunting
diff --git a/detections/endpoint/permission_modification_using_takeown_app.yml b/detections/endpoint/permission_modification_using_takeown_app.yml
index 72777577dd..26a5025aef 100644
--- a/detections/endpoint/permission_modification_using_takeown_app.yml
+++ b/detections/endpoint/permission_modification_using_takeown_app.yml
@@ -1,7 +1,7 @@
 name: Permission Modification using Takeown App
 id: fa7ca5c6-c9d8-11eb-bce9-acde48001122
-version: 6
-date: '2025-01-27'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/petitpotam_network_share_access_request.yml b/detections/endpoint/petitpotam_network_share_access_request.yml
index 570cd8997d..cc3cac00b3 100644
--- a/detections/endpoint/petitpotam_network_share_access_request.yml
+++ b/detections/endpoint/petitpotam_network_share_access_request.yml
@@ -1,7 +1,7 @@
 name: PetitPotam Network Share Access Request
 id: 95b8061a-0a67-11ec-85ec-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml b/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
index a871ceeb31..3889738e3a 100644
--- a/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
+++ b/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml
@@ -1,7 +1,7 @@
 name: PetitPotam Suspicious Kerberos TGT Request
 id: e3ef244e-0a67-11ec-abf2-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/ping_sleep_batch_command.yml b/detections/endpoint/ping_sleep_batch_command.yml
index 1c7af51e61..b25ff7064b 100644
--- a/detections/endpoint/ping_sleep_batch_command.yml
+++ b/detections/endpoint/ping_sleep_batch_command.yml
@@ -1,7 +1,7 @@
 name: Ping Sleep Batch Command
 id: ce058d6c-79f2-11ec-b476-acde48001122
-version: 8
-date: '2025-02-19'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/possible_browser_pass_view_parameter.yml b/detections/endpoint/possible_browser_pass_view_parameter.yml
index ea362d0785..a4f64e4dcd 100644
--- a/detections/endpoint/possible_browser_pass_view_parameter.yml
+++ b/detections/endpoint/possible_browser_pass_view_parameter.yml
@@ -1,7 +1,7 @@
 name: Possible Browser Pass View Parameter
 id: 8ba484e8-4b97-11ec-b19a-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml
index d806def4f4..076de8b6ba 100644
--- a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml
+++ b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml
@@ -1,7 +1,7 @@
 name: Possible Lateral Movement PowerShell Spawn
 id: cb909b3e-512b-11ec-aa31-3e22fbd008af
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Mauricio Velazco, Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/potential_password_in_username.yml b/detections/endpoint/potential_password_in_username.yml
index cac9f26b90..447ae66621 100644
--- a/detections/endpoint/potential_password_in_username.yml
+++ b/detections/endpoint/potential_password_in_username.yml
@@ -1,7 +1,7 @@
 name: Potential password in username
 id: 5ced34b4-ab32-4bb0-8f22-3b8f186f0a38
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-05-02'
 author: Mikael Bjerkeland, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/potential_system_network_configuration_discovery_activity.yml b/detections/endpoint/potential_system_network_configuration_discovery_activity.yml
index 78d008a2ef..757bd7a6a7 100644
--- a/detections/endpoint/potential_system_network_configuration_discovery_activity.yml
+++ b/detections/endpoint/potential_system_network_configuration_discovery_activity.yml
@@ -1,7 +1,7 @@
 name: Potential System Network Configuration Discovery Activity
 id: 3f0b95e3-3195-46ac-bea3-84fb59e7fac5
-version: 3
-date: '2025-01-20'
+version: 4
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/potential_telegram_api_request_via_commandline.yml b/detections/endpoint/potential_telegram_api_request_via_commandline.yml
index a187136d1f..29cfc15bc1 100644
--- a/detections/endpoint/potential_telegram_api_request_via_commandline.yml
+++ b/detections/endpoint/potential_telegram_api_request_via_commandline.yml
@@ -1,7 +1,7 @@
 name: Potential Telegram API Request Via CommandLine
 id: d6b0d627-d0bf-46b1-936f-c48284767d21
-version: 3
-date: '2025-04-22'
+version: 4
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk, Zaki Zarkasih Al Mustafa
 status: production
 type: Anomaly
diff --git a/detections/endpoint/potentially_malicious_code_on_commandline.yml b/detections/endpoint/potentially_malicious_code_on_commandline.yml
index 554e460501..a3e8f8d010 100644
--- a/detections/endpoint/potentially_malicious_code_on_commandline.yml
+++ b/detections/endpoint/potentially_malicious_code_on_commandline.yml
@@ -1,7 +1,7 @@
 name: Potentially malicious code on commandline
 id: 9c53c446-757e-11ec-871d-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Hart, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml
index d710231880..41d3966331 100644
--- a/detections/endpoint/powershell_4104_hunting.yml
+++ b/detections/endpoint/powershell_4104_hunting.yml
@@ -1,7 +1,7 @@
 name: PowerShell 4104 Hunting
 id: d6f2b006-0041-11ec-8885-acde48001122
-version: 15
-date: '2025-04-22'
+version: 16
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml b/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml
index cc90b20183..1a11c03693 100644
--- a/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml
+++ b/detections/endpoint/powershell___connect_to_internet_with_hidden_window.yml
@@ -1,7 +1,7 @@
 name: PowerShell - Connect To Internet With Hidden Window
 id: ee18ed37-0802-4268-9435-b3b91aaa18db
-version: 13
-date: '2025-02-10'
+version: 14
+date: '2025-05-02'
 author: David Dorsey, Michael Haag Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml b/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml
index 5a5d90d30a..fc0487e6c1 100644
--- a/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml
+++ b/detections/endpoint/powershell_com_hijacking_inprocserver32_modification.yml
@@ -1,7 +1,7 @@
 name: Powershell COM Hijacking InprocServer32 Modification
 id: ea61e291-af05-4716-932a-67faddb6ae6f
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/powershell_creating_thread_mutex.yml b/detections/endpoint/powershell_creating_thread_mutex.yml
index 8950bff300..df115a5e4b 100644
--- a/detections/endpoint/powershell_creating_thread_mutex.yml
+++ b/detections/endpoint/powershell_creating_thread_mutex.yml
@@ -1,7 +1,7 @@
 name: Powershell Creating Thread Mutex
 id: 637557ec-ca08-11eb-bd0a-acde48001122
-version: 9
-date: '2025-04-22'
+version: 10
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/powershell_disable_security_monitoring.yml b/detections/endpoint/powershell_disable_security_monitoring.yml
index 0370522a12..a4310daf82 100644
--- a/detections/endpoint/powershell_disable_security_monitoring.yml
+++ b/detections/endpoint/powershell_disable_security_monitoring.yml
@@ -1,7 +1,7 @@
 name: Powershell Disable Security Monitoring
 id: c148a894-dd93-11eb-bf2a-acde48001122
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/powershell_domain_enumeration.yml b/detections/endpoint/powershell_domain_enumeration.yml
index b48ee66e5d..6eb81b323c 100644
--- a/detections/endpoint/powershell_domain_enumeration.yml
+++ b/detections/endpoint/powershell_domain_enumeration.yml
@@ -1,7 +1,7 @@
 name: PowerShell Domain Enumeration
 id: e1866ce2-ca22-11eb-8e44-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/powershell_enable_powershell_remoting.yml b/detections/endpoint/powershell_enable_powershell_remoting.yml
index 0ec68cb2db..eeccc6ce17 100644
--- a/detections/endpoint/powershell_enable_powershell_remoting.yml
+++ b/detections/endpoint/powershell_enable_powershell_remoting.yml
@@ -1,7 +1,7 @@
 name: PowerShell Enable PowerShell Remoting
 id: 40e3b299-19a5-4460-96e9-e1467f714f8e
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 type: Anomaly
 status: production
diff --git a/detections/endpoint/powershell_enable_smb1protocol_feature.yml b/detections/endpoint/powershell_enable_smb1protocol_feature.yml
index ea353777dc..8253882591 100644
--- a/detections/endpoint/powershell_enable_smb1protocol_feature.yml
+++ b/detections/endpoint/powershell_enable_smb1protocol_feature.yml
@@ -1,7 +1,7 @@
 name: Powershell Enable SMB1Protocol Feature
 id: afed80b2-d34b-11eb-a952-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/powershell_execute_com_object.yml b/detections/endpoint/powershell_execute_com_object.yml
index 598976ff70..07a6ea050d 100644
--- a/detections/endpoint/powershell_execute_com_object.yml
+++ b/detections/endpoint/powershell_execute_com_object.yml
@@ -1,7 +1,7 @@
 name: Powershell Execute COM Object
 id: 65711630-f9bf-11eb-8d72-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml b/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml
index bb1d4edc93..aafab40a97 100644
--- a/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml
+++ b/detections/endpoint/powershell_fileless_process_injection_via_getprocaddress.yml
@@ -1,7 +1,7 @@
 name: Powershell Fileless Process Injection via GetProcAddress
 id: a26d9db4-c883-11eb-9d75-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
index 3d556020ad..e92ecc3068 100644
--- a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
+++ b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
@@ -1,7 +1,7 @@
 name: Powershell Fileless Script Contains Base64 Encoded Content
 id: 8acbc04c-c882-11eb-b060-acde48001122
-version: '8'
-date: '2025-03-14'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/powershell_get_localgroup_discovery.yml b/detections/endpoint/powershell_get_localgroup_discovery.yml
index 7e642a7809..ec14fa98ed 100644
--- a/detections/endpoint/powershell_get_localgroup_discovery.yml
+++ b/detections/endpoint/powershell_get_localgroup_discovery.yml
@@ -1,7 +1,7 @@
 name: PowerShell Get LocalGroup Discovery
 id: b71adfcc-155b-11ec-9413-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml b/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml
index 09df1147d8..4f6ce48900 100644
--- a/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml
+++ b/detections/endpoint/powershell_get_localgroup_discovery_with_script_block_logging.yml
@@ -1,7 +1,7 @@
 name: Powershell Get LocalGroup Discovery with Script Block Logging
 id: d7c6ad22-155c-11ec-bb64-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml b/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml
index 78bcb66712..297eb8e5ec 100644
--- a/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml
+++ b/detections/endpoint/powershell_invoke_cimmethod_cimsession.yml
@@ -1,7 +1,7 @@
 name: PowerShell Invoke CIMMethod CIMSession
 id: 651ee958-a433-471c-b264-39725b788b83
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 type: Anomaly
 status: production
diff --git a/detections/endpoint/powershell_invoke_wmiexec_usage.yml b/detections/endpoint/powershell_invoke_wmiexec_usage.yml
index 35a9141570..412da81f33 100644
--- a/detections/endpoint/powershell_invoke_wmiexec_usage.yml
+++ b/detections/endpoint/powershell_invoke_wmiexec_usage.yml
@@ -1,7 +1,7 @@
 name: PowerShell Invoke WmiExec Usage
 id: 0734bd21-2769-4972-a5f1-78bb1e011224
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 type: TTP
 status: production
diff --git a/detections/endpoint/powershell_load_module_in_meterpreter.yml b/detections/endpoint/powershell_load_module_in_meterpreter.yml
index de997dba6b..88c714886a 100644
--- a/detections/endpoint/powershell_load_module_in_meterpreter.yml
+++ b/detections/endpoint/powershell_load_module_in_meterpreter.yml
@@ -1,7 +1,7 @@
 name: Powershell Load Module in Meterpreter
 id: d5905da5-d050-48db-9259-018d8f034fcf
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
index 547fb3ab23..0108f57425 100644
--- a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
+++ b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
@@ -1,7 +1,7 @@
 name: PowerShell Loading DotNET into Memory via Reflection
 id: 85bc3f30-ca28-11eb-bd21-acde48001122
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/powershell_processing_stream_of_data.yml b/detections/endpoint/powershell_processing_stream_of_data.yml
index 0757f0f1ee..ef03410d12 100644
--- a/detections/endpoint/powershell_processing_stream_of_data.yml
+++ b/detections/endpoint/powershell_processing_stream_of_data.yml
@@ -1,7 +1,7 @@
 name: Powershell Processing Stream Of Data
 id: 0d718b52-c9f1-11eb-bc61-acde48001122
-version: '9'
-date: '2025-03-14'
+version: 10
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/powershell_remote_services_add_trustedhost.yml b/detections/endpoint/powershell_remote_services_add_trustedhost.yml
index 14d0a34dc0..655409bf73 100644
--- a/detections/endpoint/powershell_remote_services_add_trustedhost.yml
+++ b/detections/endpoint/powershell_remote_services_add_trustedhost.yml
@@ -1,7 +1,7 @@
 name: Powershell Remote Services Add TrustedHost
 id: bef21d24-297e-45e3-9b9a-c6ac45450474
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml b/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml
index d41f5d4154..d22290571e 100644
--- a/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml
+++ b/detections/endpoint/powershell_remote_thread_to_known_windows_process.yml
@@ -1,7 +1,7 @@
 name: Powershell Remote Thread To Known Windows Process
 id: ec102cb2-a0f5-11eb-9b38-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/powershell_remove_windows_defender_directory.yml b/detections/endpoint/powershell_remove_windows_defender_directory.yml
index 970833a272..80480d65e9 100644
--- a/detections/endpoint/powershell_remove_windows_defender_directory.yml
+++ b/detections/endpoint/powershell_remove_windows_defender_directory.yml
@@ -1,7 +1,7 @@
 name: Powershell Remove Windows Defender Directory
 id: adf47620-79fa-11ec-b248-acde48001122
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/powershell_script_block_with_url_chain.yml b/detections/endpoint/powershell_script_block_with_url_chain.yml
index 2621147270..424fd10311 100644
--- a/detections/endpoint/powershell_script_block_with_url_chain.yml
+++ b/detections/endpoint/powershell_script_block_with_url_chain.yml
@@ -1,7 +1,7 @@
 name: PowerShell Script Block With URL Chain
 id: 4a3f2a7d-6402-4e64-a76a-869588ec3b57
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/powershell_start_bitstransfer.yml b/detections/endpoint/powershell_start_bitstransfer.yml
index 0fddbd5186..37353c7279 100644
--- a/detections/endpoint/powershell_start_bitstransfer.yml
+++ b/detections/endpoint/powershell_start_bitstransfer.yml
@@ -1,7 +1,7 @@
 name: PowerShell Start-BitsTransfer
 id: 39e2605a-90d8-11eb-899e-acde48001122
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/powershell_start_or_stop_service.yml b/detections/endpoint/powershell_start_or_stop_service.yml
index b9a189f016..d9cbcd1630 100644
--- a/detections/endpoint/powershell_start_or_stop_service.yml
+++ b/detections/endpoint/powershell_start_or_stop_service.yml
@@ -1,7 +1,7 @@
 name: PowerShell Start or Stop Service
 id: 04207f8a-e08d-4ee6-be26-1e0c4488b04a
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 type: Anomaly
 status: production
diff --git a/detections/endpoint/powershell_using_memory_as_backing_store.yml b/detections/endpoint/powershell_using_memory_as_backing_store.yml
index b1aa89a1b1..1edacaf9bb 100644
--- a/detections/endpoint/powershell_using_memory_as_backing_store.yml
+++ b/detections/endpoint/powershell_using_memory_as_backing_store.yml
@@ -1,7 +1,7 @@
 name: Powershell Using memory As Backing Store
 id: c396a0c4-c9f2-11eb-b4f5-acde48001122
-version: '7'
-date: '2025-03-14'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/powershell_webrequest_using_memory_stream.yml b/detections/endpoint/powershell_webrequest_using_memory_stream.yml
index fd1805101b..ab181ddcae 100644
--- a/detections/endpoint/powershell_webrequest_using_memory_stream.yml
+++ b/detections/endpoint/powershell_webrequest_using_memory_stream.yml
@@ -1,7 +1,7 @@
 name: PowerShell WebRequest Using Memory Stream
 id: 103affa6-924a-4b53-aff4-1d5075342aab
-version: '5'
-date: '2025-03-14'
+version: 6
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml
index d33847597f..618d8d0481 100644
--- a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml
+++ b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml
@@ -1,7 +1,7 @@
 name: Powershell Windows Defender Exclusion Commands
 id: 907ac95c-4dd9-11ec-ba2c-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml b/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml
index 2635bea612..0defddddef 100644
--- a/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml
+++ b/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml
@@ -1,7 +1,7 @@
 name: Prevent Automatic Repair Mode using Bcdedit
 id: 7742aa92-c9d9-11eb-bbfc-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/print_processor_registry_autostart.yml b/detections/endpoint/print_processor_registry_autostart.yml
index c545f531cf..24d9a6e637 100644
--- a/detections/endpoint/print_processor_registry_autostart.yml
+++ b/detections/endpoint/print_processor_registry_autostart.yml
@@ -1,7 +1,7 @@
 name: Print Processor Registry Autostart
 id: 1f5b68aa-2037-11ec-898e-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: experimental
 type: TTP
@@ -60,6 +60,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/1f5b68aa-2037-11ec-898e-acde48001122.txt
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1547.012/print_reg/sysmon_print.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/print_spooler_adding_a_printer_driver.yml b/detections/endpoint/print_spooler_adding_a_printer_driver.yml
index 3f642c1daf..1785dae589 100644
--- a/detections/endpoint/print_spooler_adding_a_printer_driver.yml
+++ b/detections/endpoint/print_spooler_adding_a_printer_driver.yml
@@ -1,7 +1,7 @@
 name: Print Spooler Adding A Printer Driver
 id: 313681a2-da8e-11eb-adad-acde48001122
-version: '6'
-date: '2025-03-03'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml
index 505ec33faf..924db0db59 100644
--- a/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml
+++ b/detections/endpoint/print_spooler_failed_to_load_a_plug_in.yml
@@ -1,7 +1,7 @@
 name: Print Spooler Failed to Load a Plug-in
 id: 1adc9548-da7c-11eb-8f13-acde48001122
-version: '6'
-date: '2025-03-03'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Michael Haag, Splunk
 status: production
 type: TTP
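Review bot: The new `data:` URL in the `@@ -60,6 +60,6 @@` hunk of print_processor_registry_autostart.yml still fetches the fixture from the `master` branch of the attack_data repository, so the sample the True Positive Test replays can change after this commit without any corresponding bump of `version: 8` here; the replaced line had the same weakness, but the dataset move is the natural moment to address it. If the project's test tooling accepts it, pin the fetch to a commit, e.g. `- data: https://media.githubusercontent.com/media/splunk/attack_data/<COMMIT_SHA>/datasets/attack_techniques/T1547.012/print_reg/sysmon_print.log` (placeholder), or record an expected checksum alongside `source:`/`sourcetype:` so the detection version and its fixture stay tied together. Nothing visible in the diff confirms that `sysmon_print.log` exists at the new path, so a CI step that resolves each `data:` URL before merge would catch a typo in the relocated reference.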
diff --git a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml
index f1f6ab9ab4..43114bf432 100644
--- a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml
+++ b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml
@@ -1,7 +1,7 @@
 name: Process Creating LNK file in Suspicious Location
 id: 5d814af1-1041-47b5-a9ac-d754e82e9a26
-version: 11
-date: '2025-02-10'
+version: 12
+date: '2025-05-02'
 author: Jose Hernandez, Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/process_deleting_its_process_file_path.yml b/detections/endpoint/process_deleting_its_process_file_path.yml
index c8b0c758f7..f97ad0f042 100644
--- a/detections/endpoint/process_deleting_its_process_file_path.yml
+++ b/detections/endpoint/process_deleting_its_process_file_path.yml
@@ -1,7 +1,7 @@
 name: Process Deleting Its Process File Path
 id: f7eda4bc-871c-11eb-b110-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras
 status: production
 type: TTP
diff --git a/detections/endpoint/process_execution_via_wmi.yml b/detections/endpoint/process_execution_via_wmi.yml
index da336be457..df4aca73ef 100644
--- a/detections/endpoint/process_execution_via_wmi.yml
+++ b/detections/endpoint/process_execution_via_wmi.yml
@@ -1,7 +1,7 @@
 name: Process Execution via WMI
 id: 24869767-8579-485d-9a4f-d9ddfd8f0cac
-version: 9
-date: '2024-11-13'
+version: 10
+date: '2025-05-02'
 author: Rico Valdez, Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/process_kill_base_on_file_path.yml b/detections/endpoint/process_kill_base_on_file_path.yml
index 290e6fa2d4..de49573511 100644
--- a/detections/endpoint/process_kill_base_on_file_path.yml
+++ b/detections/endpoint/process_kill_base_on_file_path.yml
@@ -1,7 +1,7 @@
 name: Process Kill Base On File Path
 id: 5ffaa42c-acdb-11eb-9ad3-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/process_writing_dynamicwrapperx.yml b/detections/endpoint/process_writing_dynamicwrapperx.yml
index 94ee9d47de..84460c5bfb 100644
--- a/detections/endpoint/process_writing_dynamicwrapperx.yml
+++ b/detections/endpoint/process_writing_dynamicwrapperx.yml
@@ -1,7 +1,7 @@
 name: Process Writing DynamicWrapperX
 id: b0a078e4-2601-11ec-9aec-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/processes_launching_netsh.yml b/detections/endpoint/processes_launching_netsh.yml
index b5228dcfb5..6461216487 100644
--- a/detections/endpoint/processes_launching_netsh.yml
+++ b/detections/endpoint/processes_launching_netsh.yml
@@ -1,7 +1,7 @@
 name: Processes launching netsh
 id: b89919ed-fe5f-492c-b139-95dbb162040e
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Josef Kuepker, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/processes_tapping_keyboard_events.yml b/detections/endpoint/processes_tapping_keyboard_events.yml
index 718d164344..aca5d82d48 100644
--- a/detections/endpoint/processes_tapping_keyboard_events.yml
+++ b/detections/endpoint/processes_tapping_keyboard_events.yml
@@ -1,7 +1,7 @@
 name: Processes Tapping Keyboard Events
 id: 2a371608-331d-4034-ae2c-21dda8f1d0ec
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Jose Hernandez, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/randomly_generated_scheduled_task_name.yml b/detections/endpoint/randomly_generated_scheduled_task_name.yml
index d54a781091..2f89bea7e5 100644
--- a/detections/endpoint/randomly_generated_scheduled_task_name.yml
+++ b/detections/endpoint/randomly_generated_scheduled_task_name.yml
@@ -1,7 +1,7 @@
 name: Randomly Generated Scheduled Task Name
 id: 9d22a780-5165-11ec-ad4f-3e22fbd008af
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: experimental
 type: Hunting
diff --git a/detections/endpoint/randomly_generated_windows_service_name.yml b/detections/endpoint/randomly_generated_windows_service_name.yml
index eac52741ca..fd7305e0a3 100644
--- a/detections/endpoint/randomly_generated_windows_service_name.yml
+++ b/detections/endpoint/randomly_generated_windows_service_name.yml
@@ -1,7 +1,7 @@
 name: Randomly Generated Windows Service Name
 id: 2032a95a-5165-11ec-a2c3-3e22fbd008af
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: experimental
 type: Hunting
diff --git a/detections/endpoint/ransomware_notes_bulk_creation.yml b/detections/endpoint/ransomware_notes_bulk_creation.yml
index 668b0ed105..5ebcf9a1eb 100644
--- a/detections/endpoint/ransomware_notes_bulk_creation.yml
+++ b/detections/endpoint/ransomware_notes_bulk_creation.yml
@@ -1,7 +1,7 @@
 name: Ransomware Notes bulk creation
 id: eff7919a-8330-11eb-83f8-acde48001122
-version: 8
-date: '2025-04-18'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml
index 2f0e88c9a0..e6e440ca38 100644
--- a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml
+++ b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml
@@ -1,7 +1,7 @@
 name: Recon AVProduct Through Pwh or WMI
 id: 28077620-c9f6-11eb-8785-acde48001122
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/recon_using_wmi_class.yml b/detections/endpoint/recon_using_wmi_class.yml
index ba16fc76ea..4ec4fb9628 100644
--- a/detections/endpoint/recon_using_wmi_class.yml
+++ b/detections/endpoint/recon_using_wmi_class.yml
@@ -1,7 +1,7 @@
 name: Recon Using WMI Class
 id: 018c1972-ca07-11eb-9473-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml
index 2015337a39..999e660557 100644
--- a/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml
+++ b/detections/endpoint/recursive_delete_of_directory_in_batch_cmd.yml
@@ -1,7 +1,7 @@
 name: Recursive Delete of Directory In Batch CMD
 id: ba570b3a-d356-11eb-8358-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml
index 4a64b1a04b..c4c3428891 100644
--- a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml
+++ b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml
@@ -1,7 +1,7 @@
 name: Reg exe Manipulating Windows Services Registry Keys
 id: 8470d755-0c13-45b3-bd63-387a373c10cf
-version: 11
-date: '2025-02-10'
+version: 12
+date: '2025-05-02'
 author: Rico Valdez, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/registry_keys_for_creating_shim_databases.yml b/detections/endpoint/registry_keys_for_creating_shim_databases.yml
index 4f63116db3..eb215c7959 100644
--- a/detections/endpoint/registry_keys_for_creating_shim_databases.yml
+++ b/detections/endpoint/registry_keys_for_creating_shim_databases.yml
@@ -1,7 +1,7 @@
 name: Registry Keys for Creating SHIM Databases
 id: f5f6af30-7aa7-4295-bfe9-07fe87c01bbb
-version: 13
-date: '2025-02-10'
+version: 14
+date: '2025-05-02'
 author: Patrick Bareiss, Teoderick Contreras, Splunk, Steven Dick, Bhavin Patel
 status: production
 type: TTP
diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml
index 97062f7bb8..92fe23d00e 100644
--- a/detections/endpoint/registry_keys_used_for_persistence.yml
+++ b/detections/endpoint/registry_keys_used_for_persistence.yml
@@ -1,7 +1,7 @@
 name: Registry Keys Used For Persistence
 id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b
-version: 20
-date: '2025-04-18'
+version: 21
+date: '2025-05-02'
 author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml
index 8d384b1b5d..10a7127f31 100644
--- a/detections/endpoint/registry_keys_used_for_privilege_escalation.yml
+++ b/detections/endpoint/registry_keys_used_for_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Registry Keys Used For Privilege Escalation
 id: c9f4b923-f8af-4155-b697-1354f5bcbc5e
-version: 13
-date: '2025-02-10'
+version: 14
+date: '2025-05-02'
 author: David Dorsey, Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
index 1a66fdb18d..b3f1c94f55 100644
--- a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
+++ b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
@@ -1,7 +1,7 @@
 name: Regsvr32 Silent and Install Param Dll Loading
 id: f421c250-24e7-11ec-bc43-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
index 2f3f9bba02..4a31c9dcd1 100644
--- a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
+++ b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
@@ -1,7 +1,7 @@
 name: Regsvr32 with Known Silent Switch Cmdline
 id: c9ef7dc4-eeaf-11eb-b2b6-acde48001122
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/remcos_client_registry_install_entry.yml b/detections/endpoint/remcos_client_registry_install_entry.yml
index d2990b0d4e..3db70c3718 100644
--- a/detections/endpoint/remcos_client_registry_install_entry.yml
+++ b/detections/endpoint/remcos_client_registry_install_entry.yml
@@ -1,7 +1,7 @@
 name: Remcos client registry install entry
 id: f2a1615a-1d63-11ec-97d2-acde48001122
-version: 8
-date: '2025-04-22'
+version: 9
+date: '2025-05-02'
 author: Steven Dick, Bhavin Patel, Rod Soto, Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml b/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml
index 7a7f557604..9502ff953b 100644
--- a/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml
+++ b/detections/endpoint/remcos_rat_file_creation_in_remcos_folder.yml
@@ -1,7 +1,7 @@
 name: Remcos RAT File Creation in Remcos Folder
 id: 25ae862a-1ac3-11ec-94a1-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Sanjay Govind
 status: production
 type: TTP
diff --git a/detections/endpoint/remote_desktop_process_running_on_system.yml b/detections/endpoint/remote_desktop_process_running_on_system.yml
index 93c90ca2d7..54eeef15f3 100644
--- a/detections/endpoint/remote_desktop_process_running_on_system.yml
+++ b/detections/endpoint/remote_desktop_process_running_on_system.yml
@@ -1,7 +1,7 @@
 name: Remote Desktop Process Running On System
 id: f5939373-8054-40ad-8c64-cec478a22a4a
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: experimental
 type: Hunting
diff --git a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml
index 7d41132bc8..12aa7b0d31 100644
--- a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml
+++ b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell.yml
@@ -1,7 +1,7 @@
 name: Remote Process Instantiation via DCOM and PowerShell
 id: d4f42098-4680-11ec-ad07-3e22fbd008af
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml
index fe73976a20..24c4af6fba 100644
--- a/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml
+++ b/detections/endpoint/remote_process_instantiation_via_dcom_and_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: Remote Process Instantiation via DCOM and PowerShell Script Block
 id: fa1c3040-4680-11ec-a618-3e22fbd008af
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml
index 882dded535..2dc346685b 100644
--- a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml
+++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell.yml
@@ -1,7 +1,7 @@
 name: Remote Process Instantiation via WinRM and PowerShell
 id: ba24cda8-4716-11ec-8009-3e22fbd008af
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml
index 834d32b394..ada2de649f 100644
--- a/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml
+++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: Remote Process Instantiation via WinRM and PowerShell Script Block
 id: 7d4c618e-4716-11ec-951c-3e22fbd008af
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml
index 3843b4f62b..13c0ad00b1 100644
--- a/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml
+++ b/detections/endpoint/remote_process_instantiation_via_winrm_and_winrs.yml
@@ -1,7 +1,7 @@
 name: Remote Process Instantiation via WinRM and Winrs
 id: 0dd296a2-4338-11ec-ba02-3e22fbd008af
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/remote_process_instantiation_via_wmi.yml b/detections/endpoint/remote_process_instantiation_via_wmi.yml
index e6815e33c7..3f5e6866ee 100644
--- a/detections/endpoint/remote_process_instantiation_via_wmi.yml
+++ b/detections/endpoint/remote_process_instantiation_via_wmi.yml
@@ -1,7 +1,7 @@
 name: Remote Process Instantiation via WMI
 id: d25d2c3d-d9d8-40ec-8fdf-e86fe155a3da
-version: '13'
-date: '2025-03-27'
+version: 14
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml
index 384c412a26..f901eaedb7 100644
--- a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml
+++ b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell.yml
@@ -1,7 +1,7 @@
 name: Remote Process Instantiation via WMI and PowerShell
 id: 112638b4-4634-11ec-b9ab-3e22fbd008af
-version: 15
-date: '2025-03-27'
+version: 16
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml
index 830f6215c6..71ba1485eb 100644
--- a/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml
+++ b/detections/endpoint/remote_process_instantiation_via_wmi_and_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: Remote Process Instantiation via WMI and PowerShell Script Block
 id: 2a048c14-4634-11ec-a618-3e22fbd008af
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/remote_system_discovery_with_adsisearcher.yml b/detections/endpoint/remote_system_discovery_with_adsisearcher.yml
index 0420c5905e..5b44073235 100644
--- a/detections/endpoint/remote_system_discovery_with_adsisearcher.yml
+++ b/detections/endpoint/remote_system_discovery_with_adsisearcher.yml
@@ -1,7 +1,7 @@
 name: Remote System Discovery with Adsisearcher
 id: 70803451-0047-4e12-9d63-77fa7eb8649c
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/remote_system_discovery_with_dsquery.yml b/detections/endpoint/remote_system_discovery_with_dsquery.yml
index b5f44152e8..ce773d8676 100644
--- a/detections/endpoint/remote_system_discovery_with_dsquery.yml
+++ b/detections/endpoint/remote_system_discovery_with_dsquery.yml
@@ -1,7 +1,7 @@
 name: Remote System Discovery with Dsquery
 id: 9fb562f4-42f8-4139-8e11-a82edf7ed718
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/remote_system_discovery_with_wmic.yml b/detections/endpoint/remote_system_discovery_with_wmic.yml
index 678659757f..a37a42e73d 100644
--- a/detections/endpoint/remote_system_discovery_with_wmic.yml
+++ b/detections/endpoint/remote_system_discovery_with_wmic.yml
@@ -1,7 +1,7 @@
 name: Remote System Discovery with Wmic
 id: d82eced3-b1dc-42ab-859e-a2fc98827359
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/remote_wmi_command_attempt.yml b/detections/endpoint/remote_wmi_command_attempt.yml
index 349c713ebd..02a821ea67 100644
--- a/detections/endpoint/remote_wmi_command_attempt.yml
+++ b/detections/endpoint/remote_wmi_command_attempt.yml
@@ -1,7 +1,7 @@
 name: Remote WMI Command Attempt
 id: 272df6de-61f1-4784-877c-1fbc3e2d0838
-version: 8
-date: '2024-11-13'
+version: 9
+date: '2025-05-02'
 author: Rico Valdez, Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/resize_shadowstorage_volume.yml b/detections/endpoint/resize_shadowstorage_volume.yml
index e3f82d7458..69bb68bb7b 100644
--- a/detections/endpoint/resize_shadowstorage_volume.yml
+++ b/detections/endpoint/resize_shadowstorage_volume.yml
@@ -1,7 +1,7 @@
 name: Resize ShadowStorage volume
 id: bc760ca6-8336-11eb-bcbb-acde48001122
-version: 6
-date: '2025-03-25'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras
 status: production
 type: TTP
diff --git a/detections/endpoint/revil_common_exec_parameter.yml b/detections/endpoint/revil_common_exec_parameter.yml
index 1f9592d34a..4eec16b613 100644
--- a/detections/endpoint/revil_common_exec_parameter.yml
+++ b/detections/endpoint/revil_common_exec_parameter.yml
@@ -1,7 +1,7 @@
 name: Revil Common Exec Parameter
 id: 85facebe-c382-11eb-9c3e-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/revil_registry_entry.yml b/detections/endpoint/revil_registry_entry.yml
index ab85a04276..48cb6c0f9a 100644
--- a/detections/endpoint/revil_registry_entry.yml
+++ b/detections/endpoint/revil_registry_entry.yml
@@ -1,7 +1,7 @@
 name: Revil Registry Entry
 id: e3d3f57a-c381-11eb-9e35-acde48001122
-version: 8
-date: '2025-04-22'
+version: 9
+date: '2025-05-02'
 author: Steven Dick, Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/rubeus_command_line_parameters.yml b/detections/endpoint/rubeus_command_line_parameters.yml
index 997c6be4be..02f2b6d836 100644
--- a/detections/endpoint/rubeus_command_line_parameters.yml
+++ b/detections/endpoint/rubeus_command_line_parameters.yml
@@ -1,7 +1,7 @@
 name: Rubeus Command Line Parameters
 id: cca37478-8377-11ec-b59a-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml
index 2994bb7ba7..c0861ac47a 100644
--- a/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml
+++ b/detections/endpoint/rubeus_kerberos_ticket_exports_through_winlogon_access.yml
@@ -1,7 +1,7 @@
 name: Rubeus Kerberos Ticket Exports Through Winlogon Access
 id: 5ed8c50a-8869-11ec-876f-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/runas_execution_in_commandline.yml b/detections/endpoint/runas_execution_in_commandline.yml
index 69a09ff757..627cc91d88 100644
--- a/detections/endpoint/runas_execution_in_commandline.yml
+++ b/detections/endpoint/runas_execution_in_commandline.yml
@@ -1,7 +1,7 @@
 name: Runas Execution in CommandLine
 id: 4807e716-43a4-11ec-a0e7-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/rundll32_control_rundll_hunt.yml b/detections/endpoint/rundll32_control_rundll_hunt.yml
index d9743f4a1f..73c22a3d57 100644
--- a/detections/endpoint/rundll32_control_rundll_hunt.yml
+++ b/detections/endpoint/rundll32_control_rundll_hunt.yml
@@ -1,7 +1,7 @@
 name: Rundll32 Control RunDLL Hunt
 id: c8e7ced0-10c5-11ec-8b03-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml
index 457f7a21bf..697cad5f8a 100644
--- a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml
+++ b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml
@@ -1,7 +1,7 @@
 name: Rundll32 Control RunDLL World Writable Directory
 id: 1adffe86-10c3-11ec-8ce6-acde48001122
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml b/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml
index d4312ff4e3..5a56d2beab 100644
--- a/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml
+++ b/detections/endpoint/rundll32_create_remote_thread_to_a_process.yml
@@ -1,7 +1,7 @@
 name: Rundll32 Create Remote Thread To A Process
 id: 2dbeee3a-f067-11eb-96c0-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/rundll32_createremotethread_in_browser.yml b/detections/endpoint/rundll32_createremotethread_in_browser.yml
index 0155ed9b96..0ef2b5f2e5 100644
--- a/detections/endpoint/rundll32_createremotethread_in_browser.yml
+++ b/detections/endpoint/rundll32_createremotethread_in_browser.yml
@@ -1,7 +1,7 @@
 name: Rundll32 CreateRemoteThread In Browser
 id: f8a22586-ee2d-11eb-a193-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/rundll32_lockworkstation.yml b/detections/endpoint/rundll32_lockworkstation.yml
index e18797739a..1a48441e3f 100644
--- a/detections/endpoint/rundll32_lockworkstation.yml
+++ b/detections/endpoint/rundll32_lockworkstation.yml
@@ -1,7 +1,7 @@
 name: Rundll32 LockWorkStation
 id: fa90f372-f91d-11eb-816c-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/rundll32_process_creating_exe_dll_files.yml b/detections/endpoint/rundll32_process_creating_exe_dll_files.yml
index 4fcd4e901e..90bbd15000 100644
--- a/detections/endpoint/rundll32_process_creating_exe_dll_files.yml
+++ b/detections/endpoint/rundll32_process_creating_exe_dll_files.yml
@@ -1,7 +1,7 @@
 name: Rundll32 Process Creating Exe Dll Files
 id: 6338266a-ee2a-11eb-bf68-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/rundll32_shimcache_flush.yml b/detections/endpoint/rundll32_shimcache_flush.yml
index 85db4c3643..138fe15811 100644
--- a/detections/endpoint/rundll32_shimcache_flush.yml
+++ b/detections/endpoint/rundll32_shimcache_flush.yml
@@ -1,7 +1,7 @@
 name: Rundll32 Shimcache Flush
 id: a913718a-25b6-11ec-96d3-acde48001122
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml
index 5e74ee67e5..ddd46635be 100644
--- a/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml
+++ b/detections/endpoint/rundll32_with_no_command_line_arguments_with_network.yml
@@ -1,7 +1,7 @@
 name: Rundll32 with no Command Line Arguments with Network
 id: 35307032-a12d-11eb-835f-acde48001122
-version: 11
-date: '2025-04-18'
+version: 12
+date: '2025-05-02'
 author: Steven Dick, Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/rundll_loading_dll_by_ordinal.yml b/detections/endpoint/rundll_loading_dll_by_ordinal.yml
index 7087d5b7a0..4196484d9d 100644
--- a/detections/endpoint/rundll_loading_dll_by_ordinal.yml
+++ b/detections/endpoint/rundll_loading_dll_by_ordinal.yml
@@ -1,7 +1,7 @@
 name: RunDLL Loading DLL By Ordinal
 id: 6c135f8d-5e60-454e-80b7-c56eed739833
-version: 11
-date: '2025-02-10'
+version: 12
+date: '2025-05-02'
 author: Michael Haag, David Dorsey, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/ryuk_test_files_detected.yml b/detections/endpoint/ryuk_test_files_detected.yml
index 0156fd6b54..059aa43047 100644
--- a/detections/endpoint/ryuk_test_files_detected.yml
+++ b/detections/endpoint/ryuk_test_files_detected.yml
@@ -1,7 +1,7 @@
 name: Ryuk Test Files Detected
 id: 57d44d70-28d9-4ed1-acf5-1c80ae2bbce3
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Rod Soto, Jose Hernandez, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/ryuk_wake_on_lan_command.yml b/detections/endpoint/ryuk_wake_on_lan_command.yml
index d47ad551ef..f900061969 100644
--- a/detections/endpoint/ryuk_wake_on_lan_command.yml
+++ b/detections/endpoint/ryuk_wake_on_lan_command.yml
@@ -1,7 +1,7 @@
 name: Ryuk Wake on LAN Command
 id: 538d0152-7aaa-11eb-beaa-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/sam_database_file_access_attempt.yml b/detections/endpoint/sam_database_file_access_attempt.yml
index 2ce1ddaa93..76526b9687 100644
--- a/detections/endpoint/sam_database_file_access_attempt.yml
+++ b/detections/endpoint/sam_database_file_access_attempt.yml
@@ -1,7 +1,7 @@
 name: SAM Database File Access Attempt
 id: 57551656-ebdb-11eb-afdf-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/samsam_test_file_write.yml b/detections/endpoint/samsam_test_file_write.yml
index 173c7a8881..ec2c9f3aac 100644
--- a/detections/endpoint/samsam_test_file_write.yml
+++ b/detections/endpoint/samsam_test_file_write.yml
@@ -1,7 +1,7 @@
 name: Samsam Test File Write
 id: 493a879d-519d-428f-8f57-a06a0fdc107e
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Rico Valdez, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/sc_exe_manipulating_windows_services.yml b/detections/endpoint/sc_exe_manipulating_windows_services.yml
index 9eb470e3b0..8b86a92112 100644
--- a/detections/endpoint/sc_exe_manipulating_windows_services.yml
+++ b/detections/endpoint/sc_exe_manipulating_windows_services.yml
@@ -1,7 +1,7 @@
 name: Sc exe Manipulating Windows Services
 id: f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Rico Valdez, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml b/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml
index 59d238eeea..fafd94f12e 100644
--- a/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml
+++ b/detections/endpoint/schcache_change_by_app_connect_and_create_adsi_object.yml
@@ -1,7 +1,7 @@
 name: SchCache Change By App Connect And Create ADSI Object
 id: 991eb510-0fc6-11ec-82d3-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/schedule_task_with_http_command_arguments.yml b/detections/endpoint/schedule_task_with_http_command_arguments.yml
index bfea49a4e0..1b6dbe3035 100644
--- a/detections/endpoint/schedule_task_with_http_command_arguments.yml
+++ b/detections/endpoint/schedule_task_with_http_command_arguments.yml
@@ -1,7 +1,7 @@
 name: Schedule Task with HTTP Command Arguments
 id: 523c2684-a101-11eb-916b-acde48001122
-version: 5
-date: '2024-12-10'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml
index 46ece09f64..0fa6a5939f 100644
--- a/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml
+++ b/detections/endpoint/schedule_task_with_rundll32_command_trigger.yml
@@ -1,7 +1,7 @@
 name: Schedule Task with Rundll32 Command Trigger
 id: 75b00fd8-a0ff-11eb-8b31-acde48001122
-version: 5
-date: '2024-12-10'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml
index 3119d1ae64..11654f3498 100644
--- a/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml
+++ b/detections/endpoint/scheduled_task_creation_on_remote_endpoint_using_at.yml
@@ -1,7 +1,7 @@
 name: Scheduled Task Creation on Remote Endpoint using At
 id: 4be54858-432f-11ec-8209-3e22fbd008af
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
index 0082c81a7c..e60bc93e9b 100644
--- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
+++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
@@ -1,7 +1,7 @@
 name: Scheduled Task Deleted Or Created via CMD
 id: d5af132c-7c17-439c-9d31-13d55340f36c
-version: 15
-date: '2025-04-16'
+version: 16
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml
index 51e391fc20..8fc82e6f18 100644
--- a/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml
+++ b/detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml
@@ -1,7 +1,7 @@
 name: Scheduled Task Initiation on Remote Endpoint
 id: 95cf4608-4302-11ec-8194-3e22fbd008af
-version: 8
-date: '2025-03-24'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk, Badoodish, Github Community
 status: production
 type: TTP
diff --git a/detections/endpoint/schtasks_run_task_on_demand.yml b/detections/endpoint/schtasks_run_task_on_demand.yml
index bcb429d726..a42bf1849b 100644
--- a/detections/endpoint/schtasks_run_task_on_demand.yml
+++ b/detections/endpoint/schtasks_run_task_on_demand.yml
@@ -1,7 +1,7 @@
 name: Schtasks Run Task On Demand
 id: bb37061e-af1f-11eb-a159-acde48001122
-version: '5'
-date: '2025-03-14'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml
index 104fda64cd..e40f6755f6 100644
--- a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml
+++ b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml
@@ -1,7 +1,7 @@
 name: Schtasks scheduling job on remote system
 id: 1297fb80-f42a-4b4a-9c8a-88c066237cf6
-version: 13
-date: '2025-02-10'
+version: 14
+date: '2025-05-02'
 author: David Dorsey, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml
index d9f6109f8d..f7482bb916 100644
--- a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml
+++ b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml
@@ -1,7 +1,7 @@
 name: Schtasks used for forcing a reboot
 id: 1297fb80-f42a-4b4a-9c8a-88c066437cf6
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/screensaver_event_trigger_execution.yml b/detections/endpoint/screensaver_event_trigger_execution.yml
index 9ffb31f772..8ed59d4ae2 100644
--- a/detections/endpoint/screensaver_event_trigger_execution.yml
+++ b/detections/endpoint/screensaver_event_trigger_execution.yml
@@ -1,7 +1,7 @@
 name: Screensaver Event Trigger Execution
 id: 58cea3ec-1f6d-11ec-8560-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/script_execution_via_wmi.yml b/detections/endpoint/script_execution_via_wmi.yml
index fba0c46299..ac9316c020 100644
--- a/detections/endpoint/script_execution_via_wmi.yml
+++ b/detections/endpoint/script_execution_via_wmi.yml
@@ -1,7 +1,7 @@
 name: Script Execution via WMI
 id: aa73f80d-d728-4077-b226-81ea0c8be589
-version: 8
-date: '2024-11-13'
+version: 9
+date: '2025-05-02'
 author: Rico Valdez, Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/sdclt_uac_bypass.yml b/detections/endpoint/sdclt_uac_bypass.yml
index 3e0c8ae436..42788ab3dd 100644
--- a/detections/endpoint/sdclt_uac_bypass.yml
+++ b/detections/endpoint/sdclt_uac_bypass.yml
@@ -1,7 +1,7 @@
 name: Sdclt UAC Bypass
 id: d71efbf6-da63-11eb-8c6e-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Steven Dick, Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/sdelete_application_execution.yml b/detections/endpoint/sdelete_application_execution.yml
index 47e81ad9f6..ee3c96b373 100644
--- a/detections/endpoint/sdelete_application_execution.yml
+++ b/detections/endpoint/sdelete_application_execution.yml
@@ -1,7 +1,7 @@
 name: Sdelete Application Execution
 id: 31702fc0-2682-11ec-85c3-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml
index 42bc1bd9e3..f4a7ccaa1c 100644
--- a/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml
+++ b/detections/endpoint/searchprotocolhost_with_no_command_line_with_network.yml
@@ -1,7 +1,7 @@
 name: SearchProtocolHost with no Command Line with Network
 id: b690df8c-a145-11eb-a38b-acde48001122
-version: 9
-date: '2025-04-18'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml b/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml
index c65492da7e..6bdcb7b2ce 100644
--- a/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml
+++ b/detections/endpoint/secretdumps_offline_ntds_dumping_tool.yml
@@ -1,7 +1,7 @@
 name: SecretDumps Offline NTDS Dumping Tool
 id: 5672819c-be09-11eb-bbfb-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml b/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml
index 568cc0f475..983c6f2c2a 100644
--- a/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml
+++ b/detections/endpoint/serviceprincipalnames_discovery_with_powershell.yml
@@ -1,7 +1,7 @@
 name: ServicePrincipalNames Discovery with PowerShell
 id: 13243068-2d38-11ec-8908-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml
index 3cbff7af05..ced6e87c44 100644
--- a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml
+++ b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml
@@ -1,7 +1,7 @@
 name: ServicePrincipalNames Discovery with SetSPN
 id: ae8b3efc-2d2e-11ec-8b57-acde48001122
-version: 8
-date: '2024-12-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/services_escalate_exe.yml b/detections/endpoint/services_escalate_exe.yml
index 125ed133e1..1f7d0ab4da 100644
--- a/detections/endpoint/services_escalate_exe.yml
+++ b/detections/endpoint/services_escalate_exe.yml
@@ -1,7 +1,7 @@
 name: Services Escalate Exe
 id: c448488c-b7ec-11eb-8253-acde48001122
-version: 7
-date: '2024-12-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/services_lolbas_execution_process_spawn.yml b/detections/endpoint/services_lolbas_execution_process_spawn.yml
index 22cd55a917..c430084454 100644
--- a/detections/endpoint/services_lolbas_execution_process_spawn.yml
+++ b/detections/endpoint/services_lolbas_execution_process_spawn.yml
@@ -1,7 +1,7 @@
 name: Services LOLBAS Execution Process Spawn
 id: ba9e1954-4c04-11ec-8b74-3e22fbd008af
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
index a7e3bbd35a..63fe4cd21e 100644
--- a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
+++ b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
@@ -1,7 +1,7 @@
 name: Set Default PowerShell Execution Policy To Unrestricted or Bypass
 id: c2590137-0b08-4985-9ec5-6ae23d92f63d
-version: 15
-date: '2025-03-27'
+version: 16
+date: '2025-05-02'
 author: Steven Dick, Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/shim_database_file_creation.yml b/detections/endpoint/shim_database_file_creation.yml
index 74e21fdc98..caa8b0e8d6 100644
--- a/detections/endpoint/shim_database_file_creation.yml
+++ b/detections/endpoint/shim_database_file_creation.yml
@@ -1,7 +1,7 @@
 name: Shim Database File Creation
 id: 6e4c4588-ba2f-42fa-97e6-9f6f548eaa33
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml
index 7879ac2b79..89e9077110 100644
--- a/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml
+++ b/detections/endpoint/shim_database_installation_with_suspicious_parameters.yml
@@ -1,7 +1,7 @@
 name: Shim Database Installation With Suspicious Parameters
 id: 404620de-46d8-48b6-90cc-8a8d7b0876a3
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/short_lived_scheduled_task.yml b/detections/endpoint/short_lived_scheduled_task.yml
index 898596df66..3ce1222190 100644
--- a/detections/endpoint/short_lived_scheduled_task.yml
+++ b/detections/endpoint/short_lived_scheduled_task.yml
@@ -1,7 +1,7 @@
 name: Short Lived Scheduled Task
 id: 6fa31414-546e-11ec-adfa-acde48001122
-version: 6
-date: '2024-12-10'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/short_lived_windows_accounts.yml b/detections/endpoint/short_lived_windows_accounts.yml
index 2004bdfab1..672893ec2c 100644
--- a/detections/endpoint/short_lived_windows_accounts.yml
+++ b/detections/endpoint/short_lived_windows_accounts.yml
@@ -1,7 +1,7 @@
 name: Short Lived Windows Accounts
 id: b25f6f62-0782-43c1-b403-083231ffd97d
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: David Dorsey, Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/silentcleanup_uac_bypass.yml b/detections/endpoint/silentcleanup_uac_bypass.yml
index 0c7e56afe0..670b7540d6 100644
--- a/detections/endpoint/silentcleanup_uac_bypass.yml
+++ b/detections/endpoint/silentcleanup_uac_bypass.yml
@@ -1,7 +1,7 @@
 name: SilentCleanup UAC Bypass
 id: 56d7cfcc-da63-11eb-92d4-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Steven Dick, Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/single_letter_process_on_endpoint.yml b/detections/endpoint/single_letter_process_on_endpoint.yml
index b41d166e23..a7897511ee 100644
--- a/detections/endpoint/single_letter_process_on_endpoint.yml
+++ b/detections/endpoint/single_letter_process_on_endpoint.yml
@@ -1,7 +1,7 @@
 name: Single Letter Process On Endpoint
 id: a4214f0b-e01c-41bc-8cc4-d2b71e3056b4
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/slui_runas_elevated.yml b/detections/endpoint/slui_runas_elevated.yml
index d3017b42f5..005967b8e6 100644
--- a/detections/endpoint/slui_runas_elevated.yml
+++ b/detections/endpoint/slui_runas_elevated.yml
@@ -1,7 +1,7 @@
 name: SLUI RunAs Elevated
 id: 8d124810-b3e4-11eb-96c7-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/slui_spawning_a_process.yml b/detections/endpoint/slui_spawning_a_process.yml
index 366a743d10..41b7a17a00 100644
--- a/detections/endpoint/slui_spawning_a_process.yml
+++ b/detections/endpoint/slui_spawning_a_process.yml
@@ -1,7 +1,7 @@
 name: SLUI Spawning a Process
 id: 879c4330-b3e0-11eb-b1b1-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/spike_in_file_writes.yml b/detections/endpoint/spike_in_file_writes.yml
index 2cdc1931a8..caaa8b1731 100644
--- a/detections/endpoint/spike_in_file_writes.yml
+++ b/detections/endpoint/spike_in_file_writes.yml
@@ -1,7 +1,7 @@
 name: Spike in File Writes
 id: fdb0f805-74e4-4539-8c00-618927333aae
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/endpoint/spoolsv_spawning_rundll32.yml b/detections/endpoint/spoolsv_spawning_rundll32.yml
index 355a304e5b..0f52aee5dc 100644
--- a/detections/endpoint/spoolsv_spawning_rundll32.yml
+++ b/detections/endpoint/spoolsv_spawning_rundll32.yml
@@ -1,7 +1,7 @@
 name: Spoolsv Spawning Rundll32
 id: 15d905f6-da6b-11eb-ab82-acde48001122
-version: 9
-date: '2025-03-27'
+version: 10
+date: '2025-05-02'
 author: Mauricio Velazco, Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/spoolsv_suspicious_loaded_modules.yml b/detections/endpoint/spoolsv_suspicious_loaded_modules.yml
index d64d76ce85..ae5ccd33a9 100644
--- a/detections/endpoint/spoolsv_suspicious_loaded_modules.yml
+++ b/detections/endpoint/spoolsv_suspicious_loaded_modules.yml
@@ -1,7 +1,7 @@
 name: Spoolsv Suspicious Loaded Modules
 id: a5e451f8-da81-11eb-b245-acde48001122
-version: 8
-date: '2025-03-27'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/spoolsv_suspicious_process_access.yml b/detections/endpoint/spoolsv_suspicious_process_access.yml
index de75324a63..32c915613d 100644
--- a/detections/endpoint/spoolsv_suspicious_process_access.yml
+++ b/detections/endpoint/spoolsv_suspicious_process_access.yml
@@ -1,7 +1,7 @@
 name: Spoolsv Suspicious Process Access
 id: 799b606e-da81-11eb-93f8-acde48001122
-version: 8
-date: '2025-03-27'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/spoolsv_writing_a_dll.yml b/detections/endpoint/spoolsv_writing_a_dll.yml
index 63852cc5a6..30848101e5 100644
--- a/detections/endpoint/spoolsv_writing_a_dll.yml
+++ b/detections/endpoint/spoolsv_writing_a_dll.yml
@@ -1,7 +1,7 @@
 name: Spoolsv Writing a DLL
 id: d5bf5cf2-da71-11eb-92c2-acde48001122
-version: 10
-date: '2025-04-22'
+version: 11
+date: '2025-05-02'
 author: Mauricio Velazco, Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml b/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml
index 04f1f2476a..3d5cf9b194 100644
--- a/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml
+++ b/detections/endpoint/spoolsv_writing_a_dll___sysmon.yml
@@ -1,7 +1,7 @@
 name: Spoolsv Writing a DLL - Sysmon
 id: 347fd388-da87-11eb-836d-acde48001122
-version: '7'
-date: '2025-03-27'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/sqlite_module_in_temp_folder.yml b/detections/endpoint/sqlite_module_in_temp_folder.yml
index d6476ae1db..3e276a5281 100644
--- a/detections/endpoint/sqlite_module_in_temp_folder.yml
+++ b/detections/endpoint/sqlite_module_in_temp_folder.yml
@@ -1,7 +1,7 @@
 name: Sqlite Module In Temp Folder
 id: 0f216a38-f45f-11eb-b09c-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml b/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml
index 0ef0c81655..9fe57583aa 100644
--- a/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml
+++ b/detections/endpoint/steal_or_forge_authentication_certificates_behavior_identified.yml
@@ -1,7 +1,7 @@
 name: Steal or Forge Authentication Certificates Behavior Identified
 id: 87ac670e-bbfd-44ca-b566-44e9f835518d
-version: 5
-date: '2025-04-16'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Correlation
diff --git a/detections/endpoint/sunburst_correlation_dll_and_network_event.yml b/detections/endpoint/sunburst_correlation_dll_and_network_event.yml
index 5ef3ce8d63..d570f03c56 100644
--- a/detections/endpoint/sunburst_correlation_dll_and_network_event.yml
+++ b/detections/endpoint/sunburst_correlation_dll_and_network_event.yml
@@ -1,7 +1,7 @@
 name: Sunburst Correlation DLL and Network Event
 id: 701a8740-e8db-40df-9190-5516d3819787
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/suspicious_computer_account_name_change.yml b/detections/endpoint/suspicious_computer_account_name_change.yml
index e7aaee43b7..336b3f2591 100644
--- a/detections/endpoint/suspicious_computer_account_name_change.yml
+++ b/detections/endpoint/suspicious_computer_account_name_change.yml
@@ -1,7 +1,7 @@
 name: Suspicious Computer Account Name Change
 id: 35a61ed8-61c4-11ec-bc1e-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_copy_on_system32.yml b/detections/endpoint/suspicious_copy_on_system32.yml
index 91c2570260..e0c9a177fc 100644
--- a/detections/endpoint/suspicious_copy_on_system32.yml
+++ b/detections/endpoint/suspicious_copy_on_system32.yml
@@ -1,7 +1,7 @@
 name: Suspicious Copy on System32
 id: ce633e56-25b2-11ec-9e76-acde48001122
-version: 9
-date: '2025-04-22'
+version: 10
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_curl_network_connection.yml b/detections/endpoint/suspicious_curl_network_connection.yml
index eae5a20bd9..9202695dbc 100644
--- a/detections/endpoint/suspicious_curl_network_connection.yml
+++ b/detections/endpoint/suspicious_curl_network_connection.yml
@@ -1,7 +1,7 @@
 name: Suspicious Curl Network Connection
 id: 3f613dc0-21f2-4063-93b1-5d3c15eef22f
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml
index 18978cbc35..c19e3246da 100644
--- a/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml
+++ b/detections/endpoint/suspicious_dllhost_no_command_line_arguments.yml
@@ -1,7 +1,7 @@
 name: Suspicious DLLHost no Command Line Arguments
 id: ff61e98c-0337-4593-a78f-72a676c56f26
-version: 9
-date: '2025-04-18'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml
index a905407a44..7c2780acdd 100644
--- a/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml
+++ b/detections/endpoint/suspicious_gpupdate_no_command_line_arguments.yml
@@ -1,7 +1,7 @@
 name: Suspicious GPUpdate no Command Line Arguments
 id: f308490a-473a-40ef-ae64-dd7a6eba284a
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml b/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml
index 67f2c841c9..05c6f1336b 100644
--- a/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml
+++ b/detections/endpoint/suspicious_icedid_rundll32_cmdline.yml
@@ -1,7 +1,7 @@
 name: Suspicious IcedID Rundll32 Cmdline
 id: bed761f8-ee29-11eb-8bf3-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml
index 666343c940..4b7762ff63 100644
--- a/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml
+++ b/detections/endpoint/suspicious_image_creation_in_appdata_folder.yml
@@ -1,7 +1,7 @@
 name: Suspicious Image Creation In Appdata Folder
 id: f6f904c4-1ac0-11ec-806b-acde48001122
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_kerberos_service_ticket_request.yml b/detections/endpoint/suspicious_kerberos_service_ticket_request.yml
index 2f08209956..f2c7b17d1c 100644
--- a/detections/endpoint/suspicious_kerberos_service_ticket_request.yml
+++ b/detections/endpoint/suspicious_kerberos_service_ticket_request.yml
@@ -1,7 +1,7 @@
 name: Suspicious Kerberos Service Ticket Request
 id: 8b1297bc-6204-11ec-b7c4-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_linux_discovery_commands.yml b/detections/endpoint/suspicious_linux_discovery_commands.yml
index b5bd2f3e97..e16f407e68 100644
--- a/detections/endpoint/suspicious_linux_discovery_commands.yml
+++ b/detections/endpoint/suspicious_linux_discovery_commands.yml
@@ -1,7 +1,7 @@
 name: Suspicious Linux Discovery Commands
 id: 0edd5112-56c9-11ec-b990-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml b/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml
index 0f3b36c71c..7d4411e178 100644
--- a/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml
+++ b/detections/endpoint/suspicious_microsoft_workflow_compiler_rename.yml
@@ -1,7 +1,7 @@
 name: Suspicious microsoft workflow compiler rename
 id: f0db4464-55d9-11eb-ae93-0242ac130002
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml b/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml
index d7f25f34e2..9a871d71de 100644
--- a/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml
+++ b/detections/endpoint/suspicious_microsoft_workflow_compiler_usage.yml
@@ -1,7 +1,7 @@
 name: Suspicious microsoft workflow compiler usage
 id: 9bbc62e8-55d8-11eb-ae93-0242ac130002
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_msbuild_path.yml b/detections/endpoint/suspicious_msbuild_path.yml
index 4de62e5e15..f44b5341cd 100644
--- a/detections/endpoint/suspicious_msbuild_path.yml
+++ b/detections/endpoint/suspicious_msbuild_path.yml
@@ -1,7 +1,7 @@
 name: Suspicious msbuild path
 id: f5198224-551c-11eb-ae93-0242ac130002
-version: 9
-date: '2025-04-16'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_msbuild_rename.yml b/detections/endpoint/suspicious_msbuild_rename.yml
index a7ac153806..7327ab5435 100644
--- a/detections/endpoint/suspicious_msbuild_rename.yml
+++ b/detections/endpoint/suspicious_msbuild_rename.yml
@@ -1,7 +1,7 @@
 name: Suspicious MSBuild Rename
 id: 4006adac-5937-11eb-ae93-0242ac130002
-version: 10
-date: '2025-04-16'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/suspicious_msbuild_spawn.yml b/detections/endpoint/suspicious_msbuild_spawn.yml
index 9a2505b4e8..3d1a886f2c 100644
--- a/detections/endpoint/suspicious_msbuild_spawn.yml
+++ b/detections/endpoint/suspicious_msbuild_spawn.yml
@@ -1,7 +1,7 @@
 name: Suspicious MSBuild Spawn
 id: a115fba6-5514-11eb-ae93-0242ac130002
-version: 8
-date: '2025-04-16'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_mshta_child_process.yml b/detections/endpoint/suspicious_mshta_child_process.yml
index c6c8e2f0ce..76f2a91622 100644
--- a/detections/endpoint/suspicious_mshta_child_process.yml
+++ b/detections/endpoint/suspicious_mshta_child_process.yml
@@ -1,7 +1,7 @@
 name: Suspicious mshta child process
 id: 60023bb6-5500-11eb-ae93-0242ac130002
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_mshta_spawn.yml b/detections/endpoint/suspicious_mshta_spawn.yml
index 3a8d8ea1bb..557bebd1c5 100644
--- a/detections/endpoint/suspicious_mshta_spawn.yml
+++ b/detections/endpoint/suspicious_mshta_spawn.yml
@@ -1,7 +1,7 @@
 name: Suspicious mshta spawn
 id: 4d33a488-5b5f-11eb-ae93-0242ac130002
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_plistbuddy_usage.yml b/detections/endpoint/suspicious_plistbuddy_usage.yml
index f3dc262cfd..943cd45dc7 100644
--- a/detections/endpoint/suspicious_plistbuddy_usage.yml
+++ b/detections/endpoint/suspicious_plistbuddy_usage.yml
@@ -1,7 +1,7 @@
 name: Suspicious PlistBuddy Usage
 id: c3194009-e0eb-4f84-87a9-4070f8688f00
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml b/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml
index ec7ee9dc78..de1bb3c041 100644
--- a/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml
+++ b/detections/endpoint/suspicious_plistbuddy_usage_via_osquery.yml
@@ -1,7 +1,7 @@
 name: Suspicious PlistBuddy Usage via OSquery
 id: 20ba6c32-c733-4a32-b64e-2688cf231399
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/suspicious_process_executed_from_container_file.yml b/detections/endpoint/suspicious_process_executed_from_container_file.yml
index e2236b5130..844389b65c 100644
--- a/detections/endpoint/suspicious_process_executed_from_container_file.yml
+++ b/detections/endpoint/suspicious_process_executed_from_container_file.yml
@@ -1,7 +1,7 @@
 name: Suspicious Process Executed From Container File
 id: d8120352-3b62-411c-8cb6-7b47584dd5e8
-version: 6
-date: '2025-04-22'
+version: 7
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_reg_exe_process.yml b/detections/endpoint/suspicious_reg_exe_process.yml
index 8ecaf28eef..da5eab3e4f 100644
--- a/detections/endpoint/suspicious_reg_exe_process.yml
+++ b/detections/endpoint/suspicious_reg_exe_process.yml
@@ -1,7 +1,7 @@
 name: Suspicious Reg exe Process
 id: a6b3ab4e-dd77-4213-95fa-fc94701995e0
-version: 11
-date: '2025-04-22'
+version: 12
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml
index 3da8e91526..71aaf11a20 100644
--- a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml
+++ b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml
@@ -1,7 +1,7 @@
 name: Suspicious Regsvr32 Register Suspicious Path
 id: 62732736-6250-11eb-ae93-0242ac130002
-version: 14
-date: '2025-03-27'
+version: 15
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml
index 56e226eb0e..3491b522ac 100644
--- a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml
+++ b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml
@@ -1,7 +1,7 @@
 name: Suspicious Rundll32 dllregisterserver
 id: 8c00a385-9b86-4ac0-8932-c9ec3713b159
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml
index 563a0fc5e4..9a67ce1171 100644
--- a/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml
+++ b/detections/endpoint/suspicious_rundll32_no_command_line_arguments.yml
@@ -1,7 +1,7 @@
 name: Suspicious Rundll32 no Command Line Arguments
 id: e451bd16-e4c5-4109-8eb1-c4c6ecf048b4
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_rundll32_plugininit.yml b/detections/endpoint/suspicious_rundll32_plugininit.yml
index f7c649ce9b..106a60db5b 100644
--- a/detections/endpoint/suspicious_rundll32_plugininit.yml
+++ b/detections/endpoint/suspicious_rundll32_plugininit.yml
@@ -1,7 +1,7 @@
 name: Suspicious Rundll32 PluginInit
 id: 92d51712-ee29-11eb-b1ae-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_rundll32_startw.yml b/detections/endpoint/suspicious_rundll32_startw.yml
index 7760a93a89..1bf0ca1b50 100644
--- a/detections/endpoint/suspicious_rundll32_startw.yml
+++ b/detections/endpoint/suspicious_rundll32_startw.yml
@@ -1,7 +1,7 @@
 name: Suspicious Rundll32 StartW
 id: 9319dda5-73f2-4d43-a85a-67ce961bddb7
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
index 5475a18e33..b420cea0bc 100644
--- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
+++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
@@ -1,7 +1,7 @@
 name: Suspicious Scheduled Task from Public Directory
 id: 7feb7972-7ac3-11eb-bac8-acde48001122
-version: 10
-date: '2025-04-16'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml
index a35c3d4ee7..116faa1429 100644
--- a/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml
+++ b/detections/endpoint/suspicious_searchprotocolhost_no_command_line_arguments.yml
@@ -1,7 +1,7 @@
 name: Suspicious SearchProtocolHost no Command Line Arguments
 id: f52d2db8-31f9-4aa7-a176-25779effe55c
-version: 8
-date: '2025-04-18'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml b/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml
index 16925a2c26..11c3fcae5b 100644
--- a/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml
+++ b/detections/endpoint/suspicious_sqlite3_lsquarantine_behavior.yml
@@ -1,7 +1,7 @@
 name: Suspicious SQLite3 LSQuarantine Behavior
 id: e1997b2e-655f-4561-82fd-aeba8e1c1a86
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/suspicious_ticket_granting_ticket_request.yml b/detections/endpoint/suspicious_ticket_granting_ticket_request.yml
index e51bfe28b4..daa8be9f35 100644
--- a/detections/endpoint/suspicious_ticket_granting_ticket_request.yml
+++ b/detections/endpoint/suspicious_ticket_granting_ticket_request.yml
@@ -1,7 +1,7 @@
 name: Suspicious Ticket Granting Ticket Request
 id: d77d349e-6269-11ec-9cfe-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml b/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml
index 911dd6035f..678b9669da 100644
--- a/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml
+++ b/detections/endpoint/suspicious_wav_file_in_appdata_folder.yml
@@ -1,7 +1,7 @@
 name: Suspicious WAV file in Appdata Folder
 id: 5be109e6-1ac5-11ec-b421-acde48001122
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_wevtutil_usage.yml b/detections/endpoint/suspicious_wevtutil_usage.yml
index f8c243fe2d..6f6f860da7 100644
--- a/detections/endpoint/suspicious_wevtutil_usage.yml
+++ b/detections/endpoint/suspicious_wevtutil_usage.yml
@@ -1,7 +1,7 @@
 name: Suspicious wevtutil Usage
 id: 2827c0fd-e1be-4868-ae25-59d28e0f9d4f
 version: 13
-date: '2025-04-24'
+date: '2025-05-02'
 author: David Dorsey, Michael Haag, Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml
index 662f188f9f..64ab765444 100644
--- a/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml
+++ b/detections/endpoint/suspicious_writes_to_windows_recycle_bin.yml
@@ -1,7 +1,7 @@
 name: Suspicious writes to windows Recycle Bin
 id: b5541828-8ffd-4070-9d95-b3da4de924cb
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Rico Valdez, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml
index 95ed69ec10..54e9eb611d 100644
--- a/detections/endpoint/svchost_lolbas_execution_process_spawn.yml
+++ b/detections/endpoint/svchost_lolbas_execution_process_spawn.yml
@@ -1,7 +1,7 @@
 name: Svchost LOLBAS Execution Process Spawn
 id: 09e5c72a-4c0d-11ec-aa29-3e22fbd008af
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/system_info_gathering_using_dxdiag_application.yml b/detections/endpoint/system_info_gathering_using_dxdiag_application.yml
index d443ae2127..bd796e6f57 100644
--- a/detections/endpoint/system_info_gathering_using_dxdiag_application.yml
+++ b/detections/endpoint/system_info_gathering_using_dxdiag_application.yml
@@ -1,7 +1,7 @@
 name: System Info Gathering Using Dxdiag Application
 id: f92d74f2-4921-11ec-b685-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml
index c4fbef65b6..c3ccb09b01 100644
--- a/detections/endpoint/system_information_discovery_detection.yml
+++ b/detections/endpoint/system_information_discovery_detection.yml
@@ -1,7 +1,7 @@
 name: System Information Discovery Detection
 id: 8e99f89e-ae58-4ebc-bf52-ae0b1a277e72
-version: '8'
-date: '2025-03-14'
+version: 9
+date: '2025-05-02'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/system_processes_run_from_unexpected_locations.yml b/detections/endpoint/system_processes_run_from_unexpected_locations.yml
index 6b5ceb288a..1f417c4e85 100644
--- a/detections/endpoint/system_processes_run_from_unexpected_locations.yml
+++ b/detections/endpoint/system_processes_run_from_unexpected_locations.yml
@@ -1,7 +1,7 @@
 name: System Processes Run From Unexpected Locations
 id: a34aae96-ccf8-4aef-952c-3ea21444444d
 version: 12
-date: '2025-04-24'
+date: '2025-05-02'
 author: David Dorsey, Michael Haag, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/system_user_discovery_with_query.yml b/detections/endpoint/system_user_discovery_with_query.yml
index 3128319eec..0d015aa124 100644
--- a/detections/endpoint/system_user_discovery_with_query.yml
+++ b/detections/endpoint/system_user_discovery_with_query.yml
@@ -1,7 +1,7 @@
 name: System User Discovery With Query
 id: ad03bfcf-8a91-4bc2-a500-112993deba87
-version: '6'
-date: '2025-03-14'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/system_user_discovery_with_whoami.yml b/detections/endpoint/system_user_discovery_with_whoami.yml
index d1a3e665a0..c1d57a3031 100644
--- a/detections/endpoint/system_user_discovery_with_whoami.yml
+++ b/detections/endpoint/system_user_discovery_with_whoami.yml
@@ -1,7 +1,7 @@
 name: System User Discovery With Whoami
 id: 894fc43e-6f50-47d5-a68b-ee9ee23e18f4
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/time_provider_persistence_registry.yml b/detections/endpoint/time_provider_persistence_registry.yml
index cdd16a30c0..ecb828722a 100644
--- a/detections/endpoint/time_provider_persistence_registry.yml
+++ b/detections/endpoint/time_provider_persistence_registry.yml
@@ -1,7 +1,7 @@
 name: Time Provider Persistence Registry
 id: 5ba382c4-2105-11ec-8d8f-acde48001122
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/trickbot_named_pipe.yml b/detections/endpoint/trickbot_named_pipe.yml
index 778873856c..89640bf827 100644
--- a/detections/endpoint/trickbot_named_pipe.yml
+++ b/detections/endpoint/trickbot_named_pipe.yml
@@ -1,7 +1,7 @@
 name: Trickbot Named Pipe
 id: 1804b0a4-a682-11eb-8f68-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml b/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml
index 12df8b9de7..47e4279f4a 100644
--- a/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml
+++ b/detections/endpoint/uac_bypass_mmc_load_unsigned_dll.yml
@@ -1,7 +1,7 @@
 name: UAC Bypass MMC Load Unsigned Dll
 id: 7f04349c-e30d-11eb-bc7f-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/uac_bypass_with_colorui_com_object.yml b/detections/endpoint/uac_bypass_with_colorui_com_object.yml
index 85cd67c5c2..24e9386794 100644
--- a/detections/endpoint/uac_bypass_with_colorui_com_object.yml
+++ b/detections/endpoint/uac_bypass_with_colorui_com_object.yml
@@ -1,7 +1,7 @@
 name: UAC Bypass With Colorui COM Object
 id: 2bcccd20-fc2b-11eb-8d22-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/uninstall_app_using_msiexec.yml b/detections/endpoint/uninstall_app_using_msiexec.yml
index 25daf99ff7..0d1a0397db 100644
--- a/detections/endpoint/uninstall_app_using_msiexec.yml
+++ b/detections/endpoint/uninstall_app_using_msiexec.yml
@@ -1,7 +1,7 @@
 name: Uninstall App Using MsiExec
 id: 1fca2b28-f922-11eb-b2dd-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml
index d7aafa7b1b..0ea5773741 100644
--- a/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml
+++ b/detections/endpoint/unknown_process_using_the_kerberos_protocol.yml
@@ -1,7 +1,7 @@
 name: Unknown Process Using The Kerberos Protocol
 id: c91a0852-9fbb-11ec-af44-acde48001122
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/unload_sysmon_filter_driver.yml b/detections/endpoint/unload_sysmon_filter_driver.yml
index 48405327e2..d281ec2b99 100644
--- a/detections/endpoint/unload_sysmon_filter_driver.yml
+++ b/detections/endpoint/unload_sysmon_filter_driver.yml
@@ -1,7 +1,7 @@
 name: Unload Sysmon Filter Driver
 id: e5928ff3-23eb-4d8b-b8a4-dcbc844fdfbe
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/unloading_amsi_via_reflection.yml b/detections/endpoint/unloading_amsi_via_reflection.yml
index 3dbd8dbd42..2b2b57f58a 100644
--- a/detections/endpoint/unloading_amsi_via_reflection.yml
+++ b/detections/endpoint/unloading_amsi_via_reflection.yml
@@ -1,7 +1,7 @@
 name: Unloading AMSI via Reflection
 id: a21e3484-c94d-11eb-b55b-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml b/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml
index c891b89ed2..e4210026e2 100644
--- a/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml
+++ b/detections/endpoint/unusual_number_of_computer_service_tickets_requested.yml
@@ -1,7 +1,7 @@
 name: Unusual Number of Computer Service Tickets Requested
 id: ac3b81c0-52f4-11ec-ac44-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: experimental
 type: Hunting
diff --git a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
index 250a39176b..302f18dc3b 100644
--- a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
+++ b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
@@ -1,7 +1,7 @@
 name: Unusual Number of Kerberos Service Tickets Requested
 id: eb3e6702-8936-11ec-98fe-acde48001122
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Mauricio Velazco, Dean Luxton, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml b/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml
index e01d6a6efb..b8297fec67 100644
--- a/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml
+++ b/detections/endpoint/unusual_number_of_remote_endpoint_authentication_events.yml
@@ -1,7 +1,7 @@
 name: Unusual Number of Remote Endpoint Authentication Events
 id: acb5dc74-5324-11ec-a36d-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: experimental
 type: Hunting
diff --git a/detections/endpoint/unusually_long_command_line.yml b/detections/endpoint/unusually_long_command_line.yml
index 989043e935..9869a1ef0f 100644
--- a/detections/endpoint/unusually_long_command_line.yml
+++ b/detections/endpoint/unusually_long_command_line.yml
@@ -1,7 +1,7 @@
 name: Unusually Long Command Line
 id: c77162d3-f93c-45cc-80c8-22f6a4264e7f
-version: 9
-date: '2024-11-13'
+version: 10
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/endpoint/unusually_long_command_line___mltk.yml b/detections/endpoint/unusually_long_command_line___mltk.yml
index 517981b6a1..76bf6deeb6 100644
--- a/detections/endpoint/unusually_long_command_line___mltk.yml
+++ b/detections/endpoint/unusually_long_command_line___mltk.yml
@@ -1,7 +1,7 @@
 name: Unusually Long Command Line - MLTK
 id: 57edaefa-a73b-45e5-bbae-f39c1473f941
-version: 6
-date: '2024-12-16'
+version: 7
+date: '2025-05-02'
 author: Rico Valdez, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/endpoint/user_discovery_with_env_vars_powershell.yml b/detections/endpoint/user_discovery_with_env_vars_powershell.yml
index cc31ead507..bb912a694d 100644
--- a/detections/endpoint/user_discovery_with_env_vars_powershell.yml
+++ b/detections/endpoint/user_discovery_with_env_vars_powershell.yml
@@ -1,7 +1,7 @@
 name: User Discovery With Env Vars PowerShell
 id: 0cdf318b-a0dd-47d7-b257-c621c0247de8
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml b/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml
index c8b9cfffb5..f8ed073de1 100644
--- a/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml
+++ b/detections/endpoint/user_discovery_with_env_vars_powershell_script_block.yml
@@ -1,7 +1,7 @@
 name: User Discovery With Env Vars PowerShell Script Block
 id: 77f41d9e-b8be-47e3-ab35-5776f5ec1d20
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/usn_journal_deletion.yml b/detections/endpoint/usn_journal_deletion.yml
index 5e3d7de7eb..69a0f310eb 100644
--- a/detections/endpoint/usn_journal_deletion.yml
+++ b/detections/endpoint/usn_journal_deletion.yml
@@ -1,7 +1,7 @@
 name: USN Journal Deletion
 id: b6e0ff70-b122-4227-9368-4cf322ab43c3
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/vbscript_execution_using_wscript_app.yml b/detections/endpoint/vbscript_execution_using_wscript_app.yml
index a8848fa26a..64b66dfd32 100644
--- a/detections/endpoint/vbscript_execution_using_wscript_app.yml
+++ b/detections/endpoint/vbscript_execution_using_wscript_app.yml
@@ -1,7 +1,7 @@
 name: Vbscript Execution Using Wscript App
 id: 35159940-228f-11ec-8a49-acde48001122
-version: 7
-date: '2025-02-19'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/verclsid_clsid_execution.yml b/detections/endpoint/verclsid_clsid_execution.yml
index 754649a4c0..c49627ed45 100644
--- a/detections/endpoint/verclsid_clsid_execution.yml
+++ b/detections/endpoint/verclsid_clsid_execution.yml
@@ -1,7 +1,7 @@
 name: Verclsid CLSID Execution
 id: 61e9a56a-20fa-11ec-8ba3-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/w3wp_spawning_shell.yml b/detections/endpoint/w3wp_spawning_shell.yml
index 06125dcc35..f500e0d7ff 100644
--- a/detections/endpoint/w3wp_spawning_shell.yml
+++ b/detections/endpoint/w3wp_spawning_shell.yml
@@ -1,7 +1,7 @@
 name: W3WP Spawning Shell
 id: 0f03423c-7c6a-11eb-bc47-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/wbadmin_delete_system_backups.yml b/detections/endpoint/wbadmin_delete_system_backups.yml
index e78d51db4a..5fdc556844 100644
--- a/detections/endpoint/wbadmin_delete_system_backups.yml
+++ b/detections/endpoint/wbadmin_delete_system_backups.yml
@@ -1,7 +1,7 @@
 name: WBAdmin Delete System Backups
 id: cd5aed7e-5cea-11eb-ae93-0242ac130002
-version: 7
-date: '2025-04-16'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/wbemprox_com_object_execution.yml b/detections/endpoint/wbemprox_com_object_execution.yml
index a7b63ba7e6..8aafb13551 100644
--- a/detections/endpoint/wbemprox_com_object_execution.yml
+++ b/detections/endpoint/wbemprox_com_object_execution.yml
@@ -1,7 +1,7 @@
 name: Wbemprox COM Object Execution
 id: 9d911ce0-c3be-11eb-b177-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/web_servers_executing_suspicious_processes.yml b/detections/endpoint/web_servers_executing_suspicious_processes.yml
index f3ebb90e10..ed459dbe45 100644
--- a/detections/endpoint/web_servers_executing_suspicious_processes.yml
+++ b/detections/endpoint/web_servers_executing_suspicious_processes.yml
@@ -1,7 +1,7 @@
 name: Web Servers Executing Suspicious Processes
 id: ec3b7601-689a-4463-94e0-c9f45638efb9
-version: 5
-date: '2025-01-21'
+version: 6
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/wermgr_process_create_executable_file.yml b/detections/endpoint/wermgr_process_create_executable_file.yml
index 8c3ad7e96b..9fc8924bea 100644
--- a/detections/endpoint/wermgr_process_create_executable_file.yml
+++ b/detections/endpoint/wermgr_process_create_executable_file.yml
@@ -1,7 +1,7 @@
 name: Wermgr Process Create Executable File
 id: ab3bcce0-a105-11eb-973c-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml b/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml
index ff5005175c..13b9e76fc5 100644
--- a/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml
+++ b/detections/endpoint/wermgr_process_spawned_cmd_or_powershell_process.yml
@@ -1,7 +1,7 @@
 name: Wermgr Process Spawned CMD Or Powershell Process
 id: e8fc95bc-a107-11eb-a978-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/wget_download_and_bash_execution.yml b/detections/endpoint/wget_download_and_bash_execution.yml
index 58e34abd66..6b50b76a08 100644
--- a/detections/endpoint/wget_download_and_bash_execution.yml
+++ b/detections/endpoint/wget_download_and_bash_execution.yml
@@ -1,7 +1,7 @@
 name: Wget Download and Bash Execution
 id: 35682718-5a85-11ec-b8f7-acde48001122
-version: 8
-date: '2024-12-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk, DipsyTipsy
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
index 37bf2399d9..f9c5387638 100644
--- a/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
+++ b/detections/endpoint/windows_access_token_manipulation_sedebugprivilege.yml
@@ -1,7 +1,7 @@
 name: Windows Access Token Manipulation SeDebugPrivilege
 id: 6ece9ed0-5f92-4315-889d-48560472b188
-version: 13
-date: '2025-03-27'
+version: 14
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml b/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml
index 957a0d2fda..a335a5de6d 100644
--- a/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml
+++ b/detections/endpoint/windows_access_token_manipulation_winlogon_duplicate_token_handle.yml
@@ -1,7 +1,7 @@
 name: Windows Access Token Manipulation Winlogon Duplicate Token Handle
 id: dda126d7-1d99-4f0b-b72a-4c14031f9398
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml
index 1fafbf3d87..47aef1c39b 100644
--- a/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml
+++ b/detections/endpoint/windows_access_token_winlogon_duplicate_handle_in_uncommon_path.yml
@@ -1,7 +1,7 @@
 name: Windows Access Token Winlogon Duplicate Handle In Uncommon Path
 id: b8f7ed6b-0556-4c84-bffd-839c262b0278
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml
index 599f0d52c1..74517ba93a 100644
--- a/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml
+++ b/detections/endpoint/windows_account_access_removal_via_logoff_exec.yml
@@ -1,7 +1,7 @@
 name: Windows Account Access Removal via Logoff Exec
 id: 223572ab-8768-4e20-9b39-c38707af80dc
-version: 3
-date: '2025-02-10'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 1
diff --git a/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml b/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml
index 8a24683df4..bf8fefed5e 100644
--- a/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml
+++ b/detections/endpoint/windows_account_discovery_for_none_disable_user_account.yml
@@ -1,7 +1,7 @@
 name: Windows Account Discovery for None Disable User Account
 id: eddbf5ba-b89e-47ca-995e-2d259804e55e
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_account_discovery_for_sam_account_name.yml b/detections/endpoint/windows_account_discovery_for_sam_account_name.yml
index a9c8b57f1a..b53ea959e1 100644
--- a/detections/endpoint/windows_account_discovery_for_sam_account_name.yml
+++ b/detections/endpoint/windows_account_discovery_for_sam_account_name.yml
@@ -1,7 +1,7 @@
 name: Windows Account Discovery for Sam Account Name
 id: 69934363-e1dd-4c49-8651-9d7663dd4d2f
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml b/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml
index 64367c7e25..cad3417a46 100644
--- a/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml
+++ b/detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml
@@ -1,7 +1,7 @@
 name: Windows Account Discovery With NetUser PreauthNotRequire
 id: cf056b65-44b2-4d32-9172-d6b6f081a376
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml
index 30e8c78866..8bb6f9b1cc 100644
--- a/detections/endpoint/windows_ad_abnormal_object_access_activity.yml
+++ b/detections/endpoint/windows_ad_abnormal_object_access_activity.yml
@@ -1,7 +1,7 @@
 name: Windows AD Abnormal Object Access Activity
 id: 71b289db-5f2c-4c43-8256-8bf26ae7324a
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_ad_add_self_to_group.yml b/detections/endpoint/windows_ad_add_self_to_group.yml
index 1ead9a85bb..cb5a402741 100644
--- a/detections/endpoint/windows_ad_add_self_to_group.yml
+++ b/detections/endpoint/windows_ad_add_self_to_group.yml
@@ -1,7 +1,7 @@
 name: Windows AD add Self to Group
 id: 065f2701-b7ea-42f5-9ec4-fbc2261165f9
-version: '4'
-date: '2025-03-14'
+version: 5
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml b/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
index 1aa986e497..ca485847df 100644
--- a/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
+++ b/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
@@ -1,7 +1,7 @@
 name: Windows AD AdminSDHolder ACL Modified
 id: 00d877c3-7b7b-443d-9562-6b231e2abab9
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Dean Luxton, Splunk
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml b/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml
index 10aae41670..99e8e46277 100644
--- a/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml
+++ b/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml
@@ -1,7 +1,7 @@
 name: Windows AD Cross Domain SID History Addition
 id: 41bbb371-28ba-439c-bb5c-d9930c28365d
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Dean Luxton
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_ad_dangerous_deny_acl_modification.yml b/detections/endpoint/windows_ad_dangerous_deny_acl_modification.yml
index 8137dd2fb4..d7bcff73c5 100644
--- a/detections/endpoint/windows_ad_dangerous_deny_acl_modification.yml
+++ b/detections/endpoint/windows_ad_dangerous_deny_acl_modification.yml
@@ -1,7 +1,7 @@
 name: Windows AD Dangerous Deny ACL Modification
 id: 8e897153-2ebd-4cb2-85d3-09ad57db2fb7
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_ad_dangerous_group_acl_modification.yml b/detections/endpoint/windows_ad_dangerous_group_acl_modification.yml
index 2c4b8152a2..d9bd5263cf 100644
--- a/detections/endpoint/windows_ad_dangerous_group_acl_modification.yml
+++ b/detections/endpoint/windows_ad_dangerous_group_acl_modification.yml
@@ -1,7 +1,7 @@
 name: Windows AD Dangerous Group ACL Modification
 id: 59b0fc85-7a0d-4585-97ec-06a382801990
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_ad_dangerous_user_acl_modification.yml b/detections/endpoint/windows_ad_dangerous_user_acl_modification.yml
index 50a4431520..8ea7d16252 100644
--- a/detections/endpoint/windows_ad_dangerous_user_acl_modification.yml
+++ b/detections/endpoint/windows_ad_dangerous_user_acl_modification.yml
@@ -1,7 +1,7 @@
 name: Windows AD Dangerous User ACL Modification
 id: ec5b6790-595a-4fb8-ad43-56e5b55a9617
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_ad_dcshadow_privileges_acl_addition.yml b/detections/endpoint/windows_ad_dcshadow_privileges_acl_addition.yml
index 2f0dfc601c..d32f14de2b 100644
--- a/detections/endpoint/windows_ad_dcshadow_privileges_acl_addition.yml
+++ b/detections/endpoint/windows_ad_dcshadow_privileges_acl_addition.yml
@@ -1,7 +1,7 @@
 name: Windows AD DCShadow Privileges ACL Addition
 id: ae915743-1aa8-4a94-975c-8062ebc8b723
-version: 5
-date: '2025-02-17'
+version: 6
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml b/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml
index b50f9f3601..bfe31597a6 100644
--- a/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml
+++ b/detections/endpoint/windows_ad_domain_controller_audit_policy_disabled.yml
@@ -1,7 +1,7 @@
 name: Windows AD Domain Controller Audit Policy Disabled
 id: fc3ccef1-60a4-4239-bd66-b279511b4d14
-version: 5
-date: '2025-01-28'
+version: 6
+date: '2025-05-02'
 author: Dean Luxton
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_ad_domain_controller_promotion.yml b/detections/endpoint/windows_ad_domain_controller_promotion.yml
index e24eb768b5..bc8fd9d48a 100644
--- a/detections/endpoint/windows_ad_domain_controller_promotion.yml
+++ b/detections/endpoint/windows_ad_domain_controller_promotion.yml
@@ -1,7 +1,7 @@
 name: Windows AD Domain Controller Promotion
 id: e633a0ef-2a6e-4ed7-b925-5ff999e5d1f0
-version: 5
-date: '2024-12-10'
+version: 6
+date: '2025-05-02'
 author: Dean Luxton
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
index 1b5d4510fe..d1a90a89dd 100644
--- a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
+++ b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
@@ -1,7 +1,7 @@
 name: Windows AD Domain Replication ACL Addition
 id: 8c372853-f459-4995-afdc-280c114d33ab
-version: 9
-date: '2024-12-10'
+version: 10
+date: '2025-05-02'
 author: Dean Luxton
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_ad_domain_root_acl_deletion.yml b/detections/endpoint/windows_ad_domain_root_acl_deletion.yml
index 975ecf1e0b..cdd0b957f4 100644
--- a/detections/endpoint/windows_ad_domain_root_acl_deletion.yml
+++ b/detections/endpoint/windows_ad_domain_root_acl_deletion.yml
@@ -1,7 +1,7 @@
 name: Windows AD Domain Root ACL Deletion
 id: 3cb56e57-5642-4638-907f-8dfde9afb889
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_ad_domain_root_acl_modification.yml b/detections/endpoint/windows_ad_domain_root_acl_modification.yml
index 0fa0eea7ff..5d9483da81 100644
--- a/detections/endpoint/windows_ad_domain_root_acl_modification.yml
+++ b/detections/endpoint/windows_ad_domain_root_acl_modification.yml
@@ -1,7 +1,7 @@
 name: Windows AD Domain Root ACL Modification
 id: 4981e2db-1372-440d-816e-3e7e2ed74433
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_ad_dsrm_account_changes.yml b/detections/endpoint/windows_ad_dsrm_account_changes.yml
index 172a75fe1a..c38e0bb87f 100644
--- a/detections/endpoint/windows_ad_dsrm_account_changes.yml
+++ b/detections/endpoint/windows_ad_dsrm_account_changes.yml
@@ -1,7 +1,7 @@
 name: Windows AD DSRM Account Changes
 id: 08cb291e-ea77-48e8-a95a-0799319bf056
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Dean Luxton
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_ad_dsrm_password_reset.yml b/detections/endpoint/windows_ad_dsrm_password_reset.yml
index 6544238451..f69895a43c 100644
--- a/detections/endpoint/windows_ad_dsrm_password_reset.yml
+++ b/detections/endpoint/windows_ad_dsrm_password_reset.yml
@@ -1,7 +1,7 @@
 name: Windows AD DSRM Password Reset
 id: d1ab841c-36a6-46cf-b50f-b2b04b31182a
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-05-02'
 author: Dean Luxton
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_ad_gpo_deleted.yml b/detections/endpoint/windows_ad_gpo_deleted.yml
index 18cd993086..59e93ae620 100644
--- a/detections/endpoint/windows_ad_gpo_deleted.yml
+++ b/detections/endpoint/windows_ad_gpo_deleted.yml
@@ -1,7 +1,7 @@
 name: Windows AD GPO Deleted
 id: 0d41772b-35ab-4e1c-a2ba-d0b455481aee
-version: 5
-date: '2025-02-17'
+version: 6
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_ad_gpo_disabled.yml b/detections/endpoint/windows_ad_gpo_disabled.yml
index 4e19e9e2fe..f9cee26c6d 100644
--- a/detections/endpoint/windows_ad_gpo_disabled.yml
+++ b/detections/endpoint/windows_ad_gpo_disabled.yml
@@ -1,7 +1,7 @@
 name: Windows AD GPO Disabled
 id: 72793bc0-c0cd-400e-9e60-fdf36f278917
-version: 5
-date: '2025-02-17'
+version: 6
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_ad_gpo_new_cse_addition.yml b/detections/endpoint/windows_ad_gpo_new_cse_addition.yml
index 3d3c84a333..7632593231 100644
--- a/detections/endpoint/windows_ad_gpo_new_cse_addition.yml
+++ b/detections/endpoint/windows_ad_gpo_new_cse_addition.yml
@@ -1,7 +1,7 @@
 name: Windows AD GPO New CSE Addition
 id: 700c11d1-da09-47b2-81aa-358c143c7986
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_ad_hidden_ou_creation.yml b/detections/endpoint/windows_ad_hidden_ou_creation.yml
index a1c09abd68..61048eb1db 100644
--- a/detections/endpoint/windows_ad_hidden_ou_creation.yml
+++ b/detections/endpoint/windows_ad_hidden_ou_creation.yml
@@ -1,7 +1,7 @@
 name: Windows AD Hidden OU Creation
 id: 66b6ad5e-339a-40af-b721-dacefc7bdb75
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_ad_object_owner_updated.yml b/detections/endpoint/windows_ad_object_owner_updated.yml
index a9d80aa33b..f996e63db6 100644
--- a/detections/endpoint/windows_ad_object_owner_updated.yml
+++ b/detections/endpoint/windows_ad_object_owner_updated.yml
@@ -1,7 +1,7 @@
 name: Windows AD Object Owner Updated
 id: 4af01f6b-d8d4-4f96-8635-758a01557130
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml b/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml
index e1007c4097..5c216caeb2 100644
--- a/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml
+++ b/detections/endpoint/windows_ad_privileged_account_sid_history_addition.yml
@@ -1,7 +1,7 @@
 name: Windows AD Privileged Account SID History Addition
 id: 6b521149-b91c-43aa-ba97-c2cac59ec830
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Dean Luxton
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_ad_privileged_group_modification.yml b/detections/endpoint/windows_ad_privileged_group_modification.yml
index 1d45a23098..8f2896cdc7 100644
--- a/detections/endpoint/windows_ad_privileged_group_modification.yml
+++ b/detections/endpoint/windows_ad_privileged_group_modification.yml
@@ -1,7 +1,7 @@
 name: Windows AD Privileged Group Modification
 id: 187bf937-c436-4c65-bbcb-7539ffe02da1
-version: 4
-date: '2025-01-21'
+version: 5
+date: '2025-05-02'
 author: Dean Luxton
 status: experimental
 type: TTP
diff --git a/detections/endpoint/windows_ad_privileged_object_access_activity.yml b/detections/endpoint/windows_ad_privileged_object_access_activity.yml
index 505c7fd59b..c370362c32 100644
--- a/detections/endpoint/windows_ad_privileged_object_access_activity.yml
+++ b/detections/endpoint/windows_ad_privileged_object_access_activity.yml
@@ -1,7 +1,7 @@
 name: Windows AD Privileged Object Access Activity
 id: dc2f58bc-8cd2-4e51-962a-694b963acde0
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml b/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml
index c47b90a791..e7b1102eba 100644
--- a/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml
+++ b/detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml
@@ -1,7 +1,7 @@
 name: Windows AD Replication Request Initiated by User Account
 id: 51307514-1236-49f6-8686-d46d93cc2821
-version: 9
-date: '2025-03-27'
+version: 10
+date: '2025-05-02'
 author: Dean Luxton
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml b/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml
index 93371cf3da..b8f1228ff1 100644
--- a/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml
+++ b/detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml
@@ -1,7 +1,7 @@
 name: Windows AD Replication Request Initiated from Unsanctioned Location
 id: 50998483-bb15-457b-a870-965080d9e3d3
-version: 10
-date: '2025-03-27'
+version: 11
+date: '2025-05-02'
 author: Dean Luxton
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml b/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml
index 3377cde418..1fd6c3fd71 100644
--- a/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml
+++ b/detections/endpoint/windows_ad_same_domain_sid_history_addition.yml
@@ -1,7 +1,7 @@
 name: Windows AD Same Domain SID History Addition
 id: 5fde0b7c-df7a-40b1-9b3a-294c00f0289d
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Dean Luxton
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_ad_self_dacl_assignment.yml b/detections/endpoint/windows_ad_self_dacl_assignment.yml
index 03193bbd54..cbee7f3f11 100644
--- a/detections/endpoint/windows_ad_self_dacl_assignment.yml
+++ b/detections/endpoint/windows_ad_self_dacl_assignment.yml
@@ -1,7 +1,7 @@
 name: Windows AD Self DACL Assignment
 id: 16132445-da9f-4d03-ad44-56d717dcd67d
-version: 5
-date: '2025-02-17'
+version: 6
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml
index 8178c2a2b3..efc3d3f2f9 100644
--- a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml
+++ b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml
@@ -1,7 +1,7 @@
 name: Windows AD ServicePrincipalName Added To Domain Account
 id: 8a1259cb-0ea7-409c-8bfe-74bad89259f9
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml b/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml
index 1494a1eb86..1a8f7636a7 100644
--- a/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml
+++ b/detections/endpoint/windows_ad_short_lived_domain_account_serviceprincipalname.yml
@@ -1,7 +1,7 @@
 name: Windows AD Short Lived Domain Account ServicePrincipalName
 id: b681977c-d90c-4efc-81a5-c58f945fb541
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml b/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml
index 7335163c57..d2b203c9ef 100644
--- a/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml
+++ b/detections/endpoint/windows_ad_short_lived_domain_controller_spn_attribute.yml
@@ -1,7 +1,7 @@
 name: Windows AD Short Lived Domain Controller SPN Attribute
 id: 57e27f27-369c-4df8-af08-e8c7ee8373d4
-version: 8
-date: '2024-12-10'
+version: 9
+date: '2025-05-02'
 author: Dean Luxton
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_ad_short_lived_server_object.yml b/detections/endpoint/windows_ad_short_lived_server_object.yml
index 1dae156a44..7139b8db12 100644
--- a/detections/endpoint/windows_ad_short_lived_server_object.yml
+++ b/detections/endpoint/windows_ad_short_lived_server_object.yml
@@ -1,7 +1,7 @@
 name: Windows AD Short Lived Server Object
 id: 193769d3-1e33-43a9-970e-ad4a88256cdb
-version: 7
-date: '2024-12-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_ad_sid_history_attribute_modified.yml b/detections/endpoint/windows_ad_sid_history_attribute_modified.yml
index 65a1e2eedf..4fc35801b0 100644
--- a/detections/endpoint/windows_ad_sid_history_attribute_modified.yml
+++ b/detections/endpoint/windows_ad_sid_history_attribute_modified.yml
@@ -1,7 +1,7 @@
 name: Windows AD SID History Attribute Modified
 id: 1155e47d-307f-4247-beab-71071e3a458c
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_ad_suspicious_attribute_modification.yml b/detections/endpoint/windows_ad_suspicious_attribute_modification.yml
index 9abcb7be02..be0ad41b19 100644
--- a/detections/endpoint/windows_ad_suspicious_attribute_modification.yml
+++ b/detections/endpoint/windows_ad_suspicious_attribute_modification.yml
@@ -1,7 +1,7 @@
 name: Windows AD Suspicious Attribute Modification
 id: 5682052e-ce55-4f9f-8d28-59191420b7e0
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_ad_suspicious_gpo_modification.yml b/detections/endpoint/windows_ad_suspicious_gpo_modification.yml
index 05065e1dbb..26a0926972 100644
--- a/detections/endpoint/windows_ad_suspicious_gpo_modification.yml
+++ b/detections/endpoint/windows_ad_suspicious_gpo_modification.yml
@@ -1,7 +1,7 @@
 name: Windows AD Suspicious GPO Modification
 id: 0a2afc18-a3b5-4452-b60a-2e774214f9bf
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Dean Luxton
 status: experimental
 type: TTP
@@ -81,6 +81,6 @@ tests:
 - name: True Positive Test
 attack_data:
 - data:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/gpo_new_cse/windows-security.log
+ https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1484.001/group_policy_new_cse/windows-security.log
 source: XmlWinEventLog:Security
 sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_adfind_exe.yml b/detections/endpoint/windows_adfind_exe.yml
index 1774fe2ceb..1f554b4589 100644
--- a/detections/endpoint/windows_adfind_exe.yml
+++ b/detections/endpoint/windows_adfind_exe.yml
@@ -1,7 +1,7 @@
 name: Windows AdFind Exe
 id: bd3b0187-189b-46c0-be45-f52da2bae67f
 version: 9
-date: '2025-04-24'
+date: '2025-05-02'
 author: Jose Hernandez, Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_admin_permission_discovery.yml b/detections/endpoint/windows_admin_permission_discovery.yml
index 3d8dd32080..5c4e3a6ba7 100644
--- a/detections/endpoint/windows_admin_permission_discovery.yml
+++ b/detections/endpoint/windows_admin_permission_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows Admin Permission Discovery
 id: e08620cb-9488-4052-832d-97bcc0afd414
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
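Review bot: The renamed dataset path on the new `data:` line is still fetched from the `master` ref of the attack_data repository with no commit or checksum pin, so the detection test now depends on the upstream directory `group_policy_new_cse` staying at that location and keeping the same contents. If this rename tracks a directory move upstream, consider pinning the URL to the commit that introduced the new directory (a commit SHA in place of `master` in the media URL) so the test is reproducible and a later upstream move fails loudly instead of silently changing what the test ingests. I cannot confirm from the hunk that the new path currently resolves. The enclosing `tests:` list starts outside the hunk.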
diff --git a/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml b/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml
index 7d73d70f51..af6b4720b9 100644
--- a/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml
+++ b/detections/endpoint/windows_administrative_shares_accessed_on_multiple_hosts.yml
@@ -1,7 +1,7 @@
 name: Windows Administrative Shares Accessed On Multiple Hosts
 id: d92f2d95-05fb-48a7-910f-4d3d61ab8655
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml
index 4194594106..e21db73259 100644
--- a/detections/endpoint/windows_admon_default_group_policy_object_modified.yml
+++ b/detections/endpoint/windows_admon_default_group_policy_object_modified.yml
@@ -1,7 +1,7 @@
 name: Windows Admon Default Group Policy Object Modified
 id: 83458004-db60-4170-857d-8572f16f070b
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_admon_group_policy_object_created.yml b/detections/endpoint/windows_admon_group_policy_object_created.yml
index 88224156c8..c867496152 100644
--- a/detections/endpoint/windows_admon_group_policy_object_created.yml
+++ b/detections/endpoint/windows_admon_group_policy_object_created.yml
@@ -1,7 +1,7 @@
 name: Windows Admon Group Policy Object Created
 id: 69201633-30d9-48ef-b1b6-e680805f0582
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_alternate_datastream___base64_content.yml b/detections/endpoint/windows_alternate_datastream___base64_content.yml
index 1758727515..8dfb862bfc 100644
--- a/detections/endpoint/windows_alternate_datastream___base64_content.yml
+++ b/detections/endpoint/windows_alternate_datastream___base64_content.yml
@@ -1,7 +1,7 @@
 name: Windows Alternate DataStream - Base64 Content
 id: 683f48de-982f-4a7e-9aac-9cec550da498
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Steven Dick, Teoderick Contreras, Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_alternate_datastream___executable_content.yml b/detections/endpoint/windows_alternate_datastream___executable_content.yml
index cda4b2b06f..3360939017 100644
--- a/detections/endpoint/windows_alternate_datastream___executable_content.yml
+++ b/detections/endpoint/windows_alternate_datastream___executable_content.yml
@@ -1,7 +1,7 @@
 name: Windows Alternate DataStream - Executable Content
 id: a258bf2a-34fd-4986-8086-78f506e00206
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Steven Dick, Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_alternate_datastream___process_execution.yml b/detections/endpoint/windows_alternate_datastream___process_execution.yml
index 1cae1265a4..576597b930 100644
--- a/detections/endpoint/windows_alternate_datastream___process_execution.yml
+++ b/detections/endpoint/windows_alternate_datastream___process_execution.yml
@@ -1,7 +1,7 @@
 name: Windows Alternate DataStream - Process Execution
 id: 30c32c5c-41fe-45db-84fe-275e4320da3f
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_anonymous_pipe_activity.yml b/detections/endpoint/windows_anonymous_pipe_activity.yml
index 436311b403..7e3042a851 100644
--- a/detections/endpoint/windows_anonymous_pipe_activity.yml
+++ b/detections/endpoint/windows_anonymous_pipe_activity.yml
@@ -1,7 +1,7 @@
 name: Windows Anonymous Pipe Activity
 id: ee301e1e-cd81-4011-a911-e5f049b9e3d5
-version: '2'
-date: '2025-03-19'
+version: 3
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_apache_benchmark_binary.yml b/detections/endpoint/windows_apache_benchmark_binary.yml
index 0eeb929b32..2a1d741fa3 100644
--- a/detections/endpoint/windows_apache_benchmark_binary.yml
+++ b/detections/endpoint/windows_apache_benchmark_binary.yml
@@ -1,7 +1,7 @@
 name: Windows Apache Benchmark Binary
 id: 894f48ea-8d85-4dcd-9132-c66cdb407c9b
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml b/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml
index 4894189065..ee29f28790 100644
--- a/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml
+++ b/detections/endpoint/windows_app_layer_protocol_qakbot_namedpipe.yml
@@ -1,7 +1,7 @@
 name: Windows App Layer Protocol Qakbot NamedPipe
 id: 63a2c15e-9448-43c5-a4a8-9852266aaada
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml b/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml
index 0ac5f7d14c..4958f12705 100644
--- a/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml
+++ b/detections/endpoint/windows_app_layer_protocol_wermgr_connect_to_namedpipe.yml
@@ -1,7 +1,7 @@
 name: Windows App Layer Protocol Wermgr Connect To NamedPipe
 id: 2f3a4092-548b-421c-9caa-84918e1787ef
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml b/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml
index a190303aa9..0397da0f31 100644
--- a/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml
+++ b/detections/endpoint/windows_application_layer_protocol_rms_radmin_tool_namedpipe.yml
@@ -1,7 +1,7 @@
 name: Windows Application Layer Protocol RMS Radmin Tool Namedpipe
 id: b62a6040-49f4-47c8-b3f6-fc1adb952a33
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_applocker_block_events.yml b/detections/endpoint/windows_applocker_block_events.yml
index caf96c1682..7b45e82c11 100644
--- a/detections/endpoint/windows_applocker_block_events.yml
+++ b/detections/endpoint/windows_applocker_block_events.yml
@@ -1,7 +1,7 @@
 name: Windows AppLocker Block Events
 id: e369afe8-cd35-47a3-9c1e-d813efc1f7dd
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source: []
 type: Anomaly
diff --git a/detections/endpoint/windows_applocker_execution_from_uncommon_locations.yml b/detections/endpoint/windows_applocker_execution_from_uncommon_locations.yml
index f82845eaee..a654687644 100644
--- a/detections/endpoint/windows_applocker_execution_from_uncommon_locations.yml
+++ b/detections/endpoint/windows_applocker_execution_from_uncommon_locations.yml
@@ -1,7 +1,7 @@
 name: Windows AppLocker Execution from Uncommon Locations
 id: d57ce957-151a-4aec-ada5-5fb1eb555b6b
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source: []
 type: Hunting
diff --git a/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml b/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml
index 1e44b50ad4..cfad624385 100644
--- a/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml
+++ b/detections/endpoint/windows_applocker_privilege_escalation_via_unauthorized_bypass.yml
@@ -1,7 +1,7 @@
 name: Windows AppLocker Privilege Escalation via Unauthorized Bypass
 id: bca48629-7fa2-40d3-9e5d-807564504e28
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source: []
 type: TTP
diff --git a/detections/endpoint/windows_applocker_rare_application_launch_detection.yml b/detections/endpoint/windows_applocker_rare_application_launch_detection.yml
index 937dc27423..39b2ea2f8f 100644
--- a/detections/endpoint/windows_applocker_rare_application_launch_detection.yml
+++ b/detections/endpoint/windows_applocker_rare_application_launch_detection.yml
@@ -1,7 +1,7 @@
 name: Windows AppLocker Rare Application Launch Detection
 id: 9556f7b7-285f-4f18-8eeb-963d989f9d27
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source: []
 type: Hunting
diff --git a/detections/endpoint/windows_archive_collected_data_via_powershell.yml b/detections/endpoint/windows_archive_collected_data_via_powershell.yml
index de6f75f6bc..695e307916 100644
--- a/detections/endpoint/windows_archive_collected_data_via_powershell.yml
+++ b/detections/endpoint/windows_archive_collected_data_via_powershell.yml
@@ -1,7 +1,7 @@
 name: Windows Archive Collected Data via Powershell
 id: 74c5a3b0-27a7-463c-9d00-1a5bb12cb7b5
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_archive_collected_data_via_rar.yml b/detections/endpoint/windows_archive_collected_data_via_rar.yml
index bdd86d5ef6..f2d22c5c35 100644
--- a/detections/endpoint/windows_archive_collected_data_via_rar.yml
+++ b/detections/endpoint/windows_archive_collected_data_via_rar.yml
@@ -1,7 +1,7 @@
 name: Windows Archive Collected Data via Rar
 id: 2015de95-fe91-413d-9d62-2fe011b67e82
-version: 8
-date: '2025-03-27'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml
index dcaa192a1b..145c37fdcb 100644
--- a/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml
+++ b/detections/endpoint/windows_archived_collected_data_in_temp_folder.yml
@@ -1,7 +1,7 @@
 name: Windows Archived Collected Data In TEMP Folder
 id: cb56a1ea-e0b1-46d5-913f-e024cba40cbe
-version: 4
-date: '2025-02-17'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 11
diff --git a/detections/endpoint/windows_attempt_to_stop_security_service.yml b/detections/endpoint/windows_attempt_to_stop_security_service.yml
index 728c42cfff..eca7483d4e 100644
--- a/detections/endpoint/windows_attempt_to_stop_security_service.yml
+++ b/detections/endpoint/windows_attempt_to_stop_security_service.yml
@@ -1,7 +1,7 @@
 name: Windows Attempt To Stop Security Service
 id: 9ed27cea-4e27-4eff-b2c6-aac9e78a7517
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-05-02'
 author: Rico Valdez, Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_audit_policy_auditing_option_disabled_via_auditpol.yml b/detections/endpoint/windows_audit_policy_auditing_option_disabled_via_auditpol.yml
index 549bc40c6f..4828322de8 100644
--- a/detections/endpoint/windows_audit_policy_auditing_option_disabled_via_auditpol.yml
+++ b/detections/endpoint/windows_audit_policy_auditing_option_disabled_via_auditpol.yml
@@ -1,7 +1,7 @@
 name: Windows Audit Policy Auditing Option Disabled via Auditpol
 id: 663a7a50-b752-4c84-975b-8325ca3f6f9e
-version: 2
-date: '2025-01-27'
+version: 3
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_audit_policy_auditing_option_modified___registry.yml b/detections/endpoint/windows_audit_policy_auditing_option_modified___registry.yml
index 1e3d89909a..66ead1ff9c 100644
--- a/detections/endpoint/windows_audit_policy_auditing_option_modified___registry.yml
+++ b/detections/endpoint/windows_audit_policy_auditing_option_modified___registry.yml
@@ -1,7 +1,7 @@
 name: Windows Audit Policy Auditing Option Modified - Registry
 id: 27914692-9c62-44ea-9129-ceb429b61bd0
-version: 2
-date: '2025-01-27'
+version: 3
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_audit_policy_cleared_via_auditpol.yml b/detections/endpoint/windows_audit_policy_cleared_via_auditpol.yml
index 264a9ee360..1dbea58865 100644
--- a/detections/endpoint/windows_audit_policy_cleared_via_auditpol.yml
+++ b/detections/endpoint/windows_audit_policy_cleared_via_auditpol.yml
@@ -1,7 +1,7 @@
 name: Windows Audit Policy Cleared via Auditpol
 id: f067f7cf-f41b-4a60-985e-c23e268a13cb
-version: 2
-date: '2025-01-27'
+version: 3
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_audit_policy_disabled_via_auditpol.yml b/detections/endpoint/windows_audit_policy_disabled_via_auditpol.yml
index 3788280ede..ad3946bfd3 100644
--- a/detections/endpoint/windows_audit_policy_disabled_via_auditpol.yml
+++ b/detections/endpoint/windows_audit_policy_disabled_via_auditpol.yml
@@ -1,7 +1,7 @@
 name: Windows Audit Policy Disabled via Auditpol
 id: 14e008e5-6723-4298-b0d4-e95b24e10c18
-version: 2
-date: '2025-01-27'
+version: 3
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_audit_policy_disabled_via_legacy_auditpol.yml b/detections/endpoint/windows_audit_policy_disabled_via_legacy_auditpol.yml
index d9c6be0038..ab101e4419 100644
--- a/detections/endpoint/windows_audit_policy_disabled_via_legacy_auditpol.yml
+++ b/detections/endpoint/windows_audit_policy_disabled_via_legacy_auditpol.yml
@@ -1,7 +1,7 @@
 name: Windows Audit Policy Disabled via Legacy Auditpol
 id: d2cef287-c2b7-4496-a609-7a548c1e27f9
-version: 2
-date: '2025-01-27'
+version: 3
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_audit_policy_excluded_category_via_auditpol.yml b/detections/endpoint/windows_audit_policy_excluded_category_via_auditpol.yml
index 75316db8d9..af286cb839 100644
--- a/detections/endpoint/windows_audit_policy_excluded_category_via_auditpol.yml
+++ b/detections/endpoint/windows_audit_policy_excluded_category_via_auditpol.yml
@@ -1,7 +1,7 @@
 name: Windows Audit Policy Excluded Category via Auditpol
 id: 083708d4-d763-4ba2-87ac-105b526de81a
-version: 2
-date: '2025-01-27'
+version: 3
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_audit_policy_restored_via_auditpol.yml b/detections/endpoint/windows_audit_policy_restored_via_auditpol.yml
index 078c29d161..b794f70395 100644
--- a/detections/endpoint/windows_audit_policy_restored_via_auditpol.yml
+++ b/detections/endpoint/windows_audit_policy_restored_via_auditpol.yml
@@ -1,7 +1,7 @@
 name: Windows Audit Policy Restored via Auditpol
 id: d7d1795b-ea18-47e5-9ca6-2c330d052d21
-version: 2
-date: '2025-01-27'
+version: 3
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_audit_policy_security_descriptor_tampering_via_auditpol.yml b/detections/endpoint/windows_audit_policy_security_descriptor_tampering_via_auditpol.yml
index cd18f233b6..fe685af9f5 100644
--- a/detections/endpoint/windows_audit_policy_security_descriptor_tampering_via_auditpol.yml
+++ b/detections/endpoint/windows_audit_policy_security_descriptor_tampering_via_auditpol.yml
@@ -1,7 +1,7 @@
 name: Windows Audit Policy Security Descriptor Tampering via Auditpol
 id: 5628e0b7-73dc-4f1b-b37a-6e68efc2225f
-version: 2
-date: '2025-01-27'
+version: 3
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_autoit3_execution.yml b/detections/endpoint/windows_autoit3_execution.yml
index a2398203c5..45aac6e49d 100644
--- a/detections/endpoint/windows_autoit3_execution.yml
+++ b/detections/endpoint/windows_autoit3_execution.yml
@@ -1,7 +1,7 @@
 name: Windows AutoIt3 Execution
 id: 0ecb40d9-492b-4a57-9f87-515dd742794c
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml b/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml
index 852104ebfd..674ef1bc5e 100644
--- a/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml
+++ b/detections/endpoint/windows_autostart_execution_lsass_driver_registry_modification.yml
@@ -1,7 +1,7 @@
 name: Windows Autostart Execution LSASS Driver Registry Modification
 id: 57fb8656-141e-4d8a-9f51-62cff4ecb82a
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml
index 51fee5d738..7d3a666b4d 100644
--- a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml
+++ b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml
@@ -1,7 +1,7 @@
 name: Windows Binary Proxy Execution Mavinject DLL Injection
 id: ccf4b61b-1b26-4f2e-a089-f2009c569c57
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_bitlocker_suspicious_command_usage.yml b/detections/endpoint/windows_bitlocker_suspicious_command_usage.yml
index 7de5012265..bde1e79e6c 100644
--- a/detections/endpoint/windows_bitlocker_suspicious_command_usage.yml
+++ b/detections/endpoint/windows_bitlocker_suspicious_command_usage.yml
@@ -1,7 +1,7 @@
 name: Windows BitLocker Suspicious Command Usage
 id: d0e6ec70-6e40-41a2-8b93-8d9ff077a746
-version: 2
-date: '2025-02-10'
+version: 3
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_bitlockertogo_process_execution.yml b/detections/endpoint/windows_bitlockertogo_process_execution.yml
index 0c43d19a1c..88150c4e8c 100644
--- a/detections/endpoint/windows_bitlockertogo_process_execution.yml
+++ b/detections/endpoint/windows_bitlockertogo_process_execution.yml
@@ -1,7 +1,7 @@
 name: Windows BitLockerToGo Process Execution
 id: 68cbc9e9-2882-46f2-b636-3b5080589d58
-version: 4
-date: '2025-01-21'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Nasreddine Bencherchali, Splunk
 data_source:
 - Sysmon EventID 1
diff --git a/detections/endpoint/windows_bitlockertogo_with_network_activity.yml b/detections/endpoint/windows_bitlockertogo_with_network_activity.yml
index 1b63c50818..fa2ad933f8 100644
--- a/detections/endpoint/windows_bitlockertogo_with_network_activity.yml
+++ b/detections/endpoint/windows_bitlockertogo_with_network_activity.yml
@@ -1,7 +1,7 @@
 name: Windows BitLockerToGo with Network Activity
 id: 14e3a089-cc23-4f4d-a770-26e44a31fbac
-version: 4
-date: '2025-02-17'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Nasreddine Bencherchali, Splunk
 data_source:
 - Sysmon EventID 22
diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
index 795399eb90..2377901896 100644
--- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
+++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
@@ -1,7 +1,7 @@
 name: Windows Boot or Logon Autostart Execution In Startup Folder
 id: 99d157cb-923f-4a00-aee9-1f385412146f
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_bootloader_inventory.yml b/detections/endpoint/windows_bootloader_inventory.yml
index 7346f0b9f4..0c33ed21cd 100644
--- a/detections/endpoint/windows_bootloader_inventory.yml
+++ b/detections/endpoint/windows_bootloader_inventory.yml
@@ -1,7 +1,7 @@
 name: Windows BootLoader Inventory
 id: 4f7e3913-4db3-4ccd-afe4-31198982305d
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: experimental
 type: Hunting
diff --git a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml
index 062900327d..f5541c2b4a 100644
--- a/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml
+++ b/detections/endpoint/windows_bypass_uac_via_pkgmgr_tool.yml
@@ -1,7 +1,7 @@
 name: Windows Bypass UAC via Pkgmgr Tool
 id: cce58e2c-988a-4319-9390-0daa9eefa3cd
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_cab_file_on_disk.yml b/detections/endpoint/windows_cab_file_on_disk.yml
index 01f19c6419..6f9325a059 100644
--- a/detections/endpoint/windows_cab_file_on_disk.yml
+++ b/detections/endpoint/windows_cab_file_on_disk.yml
@@ -1,7 +1,7 @@
 name: Windows CAB File on Disk
 id: 622f08d0-69ef-42c2-8139-66088bc25acd
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml
index 1ff2fb0c15..b889528dd2 100644
--- a/detections/endpoint/windows_cached_domain_credentials_reg_query.yml
+++ b/detections/endpoint/windows_cached_domain_credentials_reg_query.yml
@@ -1,7 +1,7 @@
 name: Windows Cached Domain Credentials Reg Query
 id: 40ccb8e0-1785-466e-901e-6a8b75c04ecd
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml b/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml
index b6d70e9e17..428a71886e 100644
--- a/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml
+++ b/detections/endpoint/windows_change_default_file_association_for_no_file_ext.yml
@@ -1,7 +1,7 @@
 name: Windows Change Default File Association For No File Ext
 id: dbdf52ad-d6a1-4b68-975f-0a10939d8e38
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml
index d68ccfda48..3593a311f7 100644
--- a/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml
+++ b/detections/endpoint/windows_cisco_secure_endpoint_related_service_stopped.yml
@@ -1,7 +1,7 @@
 name: Windows Cisco Secure Endpoint Related Service Stopped
 id: df74f45f-01c8-4fd6-bcb8-f6a9ea58307a
-version: 1
-date: '2024-12-09'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml b/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml
index 8f4a0ad61f..fc1a208bb5 100644
--- a/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml
+++ b/detections/endpoint/windows_cisco_secure_endpoint_stop_immunet_service_via_sfc.yml
@@ -1,7 +1,7 @@
 name: Windows Cisco Secure Endpoint Stop Immunet Service Via Sfc
 id: 44badcb1-2e8c-4628-9537-021bbae571ad
-version: 2
-date: '2025-02-19'
+version: 3
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml b/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml
index 285dbb9058..1ccb1da072 100644
--- a/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml
+++ b/detections/endpoint/windows_cisco_secure_endpoint_unblock_file_via_sfc.yml
@@ -1,7 +1,7 @@
 name: Windows Cisco Secure Endpoint Unblock File Via Sfc
 id: 9a7a490c-5581-4c95-bab5-a21e351293ef
-version: 2
-date: '2025-02-19'
+version: 3
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml b/detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml
index f36d206b8a..1a652df42b 100644
--- a/detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml
+++ b/detections/endpoint/windows_cisco_secure_endpoint_uninstall_immunet_service_via_sfc.yml
@@ -1,7 +1,7 @@
 name: Windows Cisco Secure Endpoint Uninstall Immunet Service Via Sfc
 id: ba6e7f4d-a85e-4a14-8e7d-41f4b82e3c9a
-version: 2
-date: '2025-02-19'
+version: 3
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml
index 9aaa2e7003..09fc362c30 100644
--- a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml
+++ b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml
@@ -1,7 +1,7 @@
 name: Windows ClipBoard Data via Get-ClipBoard
 id: ab73289e-2246-4de0-a14b-67006c72a893
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
index af36506aad..52f177e87f 100644
--- a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
+++ b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
@@ -1,7 +1,7 @@
 name: Windows Cmdline Tool Execution From Non-Shell Process
 id: 2afa393f-b88d-41b7-9793-623c93a2dfde
-version: 5
-date: '2025-04-22'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml
index c82ec4038a..b6f93ffca8 100644
--- a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml
+++ b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml
@@ -1,7 +1,7 @@
 name: Windows COM Hijacking InprocServer32 Modification
 id: b7bd83c0-92b5-4fc7-b286-23eccfa2c561
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml
index 1dece3a4ec..e6f093c581 100644
--- a/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml
+++ b/detections/endpoint/windows_command_and_scripting_interpreter_hunting_path_traversal.yml
@@ -1,7 +1,7 @@
 name: Windows Command and Scripting Interpreter Hunting Path Traversal
 id: d0026380-b3c4-4da0-ac8e-02790063ff6b
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml
index 2a0691eee7..d4af422bc3 100644
--- a/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml
+++ b/detections/endpoint/windows_command_and_scripting_interpreter_path_traversal_exec.yml
@@ -1,7 +1,7 @@
 name: Windows Command and Scripting Interpreter Path Traversal Exec
 id: 58fcdeb1-728d-415d-b0d7-3ab18a275ec2
-version: 8
-date: '2025-03-27'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml b/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml
index 64bc5bafcc..cd52c2b968 100644
--- a/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml
+++ b/detections/endpoint/windows_command_shell_dcrat_forkbomb_payload.yml
@@ -1,7 +1,7 @@
 name: Windows Command Shell DCRat ForkBomb Payload
 id: 2bb1a362-7aa8-444a-92ed-1987e8da83e1
-version: 8
-date: '2025-02-19'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml b/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml
index 82e13225f3..72b5b0eab9 100644
--- a/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml
+++ b/detections/endpoint/windows_common_abused_cmd_shell_risk_behavior.yml
@@ -1,7 +1,7 @@
 name: Windows Common Abused Cmd Shell Risk Behavior
 id: e99fcc4f-c6b0-4443-aa2a-e3c85126ec9a
-version: 5
-date: '2025-04-16'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Correlation
diff --git a/detections/endpoint/windows_compatibility_telemetry_suspicious_child_process.yml b/detections/endpoint/windows_compatibility_telemetry_suspicious_child_process.yml
index c091ed308c..b204de3304 100644
--- a/detections/endpoint/windows_compatibility_telemetry_suspicious_child_process.yml
+++ b/detections/endpoint/windows_compatibility_telemetry_suspicious_child_process.yml
@@ -1,7 +1,7 @@
 name: Windows Compatibility Telemetry Suspicious Child Process
 id: 56fe46ca-ffef-46fe-8f0e-5cd4b7b4cc0c
-version: 3
-date: '2025-03-27'
+version: 4
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml b/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml
index ffe5838308..e7ee7d2eec 100644
--- a/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml
+++ b/detections/endpoint/windows_compatibility_telemetry_tampering_through_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Compatibility Telemetry Tampering Through Registry
 id: 43834687-cc48-4878-a2fa-f76e4271791f
-version: 3
-date: '2025-03-27'
+version: 4
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_computer_account_created_by_computer_account.yml b/detections/endpoint/windows_computer_account_created_by_computer_account.yml
index 08bdaaf6c2..a5d7a93660 100644
--- a/detections/endpoint/windows_computer_account_created_by_computer_account.yml
+++ b/detections/endpoint/windows_computer_account_created_by_computer_account.yml
@@ -1,7 +1,7 @@
 name: Windows Computer Account Created by Computer Account
 id: 97a8dc5f-8a7c-4fed-9e3e-ec407fd0268a
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml b/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml
index 62e7e4a05d..07b8316a2b 100644
--- a/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml
+++ b/detections/endpoint/windows_computer_account_requesting_kerberos_ticket.yml
@@ -1,7 +1,7 @@
 name: Windows Computer Account Requesting Kerberos Ticket
 id: fb3b2bb3-75a4-4279-848a-165b42624770
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_computer_account_with_spn.yml b/detections/endpoint/windows_computer_account_with_spn.yml
index a452d720e4..f0692fb796 100644
--- a/detections/endpoint/windows_computer_account_with_spn.yml
+++ b/detections/endpoint/windows_computer_account_with_spn.yml
@@ -1,7 +1,7 @@
 name: Windows Computer Account With SPN
 id: 9a3e57e7-33f4-470e-b25d-165baa6e8357
-version: 6
-date: '2024-12-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_conhost_with_headless_argument.yml b/detections/endpoint/windows_conhost_with_headless_argument.yml
index cec110981b..7a6407e8e3 100644
--- a/detections/endpoint/windows_conhost_with_headless_argument.yml
+++ b/detections/endpoint/windows_conhost_with_headless_argument.yml
@@ -1,7 +1,7 @@
 name: Windows ConHost with Headless Argument
 id: d5039508-998d-4cfc-8b5e-9dcd679d9a62
-version: 6
-date: '2024-12-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_consolehost_history_file_deletion.yml b/detections/endpoint/windows_consolehost_history_file_deletion.yml
index cf5889125d..9e5e8355b7 100644
--- a/detections/endpoint/windows_consolehost_history_file_deletion.yml
+++ b/detections/endpoint/windows_consolehost_history_file_deletion.yml
@@ -1,7 +1,7 @@
 name: Windows ConsoleHost History File Deletion
 id: a203040e-f8fd-49bb-8424-d2fabf277322
-version: 1
-date: '2025-03-17'
+version: 2
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_create_local_account.yml b/detections/endpoint/windows_create_local_account.yml
index f6cc478ad7..ae723e17bc 100644
--- a/detections/endpoint/windows_create_local_account.yml
+++ b/detections/endpoint/windows_create_local_account.yml
@@ -1,7 +1,7 @@
 name: Windows Create Local Account
 id: 3fb2e8e3-7bc0-4567-9722-c5ab9f8595eb
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_create_local_administrator_account_via_net.yml b/detections/endpoint/windows_create_local_administrator_account_via_net.yml
index 367fef02af..701ffca78e 100644
--- a/detections/endpoint/windows_create_local_administrator_account_via_net.yml
+++ b/detections/endpoint/windows_create_local_administrator_account_via_net.yml
@@ -1,7 +1,7 @@
 name: Windows Create Local Administrator Account Via Net
 id: 2c568c34-bb57-4b43-9d75-19c605b98e70
-version: '4'
-date: '2025-03-14'
+version: 5
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_credential_access_from_browser_password_store.yml b/detections/endpoint/windows_credential_access_from_browser_password_store.yml
index b81effb5a3..b9223a5576 100644
--- a/detections/endpoint/windows_credential_access_from_browser_password_store.yml
+++ b/detections/endpoint/windows_credential_access_from_browser_password_store.yml
@@ -1,7 +1,7 @@
 name: Windows Credential Access From Browser Password Store
 id: 72013a8e-5cea-408a-9d51-5585386b4d69
-version: 10
-date: '2025-04-16'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Bhavin Patel Splunk
 data_source:
 - Windows Event Log Security 4663
diff --git a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml
index 2d4347504f..968a06a228 100644
--- a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml
+++ b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml
@@ -1,7 +1,7 @@
 name: Windows Credential Dumping LSASS Memory Createdump
 id: b3b7ce35-fce5-4c73-85f4-700aeada81a9
-version: 8
-date: '2024-12-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml b/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml
index 9264cea456..8225018bb6 100644
--- a/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml
+++ b/detections/endpoint/windows_credentials_access_via_vaultcli_module.yml
@@ -1,7 +1,7 @@
 name: Windows Credentials Access via VaultCli Module
 id: c0d89118-3f89-4cd7-8140-1f39e7210681
-version: 4
-date: '2025-02-17'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 7
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml
index 683fa06ed0..553f8f2d50 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml
@@ -1,7 +1,7 @@
 name: Windows Credentials from Password Stores Chrome Copied in TEMP Dir
 id: 4d14c86d-fdee-4393-94da-238d2706902f
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 11
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
index 538d843239..dffcf3d9be 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
@@ -1,7 +1,7 @@
 name: Windows Credentials from Password Stores Chrome Extension Access
 id: 2e65afe0-9a75-4487-bd87-ada9a9f1b9af
-version: 5
-date: '2024-12-10'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
index aac778812c..909d060808 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
@@ -1,7 +1,7 @@
 name: Windows Credentials from Password Stores Chrome LocalState Access
 id: 3b1d09a8-a26f-473e-a510-6c6613573657
-version: 10
-date: '2025-04-16'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
index 1e908f300d..faeb48d7ed 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
@@ -1,7 +1,7 @@
 name: Windows Credentials from Password Stores Chrome Login Data Access
 id: 0d32ba37-80fc-4429-809c-0ba15801aeaf
-version: 10
-date: '2025-04-16'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_credentials_from_password_stores_creation.yml b/detections/endpoint/windows_credentials_from_password_stores_creation.yml
index 9a6b6abe7d..a1fe9b0bfe 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_creation.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_creation.yml
@@ -1,7 +1,7 @@
 name: Windows Credentials from Password Stores Creation
 id: c0c5a479-bf57-4ca0-af3a-4c7081e5ba05
-version: 6
-date: '2024-12-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml
index 5122fd5c0c..eb743fc008 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_deletion.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_deletion.yml
@@ -1,7 +1,7 @@
 name: Windows Credentials from Password Stores Deletion
 id: 46d676aa-40c6-4fe6-b917-d23b621f0f89
-version: 6
-date: '2024-12-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_credentials_from_password_stores_query.yml b/detections/endpoint/windows_credentials_from_password_stores_query.yml
index 797837666c..24cb33a13b 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_query.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_query.yml
@@ -1,7 +1,7 @@
 name: Windows Credentials from Password Stores Query
 id: db02d6b4-5d5b-4c33-8d8f-f0577516a8c7
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml b/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml
index 2280408737..41b1d7c3bf 100644
--- a/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml
+++ b/detections/endpoint/windows_credentials_from_web_browsers_saved_in_temp_folder.yml
@@ -1,7 +1,7 @@
 name: Windows Credentials from Web Browsers Saved in TEMP Folder
 id: b36b23ea-763c-417b-bd4a-6a378dabad1a
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 11
diff --git a/detections/endpoint/windows_credentials_in_registry_reg_query.yml b/detections/endpoint/windows_credentials_in_registry_reg_query.yml
index dda02393bf..dc3b5e978a 100644
--- a/detections/endpoint/windows_credentials_in_registry_reg_query.yml
+++ b/detections/endpoint/windows_credentials_in_registry_reg_query.yml
@@ -1,7 +1,7 @@
 name: Windows Credentials in Registry Reg Query
 id: a8b3124e-2278-4b73-ae9c-585117079fb2
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_curl_download_to_suspicious_path.yml b/detections/endpoint/windows_curl_download_to_suspicious_path.yml
index 799f30ca99..ed5a43f75b 100644
--- a/detections/endpoint/windows_curl_download_to_suspicious_path.yml
+++ b/detections/endpoint/windows_curl_download_to_suspicious_path.yml
@@ -1,7 +1,7 @@
 name: Windows Curl Download to Suspicious Path
 id: c32f091e-30db-11ec-8738-acde48001122
-version: 12
-date: '2025-03-27'
+version: 13
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_curl_upload_to_remote_destination.yml b/detections/endpoint/windows_curl_upload_to_remote_destination.yml
index 19940a77d5..41187a45f9 100644
--- a/detections/endpoint/windows_curl_upload_to_remote_destination.yml
+++ b/detections/endpoint/windows_curl_upload_to_remote_destination.yml
@@ -1,7 +1,7 @@
 name: Windows Curl Upload to Remote Destination
 id: 42f8f1a2-4228-11ec-aade-acde48001122
-version: 8
-date: '2024-12-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml b/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml
index fa4b5093a1..8a81290329 100644
--- a/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml
+++ b/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml
@@ -1,7 +1,7 @@
 name: Windows Data Destruction Recursive Exec Files Deletion
 id: 3596a799-6320-4a2f-8772-a9e98ddb2960
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_debugger_tool_execution.yml b/detections/endpoint/windows_debugger_tool_execution.yml
index 69adeced74..ab9b22d2a3 100644
--- a/detections/endpoint/windows_debugger_tool_execution.yml
+++ b/detections/endpoint/windows_debugger_tool_execution.yml
@@ -1,7 +1,7 @@
 name: Windows Debugger Tool Execution
 id: e14d94a3-07fb-4b47-8406-f5e37180d422
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source: []
 type: Hunting
diff --git a/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml b/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml
index 2475cef1f1..2171e58d2a 100644
--- a/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml
+++ b/detections/endpoint/windows_defacement_modify_transcodedwallpaper_file.yml
@@ -1,7 +1,7 @@
 name: Windows Defacement Modify Transcodedwallpaper File
 id: e11c3d90-5bc7-42ad-94cd-ba75db10d897
-version: 6
-date: '2025-04-22'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_default_group_policy_object_modified.yml b/detections/endpoint/windows_default_group_policy_object_modified.yml
index f0266692e6..ff63d981fb 100644
--- a/detections/endpoint/windows_default_group_policy_object_modified.yml
+++ b/detections/endpoint/windows_default_group_policy_object_modified.yml
@@ -1,7 +1,7 @@
 name: Windows Default Group Policy Object Modified
 id: fe6a6cc4-9e0d-4d66-bcf4-2c7f44860876
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml
index 9e91875a60..72ffef79c0 100644
--- a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml
+++ b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml
@@ -1,7 +1,7 @@
 name: Windows Default Group Policy Object Modified with GPME
 id: eaf688b3-bb8f-454d-b105-920a862cd8cb
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_defender_asr_audit_events.yml b/detections/endpoint/windows_defender_asr_audit_events.yml
index f2ac9fc9c9..99c3c58516 100644
--- a/detections/endpoint/windows_defender_asr_audit_events.yml
+++ b/detections/endpoint/windows_defender_asr_audit_events.yml
@@ -1,7 +1,7 @@
 name: Windows Defender ASR Audit Events
 id: 0e4d46b1-22bd-4f0e-8337-ca6f60ad4bea
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_defender_asr_block_events.yml b/detections/endpoint/windows_defender_asr_block_events.yml
index 2d4c60fb86..b7a402d0e4 100644
--- a/detections/endpoint/windows_defender_asr_block_events.yml
+++ b/detections/endpoint/windows_defender_asr_block_events.yml
@@ -1,7 +1,7 @@
 name: Windows Defender ASR Block Events
 id: 026f5f4e-e99f-4155-9e63-911ba587300b
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_defender_asr_registry_modification.yml b/detections/endpoint/windows_defender_asr_registry_modification.yml
index 2102119480..1eab1bea26 100644
--- a/detections/endpoint/windows_defender_asr_registry_modification.yml
+++ b/detections/endpoint/windows_defender_asr_registry_modification.yml
@@ -1,7 +1,7 @@
 name: Windows Defender ASR Registry Modification
 id: 6a1b6cbe-6612-44c3-92b9-1a1bd77412eb
-version: 6
-date: '2025-04-22'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_defender_asr_rule_disabled.yml b/detections/endpoint/windows_defender_asr_rule_disabled.yml
index c84d262106..03cf5f313b 100644
--- a/detections/endpoint/windows_defender_asr_rule_disabled.yml
+++ b/detections/endpoint/windows_defender_asr_rule_disabled.yml
@@ -1,7 +1,7 @@
 name: Windows Defender ASR Rule Disabled
 id: 429d611b-3183-49a7-b235-fc4203c4e1cb
-version: 6
-date: '2025-04-22'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_defender_asr_rules_stacking.yml b/detections/endpoint/windows_defender_asr_rules_stacking.yml
index 40983214b4..0562d75af3 100644
--- a/detections/endpoint/windows_defender_asr_rules_stacking.yml
+++ b/detections/endpoint/windows_defender_asr_rules_stacking.yml
@@ -1,7 +1,7 @@
 name: Windows Defender ASR Rules Stacking
 id: 425a6657-c5e4-4cbb-909e-fc9e5d326f01
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_defender_exclusion_registry_entry.yml b/detections/endpoint/windows_defender_exclusion_registry_entry.yml
index 4b74ff632d..23adda5993 100644
--- a/detections/endpoint/windows_defender_exclusion_registry_entry.yml
+++ b/detections/endpoint/windows_defender_exclusion_registry_entry.yml
@@ -1,7 +1,7 @@
 name: Windows Defender Exclusion Registry Entry
 id: 13395a44-4dd9-11ec-9df7-acde48001122
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_delete_or_modify_system_firewall.yml b/detections/endpoint/windows_delete_or_modify_system_firewall.yml
index dc7a2fe9f7..2f1a633f92 100644
--- a/detections/endpoint/windows_delete_or_modify_system_firewall.yml
+++ b/detections/endpoint/windows_delete_or_modify_system_firewall.yml
@@ -1,7 +1,7 @@
 name: Windows Delete or Modify System Firewall
 id: b188d11a-eba7-419d-b8b6-cc265b4f2c4f
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml
index 0bf2151398..e41a9d5141 100644
--- a/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml
+++ b/detections/endpoint/windows_deleted_registry_by_a_non_critical_process_file_path.yml
@@ -1,7 +1,7 @@
 name: Windows Deleted Registry By A Non Critical Process File Path
 id: 15e70689-f55b-489e-8a80-6d0cd6d8aad2
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Steven Dick, Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_detect_network_scanner_behavior.yml b/detections/endpoint/windows_detect_network_scanner_behavior.yml
index f87c888d23..5766e54cd4 100644
--- a/detections/endpoint/windows_detect_network_scanner_behavior.yml
+++ b/detections/endpoint/windows_detect_network_scanner_behavior.yml
@@ -1,7 +1,7 @@
 name: Windows Detect Network Scanner Behavior
 id: 78e678d2-bf64-4fe6-aa52-2f7b11dddee7
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_disable_change_password_through_registry.yml b/detections/endpoint/windows_disable_change_password_through_registry.yml
index c2c757fcd0..22be86ed96 100644
--- a/detections/endpoint/windows_disable_change_password_through_registry.yml
+++ b/detections/endpoint/windows_disable_change_password_through_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Disable Change Password Through Registry
 id: 0df33e1a-9ef6-11ec-a1ad-acde48001122
-version: 10
-date: '2025-04-22'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml
index 401f94882b..6538c86d28 100644
--- a/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml
+++ b/detections/endpoint/windows_disable_lock_workstation_feature_through_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Disable Lock Workstation Feature Through Registry
 id: c82adbc6-9f00-11ec-a81f-acde48001122
-version: 10
-date: '2025-04-22'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_disable_logoff_button_through_registry.yml b/detections/endpoint/windows_disable_logoff_button_through_registry.yml
index 77324275fd..e820e6a341 100644
--- a/detections/endpoint/windows_disable_logoff_button_through_registry.yml
+++ b/detections/endpoint/windows_disable_logoff_button_through_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Disable LogOff Button Through Registry
 id: b2fb6830-9ed1-11ec-9fcb-acde48001122
-version: 10
-date: '2025-04-22'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_disable_memory_crash_dump.yml b/detections/endpoint/windows_disable_memory_crash_dump.yml
index faa6ef7862..30007f85f2 100644
--- a/detections/endpoint/windows_disable_memory_crash_dump.yml
+++ b/detections/endpoint/windows_disable_memory_crash_dump.yml
@@ -1,7 +1,7 @@
 name: Windows Disable Memory Crash Dump
 id: 59e54602-9680-11ec-a8a6-acde48001122
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_disable_notification_center.yml b/detections/endpoint/windows_disable_notification_center.yml
index b999630468..4aeedf6c0e 100644
--- a/detections/endpoint/windows_disable_notification_center.yml
+++ b/detections/endpoint/windows_disable_notification_center.yml
@@ -1,7 +1,7 @@
 name: Windows Disable Notification Center
 id: 1cd983c8-8fd6-11ec-a09d-acde48001122
-version: 10
-date: '2025-04-22'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
index d90bf1e93a..009311577b 100644
--- a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
+++ b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
@@ -1,7 +1,7 @@
 name: Windows Disable or Modify Tools Via Taskkill
 id: a43ae66f-c410-4b3d-8741-9ce1ad17ddb0
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_disable_or_stop_browser_process.yml b/detections/endpoint/windows_disable_or_stop_browser_process.yml
index 88afdbd5a2..e4fc999718 100644
--- a/detections/endpoint/windows_disable_or_stop_browser_process.yml
+++ b/detections/endpoint/windows_disable_or_stop_browser_process.yml
@@ -1,7 +1,7 @@
 name: Windows Disable or Stop Browser Process
 id: 220d34b7-b6c7-45fe-8dbb-c35cdd9fe6d5
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 1
diff --git a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml
index 9585e81290..966dab733c 100644
--- a/detections/endpoint/windows_disable_shutdown_button_through_registry.yml
+++ b/detections/endpoint/windows_disable_shutdown_button_through_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Disable Shutdown Button Through Registry
 id: 55fb2958-9ecd-11ec-a06a-acde48001122
-version: 10
-date: '2025-04-22'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml
index fe78f043c8..2dd6003632 100644
--- a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml
+++ b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml
@@ -1,7 +1,7 @@
 name: Windows Disable Windows Event Logging Disable HTTP Logging
 id: 23fb6787-255f-4d5b-9a66-9fd7504032b5
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml
index d1794371f7..35a132b0eb 100644
--- a/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml
+++ b/detections/endpoint/windows_disable_windows_group_policy_features_through_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Disable Windows Group Policy Features Through Registry
 id: 63a449ae-9f04-11ec-945e-acde48001122
-version: 11
-date: '2025-04-22'
+version: 12
+date: '2025-05-02'
 author: Steven Dick, Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_disableantispyware_registry.yml b/detections/endpoint/windows_disableantispyware_registry.yml
index b6771d7af2..5459705433 100644
--- a/detections/endpoint/windows_disableantispyware_registry.yml
+++ b/detections/endpoint/windows_disableantispyware_registry.yml
@@ -1,7 +1,7 @@
 name: Windows DisableAntiSpyware Registry
 id: 23150a40-9301-4195-b802-5bb4f43067fb
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Rod Soto, Jose Hernandez, Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_diskcryptor_usage.yml b/detections/endpoint/windows_diskcryptor_usage.yml
index 4a75eaebcc..77dfc4fd83 100644
--- a/detections/endpoint/windows_diskcryptor_usage.yml
+++ b/detections/endpoint/windows_diskcryptor_usage.yml
@@ -1,7 +1,7 @@
 name: Windows DiskCryptor Usage
 id: d56fe0c8-4650-11ec-a8fa-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_diskshadow_proxy_execution.yml b/detections/endpoint/windows_diskshadow_proxy_execution.yml
index 4e4fff67bc..2e1081a002 100644
--- a/detections/endpoint/windows_diskshadow_proxy_execution.yml
+++ b/detections/endpoint/windows_diskshadow_proxy_execution.yml
@@ -1,7 +1,7 @@
 name: Windows Diskshadow Proxy Execution
 id: 58adae9e-8ea3-11ec-90f6-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Lou Stella, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_dism_install_powershell_web_access.yml b/detections/endpoint/windows_dism_install_powershell_web_access.yml
index 1c14587e4b..f2d9409642 100644
--- a/detections/endpoint/windows_dism_install_powershell_web_access.yml
+++ b/detections/endpoint/windows_dism_install_powershell_web_access.yml
@@ -1,7 +1,7 @@
 name: Windows DISM Install PowerShell Web Access
 id: fa6142a7-c364-4d11-9954-895dd9efb2d4
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source:
 - Windows Event Log Security 4688
diff --git a/detections/endpoint/windows_dism_remove_defender.yml b/detections/endpoint/windows_dism_remove_defender.yml
index 1c39f0fdbb..aff2dd9bb5 100644
--- a/detections/endpoint/windows_dism_remove_defender.yml
+++ b/detections/endpoint/windows_dism_remove_defender.yml
@@ -1,7 +1,7 @@
 name: Windows DISM Remove Defender
 id: 8567da9e-47f0-11ec-99a9-acde48001122
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml b/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml
index ca231603c2..9d6ff98fdf 100644
--- a/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml
+++ b/detections/endpoint/windows_dll_search_order_hijacking_hunt_with_sysmon.yml
@@ -1,7 +1,7 @@
 name: Windows DLL Search Order Hijacking Hunt with Sysmon
 id: 79c7d1fc-64c7-91be-a616-ccda752efe81
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml
index 39a60c4b64..8cfb585ece 100644
--- a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml
+++ b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml
@@ -1,7 +1,7 @@
 name: Windows DLL Search Order Hijacking with iscsicpl
 id: f39ee679-3b1e-4f47-841c-5c3c580acda2
-version: 8
-date: '2024-12-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_dll_side_loading_in_calc.yml b/detections/endpoint/windows_dll_side_loading_in_calc.yml
index b83b1dedbb..583cdfbc2d 100644
--- a/detections/endpoint/windows_dll_side_loading_in_calc.yml
+++ b/detections/endpoint/windows_dll_side_loading_in_calc.yml
@@ -1,7 +1,7 @@
 name: Windows DLL Side-Loading In Calc
 id: af01f6db-26ac-440e-8d89-2793e303f137
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml
index 3aa4e7641c..1c3506df76 100644
--- a/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml
+++ b/detections/endpoint/windows_dll_side_loading_process_child_of_calc.yml
@@ -1,7 +1,7 @@
 name: Windows DLL Side-Loading Process Child Of Calc
 id: 295ca9ed-e97b-4520-90f7-dfb6469902e1
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_dns_gather_network_info.yml b/detections/endpoint/windows_dns_gather_network_info.yml
index 2d84d9893f..e21706365b 100644
--- a/detections/endpoint/windows_dns_gather_network_info.yml
+++ b/detections/endpoint/windows_dns_gather_network_info.yml
@@ -1,7 +1,7 @@
 name: Windows DNS Gather Network Info
 id: 347e0892-e8f3-4512-afda-dc0e3fa996f3
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 type: Anomaly
 status: production
diff --git a/detections/endpoint/windows_dnsadmins_new_member_added.yml b/detections/endpoint/windows_dnsadmins_new_member_added.yml
index dc4d89d1bf..2b44f3d5f2 100644
--- a/detections/endpoint/windows_dnsadmins_new_member_added.yml
+++ b/detections/endpoint/windows_dnsadmins_new_member_added.yml
@@ -1,7 +1,7 @@
 name: Windows DnsAdmins New Member Added
 id: 27e600aa-77f8-4614-bc80-2662a67e2f48
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml b/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml
index 8c8ba50133..6a2e924ba3 100644
--- a/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml
+++ b/detections/endpoint/windows_domain_account_discovery_via_get_netcomputer.yml
@@ -1,7 +1,7 @@
 name: Windows Domain Account Discovery Via Get-NetComputer
 id: a7fbbc4e-4571-424a-b627-6968e1c939e4
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml
index a3b2fe6887..669b6d6805 100644
--- a/detections/endpoint/windows_domain_admin_impersonation_indicator.yml
+++ b/detections/endpoint/windows_domain_admin_impersonation_indicator.yml
@@ -1,7 +1,7 @@
 name: Windows Domain Admin Impersonation Indicator
 id: 10381f93-6d38-470a-9c30-d25478e3bd3f
-version: 7
-date: '2025-01-20'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml
index 8e27a1f30a..2d07fcc425 100644
--- a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml
+++ b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml
@@ -1,7 +1,7 @@
 name: Windows DotNet Binary in Non Standard Path
 id: fddf3b56-7933-11ec-98a6-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_driver_inventory.yml b/detections/endpoint/windows_driver_inventory.yml
index 6b0dac97a8..da30f8f574 100644
--- a/detections/endpoint/windows_driver_inventory.yml
+++ b/detections/endpoint/windows_driver_inventory.yml
@@ -1,7 +1,7 @@
 name: Windows Driver Inventory
 id: f87aa96b-369b-4a3e-9021-1bbacbfcb8fb
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: experimental
 type: Hunting
diff --git a/detections/endpoint/windows_driver_load_non_standard_path.yml b/detections/endpoint/windows_driver_load_non_standard_path.yml
index e36e98bcbd..25253223b3 100644
--- a/detections/endpoint/windows_driver_load_non_standard_path.yml
+++ b/detections/endpoint/windows_driver_load_non_standard_path.yml
@@ -1,7 +1,7 @@
 name: Windows Driver Load Non-Standard Path
 id: 9216ef3d-066a-4958-8f27-c84589465e62
-version: 6
-date: '2025-01-27'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_drivers_loaded_by_signature.yml b/detections/endpoint/windows_drivers_loaded_by_signature.yml
index 9ab85a2248..4385b31f51 100644
--- a/detections/endpoint/windows_drivers_loaded_by_signature.yml
+++ b/detections/endpoint/windows_drivers_loaded_by_signature.yml
@@ -1,7 +1,7 @@
 name: Windows Drivers Loaded by Signature
 id: d2d4af6a-6c2b-4d79-80c5-fc2cf12a2f68
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_enable_powershell_web_access.yml b/detections/endpoint/windows_enable_powershell_web_access.yml
index 82ddf9694a..e1cd0f1dbf 100644
--- a/detections/endpoint/windows_enable_powershell_web_access.yml
+++ b/detections/endpoint/windows_enable_powershell_web_access.yml
@@ -1,7 +1,7 @@
 name: Windows Enable PowerShell Web Access
 id: 175bb2de-6227-416b-9678-9b61999cd21f
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source:
 - Powershell Script Block Logging 4104
diff --git a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml
index 8ffe23702d..7cf544c5b6 100644
--- a/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml
+++ b/detections/endpoint/windows_enable_win32_scheduledjob_via_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Enable Win32 ScheduledJob via Registry
 id: 12c80db8-ef62-4456-92df-b23e1b3219f6
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 type: Anomaly
 status: production
diff --git a/detections/endpoint/windows_esx_admins_group_creation_security_event.yml b/detections/endpoint/windows_esx_admins_group_creation_security_event.yml
index 52d9809eb2..92c88c46fc 100644
--- a/detections/endpoint/windows_esx_admins_group_creation_security_event.yml
+++ b/detections/endpoint/windows_esx_admins_group_creation_security_event.yml
@@ -1,7 +1,7 @@
 name: Windows ESX Admins Group Creation Security Event
 id: 53b4c927-5ec4-47cd-8aed-d4b303304f87
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source:
 - Windows Event Log Security 4727
diff --git a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml
index e797978c9b..e68cbfeac7 100644
--- a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml
+++ b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml
@@ -1,7 +1,7 @@
 name: Windows ESX Admins Group Creation via Net
 id: 3d7df60b-3332-4667-8090-afe03e08dce0
-version: 6
-date: '2025-01-13'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml b/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml
index 474a50be70..c7a1887c8a 100644
--- a/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml
+++ b/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml
@@ -1,7 +1,7 @@
 name: Windows ESX Admins Group Creation via PowerShell
 id: f48a5557-be06-4b96-b8e8-be563e387620
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source:
 - Powershell Script Block Logging 4104
diff --git a/detections/endpoint/windows_event_for_service_disabled.yml b/detections/endpoint/windows_event_for_service_disabled.yml
index aef5a45b51..d80702582e 100644
--- a/detections/endpoint/windows_event_for_service_disabled.yml
+++ b/detections/endpoint/windows_event_for_service_disabled.yml
@@ -1,7 +1,7 @@
 name: Windows Event For Service Disabled
 id: 9c2620a8-94a1-11ec-b40c-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_event_log_cleared.yml b/detections/endpoint/windows_event_log_cleared.yml
index 0ace7122de..c212ae2fef 100644
--- a/detections/endpoint/windows_event_log_cleared.yml
+++ b/detections/endpoint/windows_event_log_cleared.yml
@@ -1,7 +1,7 @@
 name: Windows Event Log Cleared
 id: ad517544-aff9-4c96-bd99-d6eb43bfbb6a
-version: 14
-date: '2025-02-10'
+version: 15
+date: '2025-05-02'
 author: Rico Valdez, Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_event_logging_service_has_shutdown.yml b/detections/endpoint/windows_event_logging_service_has_shutdown.yml
index 00a0280e77..457b292d8b 100644
--- a/detections/endpoint/windows_event_logging_service_has_shutdown.yml
+++ b/detections/endpoint/windows_event_logging_service_has_shutdown.yml
@@ -1,7 +1,7 @@
 name: Windows Event Logging Service Has Shutdown
 id: d696f622-6b08-4336-b456-696cb5b43ba0
-version: 2
-date: '2025-01-28'
+version: 3
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml b/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml
index 3b9abe6184..b06f27ddb0 100644
--- a/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml
+++ b/detections/endpoint/windows_event_triggered_image_file_execution_options_injection.yml
@@ -1,7 +1,7 @@
 name: Windows Event Triggered Image File Execution Options Injection
 id: f7abfab9-12ea-44e8-8745-475f9ca6e0a4
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_eventlog_cleared_via_wevtutil.yml b/detections/endpoint/windows_eventlog_cleared_via_wevtutil.yml
index 24f93f1204..432849087d 100644
--- a/detections/endpoint/windows_eventlog_cleared_via_wevtutil.yml
+++ b/detections/endpoint/windows_eventlog_cleared_via_wevtutil.yml
@@ -1,7 +1,7 @@
 name: Windows Eventlog Cleared Via Wevtutil
 id: fdb829a8-db84-4832-b64b-3e964cd44f01
-version: 1
-date: '2025-04-15'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml b/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml
index aacdc16149..8cd9f501b8 100644
--- a/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml
+++ b/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml
@@ -1,7 +1,7 @@
 name: Windows EventLog Recon Activity Using Log Query Utilities
 id: dc167f8b-3f9d-4460-9c98-8b6e703fd628
-version: 1
-date: '2025-04-23'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_excessive_disabled_services_event.yml b/detections/endpoint/windows_excessive_disabled_services_event.yml
index 047bd056e9..6c57f0db8d 100644
--- a/detections/endpoint/windows_excessive_disabled_services_event.yml
+++ b/detections/endpoint/windows_excessive_disabled_services_event.yml
@@ -1,7 +1,7 @@
 name: Windows Excessive Disabled Services Event
 id: c3f85976-94a5-11ec-9a58-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_excessive_service_stop_attempt.yml b/detections/endpoint/windows_excessive_service_stop_attempt.yml
index 22d6c84284..8772308450 100644
--- a/detections/endpoint/windows_excessive_service_stop_attempt.yml
+++ b/detections/endpoint/windows_excessive_service_stop_attempt.yml
@@ -1,7 +1,7 @@
 name: Windows Excessive Service Stop Attempt
 id: 8f3a614f-6b98-4f7d-82dd-d0df38452a8b
-version: 2
-date: '2025-01-13'
+version: 3
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_excessive_usage_of_net_app.yml b/detections/endpoint/windows_excessive_usage_of_net_app.yml
index 871b5d61c4..fb9f7f2abe 100644
--- a/detections/endpoint/windows_excessive_usage_of_net_app.yml
+++ b/detections/endpoint/windows_excessive_usage_of_net_app.yml
@@ -1,7 +1,7 @@
 name: Windows Excessive Usage Of Net App
 id: 355ba810-0a20-4215-8485-9ce3f87f2e38
-version: 3
-date: '2025-01-13'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_executable_in_loaded_modules.yml b/detections/endpoint/windows_executable_in_loaded_modules.yml
index 16f9d84a8c..b8ee578bfc 100644
--- a/detections/endpoint/windows_executable_in_loaded_modules.yml
+++ b/detections/endpoint/windows_executable_in_loaded_modules.yml
@@ -1,7 +1,7 @@
 name: Windows Executable in Loaded Modules
 id: 3e27af56-fcf0-4113-988d-24969b062be7
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml
index 085df9316e..9492e75c6b 100644
--- a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml
+++ b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml
@@ -1,7 +1,7 @@
 name: Windows Execute Arbitrary Commands with MSDT
 id: e1d5145f-38fe-42b9-a5d5-457796715f97
-version: 10
-date: '2024-12-10'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml b/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml
index d2986002d8..f0f5931686 100644
--- a/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml
+++ b/detections/endpoint/windows_exfiltration_over_c2_via_invoke_restmethod.yml
@@ -1,7 +1,7 @@
 name: Windows Exfiltration Over C2 Via Invoke RestMethod
 id: 06ade821-f6fa-40d0-80af-15bc1d45b3ba
-version: 6
-date: '2025-04-22'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml b/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml
index 20cb8a0f11..3133cae28c 100644
--- a/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml
+++ b/detections/endpoint/windows_exfiltration_over_c2_via_powershell_uploadstring.yml
@@ -1,7 +1,7 @@
 name: Windows Exfiltration Over C2 Via Powershell UploadString
 id: 59e8bf41-7472-412a-90d3-00f3afa452e9
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_explorer_exe_spawning_powershell_or_cmd.yml b/detections/endpoint/windows_explorer_exe_spawning_powershell_or_cmd.yml
index b33296fb98..813290f5b0 100644
--- a/detections/endpoint/windows_explorer_exe_spawning_powershell_or_cmd.yml
+++ b/detections/endpoint/windows_explorer_exe_spawning_powershell_or_cmd.yml
@@ -1,7 +1,7 @@
 name: Windows Explorer.exe Spawning PowerShell or Cmd
 id: 593854c5-2182-49dd-9f31-18ef697445b9
-version: 1
-date: '2025-03-24'
+version: 2
+date: '2025-05-02'
 author: Michael Haag, AJ King, Splunk, Jesse Hunter, Splunk Community Contributor
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_explorer_lnk_exploit_process_launch_with_padding.yml b/detections/endpoint/windows_explorer_lnk_exploit_process_launch_with_padding.yml
index a989e415a8..2d1333e1d2 100644
--- a/detections/endpoint/windows_explorer_lnk_exploit_process_launch_with_padding.yml
+++ b/detections/endpoint/windows_explorer_lnk_exploit_process_launch_with_padding.yml
@@ -1,7 +1,7 @@
 name: Windows Explorer LNK Exploit Process Launch With Padding
 id: 8775fcf3-05e4-4525-bba2-a56e39d8d050
-version: 1
-date: '2025-03-24'
+version: 2
+date: '2025-05-02'
 author: Michael Haag, AJ King, Splunk, Jesse Hunter, Splunk Community Contributor
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_export_certificate.yml b/detections/endpoint/windows_export_certificate.yml
index 745605dc64..06a30c125b 100644
--- a/detections/endpoint/windows_export_certificate.yml
+++ b/detections/endpoint/windows_export_certificate.yml
@@ -1,7 +1,7 @@
 name: Windows Export Certificate
 id: d8ddfa9b-b724-4df9-9dbe-f34cc0936714
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml b/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml
index f2c8751fd9..bec65dffb8 100644
--- a/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml
+++ b/detections/endpoint/windows_file_and_directory_enable_readonly_permissions.yml
@@ -1,7 +1,7 @@
 name: Windows File and Directory Enable ReadOnly Permissions
 id: 1ae407b0-a042-4eb0-834a-590da055575e
-version: 2
-date: '2024-12-13'
+version: 3
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 1
diff --git a/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml b/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml
index e448025f50..1267605089 100644
--- a/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml
+++ b/detections/endpoint/windows_file_and_directory_permissions_enable_inheritance.yml
@@ -1,7 +1,7 @@
 name: Windows File and Directory Permissions Enable Inheritance
 id: 0247f90a-aca4-47b2-a94d-e30f445d7b41
-version: 2
-date: '2024-12-13'
+version: 3
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 1
diff --git a/detections/endpoint/windows_file_and_directory_permissions_remove_inheritance.yml b/detections/endpoint/windows_file_and_directory_permissions_remove_inheritance.yml
index e3e4e76958..0cebb9baec 100644
--- a/detections/endpoint/windows_file_and_directory_permissions_remove_inheritance.yml
+++ b/detections/endpoint/windows_file_and_directory_permissions_remove_inheritance.yml
@@ -1,7 +1,7 @@
 name: Windows File and Directory Permissions Remove Inheritance
 id: 9b62da2c-e442-474f-83ca-fac4dabab1b3
-version: 2
-date: '2024-12-13'
+version: 3
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 1
diff --git a/detections/endpoint/windows_file_download_via_certutil.yml b/detections/endpoint/windows_file_download_via_certutil.yml
index bf5000df1e..ae8b5b588f 100644
--- a/detections/endpoint/windows_file_download_via_certutil.yml
+++ b/detections/endpoint/windows_file_download_via_certutil.yml
@@ -1,7 +1,7 @@
 name: Windows File Download Via CertUtil
 id: 7fac8d40-e370-45ea-a4a3-031bbcc18b02
-version: 1
-date: '2025-04-24'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_file_share_discovery_with_powerview.yml b/detections/endpoint/windows_file_share_discovery_with_powerview.yml
index a398d502d6..0f911048c3 100644
--- a/detections/endpoint/windows_file_share_discovery_with_powerview.yml
+++ b/detections/endpoint/windows_file_share_discovery_with_powerview.yml
@@ -1,7 +1,7 @@
 name: Windows File Share Discovery With Powerview
 id: a44c0be1-d7ab-41e4-92fd-aa9af4fe232c
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml
index 368ef79547..3577836cfa 100644
--- a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml
+++ b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml
@@ -1,7 +1,7 @@
 name: Windows File Transfer Protocol In Non-Common Process Path
 id: 0f43758f-1fe9-470a-a9e4-780acc4d5407
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_file_without_extension_in_critical_folder.yml b/detections/endpoint/windows_file_without_extension_in_critical_folder.yml
index 8f52079b68..4f70755ecb 100644
--- a/detections/endpoint/windows_file_without_extension_in_critical_folder.yml
+++ b/detections/endpoint/windows_file_without_extension_in_critical_folder.yml
@@ -1,7 +1,7 @@
 name: Windows File Without Extension In Critical Folder
 id: 0dbcac64-963c-11ec-bf04-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml
index 7d06b70b11..b753f700a4 100644
--- a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml
+++ b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml
@@ -1,7 +1,7 @@
 name: Windows Files and Dirs Access Rights Modification Via Icacls
 id: c76b796c-27e1-4520-91c4-4a58695c749e
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml
index 69f5de75bd..224a70bc40 100644
--- a/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml
+++ b/detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml
@@ -1,7 +1,7 @@
 name: Windows Find Domain Organizational Units with GetDomainOU
 id: 0ada2f82-b7af-40cc-b1d7-1e5985afcb4e
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml
index 58f395abfe..8dd3bea83e 100644
--- a/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml
+++ b/detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml
@@ -1,7 +1,7 @@
 name: Windows Find Interesting ACL with FindInterestingDomainAcl
 id: e4a96dfd-667a-4487-b942-ccef5a1e81e8
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_findstr_gpp_discovery.yml b/detections/endpoint/windows_findstr_gpp_discovery.yml
index e9f8deef4f..4a9316962d 100644
--- a/detections/endpoint/windows_findstr_gpp_discovery.yml
+++ b/detections/endpoint/windows_findstr_gpp_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows Findstr GPP Discovery
 id: 1631ac2d-f2a9-42fa-8a59-d6e210d472f5
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_firewall_rule_added.yml b/detections/endpoint/windows_firewall_rule_added.yml
index c623a80630..557d683043 100644
--- a/detections/endpoint/windows_firewall_rule_added.yml
+++ b/detections/endpoint/windows_firewall_rule_added.yml
@@ -1,7 +1,7 @@
 name: Windows Firewall Rule Added
 id: efc25501-4e75-4075-8cc5-ac80f2847d80
-version: 1
-date: '2025-03-19'
+version: 2
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_firewall_rule_deletion.yml b/detections/endpoint/windows_firewall_rule_deletion.yml
index 5a49f18cd2..d2202a7da2 100644
--- a/detections/endpoint/windows_firewall_rule_deletion.yml
+++ b/detections/endpoint/windows_firewall_rule_deletion.yml
@@ -1,7 +1,7 @@
 name: Windows Firewall Rule Deletion
 id: ca5327e1-0a91-4e23-bbd4-8901806c00e1
-version: 1
-date: '2025-03-19'
+version: 2
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_firewall_rule_modification.yml b/detections/endpoint/windows_firewall_rule_modification.yml
index d626007e3c..bbd296a2ba 100644
--- a/detections/endpoint/windows_firewall_rule_modification.yml
+++ b/detections/endpoint/windows_firewall_rule_modification.yml
@@ -1,7 +1,7 @@
 name: Windows Firewall Rule Modification
 id: fe7efbf7-5f82-44b9-8c33-316189ab2393
-version: 1
-date: '2025-03-19'
+version: 2
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml
index d195ac6452..5d417deb96 100644
--- a/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml
+++ b/detections/endpoint/windows_forest_discovery_with_getforestdomain.yml
@@ -1,7 +1,7 @@
 name: Windows Forest Discovery with GetForestDomain
 id: a14803b2-4bd9-4c08-8b57-c37980edebe8
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_gather_victim_host_information_camera.yml b/detections/endpoint/windows_gather_victim_host_information_camera.yml
index ae137132ae..f990f17cb1 100644
--- a/detections/endpoint/windows_gather_victim_host_information_camera.yml
+++ b/detections/endpoint/windows_gather_victim_host_information_camera.yml
@@ -1,7 +1,7 @@
 name: Windows Gather Victim Host Information Camera
 id: e4df4676-ea41-4397-b160-3ee0140dc332
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_gather_victim_identity_sam_info.yml b/detections/endpoint/windows_gather_victim_identity_sam_info.yml
index cdacf4908b..fa2f26084b 100644
--- a/detections/endpoint/windows_gather_victim_identity_sam_info.yml
+++ b/detections/endpoint/windows_gather_victim_identity_sam_info.yml
@@ -1,7 +1,7 @@
 name: Windows Gather Victim Identity SAM Info
 id: a18e85d7-8b98-4399-820c-d46a1ca3516f
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml b/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml
index 2283d539a6..1288c17714 100644
--- a/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml
+++ b/detections/endpoint/windows_get_adcomputer_unconstrained_delegation_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows Get-AdComputer Unconstrained Delegation Discovery
 id: c8640777-469f-4638-ab44-c34a3233ffac
-version: '7'
-date: '2025-03-14'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml
index 8172983947..c355d373f6 100644
--- a/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml
+++ b/detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml
@@ -1,7 +1,7 @@
 name: Windows Get Local Admin with FindLocalAdminAccess
 id: d2988160-3ce9-4310-b59d-905334920cdd
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_global_object_access_audit_list_cleared_via_auditpol.yml b/detections/endpoint/windows_global_object_access_audit_list_cleared_via_auditpol.yml
index 004fa3e7ee..f21687e8a8 100644
--- a/detections/endpoint/windows_global_object_access_audit_list_cleared_via_auditpol.yml
+++ b/detections/endpoint/windows_global_object_access_audit_list_cleared_via_auditpol.yml
@@ -1,7 +1,7 @@
 name: Windows Global Object Access Audit List Cleared Via Auditpol
 id: 802a0930-0a4a-4451-bf6c-6366c6b6d9e7
-version: 2
-date: '2025-01-27'
+version: 3
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_group_discovery_via_net.yml b/detections/endpoint/windows_group_discovery_via_net.yml
index 44c686f5b6..6e6e42d82c 100644
--- a/detections/endpoint/windows_group_discovery_via_net.yml
+++ b/detections/endpoint/windows_group_discovery_via_net.yml
@@ -1,7 +1,7 @@
 name: Windows Group Discovery Via Net
 id: c5c8e0f3-147a-43da-bf04-4cfaec27dc44
-version: '3'
-date: '2025-03-14'
+version: 4
+date: '2025-05-02'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_group_policy_object_created.yml b/detections/endpoint/windows_group_policy_object_created.yml
index 6709762ab5..5003734536 100644
--- a/detections/endpoint/windows_group_policy_object_created.yml
+++ b/detections/endpoint/windows_group_policy_object_created.yml
@@ -1,7 +1,7 @@
 name: Windows Group Policy Object Created
 id: 23add2a8-ea22-4fd4-8bc0-8c0b822373a1
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_hidden_schedule_task_settings.yml b/detections/endpoint/windows_hidden_schedule_task_settings.yml
index bf9f1edfe6..08f86a37d4 100644
--- a/detections/endpoint/windows_hidden_schedule_task_settings.yml
+++ b/detections/endpoint/windows_hidden_schedule_task_settings.yml
@@ -1,7 +1,7 @@
 name: Windows Hidden Schedule Task Settings
 id: 0b730470-5fe8-4b13-93a7-fe0ad014d0cc
-version: 6
-date: '2025-03-19'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_hide_notification_features_through_registry.yml b/detections/endpoint/windows_hide_notification_features_through_registry.yml
index 1e85d7105a..84a391ce7a 100644
--- a/detections/endpoint/windows_hide_notification_features_through_registry.yml
+++ b/detections/endpoint/windows_hide_notification_features_through_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Hide Notification Features Through Registry
 id: cafa4bce-9f06-11ec-a7b2-acde48001122
-version: 10
-date: '2025-04-22'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_high_file_deletion_frequency.yml b/detections/endpoint/windows_high_file_deletion_frequency.yml
index 2f137bedbd..35c13c1d64 100644
--- a/detections/endpoint/windows_high_file_deletion_frequency.yml
+++ b/detections/endpoint/windows_high_file_deletion_frequency.yml
@@ -1,7 +1,7 @@
 name: Windows High File Deletion Frequency
 id: 45b125c4-866f-11eb-a95a-acde48001122
-version: 7
-date: '2025-03-27'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml
index 164fe89a69..1971a24abe 100644
--- a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml
+++ b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml
@@ -1,7 +1,7 @@
 name: Windows Hijack Execution Flow Version Dll Side Load
 id: 8351340b-ac0e-41ec-8b07-dd01bf32d6ea
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_http_network_communication_from_msiexec.yml b/detections/endpoint/windows_http_network_communication_from_msiexec.yml
index 69c7cdc0f2..41565e5f23 100644
--- a/detections/endpoint/windows_http_network_communication_from_msiexec.yml
+++ b/detections/endpoint/windows_http_network_communication_from_msiexec.yml
@@ -1,7 +1,7 @@
 name: Windows HTTP Network Communication From MSIExec
 id: b0fd38c7-f71a-43a2-870e-f3ca06bcdd99
-version: 4
-date: '2025-04-22'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml b/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml
index f1a6084c62..120d363d62 100644
--- a/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml
+++ b/detections/endpoint/windows_hunting_system_account_targeting_lsass.yml
@@ -1,7 +1,7 @@
 name: Windows Hunting System Account Targeting Lsass
 id: 1c6abb08-73d1-11ec-9ca0-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_identify_powershell_web_access_iis_pool.yml b/detections/endpoint/windows_identify_powershell_web_access_iis_pool.yml
index dd2523b526..3ac784ec3d 100644
--- a/detections/endpoint/windows_identify_powershell_web_access_iis_pool.yml
+++ b/detections/endpoint/windows_identify_powershell_web_access_iis_pool.yml
@@ -1,7 +1,7 @@
 name: Windows Identify PowerShell Web Access IIS Pool
 id: d8419343-f0f8-4d8e-91cc-18bb531df87d
-version: 3
-date: '2024-11-13'
+version: 4
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source:
 - Windows Event Log Security 4648
diff --git a/detections/endpoint/windows_identify_protocol_handlers.yml b/detections/endpoint/windows_identify_protocol_handlers.yml
index 399aa24885..7d170b5682 100644
--- a/detections/endpoint/windows_identify_protocol_handlers.yml
+++ b/detections/endpoint/windows_identify_protocol_handlers.yml
@@ -1,7 +1,7 @@
 name: Windows Identify Protocol Handlers
 id: bd5c311e-a6ea-48ae-a289-19a3398e3648
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_iis_components_add_new_module.yml b/detections/endpoint/windows_iis_components_add_new_module.yml
index a4d78bed01..ec0789649e 100644
--- a/detections/endpoint/windows_iis_components_add_new_module.yml
+++ b/detections/endpoint/windows_iis_components_add_new_module.yml
@@ -1,7 +1,7 @@
 name: Windows IIS Components Add New Module
 id: 38fe731c-1f13-43d4-b878-a5bbe44807e3
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml b/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml
index 67cbd0e5c9..f99e7b0e43 100644
--- a/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml
+++ b/detections/endpoint/windows_iis_components_get_webglobalmodule_module_query.yml
@@ -1,7 +1,7 @@
 name: Windows IIS Components Get-WebGlobalModule Module Query
 id: 20db5f70-34b4-4e83-8926-fa26119de173
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_iis_components_module_failed_to_load.yml b/detections/endpoint/windows_iis_components_module_failed_to_load.yml
index 292c33dcc8..3199eee210 100644
--- a/detections/endpoint/windows_iis_components_module_failed_to_load.yml
+++ b/detections/endpoint/windows_iis_components_module_failed_to_load.yml
@@ -1,7 +1,7 @@
 name: Windows IIS Components Module Failed to Load
 id: 40c2ba5b-dd6a-496b-9e6e-c9524d0be167
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_iis_components_new_module_added.yml b/detections/endpoint/windows_iis_components_new_module_added.yml
index 3042160dcc..6be57c1552 100644
--- a/detections/endpoint/windows_iis_components_new_module_added.yml
+++ b/detections/endpoint/windows_iis_components_new_module_added.yml
@@ -1,7 +1,7 @@
 name: Windows IIS Components New Module Added
 id: 55f22929-cfd3-4388-ba5c-4d01fac7ee7e
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml b/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml
index 8b92995704..29c367e205 100644
--- a/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml
+++ b/detections/endpoint/windows_impair_defense_add_xml_applocker_rules.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Add Xml Applocker Rules
 id: 467ed9d9-8035-470e-ad5e-ae5189283033
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml b/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml
index ad8099b7db..da61e55571 100644
--- a/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml
+++ b/detections/endpoint/windows_impair_defense_change_win_defender_health_check_intervals.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Change Win Defender Health Check Intervals
 id: 5211c260-820e-4366-b983-84bbfb5c263a
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml b/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml
index 4e0979fdcb..5efd2ed8b2 100644
--- a/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml
+++ b/detections/endpoint/windows_impair_defense_change_win_defender_quick_scan_interval.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Change Win Defender Quick Scan Interval
 id: 783f0798-f679-4c17-b3b3-187febf0b9b8
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml b/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml
index 1369ba7093..5d614b2d76 100644
--- a/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml
+++ b/detections/endpoint/windows_impair_defense_change_win_defender_throttle_rate.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Change Win Defender Throttle Rate
 id: f7da5fca-9261-43de-a4d0-130dad1e4f4d
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml b/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml
index d24a8027ff..109e391a65 100644
--- a/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml
+++ b/detections/endpoint/windows_impair_defense_change_win_defender_tracing_level.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Change Win Defender Tracing Level
 id: fe9391cd-952a-4c64-8f56-727cb0d4f2d4
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml
index 3d2424ebc0..d9054d77f1 100644
--- a/detections/endpoint/windows_impair_defense_configure_app_install_control.yml
+++ b/detections/endpoint/windows_impair_defense_configure_app_install_control.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Configure App Install Control
 id: c54b7439-cfb1-44c3-bb35-b0409553077c
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml b/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml
index dbb3348739..34250ab8a3 100644
--- a/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml
+++ b/detections/endpoint/windows_impair_defense_define_win_defender_threat_action.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Define Win Defender Threat Action
 id: 7215831c-8252-4ae3-8d43-db588e82f952
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml b/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml
index 9db3e963e3..982c929f07 100644
--- a/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml
+++ b/detections/endpoint/windows_impair_defense_delete_win_defender_context_menu.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Delete Win Defender Context Menu
 id: 395ed5fe-ad13-4366-9405-a228427bdd91
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml
index 0ecfe0c238..9528894fd1 100644
--- a/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml
+++ b/detections/endpoint/windows_impair_defense_delete_win_defender_profile_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Delete Win Defender Profile Registry
 id: 65d4b105-ec52-48ec-ac46-289d0fbf7d96
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml b/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml
index cfa1c4c586..588c608d55 100644
--- a/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml
+++ b/detections/endpoint/windows_impair_defense_deny_security_software_with_applocker.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Deny Security Software With Applocker
 id: e0b6ca60-9e29-4450-b51a-bba0abae2313
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml
index 4d02c7f510..f013aebd08 100644
--- a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml
+++ b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Disable Controlled Folder Access
 id: 3032741c-d6fc-4c69-8988-be8043d6478c
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml b/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml
index 4660fd97f1..bd51b85ce1 100644
--- a/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml
+++ b/detections/endpoint/windows_impair_defense_disable_defender_firewall_and_network.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Disable Defender Firewall And Network
 id: 8467d8cd-b0f9-46fa-ac84-a30ad138983e
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml b/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml
index 519a9933ce..ffb37c3d36 100644
--- a/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml
+++ b/detections/endpoint/windows_impair_defense_disable_defender_protocol_recognition.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Disable Defender Protocol Recognition
 id: b2215bfb-6171-4137-af17-1a02fdd8d043
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_disable_pua_protection.yml b/detections/endpoint/windows_impair_defense_disable_pua_protection.yml
index 9cca136052..f3d63d8529 100644
--- a/detections/endpoint/windows_impair_defense_disable_pua_protection.yml
+++ b/detections/endpoint/windows_impair_defense_disable_pua_protection.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Disable PUA Protection
 id: fbfef407-cfee-4866-88c1-f8de1c16147c
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml b/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml
index 858752c29e..691e33245e 100644
--- a/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml
+++ b/detections/endpoint/windows_impair_defense_disable_realtime_signature_delivery.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Disable Realtime Signature Delivery
 id: ffd99aea-542f-448e-b737-091c1b417274
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml
index 8d34f2c916..260703fdb6 100644
--- a/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml
+++ b/detections/endpoint/windows_impair_defense_disable_web_evaluation.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Disable Web Evaluation
 id: e234970c-dcf5-4f80-b6a9-3a562544ca5b
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml
index 8f3b0cf42b..801002c88b 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_app_guard.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Disable Win Defender App Guard
 id: 8b700d7e-54ad-4d7d-81cc-1456c4703306
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml
index 8b6a3ed627..a061337e56 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_compute_file_hashes.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Disable Win Defender Compute File Hashes
 id: fe52c280-98bd-4596-b6f6-a13bbf8ac7c6
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml
index f948d8c4cd..b266b50642 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_gen_reports.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Disable Win Defender Gen reports
 id: 93f114f6-cb1e-419b-ac3f-9e11a3045e70
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml
index 8855ecf14e..9b751d6f10 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Disable Win Defender Network Protection
 id: 8b6c15c7-5556-463d-83c7-986326c21f12
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml
index 7ca5ecee6b..77d78bbfa0 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_report_infection.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Disable Win Defender Report Infection
 id: 201946c6-b1d5-42bb-a7e0-5f7123f47fc4
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml
index 1257b43b23..f03d2e14f8 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_scan_on_update.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Disable Win Defender Scan On Update
 id: 0418e72f-e710-4867-b656-0688e1523e09
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml
index caf53d3875..ae6b59fc0e 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_signature_retirement.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Disable Win Defender Signature Retirement
 id: 7567a72f-bada-489d-aef1-59743fb64a66
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml b/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml
index c1d0ad92d7..3ebc2e87cf 100644
--- a/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml
+++ b/detections/endpoint/windows_impair_defense_overide_win_defender_phishing_filter.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Overide Win Defender Phishing Filter
 id: 10ca081c-57b1-4a78-ba56-14a40a7e116a
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml
index b1ab3a8839..64eff872b2 100644
--- a/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml
+++ b/detections/endpoint/windows_impair_defense_override_smartscreen_prompt.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Override SmartScreen Prompt
 id: 08058866-7987-486f-b042-275715ef6e9d
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml b/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml
index de521b8e3d..7caa746aff 100644
--- a/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml
+++ b/detections/endpoint/windows_impair_defense_set_win_defender_smart_screen_level_to_warn.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defense Set Win Defender Smart Screen Level To Warn
 id: cc2a3425-2703-47e7-818f-3dca1b0bc56f
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml b/detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml
index c842b5bdda..dee7ca713a 100644
--- a/detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml
+++ b/detections/endpoint/windows_impair_defenses_disable_auto_logger_session.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defenses Disable Auto Logger Session
 id: dc6a5613-d024-47e7-9997-ab6477a483d3
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml b/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml
index 5d2b6222f1..7bfa9ca924 100644
--- a/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml
+++ b/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defenses Disable AV AutoStart via Registry
 id: 31a13f43-812e-4752-a6ca-c6c87bf03e83
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 13
diff --git a/detections/endpoint/windows_impair_defenses_disable_hvci.yml b/detections/endpoint/windows_impair_defenses_disable_hvci.yml
index 0bf147f3c4..a586c79957 100644
--- a/detections/endpoint/windows_impair_defenses_disable_hvci.yml
+++ b/detections/endpoint/windows_impair_defenses_disable_hvci.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defenses Disable HVCI
 id: b061dfcc-f0aa-42cc-a6d4-a87f172acb79
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml
index f865b69ace..d4ab58702c 100644
--- a/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml
+++ b/detections/endpoint/windows_impair_defenses_disable_win_defender_auto_logging.yml
@@ -1,7 +1,7 @@
 name: Windows Impair Defenses Disable Win Defender Auto Logging
 id: 76406a0f-f5e0-4167-8e1f-337fdc0f1b0c
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_important_audit_policy_disabled.yml b/detections/endpoint/windows_important_audit_policy_disabled.yml
index 130b866aae..3e879fedb2 100644
--- a/detections/endpoint/windows_important_audit_policy_disabled.yml
+++ b/detections/endpoint/windows_important_audit_policy_disabled.yml
@@ -1,7 +1,7 @@
 name: Windows Important Audit Policy Disabled
 id: 1bf500e5-1226-41d9-af5d-ed1f577929f2
-version: 1
-date: '2025-01-27'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_increase_in_group_or_object_modification_activity.yml b/detections/endpoint/windows_increase_in_group_or_object_modification_activity.yml
index 51f33607d6..18db4bdb23 100644
--- a/detections/endpoint/windows_increase_in_group_or_object_modification_activity.yml
+++ b/detections/endpoint/windows_increase_in_group_or_object_modification_activity.yml
@@ -1,7 +1,7 @@
 name: Windows Increase in Group or Object Modification Activity
 id: 4f9564dd-a204-4f22-b375-4dfca3a68731
-version: 3
-date: '2025-01-21'
+version: 4
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_increase_in_user_modification_activity.yml b/detections/endpoint/windows_increase_in_user_modification_activity.yml
index f3fcfca207..3545b00660 100644
--- a/detections/endpoint/windows_increase_in_user_modification_activity.yml
+++ b/detections/endpoint/windows_increase_in_user_modification_activity.yml
@@ -1,7 +1,7 @@
 name: Windows Increase in User Modification Activity
 id: 0995fca1-f346-432f-b0bf-a66d14e6b428
-version: 3
-date: '2025-01-21'
+version: 4
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_indicator_removal_via_rmdir.yml b/detections/endpoint/windows_indicator_removal_via_rmdir.yml
index 1655103c0c..910d6fc600 100644
--- a/detections/endpoint/windows_indicator_removal_via_rmdir.yml
+++ b/detections/endpoint/windows_indicator_removal_via_rmdir.yml
@@ -1,7 +1,7 @@
 name: Windows Indicator Removal Via Rmdir
 id: c4566d2c-b094-48a1-9c59-d66e22065560
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml b/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml
index 26070a5722..30deb7e956 100644
--- a/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml
+++ b/detections/endpoint/windows_indirect_command_execution_via_forfiles.yml
@@ -1,7 +1,7 @@
 name: Windows Indirect Command Execution Via forfiles
 id: 1fdf31c9-ff4d-4c48-b799-0e8666e08787
-version: 6
-date: '2025-02-19'
+version: 7
+date: '2025-05-02'
 author: Eric McGinnis, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml b/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml
index 44aa7aae12..f352001fc5 100644
--- a/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml
+++ b/detections/endpoint/windows_indirect_command_execution_via_pcalua.yml
@@ -1,7 +1,7 @@
 name: Windows Indirect Command Execution Via pcalua
 id: 3428ac18-a410-4823-816c-ce697d26f7a8
-version: 6
-date: '2025-02-19'
+version: 7
+date: '2025-05-02'
 author: Eric McGinnis, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml
index 00b8293730..58aaed89e8 100644
--- a/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml
+++ b/detections/endpoint/windows_indirect_command_execution_via_series_of_forfiles.yml
@@ -1,7 +1,7 @@
 name: Windows Indirect Command Execution Via Series Of Forfiles
 id: bfdaabe7-3db8-48c5-80c1-220f9b8f22be
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_information_discovery_fsutil.yml b/detections/endpoint/windows_information_discovery_fsutil.yml
index 73d5f98364..94109195be 100644
--- a/detections/endpoint/windows_information_discovery_fsutil.yml
+++ b/detections/endpoint/windows_information_discovery_fsutil.yml
@@ -1,7 +1,7 @@
 name: Windows Information Discovery Fsutil
 id: 2181f261-93e6-4166-a5a9-47deac58feff
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml
index 88bd01a65f..7bf3fc26cb 100644
--- a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml
+++ b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml
@@ -1,7 +1,7 @@
 name: Windows Ingress Tool Transfer Using Explorer
 id: 76753bab-f116-4ea3-8fb9-89b638be58a9
-version: 8
-date: '2024-11-13'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_inprocserver32_new_outlook_form.yml b/detections/endpoint/windows_inprocserver32_new_outlook_form.yml
index b6451a7c63..39e9192256 100644
--- a/detections/endpoint/windows_inprocserver32_new_outlook_form.yml
+++ b/detections/endpoint/windows_inprocserver32_new_outlook_form.yml
@@ -1,7 +1,7 @@
 name: Windows InProcServer32 New Outlook Form
 id: fedb49c4-4bd7-4d42-8fd9-f8c8538c73c4
-version: 6
-date: '2025-04-22'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source:
 - Sysmon EventID 13
diff --git a/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml b/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml
index 9fcd27a8d8..f675b2a5e9 100644
--- a/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml
+++ b/detections/endpoint/windows_input_capture_using_credential_ui_dll.yml
@@ -1,7 +1,7 @@
 name: Windows Input Capture Using Credential UI Dll
 id: 406c21d6-6c75-4e9f-9ca9-48049a1dd90e
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_installutil_credential_theft.yml b/detections/endpoint/windows_installutil_credential_theft.yml
index c2bf24f82c..74a46a1f99 100644
--- a/detections/endpoint/windows_installutil_credential_theft.yml
+++ b/detections/endpoint/windows_installutil_credential_theft.yml
@@ -1,7 +1,7 @@
 name: Windows InstallUtil Credential Theft
 id: ccfeddec-43ec-11ec-b494-acde48001122
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Mauricio Velazo, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_installutil_in_non_standard_path.yml b/detections/endpoint/windows_installutil_in_non_standard_path.yml
index 3b4000d2dd..0d00fd00a3 100644
--- a/detections/endpoint/windows_installutil_in_non_standard_path.yml
+++ b/detections/endpoint/windows_installutil_in_non_standard_path.yml
@@ -1,7 +1,7 @@
 name: Windows InstallUtil in Non Standard Path
 id: dcf74b22-7933-11ec-857c-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_installutil_remote_network_connection.yml b/detections/endpoint/windows_installutil_remote_network_connection.yml
index a7c8b70286..7cd6f2a39c 100644
--- a/detections/endpoint/windows_installutil_remote_network_connection.yml
+++ b/detections/endpoint/windows_installutil_remote_network_connection.yml
@@ -1,7 +1,7 @@
 name: Windows InstallUtil Remote Network Connection
 id: 4fbf9270-43da-11ec-9486-acde48001122
-version: 13
-date: '2025-04-22'
+version: 14
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_installutil_uninstall_option.yml b/detections/endpoint/windows_installutil_uninstall_option.yml
index 7a7a39ad87..ba2ef9c12b 100644
--- a/detections/endpoint/windows_installutil_uninstall_option.yml
+++ b/detections/endpoint/windows_installutil_uninstall_option.yml
@@ -1,7 +1,7 @@
 name: Windows InstallUtil Uninstall Option
 id: cfa7b9ac-43f0-11ec-9b48-acde48001122
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml
index f082b063f8..f65912f4fa 100644
--- a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml
+++ b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml
@@ -1,7 +1,7 @@
 name: Windows InstallUtil Uninstall Option with Network
 id: 1a52c836-43ef-11ec-a36c-acde48001122
-version: 11
-date: '2025-04-22'
+version: 12
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_installutil_url_in_command_line.yml b/detections/endpoint/windows_installutil_url_in_command_line.yml
index bd7b2a8423..9681700f1c 100644
--- a/detections/endpoint/windows_installutil_url_in_command_line.yml
+++ b/detections/endpoint/windows_installutil_url_in_command_line.yml
@@ -1,7 +1,7 @@
 name: Windows InstallUtil URL in Command Line
 id: 28e06670-43df-11ec-a569-acde48001122
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_iso_lnk_file_creation.yml b/detections/endpoint/windows_iso_lnk_file_creation.yml
index ddbe3ca536..34d9d3df87 100644
--- a/detections/endpoint/windows_iso_lnk_file_creation.yml
+++ b/detections/endpoint/windows_iso_lnk_file_creation.yml
@@ -1,7 +1,7 @@
 name: Windows ISO LNK File Creation
 id: d7c2c09b-9569-4a9e-a8b6-6a39a99c1d32
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_java_spawning_shells.yml b/detections/endpoint/windows_java_spawning_shells.yml
index 48c0960c80..d71eed573f 100644
--- a/detections/endpoint/windows_java_spawning_shells.yml
+++ b/detections/endpoint/windows_java_spawning_shells.yml
@@ -1,7 +1,7 @@
 name: Windows Java Spawning Shells
 id: 28c81306-5c47-11ec-bfea-acde48001122
 version: 10
-date: '2025-04-28'
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/windows_kerberos_local_successful_logon.yml b/detections/endpoint/windows_kerberos_local_successful_logon.yml
index 09ecaa1bd0..da3ce60a62 100644
--- a/detections/endpoint/windows_kerberos_local_successful_logon.yml
+++ b/detections/endpoint/windows_kerberos_local_successful_logon.yml
@@ -1,7 +1,7 @@
 name: Windows Kerberos Local Successful Logon
 id: 8309c3a8-4d34-48ae-ad66-631658214653
-version: 7
-date: '2024-12-10'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_known_abused_dll_created.yml b/detections/endpoint/windows_known_abused_dll_created.yml
index 533baddb51..c0fd1aac52 100644
--- a/detections/endpoint/windows_known_abused_dll_created.yml
+++ b/detections/endpoint/windows_known_abused_dll_created.yml
@@ -1,7 +1,7 @@
 name: Windows Known Abused DLL Created
 id: ea91651a-772a-4b02-ac3d-985b364a5f07
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml
index 5ad6b9cce9..eb35525617 100644
--- a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml
+++ b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml
@@ -1,7 +1,7 @@
 name: Windows Known Abused DLL Loaded Suspiciously
 id: dd6d1f16-adc0-4e87-9c34-06189516b803
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml b/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml
index c7892b6e3a..8b823b701a 100644
--- a/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml
+++ b/detections/endpoint/windows_known_graphicalproton_loaded_modules.yml
@@ -1,7 +1,7 @@
 name: Windows Known GraphicalProton Loaded Modules
 id: bf471c94-0324-4b19-a113-d02749b969bc
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_krbrelayup_service_creation.yml b/detections/endpoint/windows_krbrelayup_service_creation.yml
index c3c847f745..be25ef418d 100644
--- a/detections/endpoint/windows_krbrelayup_service_creation.yml
+++ b/detections/endpoint/windows_krbrelayup_service_creation.yml
@@ -1,7 +1,7 @@
 name: Windows KrbRelayUp Service Creation
 id: e40ef542-8241-4419-9af4-6324582ea60a
-version: 6
-date: '2024-12-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml b/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml
index dd6da85598..b8b311928b 100644
--- a/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml
+++ b/detections/endpoint/windows_large_number_of_computer_service_tickets_requested.yml
@@ -1,7 +1,7 @@
 name: Windows Large Number of Computer Service Tickets Requested
 id: 386ad394-c9a7-4b4f-b66f-586252de20f0
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 type: Anomaly
 status: production
diff --git a/detections/endpoint/windows_ldifde_directory_object_behavior.yml b/detections/endpoint/windows_ldifde_directory_object_behavior.yml
index c1e92fc05d..791529f2b4 100644
--- a/detections/endpoint/windows_ldifde_directory_object_behavior.yml
+++ b/detections/endpoint/windows_ldifde_directory_object_behavior.yml
@@ -1,7 +1,7 @@
 name: Windows Ldifde Directory Object Behavior
 id: 35cd29ca-f08c-4489-8815-f715c45460d3
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml b/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml
index cc4769d2d7..af3a265d83 100644
--- a/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml
+++ b/detections/endpoint/windows_linked_policies_in_adsi_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows Linked Policies In ADSI Discovery
 id: 510ea428-4731-4d2f-8829-a28293e427aa
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml b/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml
index 4da44dd0e7..338d8e790e 100644
--- a/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml
+++ b/detections/endpoint/windows_list_env_variables_via_set_command_from_uncommon_parent.yml
@@ -1,7 +1,7 @@
 name: Windows List ENV Variables Via SET Command From Uncommon Parent
 id: aec157f4-8783-4584-aca6-754c4dc7fba9
-version: 2
-date: '2025-01-17'
+version: 3
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_local_administrator_credential_stuffing.yml b/detections/endpoint/windows_local_administrator_credential_stuffing.yml
index 2e10d857de..e069ba8f47 100644
--- a/detections/endpoint/windows_local_administrator_credential_stuffing.yml
+++ b/detections/endpoint/windows_local_administrator_credential_stuffing.yml
@@ -1,7 +1,7 @@
 name: Windows Local Administrator Credential Stuffing
 id: 09555511-aca6-484a-b6ab-72cd03d73c34
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml b/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml
index d5eeab741d..527b30c5d3 100644
--- a/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml
+++ b/detections/endpoint/windows_lolbas_executed_as_renamed_file.yml
@@ -1,7 +1,7 @@
 name: Windows LOLBAS Executed As Renamed File
 id: fd496996-7d9e-4894-8d40-bb85b6192dc6
-version: 6
-date: '2025-04-22'
+version: 7
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml b/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml
index 82bcea77d7..fd0ea62330 100644
--- a/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml
+++ b/detections/endpoint/windows_lolbas_executed_outside_expected_path.yml
@@ -1,7 +1,7 @@
 name: Windows LOLBAS Executed Outside Expected Path
 id: 326fdf44-b90c-4d2e-adca-1fd140b10536
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml
index cda7bd4fed..ff88981ce8 100644
--- a/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml
+++ b/detections/endpoint/windows_lsa_secrets_nolmhash_registry.yml
@@ -1,7 +1,7 @@
 name: Windows LSA Secrets NoLMhash Registry
 id: 48cc1605-538c-4223-8382-e36bee5b540d
-version: 7
-date: '2025-01-21'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml b/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml
index 637bc023a1..f5bbae64d9 100644
--- a/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml
+++ b/detections/endpoint/windows_mail_protocol_in_non_common_process_path.yml
@@ -1,7 +1,7 @@
 name: Windows Mail Protocol In Non-Common Process Path
 id: ac3311f5-661d-4e99-bd1f-3ec665b05441
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_mark_of_the_web_bypass.yml b/detections/endpoint/windows_mark_of_the_web_bypass.yml
index 7a9535be91..f1c47c04c3 100644
--- a/detections/endpoint/windows_mark_of_the_web_bypass.yml
+++ b/detections/endpoint/windows_mark_of_the_web_bypass.yml
@@ -1,7 +1,7 @@
 name: Windows Mark Of The Web Bypass
 id: 8ca13343-7405-4916-a2d1-ae34ce0c28ae
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_masquerading_explorer_as_child_process.yml b/detections/endpoint/windows_masquerading_explorer_as_child_process.yml
index d16db3ee55..a9fc8a575e 100644
--- a/detections/endpoint/windows_masquerading_explorer_as_child_process.yml
+++ b/detections/endpoint/windows_masquerading_explorer_as_child_process.yml
@@ -1,7 +1,7 @@
 name: Windows Masquerading Explorer As Child Process
 id: 61490da9-52a1-4855-a0c5-28233c88c481
-version: 8
-date: '2025-04-22'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_masquerading_msdtc_process.yml b/detections/endpoint/windows_masquerading_msdtc_process.yml
index c18801336a..0dcd37f570 100644
--- a/detections/endpoint/windows_masquerading_msdtc_process.yml
+++ b/detections/endpoint/windows_masquerading_msdtc_process.yml
@@ -1,7 +1,7 @@
 name: Windows Masquerading Msdtc Process
 id: 238f3a07-8440-480b-b26f-462f41d9a47c
-version: 6
-date: '2024-12-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_mimikatz_binary_execution.yml b/detections/endpoint/windows_mimikatz_binary_execution.yml
index f8f7143d0a..8aa729eae7 100644
--- a/detections/endpoint/windows_mimikatz_binary_execution.yml
+++ b/detections/endpoint/windows_mimikatz_binary_execution.yml
@@ -1,7 +1,7 @@
 name: Windows Mimikatz Binary Execution
 id: a9e0d6d3-9676-4e26-994d-4e0406bb4467
-version: 8
-date: '2024-12-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml b/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml
index dd12dd1613..abc0e34e6b 100644
--- a/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml
+++ b/detections/endpoint/windows_mimikatz_crypto_export_file_extensions.yml
@@ -1,7 +1,7 @@
 name: Windows Mimikatz Crypto Export File Extensions
 id: 3a9a6806-16a8-4cda-8d73-b49d10a05b16
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml
index 335f0b72ca..cde24f4744 100644
--- a/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml
+++ b/detections/endpoint/windows_modify_registry_authenticationleveloverride.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry AuthenticationLevelOverride
 id: 6410a403-36bb-490f-a06a-11c3be7d2a41
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_modify_registry_auto_minor_updates.yml b/detections/endpoint/windows_modify_registry_auto_minor_updates.yml
index b976fee7eb..1f4d732b2a 100644
--- a/detections/endpoint/windows_modify_registry_auto_minor_updates.yml
+++ b/detections/endpoint/windows_modify_registry_auto_minor_updates.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry Auto Minor Updates
 id: be498b9f-d804-4bbf-9fc0-d5448466b313
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_modify_registry_auto_update_notif.yml b/detections/endpoint/windows_modify_registry_auto_update_notif.yml
index 11d674f71e..2a9823c95d 100644
--- a/detections/endpoint/windows_modify_registry_auto_update_notif.yml
+++ b/detections/endpoint/windows_modify_registry_auto_update_notif.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry Auto Update Notif
 id: 4d1409df-40c7-4b11-aec4-bd0e709dfc12
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_modify_registry_configure_bitlocker.yml b/detections/endpoint/windows_modify_registry_configure_bitlocker.yml
index 64bc8ef092..eba2ff2b1f 100644
--- a/detections/endpoint/windows_modify_registry_configure_bitlocker.yml
+++ b/detections/endpoint/windows_modify_registry_configure_bitlocker.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry Configure BitLocker
 id: bd1c770f-1b55-411e-b49e-20d07bcac5f8
-version: 5
-date: '2025-04-22'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 13
diff --git a/detections/endpoint/windows_modify_registry_default_icon_setting.yml b/detections/endpoint/windows_modify_registry_default_icon_setting.yml
index 809b834bcc..31485dfaf9 100644
--- a/detections/endpoint/windows_modify_registry_default_icon_setting.yml
+++ b/detections/endpoint/windows_modify_registry_default_icon_setting.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry Default Icon Setting
 id: a7a7afdb-3c58-45b6-9bff-63e5acfd9d40
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml
index 8afd7910c4..78cae05867 100644
--- a/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml
+++ b/detections/endpoint/windows_modify_registry_delete_firewall_rules.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry Delete Firewall Rules
 id: 41c61539-98ca-4750-b3ec-7c29a2f06343
-version: 6
-date: '2025-04-22'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 12
diff --git a/detections/endpoint/windows_modify_registry_disable_rdp.yml b/detections/endpoint/windows_modify_registry_disable_rdp.yml
index f30c8c71aa..8a6a728241 100644
--- a/detections/endpoint/windows_modify_registry_disable_rdp.yml
+++ b/detections/endpoint/windows_modify_registry_disable_rdp.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry Disable RDP
 id: 11ed764f-eb9c-4be7-bdad-2209b9d33ee1
-version: 5
-date: '2025-04-22'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 13
diff --git a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml
index 3c4baa5688..8b125a304b 100644
--- a/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml
+++ b/detections/endpoint/windows_modify_registry_disable_restricted_admin.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry Disable Restricted Admin
 id: cee573a0-7587-48e6-ae99-10e8c657e89a
-version: 8
-date: '2025-04-22'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml
index 03d6ef59ab..9a6ebb5b8c 100644
--- a/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml
+++ b/detections/endpoint/windows_modify_registry_disable_toast_notifications.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry Disable Toast Notifications
 id: ed4eeacb-8d5a-488e-bc97-1ce6ded63b84
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml
index 90c2eaf905..cccc97d72b 100644
--- a/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml
+++ b/detections/endpoint/windows_modify_registry_disable_win_defender_raw_write_notif.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry Disable Win Defender Raw Write Notif
 id: 0e5e25c3-32f4-46f7-ba4a-5b95c3b90f5b
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
index 2212198db4..c2c90cb545 100644
--- a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
+++ b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry Disable WinDefender Notifications
 id: 8e207707-ad40-4eb3-b865-3a52aec91f26
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml
index 4fd9628eb8..4f4e41ba9f 100644
--- a/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml
+++ b/detections/endpoint/windows_modify_registry_disable_windows_security_center_notif.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry Disable Windows Security Center Notif
 id: 27ed3e79-6d86-44dd-b9ab-524451c97a7b
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml b/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml
index 50a8ba399e..c476fe6693 100644
--- a/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml
+++ b/detections/endpoint/windows_modify_registry_disableremotedesktopantialias.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry DisableRemoteDesktopAntiAlias
 id: 4927c6f1-4667-42e6-bd7a-f5222116386b
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml b/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml
index eda3c797dd..32e9c8f56f 100644
--- a/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml
+++ b/detections/endpoint/windows_modify_registry_disablesecuritysettings.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry DisableSecuritySettings
 id: 989019b4-b7aa-418a-9a17-2293e91288b6
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml b/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml
index 958d6bf90d..8981dfe601 100644
--- a/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml
+++ b/detections/endpoint/windows_modify_registry_disabling_wer_settings.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry Disabling WER Settings
 id: 21cbcaf1-b51f-496d-a0c1-858ff3070452
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_modify_registry_disallow_windows_app.yml b/detections/endpoint/windows_modify_registry_disallow_windows_app.yml
index b73402eaba..1dde3b81c8 100644
--- a/detections/endpoint/windows_modify_registry_disallow_windows_app.yml
+++ b/detections/endpoint/windows_modify_registry_disallow_windows_app.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry DisAllow Windows App
 id: 4bc788d3-c83a-48c5-a4e2-e0c6dba57889
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml
index efb0eaf1c0..ebcbb2f88a 100644
--- a/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml
+++ b/detections/endpoint/windows_modify_registry_do_not_connect_to_win_update.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry Do Not Connect To Win Update
 id: e09c598e-8dd0-4e73-b740-4b96b689199e
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_modify_registry_dontshowui.yml b/detections/endpoint/windows_modify_registry_dontshowui.yml
index 0ca8dee44b..7e7cab8c7d 100644
--- a/detections/endpoint/windows_modify_registry_dontshowui.yml
+++ b/detections/endpoint/windows_modify_registry_dontshowui.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry DontShowUI
 id: 4ff9767b-fdf2-489c-83a5-c6c34412d72e
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml
index 792b7bccfb..a03626a1d1 100644
--- a/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml
+++ b/detections/endpoint/windows_modify_registry_enablelinkedconnections.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry EnableLinkedConnections
 id: 93048164-3358-4af0-8680-aa5f38440516
-version: 8
-date: '2025-04-22'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_modify_registry_longpathsenabled.yml b/detections/endpoint/windows_modify_registry_longpathsenabled.yml
index 40178a824a..02f737464e 100644
--- a/detections/endpoint/windows_modify_registry_longpathsenabled.yml
+++ b/detections/endpoint/windows_modify_registry_longpathsenabled.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry LongPathsEnabled
 id: 36f9626c-4272-4808-aadd-267acce681c0
-version: 8
-date: '2025-04-22'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml
index 848d6137f6..5b7e23de80 100644
--- a/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml
+++ b/detections/endpoint/windows_modify_registry_maxconnectionperserver.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry MaxConnectionPerServer
 id: 064cd09f-1ff4-4823-97e0-45c2f5b087ec
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml
index abdc013568..b33163745a 100644
--- a/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml
+++ b/detections/endpoint/windows_modify_registry_no_auto_reboot_with_logon_user.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry No Auto Reboot With Logon User
 id: 6a12fa9f-580d-4627-8c7f-313e359bdc6a
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_modify_registry_no_auto_update.yml b/detections/endpoint/windows_modify_registry_no_auto_update.yml
index e109beceea..1f324c5428 100644
--- a/detections/endpoint/windows_modify_registry_no_auto_update.yml
+++ b/detections/endpoint/windows_modify_registry_no_auto_update.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry No Auto Update
 id: fbd4f333-17bb-4eab-89cb-860fa2e0600e
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml
index 3956ee8b41..5a57617659 100644
--- a/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml
+++ b/detections/endpoint/windows_modify_registry_nochangingwallpaper.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry NoChangingWallPaper
 id: a2276412-e254-4e9a-9082-4d92edb6a3e0
-version: 8
-date: '2025-04-22'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml b/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml
index 0455612400..d1d6fbb4a9 100644
--- a/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml
+++ b/detections/endpoint/windows_modify_registry_on_smart_card_group_policy.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry on Smart Card Group Policy
 id: 1522145a-8e86-4f83-89a8-baf62a8f489d
-version: 5
-date: '2025-04-22'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 13
diff --git a/detections/endpoint/windows_modify_registry_proxyenable.yml b/detections/endpoint/windows_modify_registry_proxyenable.yml
index c9ca50803a..fb886685f5 100644
--- a/detections/endpoint/windows_modify_registry_proxyenable.yml
+++ b/detections/endpoint/windows_modify_registry_proxyenable.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry ProxyEnable
 id: b27f20bd-ef20-41d1-a1e9-25dedd5bf2f5
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_modify_registry_proxyserver.yml b/detections/endpoint/windows_modify_registry_proxyserver.yml
index ac8cc305e7..ed6af1061c 100644
--- a/detections/endpoint/windows_modify_registry_proxyserver.yml
+++ b/detections/endpoint/windows_modify_registry_proxyserver.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry ProxyServer
 id: 12bdaa0b-3c59-4489-aae1-bff6d67746ef
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml
index 0547cd66ad..1faa95c204 100644
--- a/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml
+++ b/detections/endpoint/windows_modify_registry_qakbot_binary_data_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry Qakbot Binary Data Registry
 id: 2e768497-04e0-4188-b800-70dd2be0e30d
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Bhavin Patel, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml
index 41701c6e43..dff0dd83f7 100644
--- a/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml
+++ b/detections/endpoint/windows_modify_registry_regedit_silent_reg_import.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry Regedit Silent Reg Import
 id: 824dd598-71be-4203-bc3b-024f4cda340e
-version: 6
-date: '2025-04-22'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_modify_registry_risk_behavior.yml b/detections/endpoint/windows_modify_registry_risk_behavior.yml
index da4ba80067..1832ecd823 100644
--- a/detections/endpoint/windows_modify_registry_risk_behavior.yml
+++ b/detections/endpoint/windows_modify_registry_risk_behavior.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry Risk Behavior
 id: 5eb479b1-a5ea-4e01-8365-780078613776
-version: 5
-date: '2025-04-16'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Correlation
diff --git a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml
index 575020a9a2..eb76fc9c36 100644
--- a/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml
+++ b/detections/endpoint/windows_modify_registry_suppress_win_defender_notif.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry Suppress Win Defender Notif
 id: e3b42daf-fff4-429d-bec8-2a199468cea9
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_modify_registry_tamper_protection.yml b/detections/endpoint/windows_modify_registry_tamper_protection.yml
index d08ffdf575..283a0495ad 100644
--- a/detections/endpoint/windows_modify_registry_tamper_protection.yml
+++ b/detections/endpoint/windows_modify_registry_tamper_protection.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry Tamper Protection
 id: 12094335-88fc-4c3a-b55f-e62dd8c93c23
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml
index 2e443fed5a..05b396733f 100644
--- a/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml
+++ b/detections/endpoint/windows_modify_registry_to_add_or_modify_firewall_rule.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry to Add or Modify Firewall Rule
 id: 43254751-e2ce-409a-b6b4-4f851e8dcc26
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 13
diff --git a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml
index d9f015b52c..cfdae8439d 100644
--- a/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml
+++ b/detections/endpoint/windows_modify_registry_updateserviceurlalternate.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry UpdateServiceUrlAlternate
 id: ca4e94fb-7969-4d63-8630-3625809a1f70
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_modify_registry_usewuserver.yml b/detections/endpoint/windows_modify_registry_usewuserver.yml
index 9129b422fd..68ac61ac49 100644
--- a/detections/endpoint/windows_modify_registry_usewuserver.yml
+++ b/detections/endpoint/windows_modify_registry_usewuserver.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry USeWuServer
 id: c427bafb-0b2c-4b18-ad85-c03c6fed9e75
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_modify_registry_utilize_progids.yml b/detections/endpoint/windows_modify_registry_utilize_progids.yml
index 8cfc59d5df..83c16ab8c8 100644
--- a/detections/endpoint/windows_modify_registry_utilize_progids.yml
+++ b/detections/endpoint/windows_modify_registry_utilize_progids.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry Utilize ProgIDs
 id: 64fa82dd-fd11-472a-9e94-c221fffa591d
-version: 6
-date: '2025-04-22'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 13
diff --git a/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml
index c210c9a573..1fab8cbb38 100644
--- a/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml
+++ b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry ValleyRAT C2 Config
 id: ac59298a-8d81-4c02-8c9b-ffdac993891f
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 13
diff --git a/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml
index 88c4397f92..14947fee43 100644
--- a/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml
+++ b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry ValleyRat PWN Reg Entry
 id: 6947c44e-be1f-4dd9-b198-bc42be5be196
-version: 8
-date: '2025-04-22'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 13
diff --git a/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml
index 6f73c081c0..c6d19e9e49 100644
--- a/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml
+++ b/detections/endpoint/windows_modify_registry_with_md5_reg_key_name.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry With MD5 Reg Key Name
 id: 4662c6b1-0754-455e-b9ff-3ee730af3ba8
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_modify_registry_wuserver.yml b/detections/endpoint/windows_modify_registry_wuserver.yml
index 08f8560fa5..f8005b5412 100644
--- a/detections/endpoint/windows_modify_registry_wuserver.yml
+++ b/detections/endpoint/windows_modify_registry_wuserver.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry WuServer
 id: a02ad386-e26d-44ce-aa97-6a46cee31439
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_modify_registry_wustatusserver.yml b/detections/endpoint/windows_modify_registry_wustatusserver.yml
index 145fb004f7..54cbfc73e7 100644
--- a/detections/endpoint/windows_modify_registry_wustatusserver.yml
+++ b/detections/endpoint/windows_modify_registry_wustatusserver.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Registry wuStatusServer
 id: 073e69d0-68b2-4142-aa90-a7ee6f590676
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml
index 9dd34be412..1889f466e0 100644
--- a/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml
+++ b/detections/endpoint/windows_modify_show_compress_color_and_info_tip_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Modify Show Compress Color And Info Tip Registry
 id: b7548c2e-9a10-11ec-99e3-acde48001122
-version: 10
-date: '2025-04-22'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml b/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml
index 7d395ca5e8..f659d3f695 100644
--- a/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml
+++ b/detections/endpoint/windows_modify_system_firewall_with_notable_process_path.yml
@@ -1,7 +1,7 @@
 name: Windows Modify System Firewall with Notable Process Path
 id: cd6d7410-9146-4471-a418-49edba6dadc4
-version: '7'
-date: '2025-03-14'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Will Metcalf, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml
index d30cd02719..2102b1be9e 100644
--- a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml
+++ b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml
@@ -1,7 +1,7 @@
 name: Windows MOF Event Triggered Execution via WMI
 id: e59b5a73-32bf-4467-a585-452c36ae10c1
-version: 9
-date: '2024-12-10'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_moveit_transfer_writing_aspx.yml b/detections/endpoint/windows_moveit_transfer_writing_aspx.yml
index 6477fcb500..fc514c2afc 100644
--- a/detections/endpoint/windows_moveit_transfer_writing_aspx.yml
+++ b/detections/endpoint/windows_moveit_transfer_writing_aspx.yml
@@ -1,7 +1,7 @@
 name: Windows MOVEit Transfer Writing ASPX
 id: c0ed2aca-5666-45b3-813f-ddfac3f3eda0
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/windows_msc_eviltwin_directory_path_manipulation.yml b/detections/endpoint/windows_msc_eviltwin_directory_path_manipulation.yml
index bd514f9048..e0fceff752 100644
--- a/detections/endpoint/windows_msc_eviltwin_directory_path_manipulation.yml
+++ b/detections/endpoint/windows_msc_eviltwin_directory_path_manipulation.yml
@@ -1,7 +1,7 @@
 name: Windows MSC EvilTwin Directory Path Manipulation
 id: 7f6b8a95-3fb7-429a-8c53-e5d4f8d92a10
-version: 3
-date: '2025-04-17'
+version: 4
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml b/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml
index 2f260890a9..539c33ff5d 100644
--- a/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml
+++ b/detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml
@@ -1,7 +1,7 @@
 name: Windows MSExchange Management Mailbox Cmdlet Usage
 id: 396de86f-25e7-4b0e-be09-a330be35249d
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_mshta_execution_in_registry.yml b/detections/endpoint/windows_mshta_execution_in_registry.yml
index f0ec6e2213..f1d62fba97 100644
--- a/detections/endpoint/windows_mshta_execution_in_registry.yml
+++ b/detections/endpoint/windows_mshta_execution_in_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Mshta Execution In Registry
 id: e13ceade-b673-4d34-adc4-4d9c01729753
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml b/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml
index 66b5c4a9da..75eab98c9f 100644
--- a/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml
+++ b/detections/endpoint/windows_mshta_writing_to_world_writable_path.yml
@@ -1,7 +1,7 @@
 name: Windows MSHTA Writing to World Writable Path
 id: efbcf8ee-bc75-47f1-8985-a5c638c4faf0
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source:
 - Sysmon EventID 11
diff --git a/detections/endpoint/windows_msiexec_dllregisterserver.yml b/detections/endpoint/windows_msiexec_dllregisterserver.yml
index 0fef996e02..ac746862da 100644
--- a/detections/endpoint/windows_msiexec_dllregisterserver.yml
+++ b/detections/endpoint/windows_msiexec_dllregisterserver.yml
@@ -1,7 +1,7 @@
 name: Windows MSIExec DLLRegisterServer
 id: fdb59aef-d88f-4909-8369-ec2afbd2c398
-version: 8
-date: '2025-04-22'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml b/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml
index adb2ad97a5..96ec53c0f6 100644
--- a/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml
+++ b/detections/endpoint/windows_msiexec_hidewindow_rundll32_execution.yml
@@ -1,7 +1,7 @@
 name: Windows MsiExec HideWindow Rundll32 Execution
 id: 9683271d-92e4-43b5-a907-1983bfb9f7fd
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_msiexec_remote_download.yml b/detections/endpoint/windows_msiexec_remote_download.yml
index b1679fde89..c4a17e03c1 100644
--- a/detections/endpoint/windows_msiexec_remote_download.yml
+++ b/detections/endpoint/windows_msiexec_remote_download.yml
@@ -1,7 +1,7 @@
 name: Windows MSIExec Remote Download
 id: 6aa49ff2-3c92-4586-83e0-d83eb693dfda
-version: 8
-date: '2025-04-22'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml
index ef90b82190..20ac6ffcbb 100644
--- a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml
+++ b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml
@@ -1,7 +1,7 @@
 name: Windows MSIExec Spawn Discovery Command
 id: e9d05aa2-32f0-411b-930c-5b8ca5c4fcee
-version: 9
-date: '2025-04-22'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_msiexec_spawn_windbg.yml b/detections/endpoint/windows_msiexec_spawn_windbg.yml
index d296935767..d52ba9f0be 100644
--- a/detections/endpoint/windows_msiexec_spawn_windbg.yml
+++ b/detections/endpoint/windows_msiexec_spawn_windbg.yml
@@ -1,7 +1,7 @@
 name: Windows MSIExec Spawn WinDBG
 id: 9a18f7c2-1fe3-47b8-9467-8b3976770a30
-version: 8
-date: '2024-12-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml b/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml
index 650f01c384..e0ef89ee94 100644
--- a/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml
+++ b/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml
@@ -1,7 +1,7 @@
 name: Windows MSIExec Unregister DLLRegisterServer
 id: a27db3c5-1a9a-46df-a577-765d3f1a3c24
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_mstsc_rdp_commandline.yml b/detections/endpoint/windows_mstsc_rdp_commandline.yml
index 4f5354a200..5e9e8c8c2a 100644
--- a/detections/endpoint/windows_mstsc_rdp_commandline.yml
+++ b/detections/endpoint/windows_mstsc_rdp_commandline.yml
@@ -1,7 +1,7 @@
 name: Windows MSTSC RDP Commandline
 id: 3718549b-867e-4084-b770-790e8dab6ab8
-version: 1
-date: '2025-03-17'
+version: 2
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_multiple_account_passwords_changed.yml b/detections/endpoint/windows_multiple_account_passwords_changed.yml
index 481f0b6b9f..53a4814b78 100644
--- a/detections/endpoint/windows_multiple_account_passwords_changed.yml
+++ b/detections/endpoint/windows_multiple_account_passwords_changed.yml
@@ -1,7 +1,7 @@
 name: Windows Multiple Account Passwords Changed
 id: faefb681-14be-4f0d-9cac-0bc0160c7280
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 data_source:
 - Windows Event Log Security 4724
diff --git a/detections/endpoint/windows_multiple_accounts_deleted.yml b/detections/endpoint/windows_multiple_accounts_deleted.yml
index 9a05ad8bcf..6e643209e1 100644
--- a/detections/endpoint/windows_multiple_accounts_deleted.yml
+++ b/detections/endpoint/windows_multiple_accounts_deleted.yml
@@ -1,7 +1,7 @@
 name: Windows Multiple Accounts Deleted
 id: 49c0d4d6-c55d-4d3a-b3d5-7709fafed70d
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 data_source:
 - Windows Event Log Security 4726
diff --git a/detections/endpoint/windows_multiple_accounts_disabled.yml b/detections/endpoint/windows_multiple_accounts_disabled.yml
index ed272245c8..4ca6180eda 100644
--- a/detections/endpoint/windows_multiple_accounts_disabled.yml
+++ b/detections/endpoint/windows_multiple_accounts_disabled.yml
@@ -1,7 +1,7 @@
 name: Windows Multiple Accounts Disabled
 id: 5d93894e-befa-4429-abde-7fc541020b7b
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 data_source:
 - Windows Event Log Security 4725
diff --git a/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml b/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml
index f4082732ee..a43d49f16c 100644
--- a/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml
+++ b/detections/endpoint/windows_multiple_disabled_users_failed_to_authenticate_wth_kerberos.yml
@@ -1,7 +1,7 @@ name: Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos id: 98f22d82-9d62-11eb-9fcf-acde48001122 -version: 7 -date: '2025-02-10' +version: 8 +date: '2025-05-02' author: Mauricio Velazco, Splunk type: TTP status: production diff --git a/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml b/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml index e984b75b4a..e20c5565a7 100644 --- a/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml +++ b/detections/endpoint/windows_multiple_invalid_users_fail_to_authenticate_using_kerberos.yml @@ -1,7 +1,7 @@ name: Windows Multiple Invalid Users Fail To Authenticate Using Kerberos id: 001266a6-9d5b-11eb-829b-acde48001122 -date: '2025-02-10' -version: 7 +date: '2025-05-02' +version: 8 type: TTP status: production author: Mauricio Velazco, Splunk diff --git a/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml b/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml index 70a29bab40..c3fda034ae 100644 --- a/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml +++ b/detections/endpoint/windows_multiple_invalid_users_failed_to_authenticate_using_ntlm.yml @@ -1,12 +1,12 @@ name: Windows Multiple Invalid Users Failed To Authenticate Using NTLM id: 57ad5a64-9df7-11eb-a290-acde48001122 type: TTP -version: 8 +version: 9 author: Mauricio Velazco, Splunk status: production data_source: - Windows Event Log Security 4776 -date: '2025-02-10' +date: '2025-05-02' description: The following analytic detects a single source endpoint failing to authenticate with 30 unique invalid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC0000064, which indicates 
diff --git a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml index cbd8a9f3e0..3aef18483f 100644 --- a/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml +++ b/detections/endpoint/windows_multiple_ntlm_null_domain_authentications.yml @@ -1,7 +1,7 @@ name: Windows Multiple NTLM Null Domain Authentications id: c187ce2c-c88e-4cec-8a1c-607ca0dedd78 -version: 5 -date: '2025-02-10' +version: 6 +date: '2025-05-02' author: Steven Dick status: production type: TTP diff --git a/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml b/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml index 5cf8a777dd..9f4822f1c9 100644 --- a/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml +++ b/detections/endpoint/windows_multiple_users_fail_to_authenticate_wth_explicitcredentials.yml @@ -1,12 +1,12 @@ name: Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials id: e61918fa-9ca4-11eb-836c-acde48001122 type: TTP -version: 8 +version: 9 status: production author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4648 -date: '2025-02-10' +date: '2025-05-02' description: The following analytic identifies a source user failing to authenticate with 30 unique users using explicit credentials on a host. It leverages Windows Event 4648, which is generated when a process attempts an account logon by explicitly diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml index 4fa3eb78ad..ca06632bd1 100644 --- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml +++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_host_using_ntlm.yml 
@@ -3,10 +3,10 @@ id: 7ed272a4-9c77-11eb-af22-acde48001122 author: Mauricio Velazco, Splunk type: TTP status: production -version: 8 +version: 9 data_source: - Windows Event Log Security 4776 -date: '2025-02-10' +date: '2025-05-02' description: The following analytic identifies a single source endpoint failing to authenticate with 30 unique valid users using the NTLM protocol. It leverages EventCode 4776 from Domain Controller logs, focusing on error code 0xC000006A, which indicates diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml index 538ccb75cf..2d442731ae 100644 --- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml +++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_from_process.yml @@ -1,12 +1,12 @@ name: Windows Multiple Users Failed To Authenticate From Process id: 9015385a-9c84-11eb-bef2-acde48001122 type: TTP -version: 8 +version: 9 status: production author: Mauricio Velazco, Splunk data_source: - Windows Event Log Security 4625 -date: '2025-02-10' +date: '2025-05-02' description: The following analytic detects a source process failing to authenticate with 30 unique users, indicating a potential Password Spraying attack. It leverages Windows Event 4625 with Logon Type 2, collected from domain controllers, member diff --git a/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml b/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml index fa7bb5d110..d2d3eeaf41 100644 --- a/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml +++ b/detections/endpoint/windows_multiple_users_failed_to_authenticate_using_kerberos.yml 
@@ -1,8 +1,8 @@
 name: Windows Multiple Users Failed To Authenticate Using Kerberos
 id: 3a91a212-98a9-11eb-b86a-acde48001122
 type: TTP
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 status: production
 author: Mauricio Velazco, Splunk
 data_source:
diff --git a/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml b/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml
index 5b3add2ed9..54ab842db6 100644
--- a/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml
+++ b/detections/endpoint/windows_multiple_users_remotely_failed_to_authenticate_from_host.yml
@@ -3,8 +3,8 @@ id: 80f9d53e-9ca1-11eb-b0d6-acde48001122
 author: Mauricio Velazco, Splunk
 type: TTP
 status: production
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 data_source:
 - Windows Event Log Security 4625
 description: The following analytic identifies a source host failing to authenticate
diff --git a/detections/endpoint/windows_network_connection_discovery_via_net.yml b/detections/endpoint/windows_network_connection_discovery_via_net.yml
index e49609ead4..c3ad01baf9 100644
--- a/detections/endpoint/windows_network_connection_discovery_via_net.yml
+++ b/detections/endpoint/windows_network_connection_discovery_via_net.yml
@@ -1,7 +1,7 @@
 name: Windows Network Connection Discovery Via Net
 id: 86a5b949-679b-4197-8d4c-9c180a818c45
-version: 2
-date: '2025-01-13'
+version: 3
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_network_share_interaction_via_net.yml b/detections/endpoint/windows_network_share_interaction_via_net.yml
index 90cdba60c0..2d93a17f21 100644
--- a/detections/endpoint/windows_network_share_interaction_via_net.yml
+++ b/detections/endpoint/windows_network_share_interaction_via_net.yml
@@ -1,7 +1,7 @@
 name: Windows Network Share Interaction Via Net
 id: e51fbdb0-0be0-474f-92ea-d289f71a695e
-version: 2
-date: '2025-01-20'
+version: 3
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml b/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml
index e2551b1dc2..be2e1d0591 100644
--- a/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml
+++ b/detections/endpoint/windows_new_custom_security_descriptor_set_on_eventlog_channel.yml
@@ -1,7 +1,7 @@
 name: Windows New Custom Security Descriptor Set On EventLog Channel
 id: c0e5dd5a-2117-41d5-a04c-82a762a86a38
-version: 3
-date: '2025-01-07'
+version: 4
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_new_default_file_association_value_set.yml b/detections/endpoint/windows_new_default_file_association_value_set.yml
index 74809b6e75..faf94da092 100644
--- a/detections/endpoint/windows_new_default_file_association_value_set.yml
+++ b/detections/endpoint/windows_new_default_file_association_value_set.yml
@@ -1,7 +1,7 @@
 name: Windows New Default File Association Value Set
 id: 7d1f031f-f1c9-43be-8b0b-c4e3e8a8928a
-version: 2
-date: '2025-02-10'
+version: 3
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml b/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml
index 5c38b91742..db4dde3e9c 100644
--- a/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml
+++ b/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml
@@ -1,7 +1,7 @@
 name: Windows New Deny Permission Set On Service SD Via Sc.EXE
 id: d0f6a5e5-dbfd-46e1-8bd5-2e2905947c33
-version: 3
-date: '2025-01-07'
+version: 4
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml b/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml
index 64ea66f1e1..1559ae23f1 100644
--- a/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml
+++ b/detections/endpoint/windows_new_eventlog_channelaccess_registry_value_set.yml
@@ -1,7 +1,7 @@
 name: Windows New EventLog ChannelAccess Registry Value Set
 id: 16eb11bc-ef42-42e8-9d0c-d21e0fa15725
-version: 3
-date: '2025-01-07'
+version: 4
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_new_inprocserver32_added.yml b/detections/endpoint/windows_new_inprocserver32_added.yml
index 3f5d60bc3b..835680440e 100644
--- a/detections/endpoint/windows_new_inprocserver32_added.yml
+++ b/detections/endpoint/windows_new_inprocserver32_added.yml
@@ -1,7 +1,7 @@
 name: Windows New InProcServer32 Added
 id: 0fa86e31-0f73-4ec7-9ca3-dc88e117f1db
-version: 6
-date: '2025-04-22'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source:
 - Sysmon EventID 13
diff --git a/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml b/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml
index 9f8abeb132..fca93d60cb 100644
--- a/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml
+++ b/detections/endpoint/windows_new_service_security_descriptor_set_via_sc_exe.yml
@@ -1,7 +1,7 @@
 name: Windows New Service Security Descriptor Set Via Sc.EXE
 id: cde00c31-042a-4307-bf70-25e471da56e9
-version: 3
-date: '2025-01-07'
+version: 4
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml
index c95ab19161..657d0e8af9 100644
--- a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml
+++ b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml
@@ -1,7 +1,7 @@
 name: Windows Ngrok Reverse Proxy Usage
 id: e2549f2c-0aef-408a-b0c1-e0f270623436
-version: 8
-date: '2024-11-13'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_nirsoft_advancedrun.yml b/detections/endpoint/windows_nirsoft_advancedrun.yml
index d5b900249d..c663010cb0 100644
--- a/detections/endpoint/windows_nirsoft_advancedrun.yml
+++ b/detections/endpoint/windows_nirsoft_advancedrun.yml
@@ -1,7 +1,7 @@
 name: Windows NirSoft AdvancedRun
 id: bb4f3090-7ae4-11ec-897f-acde48001122
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_nirsoft_utilities.yml b/detections/endpoint/windows_nirsoft_utilities.yml
index e0f8792d82..c4905354c7 100644
--- a/detections/endpoint/windows_nirsoft_utilities.yml
+++ b/detections/endpoint/windows_nirsoft_utilities.yml
@@ -1,7 +1,7 @@
 name: Windows NirSoft Utilities
 id: 5b2f4596-7d4c-11ec-88a7-acde48001122
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml b/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml
index a16a4ca549..50bb907a25 100644
--- a/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml
+++ b/detections/endpoint/windows_njrat_fileless_storage_via_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Njrat Fileless Storage via Registry
 id: a5fffbbd-271f-4980-94ed-4fbf17f0af1c
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml
index df8ce72c4c..5afc088ecd 100644
--- a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml
+++ b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml
@@ -1,7 +1,7 @@
 name: Windows Non Discord App Access Discord LevelDB
 id: 1166360c-d495-45ac-87a6-8948aac1fa07
-version: 5
-date: '2024-11-22'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Windows Event Log Security 4663
diff --git a/detections/endpoint/windows_non_system_account_targeting_lsass.yml b/detections/endpoint/windows_non_system_account_targeting_lsass.yml
index 75b0600e06..04fef33283 100644
--- a/detections/endpoint/windows_non_system_account_targeting_lsass.yml
+++ b/detections/endpoint/windows_non_system_account_targeting_lsass.yml
@@ -1,7 +1,7 @@
 name: Windows Non-System Account Targeting Lsass
 id: b1ce9a72-73cf-11ec-981b-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml
index 52fdf52f61..f8023fbcdd 100644
--- a/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml
+++ b/detections/endpoint/windows_obfuscated_files_or_information_via_rar_sfx.yml
@@ -1,7 +1,7 @@
 name: Windows Obfuscated Files or Information via RAR SFX
 id: 4ab6862b-ce88-4223-96c0-f6da2cffb898
-version: 3
-date: '2025-02-17'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 11
diff --git a/detections/endpoint/windows_odbcconf_hunting.yml b/detections/endpoint/windows_odbcconf_hunting.yml
index 8bf400fcb4..57c8e45c24 100644
--- a/detections/endpoint/windows_odbcconf_hunting.yml
+++ b/detections/endpoint/windows_odbcconf_hunting.yml
@@ -1,7 +1,7 @@
 name: Windows Odbcconf Hunting
 id: 0562ad4b-fdaa-4882-b12f-7b8e0034cd72
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_odbcconf_load_dll.yml b/detections/endpoint/windows_odbcconf_load_dll.yml
index 3029733086..72e838e32d 100644
--- a/detections/endpoint/windows_odbcconf_load_dll.yml
+++ b/detections/endpoint/windows_odbcconf_load_dll.yml
@@ -1,7 +1,7 @@
 name: Windows Odbcconf Load DLL
 id: 141e7fca-a9f0-40fd-a539-9aac8be41f1b
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_odbcconf_load_response_file.yml b/detections/endpoint/windows_odbcconf_load_response_file.yml
index 2c14735771..63014e123b 100644
--- a/detections/endpoint/windows_odbcconf_load_response_file.yml
+++ b/detections/endpoint/windows_odbcconf_load_response_file.yml
@@ -1,7 +1,7 @@
 name: Windows Odbcconf Load Response File
 id: 1acafff9-1347-4b40-abae-f35aa4ba85c1
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml b/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml
index c492ae63e3..fecbed2b19 100644
--- a/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml
+++ b/detections/endpoint/windows_office_product_dropped_cab_or_inf_file.yml
@@ -1,7 +1,7 @@
 name: Windows Office Product Dropped Cab or Inf File
 id: dbdd251e-dd45-4ec9-a555-f5e151391746
-version: 4
-date: '2025-04-22'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_office_product_dropped_uncommon_file.yml b/detections/endpoint/windows_office_product_dropped_uncommon_file.yml
index 9f178e97e1..0d983435ee 100644
--- a/detections/endpoint/windows_office_product_dropped_uncommon_file.yml
+++ b/detections/endpoint/windows_office_product_dropped_uncommon_file.yml
@@ -1,7 +1,7 @@
 name: Windows Office Product Dropped Uncommon File
 id: 7ac0fced-9eae-4381-a748-90dcd1aa9393
-version: 4
-date: '2025-04-22'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Michael Haag, Splunk, TheLawsOfChaos, Github
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_office_product_loaded_mshtml_module.yml b/detections/endpoint/windows_office_product_loaded_mshtml_module.yml
index 097c7add7d..a14df84000 100644
--- a/detections/endpoint/windows_office_product_loaded_mshtml_module.yml
+++ b/detections/endpoint/windows_office_product_loaded_mshtml_module.yml
@@ -1,7 +1,7 @@
 name: Windows Office Product Loaded MSHTML Module
 id: 4cc015c9-687c-40d2-adcc-46350f66e10c
-version: 3
-date: '2025-02-10'
+version: 4
+date: '2025-05-02'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_office_product_loading_taskschd_dll.yml b/detections/endpoint/windows_office_product_loading_taskschd_dll.yml
index 9917e59163..7caf75fbb3 100644
--- a/detections/endpoint/windows_office_product_loading_taskschd_dll.yml
+++ b/detections/endpoint/windows_office_product_loading_taskschd_dll.yml
@@ -1,7 +1,7 @@
 name: Windows Office Product Loading Taskschd DLL
 id: d7297cfa-1f04-4714-bfbe-3679e0666959
-version: 3
-date: '2025-02-10'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_office_product_loading_vbe7_dll.yml b/detections/endpoint/windows_office_product_loading_vbe7_dll.yml
index ec9e26ddef..886522ae25 100644
--- a/detections/endpoint/windows_office_product_loading_vbe7_dll.yml
+++ b/detections/endpoint/windows_office_product_loading_vbe7_dll.yml
@@ -1,7 +1,7 @@
 name: Windows Office Product Loading VBE7 DLL
 id: 7cfec906-2697-43f7-898b-83634a051d9a
-version: 3
-date: '2025-02-10'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml
index ca679c3213..4154d3cde1 100644
--- a/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml
+++ b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml
@@ -1,7 +1,7 @@
 name: Windows Office Product Spawned Child Process For Download
 id: f02b64b8-cbea-4f75-bf77-7a05111566b1
-version: 3
-date: '2025-02-10'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_office_product_spawned_control.yml b/detections/endpoint/windows_office_product_spawned_control.yml
index 0dab8031e3..701f8f8762 100644
--- a/detections/endpoint/windows_office_product_spawned_control.yml
+++ b/detections/endpoint/windows_office_product_spawned_control.yml
@@ -1,7 +1,7 @@
 name: Windows Office Product Spawned Control
 id: 081c485d-ac8d-4bee-ad4c-525772fead4d
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_office_product_spawned_msdt.yml b/detections/endpoint/windows_office_product_spawned_msdt.yml
index fd33aac461..b8734a5526 100644
--- a/detections/endpoint/windows_office_product_spawned_msdt.yml
+++ b/detections/endpoint/windows_office_product_spawned_msdt.yml
@@ -1,7 +1,7 @@
 name: Windows Office Product Spawned MSDT
 id: a3148fad-3734-4b7f-9a71-62f08d39fab1
-version: 4
-date: '2025-02-10'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml b/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml
index 0cd7017143..45d8d4934a 100644
--- a/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml
+++ b/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml
@@ -1,7 +1,7 @@
 name: Windows Office Product Spawned Rundll32 With No DLL
 id: f28e787e-69ca-480e-9f98-ab970e6d4bcc
-version: 3
-date: '2025-02-10'
+version: 4
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
index b7191fc8f4..8f3fedf71d 100644
--- a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
+++ b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml
@@ -1,7 +1,7 @@
 name: Windows Office Product Spawned Uncommon Process
 id: 55d8741c-fa32-4692-8109-410304961eb8
-version: 3
-date: '2025-02-10'
+version: 4
+date: '2025-05-02'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_outlook_webview_registry_modification.yml b/detections/endpoint/windows_outlook_webview_registry_modification.yml
index 44f6bbe726..41e1ed389a 100644
--- a/detections/endpoint/windows_outlook_webview_registry_modification.yml
+++ b/detections/endpoint/windows_outlook_webview_registry_modification.yml
@@ -1,7 +1,7 @@
 name: Windows Outlook WebView Registry Modification
 id: 6e1ad5d4-d9af-496a-96ec-f31c11cd09f2
-version: 5
-date: '2025-04-22'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source:
 - Sysmon EventID 13
diff --git a/detections/endpoint/windows_papercut_ng_spawn_shell.yml b/detections/endpoint/windows_papercut_ng_spawn_shell.yml
index 06ce9fd0d2..9b6c90d90b 100644
--- a/detections/endpoint/windows_papercut_ng_spawn_shell.yml
+++ b/detections/endpoint/windows_papercut_ng_spawn_shell.yml
@@ -1,7 +1,7 @@
 name: Windows PaperCut NG Spawn Shell
 id: a602d9a2-aaea-45f8-bf0f-d851168d61ca
-version: 8
-date: '2024-12-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml b/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml
index e1fa497628..15af5a7680 100644
--- a/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml
+++ b/detections/endpoint/windows_parent_pid_spoofing_with_explorer.yml
@@ -1,7 +1,7 @@
 name: Windows Parent PID Spoofing with Explorer
 id: 17f8f69c-5d00-4c88-9c6f-493bbdef20a1
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_password_managers_discovery.yml b/detections/endpoint/windows_password_managers_discovery.yml
index 1fbb801b3c..64b8727007 100644
--- a/detections/endpoint/windows_password_managers_discovery.yml
+++ b/detections/endpoint/windows_password_managers_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows Password Managers Discovery
 id: a3b3bc96-1c4f-4eba-8218-027cac739a48
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_password_policy_discovery_with_net.yml b/detections/endpoint/windows_password_policy_discovery_with_net.yml
index a0f178e3ff..f509f97584 100644
--- a/detections/endpoint/windows_password_policy_discovery_with_net.yml
+++ b/detections/endpoint/windows_password_policy_discovery_with_net.yml
@@ -1,7 +1,7 @@
 name: Windows Password Policy Discovery with Net
 id: e52f7865-be78-46bf-b7ed-150fbe447613
-version: 2
-date: '2025-01-13'
+version: 3
+date: '2025-05-02'
 author: Teoderick Contreras, Mauricio Velazco, Nasreddine Bencherchali, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml b/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml
index 6540a39b8c..122409a59f 100644
--- a/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml
+++ b/detections/endpoint/windows_phishing_outlook_drop_dll_in_form_dir.yml
@@ -1,7 +1,7 @@
 name: Windows Phishing Outlook Drop Dll In FORM Dir
 id: fca01769-5163-4b3a-ae44-de874adfc9bc
-version: 6
-date: '2025-04-22'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 1 AND Sysmon EventID 11
diff --git a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
index f3593f20b4..e6bdd1bbdf 100644
--- a/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
+++ b/detections/endpoint/windows_phishing_pdf_file_executes_url_link.yml
@@ -1,7 +1,7 @@
 name: Windows Phishing PDF File Executes URL Link
 id: 2fa9dec8-9d8e-46d3-96c1-202c06f0e6e1
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml
index 2a962f747b..66d1942836 100644
--- a/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml
+++ b/detections/endpoint/windows_phishing_recent_iso_exec_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Phishing Recent ISO Exec Registry
 id: cb38ee66-8ae5-47de-bd66-231c7bbc0b2c
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_possible_credential_dumping.yml b/detections/endpoint/windows_possible_credential_dumping.yml
index cd8bc18e39..8e42f95ac7 100644
--- a/detections/endpoint/windows_possible_credential_dumping.yml
+++ b/detections/endpoint/windows_possible_credential_dumping.yml
@@ -1,7 +1,7 @@
 name: Windows Possible Credential Dumping
 id: e4723b92-7266-11ec-af45-acde48001122
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_post_exploitation_risk_behavior.yml b/detections/endpoint/windows_post_exploitation_risk_behavior.yml
index ea3e64c0dc..d017c6c13d 100644
--- a/detections/endpoint/windows_post_exploitation_risk_behavior.yml
+++ b/detections/endpoint/windows_post_exploitation_risk_behavior.yml
@@ -1,7 +1,7 @@
 name: Windows Post Exploitation Risk Behavior
 id: edb930df-64c2-4bb7-9b5c-889ed53fb973
-version: 5
-date: '2025-04-16'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Correlation
diff --git a/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml b/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml
index ff98aec5e0..567dcd5ed6 100644
--- a/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml
+++ b/detections/endpoint/windows_powershell_add_module_to_global_assembly_cache.yml
@@ -1,7 +1,7 @@
 name: Windows PowerShell Add Module to Global Assembly Cache
 id: 3fc16961-97e5-4a5b-a079-e4ab0d9763eb
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_powershell_cryptography_namespace.yml b/detections/endpoint/windows_powershell_cryptography_namespace.yml
index f211f67389..181f33ed0e 100644
--- a/detections/endpoint/windows_powershell_cryptography_namespace.yml
+++ b/detections/endpoint/windows_powershell_cryptography_namespace.yml
@@ -1,7 +1,7 @@
 name: Windows Powershell Cryptography Namespace
 id: f8b482f4-6d62-49fa-a905-dfa15698317b
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_powershell_disable_http_logging.yml b/detections/endpoint/windows_powershell_disable_http_logging.yml
index 4f86464121..e1f2ebbc66 100644
--- a/detections/endpoint/windows_powershell_disable_http_logging.yml
+++ b/detections/endpoint/windows_powershell_disable_http_logging.yml
@@ -1,7 +1,7 @@
 name: Windows PowerShell Disable HTTP Logging
 id: 27958de0-2857-43ca-9d4c-b255cf59dcab
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_powershell_export_certificate.yml b/detections/endpoint/windows_powershell_export_certificate.yml
index 2d013aa1e4..8ebdda230e 100644
--- a/detections/endpoint/windows_powershell_export_certificate.yml
+++ b/detections/endpoint/windows_powershell_export_certificate.yml
@@ -1,7 +1,7 @@
 name: Windows PowerShell Export Certificate
 id: 5e38ded4-c964-41f4-8cb6-4a1a53c6929f
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_powershell_export_pfxcertificate.yml b/detections/endpoint/windows_powershell_export_pfxcertificate.yml
index 810324ebeb..ed2418f450 100644
--- a/detections/endpoint/windows_powershell_export_pfxcertificate.yml
+++ b/detections/endpoint/windows_powershell_export_pfxcertificate.yml
@@ -1,7 +1,7 @@
 name: Windows PowerShell Export PfxCertificate
 id: ed06725f-6da6-439f-9dcc-ab30e891297c
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml b/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml
index 7eb878ca39..05fc90a72e 100644
--- a/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml
+++ b/detections/endpoint/windows_powershell_get_ciminstance_remote_computer.yml
@@ -1,7 +1,7 @@
 name: Windows PowerShell Get CIMInstance Remote Computer
 id: d8c972eb-ed84-431a-8869-ca4bd83257d1
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 type: Anomaly
 status: production
diff --git a/detections/endpoint/windows_powershell_history_file_deletion.yml b/detections/endpoint/windows_powershell_history_file_deletion.yml
index 459df806eb..913cb0c157 100644
--- a/detections/endpoint/windows_powershell_history_file_deletion.yml
+++ b/detections/endpoint/windows_powershell_history_file_deletion.yml
@@ -1,7 +1,7 @@
 name: Windows Powershell History File Deletion
 id: f1369394-48e1-4327-bf6d-14377f4b8687
-version: 1
-date: '2025-03-17'
+version: 2
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml b/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml
index 8d44678edd..c31ada330a 100644
--- a/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml
+++ b/detections/endpoint/windows_powershell_iis_components_webglobalmodule_usage.yml
@@ -1,7 +1,7 @@
 name: Windows PowerShell IIS Components WebGlobalModule Usage
 id: 33fc9f6f-0ce7-4696-924e-a69ec61a3d57
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_powershell_import_applocker_policy.yml b/detections/endpoint/windows_powershell_import_applocker_policy.yml
index 2f68c33e50..eab0c5fdcc 100644
--- a/detections/endpoint/windows_powershell_import_applocker_policy.yml
+++ b/detections/endpoint/windows_powershell_import_applocker_policy.yml
@@ -1,7 +1,7 @@
 name: Windows Powershell Import Applocker Policy
 id: 102af98d-0ca3-4aa4-98d6-7ab2b98b955a
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_powershell_invoke_restmethod_ip_information_collection.yml b/detections/endpoint/windows_powershell_invoke_restmethod_ip_information_collection.yml
index d7329ecd95..66a8dabf44 100644
--- a/detections/endpoint/windows_powershell_invoke_restmethod_ip_information_collection.yml
+++ b/detections/endpoint/windows_powershell_invoke_restmethod_ip_information_collection.yml
@@ -1,7 +1,7 @@
 name: Windows PowerShell Invoke-RestMethod IP Information Collection
 id: 8db47e12-9c3e-4f5a-b0d6-e42a1895cd4f
-version: 1
-date: '2025-04-17'
+version: 2
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_powershell_invoke_sqlcmd_execution.yml b/detections/endpoint/windows_powershell_invoke_sqlcmd_execution.yml
index 2d478b39e0..14cc721a8c 100644
--- a/detections/endpoint/windows_powershell_invoke_sqlcmd_execution.yml
+++ b/detections/endpoint/windows_powershell_invoke_sqlcmd_execution.yml
@@ -1,7 +1,7 @@
 name: Windows PowerShell Invoke-Sqlcmd Execution
 id: 5eb76fe2-a869-4865-8c4c-8cff424b18a1
-version: 1
-date: '2025-02-03'
+version: 2
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_powershell_logoff_user_via_quser.yml b/detections/endpoint/windows_powershell_logoff_user_via_quser.yml
index 116ab5c17a..a3a98743b2 100644
--- a/detections/endpoint/windows_powershell_logoff_user_via_quser.yml
+++ b/detections/endpoint/windows_powershell_logoff_user_via_quser.yml
@@ -1,7 +1,7 @@
 name: Windows Powershell Logoff User via Quser
 id: 6d70780d-4cfe-4820-bafd-1b43941986b5
-version: 3
-date: '2025-02-10'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Powershell Script Block Logging 4104
diff --git a/detections/endpoint/windows_powershell_process_with_malicious_string.yml b/detections/endpoint/windows_powershell_process_with_malicious_string.yml
index 5e85f877ad..2d086301bc 100644
--- a/detections/endpoint/windows_powershell_process_with_malicious_string.yml
+++ b/detections/endpoint/windows_powershell_process_with_malicious_string.yml
@@ -1,7 +1,7 @@
 name: Windows PowerShell Process With Malicious String
 id: 5df35d50-e1a3-4a52-a337-92e69d9b1b8a
-version: 3
-date: '2025-03-27'
+version: 4
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_powershell_remotesigned_file.yml b/detections/endpoint/windows_powershell_remotesigned_file.yml
index 08179bdc71..92e3930ac4 100644
--- a/detections/endpoint/windows_powershell_remotesigned_file.yml
+++ b/detections/endpoint/windows_powershell_remotesigned_file.yml
@@ -1,7 +1,7 @@
 name: Windows Powershell RemoteSigned File
 id: f7f7456b-470d-4a95-9703-698250645ff4
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_powershell_scheduletask.yml b/detections/endpoint/windows_powershell_scheduletask.yml
index a64d2a663c..90cc7f20db 100644
--- a/detections/endpoint/windows_powershell_scheduletask.yml
+++ b/detections/endpoint/windows_powershell_scheduletask.yml
@@ -1,7 +1,7 @@
 name: Windows PowerShell ScheduleTask
 id: ddf82fcb-e9ee-40e3-8712-a50b5bf323fc
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_powershell_script_block_with_malicious_string.yml b/detections/endpoint/windows_powershell_script_block_with_malicious_string.yml
index 3f127db3a5..dfd5af47a5 100644
--- a/detections/endpoint/windows_powershell_script_block_with_malicious_string.yml
+++ b/detections/endpoint/windows_powershell_script_block_with_malicious_string.yml
@@ -1,7 +1,7 @@
 name: Windows PowerShell Script Block With Malicious String
 id: 0f09cedd-10f1-4b9f-bdea-7a8b06ea575d
-version: 2
-date: '2024-12-19'
+version: 3
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml b/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml
index 23f393878a..187bdb7b83 100644
--- a/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml
+++ b/detections/endpoint/windows_powershell_wmi_win32_scheduledjob.yml
@@ -1,7 +1,7 @@
 name: Windows PowerShell WMI Win32 ScheduledJob
 id: 47c69803-2c09-408b-b40a-063c064cbb16
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_powersploit_gpp_discovery.yml b/detections/endpoint/windows_powersploit_gpp_discovery.yml
index 0a08d6999f..ed8bdd70ef 100644
--- a/detections/endpoint/windows_powersploit_gpp_discovery.yml
+++ b/detections/endpoint/windows_powersploit_gpp_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows PowerSploit GPP Discovery
 id: 0130a0df-83a1-4647-9011-841e950ff302
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml b/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml
index 10bba77c66..e8dd9a38c2 100644
--- a/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml
+++ b/detections/endpoint/windows_powerview_ad_access_control_list_enumeration.yml
@@ -1,7 +1,7 @@
 name: Windows PowerView AD Access Control List Enumeration
 id: 39405650-c364-4e1e-a740-32a63ef042a6
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml b/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml
index 116cbd2094..5e67cf580e 100644
--- a/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml
+++ b/detections/endpoint/windows_powerview_constrained_delegation_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows PowerView Constrained Delegation Discovery
 id: 86dc8176-6e6c-42d6-9684-5444c6557ab3
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml b/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml
index 877bc3cdeb..0eb13eb8ee 100644
--- a/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml
+++ b/detections/endpoint/windows_powerview_kerberos_service_ticket_request.yml
@@ -1,7 +1,7 @@
 name: Windows PowerView Kerberos Service Ticket Request
 id: 970455a1-4ac2-47e1-a9a5-9e75443ddcb9
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_powerview_spn_discovery.yml b/detections/endpoint/windows_powerview_spn_discovery.yml
index 3508d4f543..f21006eab9 100644
--- a/detections/endpoint/windows_powerview_spn_discovery.yml
+++ b/detections/endpoint/windows_powerview_spn_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows PowerView SPN Discovery
 id: a7093c28-796c-4ebb-9997-e2c18b870837
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml b/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml
index d6ff7099f1..f302764b2c 100644
--- a/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml
+++ b/detections/endpoint/windows_powerview_unconstrained_delegation_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows PowerView Unconstrained Delegation Discovery
 id: fbf9e47f-e531-4fea-942d-5c95af7ed4d6
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_private_keys_discovery.yml b/detections/endpoint/windows_private_keys_discovery.yml
index 41a48215ee..13879deb6b 100644
--- a/detections/endpoint/windows_private_keys_discovery.yml
+++ b/detections/endpoint/windows_private_keys_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows Private Keys Discovery
 id: 5c1c2877-06c0-40ee-a1a2-db71f1372b5b
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
index 6994b12557..7b91acbef6 100644
--- a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
+++ b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
@@ -1,7 +1,7 @@
 name: Windows Privilege Escalation Suspicious Process Elevation
 id: 6a80300a-9f8a-4f22-bd3e-09ca577cfdfc
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml b/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml
index f5a19732a0..a5a0473934 100644
--- a/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml
+++ b/detections/endpoint/windows_privilege_escalation_system_process_without_system_parent.yml
@@ -1,7 +1,7 @@
 name: Windows Privilege Escalation System Process Without System Parent
 id: 5a5351cd-ba7e-499e-ad82-2ce160ffa637
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml
index a28177f659..8c58815535 100644
--- a/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml
+++ b/detections/endpoint/windows_privilege_escalation_user_process_spawn_system_process.yml
@@ -1,7 +1,7 @@
 name: Windows Privilege Escalation User Process Spawn System Process
 id: c9687a28-39ad-43c6-8bcf-eaf061ba0cbe
-version: 6
-date: '2024-12-10'
+version: 7
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_privileged_group_modification.yml b/detections/endpoint/windows_privileged_group_modification.yml
index ce9f44c5be..32864a79e1 100644
--- a/detections/endpoint/windows_privileged_group_modification.yml
+++ b/detections/endpoint/windows_privileged_group_modification.yml
@@ -1,7 +1,7 @@
 name: Windows Privileged Group Modification
 id: b8cbef2c-2cc3-4550-b0fc-9715b7852df9
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Brandon Sternfield, Optiv + ClearShark
 data_source:
 - Windows Event Log Security 4727
diff --git a/detections/endpoint/windows_process_commandline_discovery.yml b/detections/endpoint/windows_process_commandline_discovery.yml
index 58107cacaf..850db3f443 100644
--- a/detections/endpoint/windows_process_commandline_discovery.yml
+++ b/detections/endpoint/windows_process_commandline_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows Process Commandline Discovery
 id: 67d2a52e-a7e2-4a5d-ae44-a21212048bc2
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_process_executed_from_removable_media.yml b/detections/endpoint/windows_process_executed_from_removable_media.yml
index 11aad3169f..c330bf47c3 100644
--- a/detections/endpoint/windows_process_executed_from_removable_media.yml
+++ b/detections/endpoint/windows_process_executed_from_removable_media.yml
@@ -1,7 +1,7 @@
 name: Windows Process Executed From Removable Media
 id: b483804a-4cc0-49a4-9f00-ac29ba844d08
-version: 3
-date: '2025-03-27'
+version: 4
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_process_execution_from_programdata.yml b/detections/endpoint/windows_process_execution_from_programdata.yml
index ae0b14501e..200a1a5975 100644
--- a/detections/endpoint/windows_process_execution_from_programdata.yml
+++ b/detections/endpoint/windows_process_execution_from_programdata.yml
@@ -1,7 +1,7 @@
 name: Windows Process Execution From ProgramData
 id: 237016fa-d8e6-47b4-80f9-70c4d42c72c0
-version: 2
-date: '2025-03-27'
+version: 3
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_process_execution_in_temp_dir.yml b/detections/endpoint/windows_process_execution_in_temp_dir.yml
index d03c4d54d5..7b7fa7335b 100644
--- a/detections/endpoint/windows_process_execution_in_temp_dir.yml
+++ b/detections/endpoint/windows_process_execution_in_temp_dir.yml
@@ -1,7 +1,7 @@
 name: Windows Process Execution in Temp Dir
 id: f6fbe929-4187-4ba4-901e-8a34be838443
-version: 2
-date: '2025-01-27'
+version: 3
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml b/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml
index cd8c16435f..852abb04eb 100644
--- a/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml
+++ b/detections/endpoint/windows_process_injection_in_non_service_searchindexer.yml
@@ -1,7 +1,7 @@
 name: Windows Process Injection In Non-Service SearchIndexer
 id: d131673f-ede1-47f2-93a1-0108d3e7fafd
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml b/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml
index 018d13e4cb..04bd55f0a2 100644
--- a/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml
+++ b/detections/endpoint/windows_process_injection_into_commonly_abused_processes.yml
@@ -1,7 +1,7 @@
 name: Windows Process Injection into Commonly Abused Processes
 id: 1e1dedc6-f6f3-41a0-9dd7-a1245904fe75
 version: 3
-date: '2025-04-28'
+date: '2025-05-02'
 author: 0xC0FFEEEE, Github Community
 type: Anomaly
 status: production
diff --git a/detections/endpoint/windows_process_injection_into_notepad.yml b/detections/endpoint/windows_process_injection_into_notepad.yml
index 17a4631184..e84f46ba9e 100644
--- a/detections/endpoint/windows_process_injection_into_notepad.yml
+++ b/detections/endpoint/windows_process_injection_into_notepad.yml
@@ -1,7 +1,7 @@
 name: Windows Process Injection into Notepad
 id: b8340d0f-ba48-4391-bea7-9e793c5aae36
-version: 8
-date: '2025-04-16'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 type: Anomaly
 status: production
diff --git a/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml b/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml
index b7d84afb5d..67732c37f6 100644
--- a/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml
+++ b/detections/endpoint/windows_process_injection_of_wermgr_to_known_browser.yml
@@ -1,7 +1,7 @@
 name: Windows Process Injection Of Wermgr to Known Browser
 id: aec755a5-3a2c-4be0-ab34-6540e68644e9
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_process_injection_remote_thread.yml b/detections/endpoint/windows_process_injection_remote_thread.yml
index 0fc96cd91b..28cc8dc82e 100644
--- a/detections/endpoint/windows_process_injection_remote_thread.yml
+++ b/detections/endpoint/windows_process_injection_remote_thread.yml
@@ -1,7 +1,7 @@
 name: Windows Process Injection Remote Thread
 id: 8a618ade-ca8f-4d04-b972-2d526ba59924
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_process_injection_wermgr_child_process.yml b/detections/endpoint/windows_process_injection_wermgr_child_process.yml
index adf3f7710c..03f29ba135 100644
--- a/detections/endpoint/windows_process_injection_wermgr_child_process.yml
+++ b/detections/endpoint/windows_process_injection_wermgr_child_process.yml
@@ -1,7 +1,7 @@
 name: Windows Process Injection Wermgr Child Process
 id: 360ae6b0-38b5-4328-9e2b-bc9436cddb17
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_process_injection_with_public_source_path.yml b/detections/endpoint/windows_process_injection_with_public_source_path.yml
index 221aba0834..b4c3e4ea6c 100644
--- a/detections/endpoint/windows_process_injection_with_public_source_path.yml
+++ b/detections/endpoint/windows_process_injection_with_public_source_path.yml
@@ -1,7 +1,7 @@
 name: Windows Process Injection With Public Source Path
 id: 492f09cf-5d60-4d87-99dd-0bc325532dda
-version: 8
-date: '2025-04-16'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_process_with_namedpipe_commandline.yml b/detections/endpoint/windows_process_with_namedpipe_commandline.yml
index 4f2630f753..e5069026bf 100644
--- a/detections/endpoint/windows_process_with_namedpipe_commandline.yml
+++ b/detections/endpoint/windows_process_with_namedpipe_commandline.yml
@@ -1,7 +1,7 @@
 name: Windows Process With NamedPipe CommandLine
 id: e64399d4-94a8-11ec-a9da-acde48001122
 version: 6
-date: '2025-04-24'
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml
index f9635d3604..9bf25ce3e5 100644
--- a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml
+++ b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml
@@ -1,7 +1,7 @@
 name: Windows Process With NetExec Command Line Parameters
 id: adbff89c-c1f2-4a2e-88a4-b5e645856510
-version: 6
-date: '2025-03-27'
+version: 7
+date: '2025-05-02'
 author: Steven Dick, Github Community
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml b/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml
index 3693a60cd8..ca988f5e8a 100644
--- a/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml
+++ b/detections/endpoint/windows_process_writing_file_to_world_writable_path.yml
@@ -1,7 +1,7 @@
 name: Windows Process Writing File to World Writable Path
 id: c051b68c-60f7-4022-b3ad-773bec7a225b
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source: []
 type: Hunting
diff --git a/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml b/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml
index eae5e9142c..7feb10adf2 100644
--- a/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml
+++ b/detections/endpoint/windows_processes_killed_by_industroyer2_malware.yml
@@ -1,7 +1,7 @@
 name: Windows Processes Killed By Industroyer2 Malware
 id: d8bea5ca-9d4a-4249-8b56-64a619109835
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_protocol_tunneling_with_plink.yml b/detections/endpoint/windows_protocol_tunneling_with_plink.yml
index 31a5b892bc..db766dd883 100644
--- a/detections/endpoint/windows_protocol_tunneling_with_plink.yml
+++ b/detections/endpoint/windows_protocol_tunneling_with_plink.yml
@@ -1,7 +1,7 @@
 name: Windows Protocol Tunneling with Plink
 id: 8aac5e1e-0fab-4437-af0b-c6e60af23eed
-version: 8
-date: '2024-11-13'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_proxy_via_netsh.yml b/detections/endpoint/windows_proxy_via_netsh.yml
index f732f7faea..c4bca1a5b5 100644
--- a/detections/endpoint/windows_proxy_via_netsh.yml
+++ b/detections/endpoint/windows_proxy_via_netsh.yml
@@ -1,7 +1,7 @@
 name: Windows Proxy Via Netsh
 id: c137bfe8-6036-4cff-b77b-4e327dd0a1cf
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_proxy_via_registry.yml b/detections/endpoint/windows_proxy_via_registry.yml
index 81f617119a..739940bbd2 100644
--- a/detections/endpoint/windows_proxy_via_registry.yml
+++ b/detections/endpoint/windows_proxy_via_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Proxy Via Registry
 id: 0270455b-1385-4579-9ac5-e77046c508ae
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_query_registry_browser_list_application.yml b/detections/endpoint/windows_query_registry_browser_list_application.yml
index 77d905faa0..044b5d333b 100644
--- a/detections/endpoint/windows_query_registry_browser_list_application.yml
+++ b/detections/endpoint/windows_query_registry_browser_list_application.yml
@@ -1,7 +1,7 @@
 name: Windows Query Registry Browser List Application
 id: 45ebd21c-f4bf-4ced-bd49-d25b6526cebb
 version: 7
-date: '2025-04-24'
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_query_registry_uninstall_program_list.yml b/detections/endpoint/windows_query_registry_uninstall_program_list.yml
index 7a3e64c8f2..2289f76f19 100644
--- a/detections/endpoint/windows_query_registry_uninstall_program_list.yml
+++ b/detections/endpoint/windows_query_registry_uninstall_program_list.yml
@@ -1,7 +1,7 @@
 name: Windows Query Registry UnInstall Program List
 id: 535fd4fc-7151-4062-9d7e-e896bea77bf6
-version: 5
-date: '2024-12-10'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml
index 02b297052a..ad39dc67d3 100644
--- a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml
+++ b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml
@@ -1,7 +1,7 @@
 name: Windows Raccine Scheduled Task Deletion
 id: c9f010da-57ab-11ec-82bd-acde48001122
-version: 8
-date: '2024-12-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml b/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml
index 76c8696a7b..7b57e89d13 100644
--- a/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml
+++ b/detections/endpoint/windows_rapid_authentication_on_multiple_hosts.yml
@@ -1,7 +1,7 @@
 name: Windows Rapid Authentication On Multiple Hosts
 id: 62606c77-d53d-4182-9371-b02cdbbbcef7
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_rasautou_dll_execution.yml b/detections/endpoint/windows_rasautou_dll_execution.yml
index 3424051032..bbcd9125c2 100644
--- a/detections/endpoint/windows_rasautou_dll_execution.yml
+++ b/detections/endpoint/windows_rasautou_dll_execution.yml
@@ -1,7 +1,7 @@
 name: Windows Rasautou DLL Execution
 id: 6f42b8be-8e96-11ec-ad5a-acde48001122
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml
index e75eecf66f..f56b6c8acc 100644
--- a/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml
+++ b/detections/endpoint/windows_raw_access_to_disk_volume_partition.yml
@@ -1,7 +1,7 @@
 name: Windows Raw Access To Disk Volume Partition
 id: a85aa37e-9647-11ec-90c5-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml
index fe4070e592..ba37fdb95a 100644
--- a/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml
+++ b/detections/endpoint/windows_raw_access_to_master_boot_record_drive.yml
@@ -1,7 +1,7 @@
 name: Windows Raw Access To Master Boot Record Drive
 id: 7b83f666-900c-11ec-a2d9-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_rdp_connection_successful.yml b/detections/endpoint/windows_rdp_connection_successful.yml
index 6d9f87d34c..67e5bf08d3 100644
--- a/detections/endpoint/windows_rdp_connection_successful.yml
+++ b/detections/endpoint/windows_rdp_connection_successful.yml
@@ -1,7 +1,7 @@
 name: Windows RDP Connection Successful
 id: ceaed840-56b3-4a70-b8e1-d762b1c5c08c
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_rdp_file_execution.yml b/detections/endpoint/windows_rdp_file_execution.yml
index 2b6682a1e9..aada13e19b 100644
--- a/detections/endpoint/windows_rdp_file_execution.yml
+++ b/detections/endpoint/windows_rdp_file_execution.yml
@@ -1,7 +1,7 @@
 name: Windows RDP File Execution
 id: 0b6b12b9-8ba9-48fe-b3b8-b4e3e1cd22b4
-version: 3
-date: '2025-01-21'
+version: 4
+date: '2025-05-02'
 author: Michael Haag, Splunk
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_rdpclient_connection_sequence_events.yml b/detections/endpoint/windows_rdpclient_connection_sequence_events.yml
index f50b20c891..816d2a935e 100644
--- a/detections/endpoint/windows_rdpclient_connection_sequence_events.yml
+++ b/detections/endpoint/windows_rdpclient_connection_sequence_events.yml
@@ -1,7 +1,7 @@
 name: Windows RDPClient Connection Sequence Events
 id: 67340df1-3f1d-4470-93c8-9ac7249d11b0
-version: 2
-date: '2025-01-21'
+version: 3
+date: '2025-05-02'
 author: Michael Haag, Splunk
 type: Anomaly
 status: production
diff --git a/detections/endpoint/windows_registry_bootexecute_modification.yml b/detections/endpoint/windows_registry_bootexecute_modification.yml
index fd878a408f..2f51562867 100644
--- a/detections/endpoint/windows_registry_bootexecute_modification.yml
+++ b/detections/endpoint/windows_registry_bootexecute_modification.yml
@@ -1,7 +1,7 @@
 name: Windows Registry BootExecute Modification
 id: eabbac3a-45aa-4659-920f-6b8cff383fb8
-version: 8
-date: '2024-12-16'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_registry_certificate_added.yml b/detections/endpoint/windows_registry_certificate_added.yml
index 7ebd73e3d9..0330f2d301 100644
--- a/detections/endpoint/windows_registry_certificate_added.yml
+++ b/detections/endpoint/windows_registry_certificate_added.yml
@@ -1,7 +1,7 @@
 name: Windows Registry Certificate Added
 id: 5ee98b2f-8b9e-457a-8bdc-dd41aaba9e87
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Teodeerick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_registry_delete_task_sd.yml b/detections/endpoint/windows_registry_delete_task_sd.yml
index 4a5318042e..9744ba2424 100644
--- a/detections/endpoint/windows_registry_delete_task_sd.yml
+++ b/detections/endpoint/windows_registry_delete_task_sd.yml
@@ -1,7 +1,7 @@
 name: Windows Registry Delete Task SD
 id: ffeb7893-ff06-446f-815b-33ca73224e92
-version: 7
-date: '2025-01-21'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml b/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml
index 7a12993b89..54b9bca399 100644
--- a/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml
+++ b/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml
@@ -1,7 +1,7 @@
 name: Windows Registry Dotnet ETW Disabled Via ENV Variable
 id: 55502381-5cce-491b-9277-7cb1d10bc0df
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_registry_entries_exported_via_reg.yml b/detections/endpoint/windows_registry_entries_exported_via_reg.yml
index fac417f476..9c17c1602b 100644
--- a/detections/endpoint/windows_registry_entries_exported_via_reg.yml
+++ b/detections/endpoint/windows_registry_entries_exported_via_reg.yml
@@ -1,7 +1,7 @@
 name: Windows Registry Entries Exported Via Reg
 id: 466379bc-0f47-476c-8202-16ef38112e0d
-version: 2
-date: '2025-01-15'
+version: 3
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_registry_entries_restored_via_reg.yml b/detections/endpoint/windows_registry_entries_restored_via_reg.yml
index 823f030c79..232a82c169 100644
--- a/detections/endpoint/windows_registry_entries_restored_via_reg.yml
+++ b/detections/endpoint/windows_registry_entries_restored_via_reg.yml
@@ -1,7 +1,7 @@
 name: Windows Registry Entries Restored Via Reg
 id: a17af481-e2ad-494c-9da6-afb4d243a019
-version: 2
-date: '2025-01-14'
+version: 3
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml
index 589c93ded5..47f091e8f4 100644
--- a/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml
+++ b/detections/endpoint/windows_registry_modification_for_safe_mode_persistence.yml
@@ -1,7 +1,7 @@
 name: Windows Registry Modification for Safe Mode Persistence
 id: c6149154-c9d8-11eb-9da7-acde48001122
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_registry_payload_injection.yml b/detections/endpoint/windows_registry_payload_injection.yml
index 4a2434a175..a012bbd88c 100644
--- a/detections/endpoint/windows_registry_payload_injection.yml
+++ b/detections/endpoint/windows_registry_payload_injection.yml
@@ -1,7 +1,7 @@
 name: Windows Registry Payload Injection
 id: c6b2d80f-179a-41a1-b95e-ce5601d7427a
-version: 7
-date: '2025-04-15'
+version: 8
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_registry_sip_provider_modification.yml b/detections/endpoint/windows_registry_sip_provider_modification.yml
index 2215edb719..f5d17bca4d 100644
--- a/detections/endpoint/windows_registry_sip_provider_modification.yml
+++ b/detections/endpoint/windows_registry_sip_provider_modification.yml
@@ -1,7 +1,7 @@
 name: Windows Registry SIP Provider Modification
 id: 3b4e18cb-497f-4073-85ad-1ada7c2107ab
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_regsvr32_renamed_binary.yml b/detections/endpoint/windows_regsvr32_renamed_binary.yml
index d3467ad576..3ce43943eb 100644
--- a/detections/endpoint/windows_regsvr32_renamed_binary.yml
+++ b/detections/endpoint/windows_regsvr32_renamed_binary.yml
@@ -1,7 +1,7 @@
 name: Windows Regsvr32 Renamed Binary
 id: 7349a9e9-3cf6-4171-bb0c-75607a8dcd1a
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml b/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml
index 1e236b2f62..586ed8859f 100644
--- a/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml
+++ b/detections/endpoint/windows_remote_access_software_brc4_loaded_dll.yml
@@ -1,7 +1,7 @@
 name: Windows Remote Access Software BRC4 Loaded Dll
 id: 73cf5dcb-cf36-4167-8bbe-384fe5384d05
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_remote_access_software_rms_registry.yml b/detections/endpoint/windows_remote_access_software_rms_registry.yml
index d9f3500a0e..cec020a736 100644
--- a/detections/endpoint/windows_remote_access_software_rms_registry.yml
+++ b/detections/endpoint/windows_remote_access_software_rms_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Remote Access Software RMS Registry
 id: e5b7b5a9-e471-4be8-8c5d-4083983ba329
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_remote_assistance_spawning_process.yml b/detections/endpoint/windows_remote_assistance_spawning_process.yml
index 857d331384..571a0289bc 100644
--- a/detections/endpoint/windows_remote_assistance_spawning_process.yml
+++ b/detections/endpoint/windows_remote_assistance_spawning_process.yml
@@ -1,7 +1,7 @@
 name: Windows Remote Assistance Spawning Process
 id: ced50492-8849-11ec-9f68-acde48001122
-version: 8
-date: '2024-12-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_remote_create_service.yml b/detections/endpoint/windows_remote_create_service.yml
index 36d6a9e737..be43dffe24 100644
--- a/detections/endpoint/windows_remote_create_service.yml
+++ b/detections/endpoint/windows_remote_create_service.yml
@@ -1,7 +1,7 @@
 name: Windows Remote Create Service
 id: 0dc44d03-8c00-482d-ba7c-796ba7ab18c9
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_remote_host_computer_management_access.yml b/detections/endpoint/windows_remote_host_computer_management_access.yml
index 72fb3a50a3..183600a92c 100644
--- a/detections/endpoint/windows_remote_host_computer_management_access.yml
+++ b/detections/endpoint/windows_remote_host_computer_management_access.yml
@@ -1,7 +1,7 @@
 name: Windows Remote Host Computer Management Access
 id: 455da527-0047-4610-a3ca-b4a005c2d346
-version: 1
-date: '2025-03-17'
+version: 2
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_remote_management_execute_shell.yml b/detections/endpoint/windows_remote_management_execute_shell.yml
index dc6c3e148e..34eed55262 100644
--- a/detections/endpoint/windows_remote_management_execute_shell.yml
+++ b/detections/endpoint/windows_remote_management_execute_shell.yml
@@ -1,7 +1,7 @@
 name: Windows Remote Management Execute Shell
 id: 28b80028-851d-4b8d-88a5-375ba115418a
-version: 2
-date: '2024-12-12'
+version: 3
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 1
diff --git a/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml b/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml
index bd26f500e7..90fb92d47f 100644
--- a/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml
+++ b/detections/endpoint/windows_remote_service_rdpwinst_tool_execution.yml
@@ -1,7 +1,7 @@
 name: Windows Remote Service Rdpwinst Tool Execution
 id: c8127f87-c7c9-4036-89ed-8fe4b30e678c
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml
index d4f8abb91e..b45be32e6f 100644
--- a/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml
+++ b/detections/endpoint/windows_remote_services_allow_rdp_in_firewall.yml
@@ -1,7 +1,7 @@
 name: Windows Remote Services Allow Rdp In Firewall
 id: 9170cb54-ea15-41e1-9dfc-9f3363ce9b02
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml
index eadd104d3a..52d4cefb5f 100644
--- a/detections/endpoint/windows_remote_services_allow_remote_assistance.yml
+++ b/detections/endpoint/windows_remote_services_allow_remote_assistance.yml
@@ -1,7 +1,7 @@
 name: Windows Remote Services Allow Remote Assistance
 id: 9bce3a97-bc97-4e89-a1aa-ead151c82fbb
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_remote_services_rdp_enable.yml b/detections/endpoint/windows_remote_services_rdp_enable.yml
index 536c46670e..f296c25800 100644
--- a/detections/endpoint/windows_remote_services_rdp_enable.yml
+++ b/detections/endpoint/windows_remote_services_rdp_enable.yml
@@ -1,7 +1,7 @@
 name: Windows Remote Services Rdp Enable
 id: 8fbd2e88-4ea5-40b9-9217-fd0855e08cc0
-version: '6'
-date: '2025-03-14'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_replication_through_removable_media.yml b/detections/endpoint/windows_replication_through_removable_media.yml
index 9661ee7e63..d009f870bd 100644
--- a/detections/endpoint/windows_replication_through_removable_media.yml
+++ b/detections/endpoint/windows_replication_through_removable_media.yml
@@ -1,7 +1,7 @@
 name: Windows Replication Through Removable Media
 id: 60df805d-4605-41c8-bbba-57baa6a4eb97
-version: 9
-date: '2025-03-27'
+version: 10
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_root_domain_linked_policies_discovery.yml b/detections/endpoint/windows_root_domain_linked_policies_discovery.yml
index 897a9f0df7..a036a9a9da 100644
--- a/detections/endpoint/windows_root_domain_linked_policies_discovery.yml
+++ b/detections/endpoint/windows_root_domain_linked_policies_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows Root Domain linked policies Discovery
 id: 80ffaede-1f12-49d5-a86e-b4b599b68b3c
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml b/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml
index 0ea69a1e87..9dfa97ace7 100644
--- a/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml
+++ b/detections/endpoint/windows_rundll32_apply_user_settings_changes.yml
@@ -1,7 +1,7 @@
 name: Windows Rundll32 Apply User Settings Changes
 id: b9fb8d97-dbc9-4a09-804c-ff0e3862bb2d
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_rundll32_webdav_request.yml b/detections/endpoint/windows_rundll32_webdav_request.yml
index 20aae0c3d0..7201e3f800 100644
--- a/detections/endpoint/windows_rundll32_webdav_request.yml
+++ b/detections/endpoint/windows_rundll32_webdav_request.yml
@@ -1,7 +1,7 @@
 name: Windows Rundll32 WebDAV Request
 id: 320099b7-7eb1-4153-a2b4-decb53267de2
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml b/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml
index 8ef7992823..6bda115d21 100644
--- a/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml
+++ b/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml
@@ -1,7 +1,7 @@
 name: Windows Rundll32 WebDav With Network Connection
 id: f03355e0-28b5-4e9b-815a-6adffc63b38c
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 type: TTP
 status: experimental
diff --git a/detections/endpoint/windows_runmru_command_execution.yml b/detections/endpoint/windows_runmru_command_execution.yml
index 1f8c6fc811..9c537a7773 100644
--- a/detections/endpoint/windows_runmru_command_execution.yml
+++ b/detections/endpoint/windows_runmru_command_execution.yml
@@ -1,7 +1,7 @@
 name: Windows RunMRU Command Execution
 id: a15aa1ab-2b79-467f-8201-65e0f32d5b1a
-version: 5
-date: '2025-04-10'
+version: 6
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Michael Haag, Splunk
 data_source:
 - Sysmon EventID 12
diff --git a/detections/endpoint/windows_scheduled_task_created_via_xml.yml b/detections/endpoint/windows_scheduled_task_created_via_xml.yml
index bd0e0060ff..5aedb96873 100644
--- a/detections/endpoint/windows_scheduled_task_created_via_xml.yml
+++ b/detections/endpoint/windows_scheduled_task_created_via_xml.yml
@@ -1,7 +1,7 @@
 name: Windows Scheduled Task Created Via XML
 id: 7e03b682-3965-4598-8e91-a60a40a3f7e4
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml b/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml
index 248aa193a6..253c5f7c23 100644
--- a/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml
+++ b/detections/endpoint/windows_scheduled_task_dll_module_loaded.yml
@@ -1,7 +1,7 @@
 name: Windows Scheduled Task DLL Module Loaded
 id: bc5b2304-f241-419b-874a-e927f667b7b6
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 7
diff --git a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml
index fcc756b03f..d13687fde9 100644
--- a/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml
+++ b/detections/endpoint/windows_scheduled_task_service_spawned_shell.yml
@@ -1,7 +1,7 @@
 name: Windows Scheduled Task Service Spawned Shell
 id: d8120352-3b62-4e3c-8cb6-7b47584dd5e8
-version: 6
-date: '2025-02-19'
+version: 7
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml
index 2ea3c9f444..e59a403a80 100644
--- a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml
+++ b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml
@@ -1,7 +1,7 @@
 name: Windows Scheduled Task with Highest Privileges
 id: 2f15e1a4-0fc2-49dd-919e-cbbe60699218
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml b/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml
index b8ed1bb96b..fd443f4714 100644
--- a/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml
+++ b/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml
@@ -1,76 +1,76 @@
-name: Windows Scheduled Task with Suspicious Command
-id: 1f44c126-c26a-4dd3-83bb-0f9a0f03ecc3
-version: 2
-date: '2025-03-24'
-author: Steven Dick
-status: production
-type: TTP
-description: The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript or from public folders such as Users, Temp, or ProgramData. It leverages Windows Security EventCode 4698, 4700, and 4702 to identify when such tasks are registered, enabled, or modified. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment.
-data_source:
-- Windows Event Log Security 4698
-- Windows Event Log Security 4700
-- Windows Event Log Security 4702
-search: |-
- `wineventlog_security` EventCode IN (4698,4700,4702)
- | eval TaskContent = case(isnotnull(TaskContentNew),TaskContentNew,true(),TaskContent)
- | xmlkv TaskContent
- | stats count min(_time) as firstTime max(_time) as lastTime latest(Arguments) as Arguments latest(Author) as Author by Computer, Caller_User_Name, TaskName, Command, Enabled, Hidden, EventCode
- | lookup windows_suspicious_tasks task_command as Command
- | where tool == "shell command use" OR tool == "suspicious paths"
- | eval command=TaskName, process=Command+if(isnotnull(Arguments)," ".Arguments,""), src_user=Author, user = Caller_User_Name, dest = Computer, signature_id = EventCode
- | `security_content_ctime(firstTime)`
- | `security_content_ctime(lastTime)`
- | `windows_scheduled_task_with_suspicious_command_filter`
-how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.
-known_false_positives: False positives are possible if legitimate applications are allowed to register tasks that call a shell to be spawned. Filter as needed based on command-line or processes that are used legitimately. Windows Defender, Google Chrome, and MS Edge updates may trigger this detection.
-references:
-- https://attack.mitre.org/techniques/T1053/005/
-- https://www.ic3.gov/CSA/2023/231213.pdf
-- https://news.sophos.com/en-us/2024/11/06/bengal-cat-lovers-in-australia-get-psspsspssd-in-google-driven-gootloader-campaign/
-- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_tasks_list.csv
-drilldown_searches:
-- name: View the detection results for - "$dest$" and "$user$"
- search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$dest$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-- name: Investigate schedule tasks on $dest$
- search: '`wineventlog_security` EventCode IN (4698,4700,4702) Computer="$dest$" Caller_User_Name="$user$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-rba:
- message: A suspicious windows scheduled task named [$TaskName$] was detected on $dest$, this may be an indicator of [$tool$]
- risk_objects:
- - field: dest
- type: system
- score: 70
- - field: user
- type: user
- score: 70
- threat_objects:
- - field: 
Command
- type: signature
-tags:
- analytic_story:
- - Scheduled Tasks
- - Windows Persistence Techniques
- - Ransomware
- - Ryuk Ransomware
- - Seashell Blizzard
- asset_type: Endpoint
- mitre_attack_id:
- - T1053.005
- product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
- security_domain: endpoint
-tests:
-- name: True Positive Test
- attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_scheduled_task_created_to_spawn_shell/windows-xml.log
- source: XmlWinEventLog:Security
- sourcetype: XmlWinEventLog
+name: Windows Scheduled Task with Suspicious Command
+id: 1f44c126-c26a-4dd3-83bb-0f9a0f03ecc3
+version: 3
+date: '2025-05-02'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic detects the creation of scheduled tasks designed to execute commands using native Windows shells like PowerShell, Cmd, Wscript, or Cscript or from public folders such as Users, Temp, or ProgramData. It leverages Windows Security EventCode 4698, 4700, and 4702 to identify when such tasks are registered, enabled, or modified. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment.
+data_source:
+- Windows Event Log Security 4698
+- Windows Event Log Security 4700
+- Windows Event Log Security 4702
+search: |-
+ `wineventlog_security` EventCode IN (4698,4700,4702)
+ | eval TaskContent = case(isnotnull(TaskContentNew),TaskContentNew,true(),TaskContent)
+ | xmlkv TaskContent
+ | stats count min(_time) as firstTime max(_time) as lastTime latest(Arguments) as Arguments latest(Author) as Author by Computer, Caller_User_Name, TaskName, Command, Enabled, Hidden, EventCode
+ | lookup windows_suspicious_tasks task_command as Command
+ | where tool == "shell command use" OR tool == "suspicious paths"
+ | eval command=TaskName, process=Command+if(isnotnull(Arguments)," ".Arguments,""), src_user=Author, user = Caller_User_Name, dest = Computer, signature_id = EventCode
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `windows_scheduled_task_with_suspicious_command_filter`
+how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.
+known_false_positives: False positives are possible if legitimate applications are allowed to register tasks that call a shell to be spawned. Filter as needed based on command-line or processes that are used legitimately. Windows Defender, Google Chrome, and MS Edge updates may trigger this detection.
+references:
+- https://attack.mitre.org/techniques/T1053/005/
+- https://www.ic3.gov/CSA/2023/231213.pdf
+- https://news.sophos.com/en-us/2024/11/06/bengal-cat-lovers-in-australia-get-psspsspssd-in-google-driven-gootloader-campaign/
+- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_tasks_list.csv
+drilldown_searches:
+- name: View the detection results for - "$dest$" and "$user$"
+ search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$" and "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: Investigate schedule tasks on $dest$
+ search: '`wineventlog_security` EventCode IN (4698,4700,4702) Computer="$dest$" Caller_User_Name="$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: A suspicious windows scheduled task named [$TaskName$] was detected on $dest$, this may be an indicator of [$tool$]
+ risk_objects:
+ - field: dest
+ type: system
+ score: 70
+ - field: user
+ type: user
+ score: 70
+ threat_objects:
+ - field: Command
+ type: signature
+tags:
+ analytic_story:
+ - Scheduled Tasks
+ - Windows Persistence Techniques
+ - Ransomware
+ - Ryuk Ransomware
+ - Seashell Blizzard
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1053.005
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ 
security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_scheduled_task_created_to_spawn_shell/windows-xml.log
+ source: XmlWinEventLog:Security
+ sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_scheduled_task_with_suspicious_name.yml b/detections/endpoint/windows_scheduled_task_with_suspicious_name.yml
index 9c039ab87b..679187b07c 100644
--- a/detections/endpoint/windows_scheduled_task_with_suspicious_name.yml
+++ b/detections/endpoint/windows_scheduled_task_with_suspicious_name.yml
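Review bot: `how_to_implement` on the new side still tells the operator to enable only `4698 EventCode`, while `data_source`, the `EventCode IN (4698,4700,4702)` search and the description all rely on 4700 (task enabled) and 4702 (task updated) as well, so an environment configured from this text would miss the enable/modify cases the analytic advertises. Suggest `how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with EventCodes 4698, 4700 and 4702 enabled (scheduled task created, enabled and updated). The Windows TA is also required.` Separately, the hunk removes and re-adds all 76 lines with content identical apart from `version` and `date`, which looks like a line-ending or trailing-whitespace normalization rather than a content change; if that is the case, it is worth confirming the file now carries the repository's expected line endings so future diffs stay minimal.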
@@ -1,75 +1,75 @@ -name: Windows Scheduled Task with Suspicious Name -id: 9e9ab4e3-c9d0-4967-a197-6d755e8a7e6e -version: 1 -date: '2025-02-07' -author: Steven Dick -status: production -type: TTP -description: The following analytic detects the creation, modification, or enabling of scheduled tasks with known suspicious or malicious task names. It leverages Windows Security EventCode 4698, 4700, and 4702 to identify when such tasks are registered, modified, or enabled. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment. -data_source: -- Windows Event Log Security 4698 -- Windows Event Log Security 4700 -- Windows Event Log Security 4702 -search: |- - `wineventlog_security` EventCode IN (4698,4700,4702) - | eval TaskContent = case(isnotnull(TaskContentNew),TaskContentNew,true(),TaskContent) - | xmlkv TaskContent - | stats count min(_time) as firstTime max(_time) as lastTime latest(Arguments) as Arguments latest(Author) as Author by Computer, TaskName, Command, Enabled, Hidden,Caller_User_Name, EventCode - | lookup windows_suspicious_tasks task_name as TaskName - | where isnotnull(tool_type) - | eval command=TaskName, process=Command+if(isnotnull(Arguments)," ".Arguments,""), src_user=Author, user = Caller_User_Name, dest = Computer - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_scheduled_task_with_suspicious_name_filter` -how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. -known_false_positives: False positives are possible if legitimate applications are allowed to register tasks that call a shell to be spawned. 
Filter as needed based on command-line or processes that are used legitimately. -references: -- https://attack.mitre.org/techniques/T1053/005/ -- https://www.ic3.gov/CSA/2023/231213.pdf -- https://news.sophos.com/en-us/2024/11/06/bengal-cat-lovers-in-australia-get-psspsspssd-in-google-driven-gootloader-campaign/ -- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_tasks_list.csv -drilldown_searches: -- name: View the detection results for - "$dest$" and "$user$" - search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$dest$" and "$user$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: Investigate schedule tasks on $dest$ - search: '`wineventlog_security` EventCode IN (4698,4700,4702) | xmlkv TaskContent | search dest="$dest$" AND TaskName = "$TaskName$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: A windows scheduled task was created with known suspicious task name [$TaskName$] on $dest$, this may be a [$tool$] indicator - risk_objects: - - field: dest - type: system - score: 70 - - field: user - type: user - score: 70 - threat_objects: - - field: Command - type: signature -tags: - analytic_story: - - Scheduled Tasks - - Windows Persistence Techniques - - Ransomware - - Ryuk Ransomware - asset_type: Endpoint - mitre_attack_id: - - 
T1053.005 - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - security_domain: endpoint -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/windows-xml.log - source: XmlWinEventLog:Security - sourcetype: XmlWinEventLog +name: Windows Scheduled Task with Suspicious Name +id: 9e9ab4e3-c9d0-4967-a197-6d755e8a7e6e +version: 2 +date: '2025-05-02' +author: Steven Dick +status: production +type: TTP +description: The following analytic detects the creation, modification, or enabling of scheduled tasks with known suspicious or malicious task names. It leverages Windows Security EventCode 4698, 4700, and 4702 to identify when such tasks are registered, modified, or enabled. This activity is significant as it may indicate an attempt to establish persistence or execute malicious commands on a system. If confirmed malicious, this could allow an attacker to maintain access, execute arbitrary code, or escalate privileges, posing a severe threat to the environment. 
+data_source: +- Windows Event Log Security 4698 +- Windows Event Log Security 4700 +- Windows Event Log Security 4702 +search: |- + `wineventlog_security` EventCode IN (4698,4700,4702) + | eval TaskContent = case(isnotnull(TaskContentNew),TaskContentNew,true(),TaskContent) + | xmlkv TaskContent + | stats count min(_time) as firstTime max(_time) as lastTime latest(Arguments) as Arguments latest(Author) as Author by Computer, TaskName, Command, Enabled, Hidden,Caller_User_Name, EventCode + | lookup windows_suspicious_tasks task_name as TaskName + | where isnotnull(tool_type) + | eval command=TaskName, process=Command+if(isnotnull(Arguments)," ".Arguments,""), src_user=Author, user = Caller_User_Name, dest = Computer + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_scheduled_task_with_suspicious_name_filter` +how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. +known_false_positives: False positives are possible if legitimate applications are allowed to register tasks that call a shell to be spawned. Filter as needed based on command-line or processes that are used legitimately. 
+references: +- https://attack.mitre.org/techniques/T1053/005/ +- https://www.ic3.gov/CSA/2023/231213.pdf +- https://news.sophos.com/en-us/2024/11/06/bengal-cat-lovers-in-australia-get-psspsspssd-in-google-driven-gootloader-campaign/ +- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_tasks_list.csv +drilldown_searches: +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate schedule tasks on $dest$ + search: '`wineventlog_security` EventCode IN (4698,4700,4702) | xmlkv TaskContent | search dest="$dest$" AND TaskName = "$TaskName$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A windows scheduled task was created with known suspicious task name [$TaskName$] on $dest$, this may be a [$tool$] indicator + risk_objects: + - field: dest + type: system + score: 70 + - field: user + type: user + score: 70 + threat_objects: + - field: Command + type: signature +tags: + analytic_story: + - Scheduled Tasks + - Windows Persistence Techniques + - Ransomware + - Ryuk Ransomware + asset_type: Endpoint + mitre_attack_id: + - T1053.005 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - 
Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_scheduled_task_with_suspect_name/windows-xml.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml b/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml index 9ed57c80d7..222e912e89 100644 --- a/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml +++ b/detections/endpoint/windows_scheduled_tasks_for_compmgmtlauncher_or_eventvwr.yml @@ -1,7 +1,7 @@ name: Windows Scheduled Tasks for CompMgmtLauncher or Eventvwr id: feb43b86-8c38-46cd-865e-20ce8a96c26c -version: 6 -date: '2025-04-22' +version: 7 +date: '2025-05-02' author: Teoderick Contreras, Splunk data_source: - Windows Event Log Security 4698 diff --git a/detections/endpoint/windows_schtasks_create_run_as_system.yml b/detections/endpoint/windows_schtasks_create_run_as_system.yml index 6686c18dd1..59fe9d2a76 100644 --- a/detections/endpoint/windows_schtasks_create_run_as_system.yml +++ b/detections/endpoint/windows_schtasks_create_run_as_system.yml @@ -1,7 +1,7 @@ name: Windows Schtasks Create Run As System id: 41a0e58e-884c-11ec-9976-acde48001122 -version: '7' -date: '2025-03-14' +version: 8 +date: '2025-05-02' author: Michael Haag, Splunk status: production type: TTP diff --git a/detections/endpoint/windows_scmanager_security_descriptor_tampering_via_sc_exe.yml b/detections/endpoint/windows_scmanager_security_descriptor_tampering_via_sc_exe.yml index 4868593dea..2f83575eb0 100644 --- a/detections/endpoint/windows_scmanager_security_descriptor_tampering_via_sc_exe.yml +++ b/detections/endpoint/windows_scmanager_security_descriptor_tampering_via_sc_exe.yml 
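Review bot: The third drilldown, `Investigate schedule tasks on $dest$`, filters `dest="$dest$"` against raw `wineventlog_security` events, but those events carry `Computer` — the detection itself only derives `dest` through `eval ... dest = Computer` — and it also skips the `TaskContentNew` fallback the main search applies before `xmlkv`, so for 4702 modification events the `TaskName` filter is likely to match nothing. Unless `dest` is aliased at index time, the drilldown should mirror the detection: replace `dest="$dest$"` with `Computer="$dest$"` and insert `| eval TaskContent = case(isnotnull(TaskContentNew),TaskContentNew,true(),TaskContent)` ahead of `| xmlkv TaskContent`; the same `dest`-versus-`Computer` mismatch is in the service drilldown of windows_service_created_with_suspicious_service_name.yml later in this diff. Two documentation fields also lag the search: `how_to_implement` names only EventCode 4698 while the search requires 4698, 4700 and 4702, and `known_false_positives` describes tasks that spawn a shell, which reads as the text of the sibling spawn-shell detection rather than this lookup-by-name one. Apart from `version` and `date` the new side appears identical to the old, so the whole-file rewrite is presumably a whitespace or line-ending change.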
@@ -1,7 +1,7 @@ name: Windows ScManager Security Descriptor Tampering Via Sc.EXE id: 04023928-0381-4935-82cb-03372b2ef644 -version: 3 -date: '2025-01-07' +version: 4 +date: '2025-05-02' author: Nasreddine Bencherchali, Michael Haag, Splunk status: production type: TTP diff --git a/detections/endpoint/windows_screen_capture_in_temp_folder.yml b/detections/endpoint/windows_screen_capture_in_temp_folder.yml index 98f6cad25b..74130fb62a 100644 --- a/detections/endpoint/windows_screen_capture_in_temp_folder.yml +++ b/detections/endpoint/windows_screen_capture_in_temp_folder.yml @@ -1,7 +1,7 @@ name: Windows Screen Capture in TEMP folder id: 00524d1f-a032-46f5-9108-e7d9f01bfb3c -version: 4 -date: '2025-02-17' +version: 5 +date: '2025-05-02' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 11 diff --git a/detections/endpoint/windows_screen_capture_via_powershell.yml b/detections/endpoint/windows_screen_capture_via_powershell.yml index b95bc42c46..e59338cfa3 100644 --- a/detections/endpoint/windows_screen_capture_via_powershell.yml +++ b/detections/endpoint/windows_screen_capture_via_powershell.yml @@ -1,7 +1,7 @@ name: Windows Screen Capture Via Powershell id: 5e0b1936-8f99-4399-8ee2-9edc5b32e170 -version: 6 -date: '2025-04-22' +version: 7 +date: '2025-05-02' author: Teoderick Contreras, Splunk status: production type: TTP diff --git a/detections/endpoint/windows_security_account_manager_stopped.yml b/detections/endpoint/windows_security_account_manager_stopped.yml index a9ef035370..b1cd77742b 100644 --- a/detections/endpoint/windows_security_account_manager_stopped.yml +++ b/detections/endpoint/windows_security_account_manager_stopped.yml @@ -1,7 +1,7 @@ name: Windows Security Account Manager Stopped id: 69c12d59-d951-431e-ab77-ec426b8d65e6 -version: 7 -date: '2024-12-10' +version: 8 +date: '2025-05-02' author: Rod Soto, Jose Hernandez, Splunk status: production type: TTP 
diff --git a/detections/endpoint/windows_security_and_backup_services_stop.yml b/detections/endpoint/windows_security_and_backup_services_stop.yml index 45b5ea65c1..b9edc6845f 100644 --- a/detections/endpoint/windows_security_and_backup_services_stop.yml +++ b/detections/endpoint/windows_security_and_backup_services_stop.yml @@ -1,7 +1,7 @@ name: Windows Security And Backup Services Stop id: 9c24aef6-cad9-4931-acce-74318aa5663b -version: 2 -date: '2025-04-01' +version: 3 +date: '2025-05-02' author: Teoderick Contreras, Splunk status: production type: TTP diff --git a/detections/endpoint/windows_security_support_provider_reg_query.yml b/detections/endpoint/windows_security_support_provider_reg_query.yml index 0f0fb69923..e484680f8f 100644 --- a/detections/endpoint/windows_security_support_provider_reg_query.yml +++ b/detections/endpoint/windows_security_support_provider_reg_query.yml @@ -1,7 +1,7 @@ name: Windows Security Support Provider Reg Query id: 31302468-93c9-4eca-9ae3-2d41f53a4e2b -version: 6 -date: '2025-02-10' +version: 7 +date: '2025-05-02' author: Teoderick Contreras, Splunk status: production type: Anomaly diff --git a/detections/endpoint/windows_sensitive_group_discovery_with_net.yml b/detections/endpoint/windows_sensitive_group_discovery_with_net.yml index 52141dd191..381501d743 100644 --- a/detections/endpoint/windows_sensitive_group_discovery_with_net.yml +++ b/detections/endpoint/windows_sensitive_group_discovery_with_net.yml @@ -1,7 +1,7 @@ name: Windows Sensitive Group Discovery With Net id: d9eb7cda-5622-4722-bc88-7f2442f4b5af -version: 3 -date: '2025-02-10' +version: 4 +date: '2025-05-02' author: Mauricio Velazco, Splunk status: production type: Anomaly diff --git a/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml index 402c3dfe51..a511beb77c 100644 --- a/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml 
+++ b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml @@ -1,7 +1,7 @@ name: Windows Sensitive Registry Hive Dump Via CommandLine id: 5aaff29d-0cce-405b-9ee8-5d06b49d045e -version: 4 -date: '2025-03-24' +version: 5 +date: '2025-05-02' author: Michael Haag, Patrick Bareiss, Nasreddine Bencherchali, Splunk status: production type: TTP diff --git a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml index c78d373060..2a5ea58abc 100644 --- a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml +++ b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml @@ -1,7 +1,7 @@ name: Windows Server Software Component GACUtil Install to GAC id: 7c025ef0-9e65-4c57-be39-1c13dbb1613e -version: 8 -date: '2025-02-10' +version: 9 +date: '2025-05-02' author: Michael Haag, Splunk status: production type: TTP diff --git a/detections/endpoint/windows_service_create_kernel_mode_driver.yml b/detections/endpoint/windows_service_create_kernel_mode_driver.yml index 3bd536a3c1..f406ba9596 100644 --- a/detections/endpoint/windows_service_create_kernel_mode_driver.yml +++ b/detections/endpoint/windows_service_create_kernel_mode_driver.yml @@ -1,7 +1,7 @@ name: Windows Service Create Kernel Mode Driver id: 0b4e3b06-1b2b-4885-b752-cf06d12a90cb -version: 6 -date: '2025-02-10' +version: 7 +date: '2025-05-02' author: Michael Haag, Splunk status: production type: TTP diff --git a/detections/endpoint/windows_service_create_remcomsvc.yml b/detections/endpoint/windows_service_create_remcomsvc.yml index 642022aaff..0c4d51c18c 100644 --- a/detections/endpoint/windows_service_create_remcomsvc.yml +++ b/detections/endpoint/windows_service_create_remcomsvc.yml 
@@ -1,7 +1,7 @@ name: Windows Service Create RemComSvc id: 0be4b5d6-c449-4084-b945-2392b519c33b -version: 5 -date: '2025-02-10' +version: 6 +date: '2025-05-02' author: Michael Haag, Splunk type: Anomaly status: production diff --git a/detections/endpoint/windows_service_create_sliverc2.yml b/detections/endpoint/windows_service_create_sliverc2.yml index d9279cedf9..ffb24121a7 100644 --- a/detections/endpoint/windows_service_create_sliverc2.yml +++ b/detections/endpoint/windows_service_create_sliverc2.yml @@ -1,7 +1,7 @@ name: Windows Service Create SliverC2 id: 89dad3ee-57ec-43dc-9044-131c4edd663f -version: 6 -date: '2025-02-10' +version: 7 +date: '2025-05-02' author: Michael Haag, Splunk type: TTP status: production diff --git a/detections/endpoint/windows_service_create_with_tscon.yml b/detections/endpoint/windows_service_create_with_tscon.yml index 360ab8bb3b..c074d15fc7 100644 --- a/detections/endpoint/windows_service_create_with_tscon.yml +++ b/detections/endpoint/windows_service_create_with_tscon.yml @@ -1,7 +1,7 @@ name: Windows Service Create with Tscon id: c13b3d74-6b63-4db5-a841-4206f0370077 -version: 9 -date: '2025-02-10' +version: 10 +date: '2025-05-02' author: Michael Haag, Splunk type: TTP status: production diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml index 7ef91be4c2..d7b3ccec41 100644 --- a/detections/endpoint/windows_service_created_with_suspicious_service_name.yml +++ b/detections/endpoint/windows_service_created_with_suspicious_service_name.yml 
@@ -1,75 +1,75 @@ -name: Windows Service Created with Suspicious Service Name -id: 35eb6d19-a497-400c-93c5-645562804b11 -version: 2 -date: '2025-03-26' -author: Steven Dick -status: production -type: Anomaly -description: The following analytic detects the creation of a Windows Service with a known suspicious or malicious name using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify these services installations. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment. -data_source: -- Windows Event Log System 7045 -search: |- - `wineventlog_system` EventCode=7045 - | stats values(ImagePath) as process, count, min(_time) as firstTime, max(_time) as lastTime values(EventCode) as signature by Computer, ServiceName, StartType, ServiceType, UserID - | eval process_name = replace(mvindex(split(process,"\\"),-1), "\"", "") - | rename Computer as dest, ServiceName as object_name, ServiceType as object_type, UserID as user_id - | lookup windows_suspicious_services service_name as object_name - | where isnotnull(tool_name) - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_service_created_with_suspicious_service_name_filter` -how_to_implement: To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. -known_false_positives: Legitimate applications may install services with uncommon services paths. 
-references: -- https://attack.mitre.org/techniques/T1569/002/ -- https://github.com/BishopFox/sliver/blob/71f94928bf36c1557ea5fbeffa161b71116f56b2/client/command/exec/psexec.go#LL61C5-L61C16 -- https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/ -- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_services_names_list.csv -drilldown_searches: -- name: View the detection results for - "$dest$"" - search: '%original_detection_search% | search dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -- name: Investigate service events on $dest$ - search: '`wineventlog_system` EventCode=7045 ServiceName = "$object_name$" dest = "$dest$"' - earliest_offset: $info_min_time$ - latest_offset: $info_max_time$ -rba: - message: A known malicious service name $object_name$ was created using $process$ on $dest$, this may indicate the presence of [$tool_name$] - risk_objects: - - field: dest - type: system - score: 75 - threat_objects: - - field: process - type: process - - field: object_name - type: signature -tags: - analytic_story: - - Active Directory Lateral Movement - - Brute Ratel C4 - - CISA AA23-347A - - Clop Ransomware - - Flax Typhoon - - PlugX - - Qakbot - - Snake Malware - asset_type: Endpoint - mitre_attack_id: 
- - T1569.002 - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - security_domain: endpoint -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/sliver_windows-system.log - source: XmlWinEventLog:System - sourcetype: XmlWinEventLog +name: Windows Service Created with Suspicious Service Name +id: 35eb6d19-a497-400c-93c5-645562804b11 +version: 3 +date: '2025-05-02' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic detects the creation of a Windows Service with a known suspicious or malicious name using Windows Event ID 7045. It leverages logs from the `wineventlog_system` to identify these services installations. This activity is significant as adversaries, including those deploying Clop ransomware, often create malicious services for lateral movement, remote code execution, persistence, and execution. If confirmed malicious, this could allow attackers to maintain persistence, execute arbitrary code, and potentially escalate privileges, posing a severe threat to the environment. 
+data_source: +- Windows Event Log System 7045 +search: |- + `wineventlog_system` EventCode=7045 + | stats values(ImagePath) as process, count, min(_time) as firstTime, max(_time) as lastTime values(EventCode) as signature by Computer, ServiceName, StartType, ServiceType, UserID + | eval process_name = replace(mvindex(split(process,"\\"),-1), "\"", "") + | rename Computer as dest, ServiceName as object_name, ServiceType as object_type, UserID as user_id + | lookup windows_suspicious_services service_name as object_name + | where isnotnull(tool_name) + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_service_created_with_suspicious_service_name_filter` +how_to_implement: To successfully implement this search, you need to be ingesting logs with the Service name, Service File Name Service Start type, and Service Type from your endpoints. +known_false_positives: Legitimate applications may install services with uncommon services paths. +references: +- https://attack.mitre.org/techniques/T1569/002/ +- https://github.com/BishopFox/sliver/blob/71f94928bf36c1557ea5fbeffa161b71116f56b2/client/command/exec/psexec.go#LL61C5-L61C16 +- https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/ +- https://github.com/mthcht/awesome-lists/blob/main/Lists/suspicious_windows_services_names_list.csv +drilldown_searches: +- name: View the detection results for - "$dest$"" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" 
values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate service events on $dest$ + search: '`wineventlog_system` EventCode=7045 ServiceName = "$object_name$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A known malicious service name $object_name$ was created using $process$ on $dest$, this may indicate the presence of [$tool_name$] + risk_objects: + - field: dest + type: system + score: 75 + threat_objects: + - field: process + type: process + - field: object_name + type: signature +tags: + analytic_story: + - Active Directory Lateral Movement + - Brute Ratel C4 + - CISA AA23-347A + - Clop Ransomware + - Flax Typhoon + - PlugX + - Qakbot + - Snake Malware + asset_type: Endpoint + mitre_attack_id: + - T1569.002 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1055/sliver/sliver_windows-system.log + source: XmlWinEventLog:System + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml index 11d6a0e95f..1e1ce48088 100644 --- a/detections/endpoint/windows_service_created_with_suspicious_service_path.yml +++ b/detections/endpoint/windows_service_created_with_suspicious_service_path.yml 
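Review bot: The first drilldown name on the new side, `View the detection results for - "$dest$""`, carries a stray trailing double quote that will be displayed verbatim in the drilldown menu; it should read `View the detection results for - "$dest$"`. `known_false_positives` speaks of services installed with uncommon service paths, whereas this analytic matches on service names through the `windows_suspicious_services` lookup, so a sentence such as `Legitimate software may register a service whose name appears in the windows_suspicious_services lookup; tune the lookup or the filter macro as needed.` would describe the actual false-positive source. Apart from `version` and `date` the new side appears identical to the old, so this whole-file rewrite is presumably a whitespace or line-ending change.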
@@ -1,7 +1,7 @@ name: Windows Service Created with Suspicious Service Path id: 429141be-8311-11eb-adb6-acde48001122 -version: '14' -date: '2025-03-19' +version: 15 +date: '2025-05-02' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: TTP diff --git a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml index d893e7cae3..e9a29da606 100644 --- a/detections/endpoint/windows_service_creation_on_remote_endpoint.yml +++ b/detections/endpoint/windows_service_creation_on_remote_endpoint.yml @@ -1,7 +1,7 @@ name: Windows Service Creation on Remote Endpoint id: e0eea4fa-4274-11ec-882b-3e22fbd008af -version: 8 -date: '2025-03-27' +version: 9 +date: '2025-05-02' author: Mauricio Velazco, Splunk status: production type: TTP diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml index f3eacbc039..c1f2466404 100644 --- a/detections/endpoint/windows_service_creation_using_registry_entry.yml +++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml @@ -1,7 +1,7 @@ name: Windows Service Creation Using Registry Entry id: 25212358-948e-11ec-ad47-acde48001122 -version: 14 -date: '2025-03-27' +version: 15 +date: '2025-05-02' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly diff --git a/detections/endpoint/windows_service_deletion_in_registry.yml b/detections/endpoint/windows_service_deletion_in_registry.yml index 20d54693e8..29351e4989 100644 --- a/detections/endpoint/windows_service_deletion_in_registry.yml +++ b/detections/endpoint/windows_service_deletion_in_registry.yml @@ -1,7 +1,7 @@ name: Windows Service Deletion In Registry id: daed6823-b51c-4843-a6ad-169708f1323e -version: 6 -date: '2024-11-13' +version: 7 +date: '2025-05-02' author: Teoderick Contreras, Splunk status: production type: Anomaly 
diff --git a/detections/endpoint/windows_service_execution_remcom.yml b/detections/endpoint/windows_service_execution_remcom.yml index 7ab8fc5706..c7adfb89de 100644 --- a/detections/endpoint/windows_service_execution_remcom.yml +++ b/detections/endpoint/windows_service_execution_remcom.yml @@ -1,7 +1,7 @@ name: Windows Service Execution RemCom id: 7e3d68db-ea4d-419b-adbd-e14a525ecf09 -version: 4 -date: '2025-01-07' +version: 5 +date: '2025-05-02' author: Michael Haag, Splunk type: TTP status: production diff --git a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml index 310fc2fbfb..9b341a0643 100644 --- a/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml +++ b/detections/endpoint/windows_service_initiation_on_remote_endpoint.yml @@ -1,7 +1,7 @@ name: Windows Service Initiation on Remote Endpoint id: 3f519894-4276-11ec-ab02-3e22fbd008af -version: 7 -date: '2025-02-10' +version: 8 +date: '2025-05-02' author: Mauricio Velazco, Splunk status: production type: TTP diff --git a/detections/endpoint/windows_service_stop_attempt.yml b/detections/endpoint/windows_service_stop_attempt.yml index c4d746770f..e3aa1ab1a9 100644 --- a/detections/endpoint/windows_service_stop_attempt.yml +++ b/detections/endpoint/windows_service_stop_attempt.yml @@ -1,7 +1,7 @@ name: Windows Service Stop Attempt id: dd0f07ea-f08f-4d88-96e5-cb58156e82b6 -version: 2 -date: '2025-01-13' +version: 3 +date: '2025-05-02' author: Teoderick Contreras, Splunk status: production type: Hunting diff --git a/detections/endpoint/windows_service_stop_by_deletion.yml b/detections/endpoint/windows_service_stop_by_deletion.yml index 405504e52b..5910c67f65 100644 --- a/detections/endpoint/windows_service_stop_by_deletion.yml +++ b/detections/endpoint/windows_service_stop_by_deletion.yml 
@@ -1,7 +1,7 @@
 name: Windows Service Stop By Deletion
 id: 196ff536-58d9-4d1b-9686-b176b04e430b
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_service_stop_win_updates.yml b/detections/endpoint/windows_service_stop_win_updates.yml
index c28122bc0e..1d67a3c05c 100644
--- a/detections/endpoint/windows_service_stop_win_updates.yml
+++ b/detections/endpoint/windows_service_stop_win_updates.yml
@@ -1,7 +1,7 @@
 name: Windows Service Stop Win Updates
 id: 0dc25c24-6fcf-456f-b08b-dd55a183e4de
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_set_account_password_policy_to_unlimited_via_net.yml b/detections/endpoint/windows_set_account_password_policy_to_unlimited_via_net.yml
index c3c49353a0..5954408df5 100644
--- a/detections/endpoint/windows_set_account_password_policy_to_unlimited_via_net.yml
+++ b/detections/endpoint/windows_set_account_password_policy_to_unlimited_via_net.yml
@@ -1,7 +1,7 @@
 name: Windows Set Account Password Policy To Unlimited Via Net
 id: 11f93009-8083-43fd-82a7-821fcbdc8342
-version: 2
-date: '2025-01-13'
+version: 3
+date: '2025-05-02'
 author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_shell_process_from_crushftp.yml b/detections/endpoint/windows_shell_process_from_crushftp.yml
index b88a289397..14dbed6d85 100644
--- a/detections/endpoint/windows_shell_process_from_crushftp.yml
+++ b/detections/endpoint/windows_shell_process_from_crushftp.yml
@@ -1,7 +1,7 @@
 name: Windows Shell Process from CrushFTP
 id: 459628e3-1b00-4e9b-9e5b-7da8961aea35
-version: 1
-date: '2025-04-03'
+version: 2
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_sip_provider_inventory.yml b/detections/endpoint/windows_sip_provider_inventory.yml
index a162a19b68..b341c856dd 100644
--- a/detections/endpoint/windows_sip_provider_inventory.yml
+++ b/detections/endpoint/windows_sip_provider_inventory.yml
@@ -1,7 +1,7 @@
 name: Windows SIP Provider Inventory
 id: 21c5af91-1a4a-4511-8603-64fb41df3fad
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml b/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml
index 1b4e98a8fa..0109f66a1e 100644
--- a/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml
+++ b/detections/endpoint/windows_sip_winverifytrust_failed_trust_validation.yml
@@ -1,7 +1,7 @@
 name: Windows SIP WinVerifyTrust Failed Trust Validation
 id: 6ffc7f88-415b-4278-a80d-b957d6539e1a
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml b/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml
index 365d86bb69..78b84216dd 100644
--- a/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml
+++ b/detections/endpoint/windows_snake_malware_file_modification_crmlog.yml
@@ -1,7 +1,7 @@
 name: Windows Snake Malware File Modification Crmlog
 id: 27187e0e-c221-471d-a7bd-04f698985ff6
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml b/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml
index 01f68d85f7..da2eb3d9ca 100644
--- a/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml
+++ b/detections/endpoint/windows_snake_malware_kernel_driver_comadmin.yml
@@ -1,7 +1,7 @@
 name: Windows Snake Malware Kernel Driver Comadmin
 id: 628d9c7c-3242-43b5-9620-7234c080a726
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml b/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml
index 16554fffee..621f8e5be2 100644
--- a/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml
+++ b/detections/endpoint/windows_snake_malware_registry_modification_wav_openwithprogids.yml
@@ -1,7 +1,7 @@
 name: Windows Snake Malware Registry Modification wav OpenWithProgIds
 id: 13cf8b79-805d-443c-bf52-f55bd7610dfd
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_snake_malware_service_create.yml b/detections/endpoint/windows_snake_malware_service_create.yml
index 9e25ca43fe..40d57186cd 100644
--- a/detections/endpoint/windows_snake_malware_service_create.yml
+++ b/detections/endpoint/windows_snake_malware_service_create.yml
@@ -1,7 +1,7 @@
 name: Windows Snake Malware Service Create
 id: 64eb091f-8cab-4b41-9b09-8fb4942377df
-version: 5
-date: '2024-12-10'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_snappybee_create_test_registry.yml b/detections/endpoint/windows_snappybee_create_test_registry.yml
index 8e846bdee3..7d78d2faaa 100644
--- a/detections/endpoint/windows_snappybee_create_test_registry.yml
+++ b/detections/endpoint/windows_snappybee_create_test_registry.yml
@@ -1,7 +1,7 @@
 name: Windows SnappyBee Create Test Registry
 id: 80402396-d78a-4c6e-ade5-7697ea670adf
-version: 3
-date: '2025-04-22'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_soaphound_binary_execution.yml b/detections/endpoint/windows_soaphound_binary_execution.yml
index 26ef4227aa..23215328fd 100644
--- a/detections/endpoint/windows_soaphound_binary_execution.yml
+++ b/detections/endpoint/windows_soaphound_binary_execution.yml
@@ -1,7 +1,7 @@
 name: Windows SOAPHound Binary Execution
 id: 8e53f839-e127-4d6d-a54d-a2f67044a57f
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml
index b75eb83d19..33d88d0332 100644
--- a/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml
+++ b/detections/endpoint/windows_spearphishing_attachment_onenote_spawn_mshta.yml
@@ -1,7 +1,7 @@
 name: Windows Spearphishing Attachment Onenote Spawn Mshta
 id: 35aeb0e7-7de5-444a-ac45-24d6788796ec
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml b/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml
index 6f163201b7..8b6c5c2c70 100644
--- a/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml
+++ b/detections/endpoint/windows_special_privileged_logon_on_multiple_hosts.yml
@@ -1,7 +1,7 @@
 name: Windows Special Privileged Logon On Multiple Hosts
 id: 4c461f5a-c2cc-4e86-b132-c262fc9edca7
-version: 7
-date: '2024-12-10'
+version: 8
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_sql_server_configuration_option_hunt.yml b/detections/endpoint/windows_sql_server_configuration_option_hunt.yml
index c2097a031c..b97822aa6b 100644
--- a/detections/endpoint/windows_sql_server_configuration_option_hunt.yml
+++ b/detections/endpoint/windows_sql_server_configuration_option_hunt.yml
@@ -1,7 +1,7 @@
 name: Windows SQL Server Configuration Option Hunt
 id: 8dc9efd5-805a-460e-889e-bc79e5477af9
-version: 1
-date: '2025-02-06'
+version: 2
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_sql_server_critical_procedures_enabled.yml b/detections/endpoint/windows_sql_server_critical_procedures_enabled.yml
index fde5c9f7ef..e2cbbf60a1 100644
--- a/detections/endpoint/windows_sql_server_critical_procedures_enabled.yml
+++ b/detections/endpoint/windows_sql_server_critical_procedures_enabled.yml
@@ -1,7 +1,7 @@
 name: Windows SQL Server Critical Procedures Enabled
 id: d0434864-b043-41e3-8c08-30e53605e9cb
-version: 1
-date: '2025-02-06'
+version: 2
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_sql_server_extended_procedure_dll_loading_hunt.yml b/detections/endpoint/windows_sql_server_extended_procedure_dll_loading_hunt.yml
index 4e47f47461..000945efcf 100644
--- a/detections/endpoint/windows_sql_server_extended_procedure_dll_loading_hunt.yml
+++ b/detections/endpoint/windows_sql_server_extended_procedure_dll_loading_hunt.yml
@@ -1,7 +1,7 @@
 name: Windows SQL Server Extended Procedure DLL Loading Hunt
 id: 182ba99f-2dde-4cdb-8e5c-e3b1e251cb10
-version: 1
-date: '2025-02-10'
+version: 2
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_sql_server_startup_procedure.yml b/detections/endpoint/windows_sql_server_startup_procedure.yml
index ec7dcaeca4..6c61f2d671 100644
--- a/detections/endpoint/windows_sql_server_startup_procedure.yml
+++ b/detections/endpoint/windows_sql_server_startup_procedure.yml
@@ -1,7 +1,7 @@
 name: Windows SQL Server Startup Procedure
 id: 7bec7c5c-2262-4adb-ba56-c8028512bc58
-version: 1
-date: '2025-02-06'
+version: 2
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_sql_server_xp_cmdshell_config_change.yml b/detections/endpoint/windows_sql_server_xp_cmdshell_config_change.yml
index dc4a259316..2729248eca 100644
--- a/detections/endpoint/windows_sql_server_xp_cmdshell_config_change.yml
+++ b/detections/endpoint/windows_sql_server_xp_cmdshell_config_change.yml
@@ -1,7 +1,7 @@
 name: Windows SQL Server xp_cmdshell Config Change
 id: 5eb76fe2-a869-4865-8c4c-8cff424b18b1
-version: 3
-date: '2025-03-24'
+version: 4
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_sql_spawning_certutil.yml b/detections/endpoint/windows_sql_spawning_certutil.yml
index c35fa9efcc..708c0abeee 100644
--- a/detections/endpoint/windows_sql_spawning_certutil.yml
+++ b/detections/endpoint/windows_sql_spawning_certutil.yml
@@ -1,7 +1,7 @@
 name: Windows SQL Spawning CertUtil
 id: dfc18a5a-946e-44ee-a373-c0f60d06e676
-version: 10
-date: '2025-04-16'
+version: 11
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/windows_sqlcmd_execution.yml b/detections/endpoint/windows_sqlcmd_execution.yml
index e93304fde6..cdedfee354 100644
--- a/detections/endpoint/windows_sqlcmd_execution.yml
+++ b/detections/endpoint/windows_sqlcmd_execution.yml
@@ -1,7 +1,7 @@
 name: Windows SQLCMD Execution
 id: 4e7c2f85-8f02-4bd2-a48b-5ec98a2c5f72
-version: 1
-date: '2025-02-03'
+version: 2
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -192,6 +192,6 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1059.003/atomic_red_team/sqlcmd_windows_sysmon.log
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.003/atomic_red_team/sqlcmd_windows_sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
     sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_sqlservr_spawning_shell.yml b/detections/endpoint/windows_sqlservr_spawning_shell.yml
index 21724c77cf..a0990cb12c 100644
--- a/detections/endpoint/windows_sqlservr_spawning_shell.yml
+++ b/detections/endpoint/windows_sqlservr_spawning_shell.yml
@@ -1,7 +1,7 @@
 name: Windows Sqlservr Spawning Shell
 id: d33aac9f-030c-4830-8701-0c2dd75bb6cb
-version: 2
-date: '2025-03-27'
+version: 3
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml b/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml
index 4134c35c89..5d42b5b098 100644
--- a/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml
+++ b/detections/endpoint/windows_sqlwriter_sqldumper_dll_sideload.yml
@@ -1,7 +1,7 @@
 name: Windows SqlWriter SQLDumper DLL Sideload
 id: 2ed89ba9-c6c7-46aa-9f08-a2a1c2955aa3
-version: 6
-date: '2025-04-22'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 7
diff --git a/detections/endpoint/windows_ssh_proxy_command.yml b/detections/endpoint/windows_ssh_proxy_command.yml
index 4dcf8ec6d2..93ef3922a2 100644
--- a/detections/endpoint/windows_ssh_proxy_command.yml
+++ b/detections/endpoint/windows_ssh_proxy_command.yml
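Review bot: The rewritten `data:` URL on the `+` line of the windows_sqlcmd_execution.yml hunk still resolves through the `master` branch of the attack_data repository, so the True Positive Test fixture is not pinned and can change or disappear independently of this detection's version bump. Pinning the path to an immutable ref, `https://media.githubusercontent.com/media/splunk/attack_data/<ATTACK_DATA_COMMIT_SHA>/datasets/attack_techniques/T1059.003/atomic_red_team/sqlcmd_windows_sysmon.log` with the placeholder replaced, would keep the test reproducible and surface fixture changes as reviewable diffs. If the test harness deliberately tracks branch head, a short comment above the `attack_data:` line such as `# tracks attack_data master; re-validate when the dataset changes` would make that intent explicit. Other detections in this commit presumably carry the same URL pattern, but only this hunk is visible here.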
@@ -1,7 +1,7 @@
 name: Windows SSH Proxy Command
 id: ac520039-21f1-4567-b528-5b7133dba76f
-version: 1
-date: '2025-03-24'
+version: 2
+date: '2025-05-02'
 author: Michael Haag, AJ King, Splunk, Jesse Hunter, Splunk Community Contributor
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml b/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml
index 3577834339..16d0c27513 100644
--- a/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml
@@ -1,7 +1,7 @@
 name: Windows Steal Authentication Certificates - ESC1 Abuse
 id: cbe761fc-d945-4c8c-a71d-e26d12255d32
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml b/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml
index 5fcaaba267..3748d2a95d 100644
--- a/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml
@@ -1,7 +1,7 @@
 name: Windows Steal Authentication Certificates - ESC1 Authentication
 id: f0306acf-a6ab-437a-bbc6-8628f8d5c97e
-version: 6
-date: '2024-12-10'
+version: 7
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml b/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml
index 8185750b89..168bae0148 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_certificate_issued.yml
@@ -1,7 +1,7 @@
 name: Windows Steal Authentication Certificates Certificate Issued
 id: 9b1a5385-0c31-4c39-9753-dc26b8ce64c2
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml b/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml
index a36d244b26..274b6899d9 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_certificate_request.yml
@@ -1,7 +1,7 @@
 name: Windows Steal Authentication Certificates Certificate Request
 id: 747d7800-2eaa-422d-b994-04d8bb9e06d0
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml
index 76f08b9733..c52e331ba1 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml
@@ -1,7 +1,7 @@
 name: Windows Steal Authentication Certificates CertUtil Backup
 id: bac85b56-0b65-4ce5-aad5-d94880df0967
-version: 8
-date: '2025-04-16'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml b/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml
index ab1ec9387f..3ef8d75ebe 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_cryptoapi.yml
@@ -1,7 +1,7 @@
 name: Windows Steal Authentication Certificates CryptoAPI
 id: 905d5692-6d7c-432f-bc7e-a6b4f464d40e
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml b/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml
index c1465d098d..b36fb400c3 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_cs_backup.yml
@@ -1,7 +1,7 @@
 name: Windows Steal Authentication Certificates CS Backup
 id: a2f4cc7f-6503-4078-b206-f83a29f408a7
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml
index 84436c3184..368c077349 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml
@@ -1,7 +1,7 @@
 name: Windows Steal Authentication Certificates Export Certificate
 id: e39dc429-c2a5-4f1f-9c3c-6b211af6b332
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml
index a2d3704c47..f1282bd238 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml
@@ -1,7 +1,7 @@
 name: Windows Steal Authentication Certificates Export PfxCertificate
 id: 391329f3-c14b-4b8d-8b37-ac5012637360
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml b/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml
index a4b3a718e5..91d26fe054 100644
--- a/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml
+++ b/detections/endpoint/windows_steal_or_forge_kerberos_tickets_klist.yml
@@ -1,7 +1,7 @@
 name: Windows Steal or Forge Kerberos Tickets Klist
 id: 09d88404-1e29-46cb-806c-1eedbc85ad5d
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_subinacl_execution.yml b/detections/endpoint/windows_subinacl_execution.yml
index 641a01b32e..5be4f68c1f 100644
--- a/detections/endpoint/windows_subinacl_execution.yml
+++ b/detections/endpoint/windows_subinacl_execution.yml
@@ -1,7 +1,7 @@
 name: Windows SubInAcl Execution
 id: 12491419-1a6f-4af4-afc3-4e2052f0610e
-version: 3
-date: '2025-01-07'
+version: 4
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml
index c84b92d31b..41c672eaf0 100644
--- a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml
+++ b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml
@@ -1,7 +1,7 @@
 name: Windows Suspect Process With Authentication Traffic
 id: 953322db-128a-4ce9-8e89-56e039e33d98
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml b/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml
index 70b2745466..2cc2206214 100644
--- a/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml
+++ b/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml
@@ -1,7 +1,7 @@
 name: Windows Suspicious Child Process Spawned From WebServer
 id: 2d4470ef-7158-4b47-b68b-1f7f16382156
-version: '3'
-date: '2025-03-14'
+version: 4
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_suspicious_driver_loaded_path.yml b/detections/endpoint/windows_suspicious_driver_loaded_path.yml
index 8e7e459157..2dcecbdd19 100644
--- a/detections/endpoint/windows_suspicious_driver_loaded_path.yml
+++ b/detections/endpoint/windows_suspicious_driver_loaded_path.yml
@@ -1,7 +1,7 @@
 name: Windows Suspicious Driver Loaded Path
 id: 2ca1c4a1-8342-4750-9363-905650e0c933
-version: 2
-date: '2025-02-03'
+version: 3
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_suspicious_process_file_path.yml b/detections/endpoint/windows_suspicious_process_file_path.yml
index 3427585121..2aafc6e0af 100644
--- a/detections/endpoint/windows_suspicious_process_file_path.yml
+++ b/detections/endpoint/windows_suspicious_process_file_path.yml
@@ -1,7 +1,7 @@
 name: Windows Suspicious Process File Path
 id: ecddae4e-3d4b-41e2-b3df-e46a88b38521
-version: 10
-date: '2025-04-22'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml b/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml
index e05050e153..4dd0285a47 100644
--- a/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml
+++ b/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml
@@ -1,7 +1,7 @@
 name: Windows Svchost.exe Parent Process Anomaly
 id: 1d38e5e9-2ff8-4c47-872c-bf1657cefab5
-version: 3
-date: '2025-04-16'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
index 75f8fd4d8d..bbf92809a5 100644
--- a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
+++ b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
@@ -1,7 +1,7 @@
 name: Windows System Binary Proxy Execution Compiled HTML File Decompile
 id: 2acf0e19-4149-451c-a3f3-39cd3c77e37d
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml
index ed0c176d2c..0c1879e904 100644
--- a/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml
+++ b/detections/endpoint/windows_system_discovery_using_ldap_nslookup.yml
@@ -1,7 +1,7 @@
 name: Windows System Discovery Using ldap Nslookup
 id: 2418780f-7c3e-4c45-b8b4-996ea850cd49
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_system_discovery_using_qwinsta.yml b/detections/endpoint/windows_system_discovery_using_qwinsta.yml
index 869c183ad4..2e31ba02fa 100644
--- a/detections/endpoint/windows_system_discovery_using_qwinsta.yml
+++ b/detections/endpoint/windows_system_discovery_using_qwinsta.yml
@@ -1,7 +1,7 @@
 name: Windows System Discovery Using Qwinsta
 id: 2e765c1b-144a-49f0-93d0-1df4287cca04
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_system_file_on_disk.yml b/detections/endpoint/windows_system_file_on_disk.yml
index d5379572b1..79fc66f390 100644
--- a/detections/endpoint/windows_system_file_on_disk.yml
+++ b/detections/endpoint/windows_system_file_on_disk.yml
@@ -1,7 +1,7 @@
 name: Windows System File on Disk
 id: 993ce99d-9cdd-42c7-a2cf-733d5954e5a6
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_system_logoff_commandline.yml b/detections/endpoint/windows_system_logoff_commandline.yml
index 810814f08f..00fd3e0083 100644
--- a/detections/endpoint/windows_system_logoff_commandline.yml
+++ b/detections/endpoint/windows_system_logoff_commandline.yml
@@ -1,7 +1,7 @@
 name: Windows System LogOff Commandline
 id: 74a8133f-93e7-4b71-9bd3-13a66124fd57
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml
index 0139f2d364..3cb312ca3d 100644
--- a/detections/endpoint/windows_system_network_config_discovery_display_dns.yml
+++ b/detections/endpoint/windows_system_network_config_discovery_display_dns.yml
@@ -1,7 +1,7 @@
 name: Windows System Network Config Discovery Display DNS
 id: e24f0a0e-41a9-419f-9999-eacab15efc36
-version: 6
-date: '2025-04-22'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml
index 253845d2c1..03bb969b7c 100644
--- a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml
+++ b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml
@@ -1,7 +1,7 @@
 name: Windows System Network Connections Discovery Netsh
 id: abfb7cc5-c275-4a97-9029-62cd8d4ffeca
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_system_reboot_commandline.yml b/detections/endpoint/windows_system_reboot_commandline.yml
index f05d820e02..310e64e50f 100644
--- a/detections/endpoint/windows_system_reboot_commandline.yml
+++ b/detections/endpoint/windows_system_reboot_commandline.yml
@@ -1,7 +1,7 @@
 name: Windows System Reboot CommandLine
 id: 97fc2b60-c8eb-4711-93f7-d26fade3686f
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_system_remote_discovery_with_query.yml b/detections/endpoint/windows_system_remote_discovery_with_query.yml
index ee947cda3e..c480f4e5c1 100644
--- a/detections/endpoint/windows_system_remote_discovery_with_query.yml
+++ b/detections/endpoint/windows_system_remote_discovery_with_query.yml
@@ -1,7 +1,7 @@
 name: Windows System Remote Discovery With Query
 id: 94859172-a521-474f-97ac-4cf4b09634a3
-version: 3
-date: '2025-03-27'
+version: 4
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml b/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml
index 41381be888..8f4f338ee2 100644
--- a/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml
+++ b/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml
@@ -1,7 +1,7 @@
 name: Windows System Script Proxy Execution Syncappvpublishingserver
 id: 8dd73f89-682d-444c-8b41-8e679966ad3c
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_system_shutdown_commandline.yml b/detections/endpoint/windows_system_shutdown_commandline.yml
index 3d7bb37155..419704dc69 100644
--- a/detections/endpoint/windows_system_shutdown_commandline.yml
+++ b/detections/endpoint/windows_system_shutdown_commandline.yml
@@ -1,7 +1,7 @@
 name: Windows System Shutdown CommandLine
 id: 4fee57b8-d825-4bf3-9ea8-bf405cdb614c
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml
index 3424832beb..319e8dddad 100644
--- a/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml
+++ b/detections/endpoint/windows_system_time_discovery_w32tm_delay.yml
@@ -1,7 +1,7 @@
 name: Windows System Time Discovery W32tm Delay
 id: b2cc69e7-11ba-42dc-a269-59c069a48870
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_system_user_discovery_via_quser.yml b/detections/endpoint/windows_system_user_discovery_via_quser.yml
index be76276a35..8ea17deee7 100644
--- a/detections/endpoint/windows_system_user_discovery_via_quser.yml
+++ b/detections/endpoint/windows_system_user_discovery_via_quser.yml
@@ -1,7 +1,7 @@
 name: Windows System User Discovery Via Quser
 id: 0c3f3e09-e47a-410e-856f-a02a5c5fafb0
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_system_user_privilege_discovery.yml b/detections/endpoint/windows_system_user_privilege_discovery.yml
index a13b40ba80..28d4d6cc5d 100644
--- a/detections/endpoint/windows_system_user_privilege_discovery.yml
+++ b/detections/endpoint/windows_system_user_privilege_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows System User Privilege Discovery
 id: 8c9a06bc-9939-4425-9bb9-be2371f7fb7e
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_terminating_lsass_process.yml b/detections/endpoint/windows_terminating_lsass_process.yml
index 5c3b5a659e..899760d500 100644
--- a/detections/endpoint/windows_terminating_lsass_process.yml
+++ b/detections/endpoint/windows_terminating_lsass_process.yml
@@ -1,7 +1,7 @@
 name: Windows Terminating Lsass Process
 id: 7ab3c319-a4e7-4211-9e8c-40a049d0dba6
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_time_based_evasion.yml b/detections/endpoint/windows_time_based_evasion.yml
index d5b1b83733..e1a4c4d506 100644
--- a/detections/endpoint/windows_time_based_evasion.yml
+++ b/detections/endpoint/windows_time_based_evasion.yml
@@ -1,7 +1,7 @@
 name: Windows Time Based Evasion
 id: 34502357-deb1-499a-8261-ffe144abf561
-version: 7
-date: '2025-02-19'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml b/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml
index 9575ea1ce9..a622d5c35d 100644
--- a/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml
+++ b/detections/endpoint/windows_time_based_evasion_via_choice_exec.yml
@@ -1,7 +1,7 @@
 name: Windows Time Based Evasion via Choice Exec
 id: d5f54b38-10bf-4b3a-b6fc-85949862ed50
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml b/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml
index cdebcdb890..b11b650cfe 100644
--- a/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml
+++ b/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml
@@ -1,7 +1,7 @@
 name: Windows UAC Bypass Suspicious Child Process
 id: 453a6b0f-b0ea-48fa-9cf4-20537ffdd22c
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml b/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml
index 6775a54f1f..8079e34b13 100644
--- a/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml
+++ b/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml
@@ -1,7 +1,7 @@
 name: Windows UAC Bypass Suspicious Escalation Behavior
 id: 00d050d3-a5b4-4565-a6a5-a31f69681dc3
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml
index 851179acf7..815eadc66b 100644
--- a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml
+++ b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml
@@ -1,7 +1,7 @@
 name: Windows Unsecured Outlook Credentials Access In Registry
 id: 36334123-077d-47a2-b70c-6c7b3cc85049
-version: 5
-date: '2024-12-10'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_unsigned_dll_side_loading.yml b/detections/endpoint/windows_unsigned_dll_side_loading.yml
index b1b8bec02f..153cd86371 100644
--- a/detections/endpoint/windows_unsigned_dll_side_loading.yml
+++ b/detections/endpoint/windows_unsigned_dll_side_loading.yml
@@ -1,7 +1,7 @@
 name: Windows Unsigned DLL Side-Loading
 id: 5a83ce44-8e0f-4786-a775-8249a525c879
-version: 10
-date: '2025-04-22'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml
index 07254d28cd..6ce3d279a2 100644
--- a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml
+++ b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml
@@ -1,7 +1,7 @@
 name: Windows Unsigned DLL Side-Loading In Same Process Path
 id: 3cf85c02-f9d6-4186-bf3c-e70ee99fbc7f
-version: 10
-date: '2025-04-22'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 7
diff --git a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml
index acc502e342..7878c8e6b4 100644
--- a/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml
+++ b/detections/endpoint/windows_unsigned_ms_dll_side_loading.yml
@@ -1,7 +1,7 @@
 name: Windows Unsigned MS DLL Side-Loading
 id: 8d9e0e06-ba71-4dc5-be16-c1a46d58728c
-version: 10
-date: '2025-04-22'
+version: 11
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 7
diff --git a/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml
index 0fa924d07c..5bf01922dc 100644
--- a/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml
+++ b/detections/endpoint/windows_unusual_count_of_disabled_users_failed_auth_using_kerberos.yml
@@ -1,8 +1,8 @@
 name: Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos
 id: f65aa026-b811-42ab-b4b9-d9088137648f
-date: '2025-02-10'
+date: '2025-05-02'
 type: Anomaly
-version: 6
+version: 7
 status: production
 author: Mauricio Velazco, Splunk
 data_source:
diff --git a/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml
index e8713bd1db..2b02f85f59 100644
--- a/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml
+++ b/detections/endpoint/windows_unusual_count_of_invalid_users_fail_to_auth_using_kerberos.yml
@@ -1,8 +1,8 @@
 name: Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos
 id: f122cb2e-d773-4f11-8399-62a3572d8dd7
 type: Anomaly
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 status: production
 author: Mauricio Velazco, Splunk
 data_source:
diff --git a/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml b/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml
index fbfb9e6258..21748b4a50 100644
--- a/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml
+++ b/detections/endpoint/windows_unusual_count_of_invalid_users_failed_to_auth_using_ntlm.yml
@@ -1,9 +1,9 @@
 name: Windows Unusual Count Of Invalid Users Failed To Auth Using NTLM
 id: 15603165-147d-4a6e-9778-bd0ff39e668f
 type: Anomaly
-version: 7
+version: 8
 status: production
-date: '2025-02-10'
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 data_source:
 - Windows Event Log Security 4776
diff --git a/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml b/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml
index ec7051a13d..1afe9bd374 100644
--- a/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_fail_to_auth_wth_explicitcredentials.yml
@@ -1,9 +1,9 @@
 name: Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials
 id: 14f414cf-3080-4b9b-aaf6-55a4ce947b93
 type: Anomaly
-version: 7
+version: 8
 status: production
-date: '2025-02-10'
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 data_source:
 - Windows Event Log Security 4648
diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml
index b452955d86..377e5497bb 100644
--- a/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_auth_using_kerberos.yml
@@ -1,8 +1,8 @@
 name: Windows Unusual Count Of Users Failed To Auth Using Kerberos
 id: bc9cb715-08ba-40c3-9758-6e2b26e455cb
-date: '2025-02-10'
+date: '2025-05-02'
 type: Anomaly
-version: 6
+version: 7
 status: production
 author: Mauricio Velazco, Splunk
 data_source:
diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml
index c4401d6f47..97bdfeb5a1 100644
--- a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_from_process.yml
@@ -1,9 +1,9 @@
 name: Windows Unusual Count Of Users Failed To Authenticate From Process
 id: 25bdb6cb-2e49-4d34-a93c-d6c567c122fe
 type: Anomaly
-version: 7
+version: 8
 status: production
-date: '2025-02-10'
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 data_source:
 - Windows Event Log Security 4625
diff --git a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml
index 792688f973..8e25ae8bb8 100644
--- a/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_failed_to_authenticate_using_ntlm.yml
@@ -1,9 +1,9 @@
 name: Windows Unusual Count Of Users Failed To Authenticate Using NTLM
 id: 6f6c8fd7-6a6b-4af9-a0e9-57cfc47a58b4
 type: Anomaly
-version: 7
+version: 8
 status: production
-date: '2025-02-10'
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 data_source:
 - Windows Event Log Security 4776
diff --git a/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml b/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml
index eb28b8d512..9c70f9bde7 100644
--- a/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml
+++ b/detections/endpoint/windows_unusual_count_of_users_remotely_failed_to_auth_from_host.yml
@@ -1,9 +1,9 @@
 name: Windows Unusual Count Of Users Remotely Failed To Auth From Host
 id: cf06a0ee-ffa9-4ed3-be77-0670ed9bab52
 type: Anomaly
-version: 7
+version: 8
 status: production
-date: '2025-02-10'
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 data_source:
 - Windows Event Log Security 4625
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml
index aa6cf02a30..ffde17a148 100644
--- a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml
+++ b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_source.yml
@@ -1,7 +1,7 @@
 name: Windows Unusual NTLM Authentication Destinations By Source
 id: ae9b0df5-5fb0-477f-abc9-47faf42aa91d
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml
index 55f73604d3..f9981c0939 100644
--- a/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml
+++ b/detections/endpoint/windows_unusual_ntlm_authentication_destinations_by_user.yml
@@ -1,7 +1,7 @@
 name: Windows Unusual NTLM Authentication Destinations By User
 id: a4d86702-402b-4a4f-8d06-9d61e6c39cad
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml
index a010d679cb..01b4f0ca14 100644
--- a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml
+++ b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_destination.yml
@@ -1,7 +1,7 @@
 name: Windows Unusual NTLM Authentication Users By Destination
 id: 1120a204-8444-428b-8657-6ea4e1f3e840
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml
index 63e8becc2e..16e0b44137 100644
--- a/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml
+++ b/detections/endpoint/windows_unusual_ntlm_authentication_users_by_source.yml
@@ -1,7 +1,7 @@
 name: Windows Unusual NTLM Authentication Users By Source
 id: 80fcc4d4-fd90-488e-b55a-4e7190ae6ce2
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_unusual_syswow64_process_run_system32_executable.yml b/detections/endpoint/windows_unusual_syswow64_process_run_system32_executable.yml
index 8f085d06b0..ceae9da7e8 100644
--- a/detections/endpoint/windows_unusual_syswow64_process_run_system32_executable.yml
+++ b/detections/endpoint/windows_unusual_syswow64_process_run_system32_executable.yml
@@ -1,7 +1,7 @@
 name: Windows Unusual SysWOW64 Process Run System32 Executable
 id: e4602172-db86-4315-86df-da66fb40bcde
-version: 2
-date: '2025-03-27'
+version: 3
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_usbstor_registry_key_modification.yml b/detections/endpoint/windows_usbstor_registry_key_modification.yml
index 423db6e48d..ac81263fa6 100644
--- a/detections/endpoint/windows_usbstor_registry_key_modification.yml
+++ b/detections/endpoint/windows_usbstor_registry_key_modification.yml
@@ -1,7 +1,7 @@
 name: Windows USBSTOR Registry Key Modification
 id: a345980a-417d-4ed3-9fb4-cac30c9405a0
-version: 2
-date: '2025-01-17'
+version: 3
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_user_deletion_via_net.yml b/detections/endpoint/windows_user_deletion_via_net.yml
index e4792e9d25..78d63e9cb2 100644
--- a/detections/endpoint/windows_user_deletion_via_net.yml
+++ b/detections/endpoint/windows_user_deletion_via_net.yml
@@ -1,7 +1,7 @@
 name: Windows User Deletion Via Net
 id: b0b6fd2c-8953-4d1b-8f7b-56075ea6ab3e
-version: 3
-date: '2025-01-13'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_user_disabled_via_net.yml b/detections/endpoint/windows_user_disabled_via_net.yml
index 5748936b2b..0c99ec5424 100644
--- a/detections/endpoint/windows_user_disabled_via_net.yml
+++ b/detections/endpoint/windows_user_disabled_via_net.yml
@@ -1,7 +1,7 @@
 name: Windows User Disabled Via Net
 id: b0359e05-c87b-4354-83d8-aee0d890243f
-version: 3
-date: '2025-01-13'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_user_discovery_via_net.yml b/detections/endpoint/windows_user_discovery_via_net.yml
index b7ad757740..7e40065738 100644
--- a/detections/endpoint/windows_user_discovery_via_net.yml
+++ b/detections/endpoint/windows_user_discovery_via_net.yml
@@ -1,7 +1,7 @@
 name: Windows User Discovery Via Net
 id: 7742987e-88c1-476b-a626-a869e088ab72
-version: '3'
-date: '2025-03-14'
+version: 4
+date: '2025-05-02'
 author: Mauricio Velazco, Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
index d4ebca8efb..26490c4440 100644
--- a/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
+++ b/detections/endpoint/windows_user_execution_malicious_url_shortcut_file.yml
@@ -1,7 +1,7 @@
 name: Windows User Execution Malicious URL Shortcut File
 id: 5c7ee6ad-baf4-44fb-b2f0-0cfeddf82dbc
 version: 7
-date: '2025-04-24'
+date: '2025-05-02'
 author: Teoderick Contreras, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_vulnerable_3cx_software.yml b/detections/endpoint/windows_vulnerable_3cx_software.yml
index f8179ab443..fc3046c6b0 100644
--- a/detections/endpoint/windows_vulnerable_3cx_software.yml
+++ b/detections/endpoint/windows_vulnerable_3cx_software.yml
@@ -1,7 +1,7 @@
 name: Windows Vulnerable 3CX Software
 id: f2cc1584-46ee-485b-b905-977c067f36de
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 type: TTP
 status: production
diff --git a/detections/endpoint/windows_vulnerable_driver_installed.yml b/detections/endpoint/windows_vulnerable_driver_installed.yml
index 7fcf571c1a..22648436e9 100644
--- a/detections/endpoint/windows_vulnerable_driver_installed.yml
+++ b/detections/endpoint/windows_vulnerable_driver_installed.yml
@@ -1,7 +1,7 @@
 name: Windows Vulnerable Driver Installed
 id: 1dda7586-57be-4a1b-8de1-a9ad802b9a7f
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_vulnerable_driver_loaded.yml b/detections/endpoint/windows_vulnerable_driver_loaded.yml
index c682a0a8fe..ef46ef9086 100644
--- a/detections/endpoint/windows_vulnerable_driver_loaded.yml
+++ b/detections/endpoint/windows_vulnerable_driver_loaded.yml
@@ -1,7 +1,7 @@
 name: Windows Vulnerable Driver Loaded
 id: a2b1f1ef-221f-4187-b2a4-d4b08ec745f4
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: experimental
 type: Hunting
diff --git a/detections/endpoint/windows_windbg_spawning_autoit3.yml b/detections/endpoint/windows_windbg_spawning_autoit3.yml
index 077b4fb4e7..8ec5880f70 100644
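Review bot: In the windows_user_execution_malicious_url_shortcut_file.yml hunk the `date` is advanced to '2025-05-02' while `version: 7` stays as an unchanged context line, whereas every other hunk in this change bumps `version` together with `date`. If this detection's content was actually revised in this commit, the metadata should follow the same pattern, `+version: 8`; if nothing else in the file changed, the date-only bump is spurious and can be dropped so the version/date pair stays a reliable signal of when a detection last changed. Whether the rest of this file was modified is not visible from this hunk.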
--- a/detections/endpoint/windows_windbg_spawning_autoit3.yml
+++ b/detections/endpoint/windows_windbg_spawning_autoit3.yml
@@ -1,7 +1,7 @@
 name: Windows WinDBG Spawning AutoIt3
 id: 7aec015b-cd69-46c3-85ed-dac152056aa4
-version: 8
-date: '2024-12-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/windows_winlogon_with_public_network_connection.yml b/detections/endpoint/windows_winlogon_with_public_network_connection.yml
index 1aba5bb21d..291c32af9b 100644
--- a/detections/endpoint/windows_winlogon_with_public_network_connection.yml
+++ b/detections/endpoint/windows_winlogon_with_public_network_connection.yml
@@ -1,7 +1,7 @@
 name: Windows WinLogon with Public Network Connection
 id: 65615b3a-62ea-4d65-bb9f-6f07c17df4ea
-version: 7
-date: '2025-04-22'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: experimental
 type: Hunting
diff --git a/detections/endpoint/windows_wmi_impersonate_token.yml b/detections/endpoint/windows_wmi_impersonate_token.yml
index 57fa9e531c..8e2fa65ac4 100644
--- a/detections/endpoint/windows_wmi_impersonate_token.yml
+++ b/detections/endpoint/windows_wmi_impersonate_token.yml
@@ -1,7 +1,7 @@
 name: Windows WMI Impersonate Token
 id: cf192860-2d94-40db-9a51-c04a2e8a8f8b
-version: 6
-date: '2025-04-22'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_wmi_process_and_service_list.yml b/detections/endpoint/windows_wmi_process_and_service_list.yml
index 0b951966f1..d8baccc0ab 100644
--- a/detections/endpoint/windows_wmi_process_and_service_list.yml
+++ b/detections/endpoint/windows_wmi_process_and_service_list.yml
@@ -1,7 +1,7 @@
 name: Windows WMI Process And Service List
 id: ef3c5ef2-3f6d-4087-aa75-49bf746dc907
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_wmi_process_call_create.yml b/detections/endpoint/windows_wmi_process_call_create.yml
index 77f615e02b..7954fe00e4 100644
--- a/detections/endpoint/windows_wmi_process_call_create.yml
+++ b/detections/endpoint/windows_wmi_process_call_create.yml
@@ -1,7 +1,7 @@
 name: Windows WMI Process Call Create
 id: 0661c2de-93de-11ec-9833-acde48001122
-version: 6
-date: '2025-04-18'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/windows_wmic_shadowcopy_delete.yml b/detections/endpoint/windows_wmic_shadowcopy_delete.yml
index 00bb0b47d3..e3d439b9dc 100644
--- a/detections/endpoint/windows_wmic_shadowcopy_delete.yml
+++ b/detections/endpoint/windows_wmic_shadowcopy_delete.yml
@@ -1,7 +1,7 @@
 name: Windows WMIC Shadowcopy Delete
 id: 0a8c4b26-a4e2-4ef1-b0d9-62af6d36bdc8
-version: 1
-date: '2025-03-18'
+version: 2
+date: '2025-05-02'
 author: Michael Haag, AJ King, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml b/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml
index 58f9d95f24..72d48eaadd 100644
--- a/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml
+++ b/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml
@@ -1,7 +1,7 @@
 name: Windows WPDBusEnum Registry Key Modification
 id: 52b48e8b-eb6e-48b0-b8f1-73273f6b134e
-version: 2
-date: '2025-01-17'
+version: 3
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml
index 55fdc6590c..640cb98016 100644
--- a/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml
+++ b/detections/endpoint/winevent_scheduled_task_created_to_spawn_shell.yml
@@ -1,7 +1,7 @@
 name: WinEvent Scheduled Task Created to Spawn Shell
 id: 203ef0ea-9bd8-11eb-8201-acde48001122
-version: 13
-date: '2025-04-16'
+version: 14
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
index 5c2329f5f8..9b24d5c673 100644
--- a/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
+++ b/detections/endpoint/winevent_scheduled_task_created_within_public_path.yml
@@ -1,7 +1,7 @@
 name: WinEvent Scheduled Task Created Within Public Path
 id: 5d9c6eee-988c-11eb-8253-acde48001122
-version: 13
-date: '2025-04-16'
+version: 14
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
index 040059360b..dcada5b03f 100644
--- a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
+++ b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
@@ -1,7 +1,7 @@
 name: WinEvent Windows Task Scheduler Event Action Started
 id: b3632472-310b-11ec-9aab-acde48001122
-version: 7
-date: '2025-02-28'
+version: 8
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/winhlp32_spawning_a_process.yml b/detections/endpoint/winhlp32_spawning_a_process.yml
index 5ba81f4dcf..f9e0927926 100644
--- a/detections/endpoint/winhlp32_spawning_a_process.yml
+++ b/detections/endpoint/winhlp32_spawning_a_process.yml
@@ -1,7 +1,7 @@
 name: Winhlp32 Spawning a Process
 id: d17dae9e-2618-11ec-b9f5-acde48001122
-version: 8
-date: '2024-12-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/winrar_spawning_shell_application.yml b/detections/endpoint/winrar_spawning_shell_application.yml
index 45d3c5d31d..6799699221 100644
--- a/detections/endpoint/winrar_spawning_shell_application.yml
+++ b/detections/endpoint/winrar_spawning_shell_application.yml
@@ -1,7 +1,7 @@
 name: WinRAR Spawning Shell Application
 id: d2f36034-37fa-4bd4-8801-26807c15540f
-version: 8
-date: '2024-12-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/winrm_spawning_a_process.yml b/detections/endpoint/winrm_spawning_a_process.yml
index 91cb465db0..665cb458cf 100644
--- a/detections/endpoint/winrm_spawning_a_process.yml
+++ b/detections/endpoint/winrm_spawning_a_process.yml
@@ -1,7 +1,7 @@
 name: WinRM Spawning a Process
 id: a081836a-ba4d-11eb-8593-acde48001122
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Drew Church, Michael Haag, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/wmi_permanent_event_subscription.yml b/detections/endpoint/wmi_permanent_event_subscription.yml
index d66bc7a9ba..41b473a98d 100644
--- a/detections/endpoint/wmi_permanent_event_subscription.yml
+++ b/detections/endpoint/wmi_permanent_event_subscription.yml
@@ -1,7 +1,7 @@
 name: WMI Permanent Event Subscription
 id: 71bfdb13-f200-4c6c-b2c9-a2e07adf437d
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Rico Valdez, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml b/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml
index b2df018c3e..c1c779e0ea 100644
--- a/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml
+++ b/detections/endpoint/wmi_permanent_event_subscription___sysmon.yml
@@ -1,7 +1,7 @@
 name: WMI Permanent Event Subscription - Sysmon
 id: ad05aae6-3b2a-4f73-af97-57bd26cee3b9
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Rico Valdez, Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/wmi_recon_running_process_or_services.yml b/detections/endpoint/wmi_recon_running_process_or_services.yml
index 5166973e06..9e6b21d680 100644
--- a/detections/endpoint/wmi_recon_running_process_or_services.yml
+++ b/detections/endpoint/wmi_recon_running_process_or_services.yml
@@ -1,7 +1,7 @@
 name: WMI Recon Running Process Or Services
 id: b5cd5526-cce7-11eb-b3bd-acde48001122
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/endpoint/wmi_temporary_event_subscription.yml b/detections/endpoint/wmi_temporary_event_subscription.yml
index 3a378d03c4..d1980ecc9f 100644
--- a/detections/endpoint/wmi_temporary_event_subscription.yml
+++ b/detections/endpoint/wmi_temporary_event_subscription.yml
@@ -1,7 +1,7 @@
 name: WMI Temporary Event Subscription
 id: 38cbd42c-1098-41bb-99cf-9d6d2b296d83
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Rico Valdez, Splunk
 status: experimental
 type: TTP
diff --git a/detections/endpoint/wmic_group_discovery.yml b/detections/endpoint/wmic_group_discovery.yml
index b233de99f3..521ae54799 100644
--- a/detections/endpoint/wmic_group_discovery.yml
+++ b/detections/endpoint/wmic_group_discovery.yml
@@ -1,7 +1,7 @@
 name: Wmic Group Discovery
 id: 83317b08-155b-11ec-8e00-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/wmic_noninteractive_app_uninstallation.yml b/detections/endpoint/wmic_noninteractive_app_uninstallation.yml
index b3cd150460..577a38605a 100644
--- a/detections/endpoint/wmic_noninteractive_app_uninstallation.yml
+++ b/detections/endpoint/wmic_noninteractive_app_uninstallation.yml
@@ -1,7 +1,7 @@
 name: Wmic NonInteractive App Uninstallation
 id: bff0e7a0-317f-11ec-ab4e-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/endpoint/wmic_xsl_execution_via_url.yml b/detections/endpoint/wmic_xsl_execution_via_url.yml
index 3cf8d44c39..238117825b 100644
--- a/detections/endpoint/wmic_xsl_execution_via_url.yml
+++ b/detections/endpoint/wmic_xsl_execution_via_url.yml
@@ -1,7 +1,7 @@
 name: WMIC XSL Execution via URL
 id: 787e9dd0-4328-11ec-a029-acde48001122
-version: 8
-date: '2024-12-10'
+version: 9
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml b/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml
index 0258aa372f..335a210cc3 100644
--- a/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml
+++ b/detections/endpoint/wmiprsve_lolbas_execution_process_spawn.yml
@@ -1,7 +1,7 @@
 name: Wmiprsve LOLBAS Execution Process Spawn
 id: 95a455f0-4c04-11ec-b8ac-3e22fbd008af
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
index 551bad38df..bb7cbcdb1d 100644
--- a/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
+++ b/detections/endpoint/wscript_or_cscript_suspicious_child_process.yml
@@ -1,7 +1,7 @@
 name: Wscript Or Cscript Suspicious Child Process
 id: 1f35e1da-267b-11ec-90a9-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml b/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml
index b71e5f878d..b4a88f4173 100644
--- a/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml
+++ b/detections/endpoint/wsmprovhost_lolbas_execution_process_spawn.yml
@@ -1,7 +1,7 @@
 name: Wsmprovhost LOLBAS Execution Process Spawn
 id: 2eed004c-4c0d-11ec-93e8-3e22fbd008af
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/wsreset_uac_bypass.yml b/detections/endpoint/wsreset_uac_bypass.yml
index 28fb931288..9c6233d4a2 100644
--- a/detections/endpoint/wsreset_uac_bypass.yml
+++ b/detections/endpoint/wsreset_uac_bypass.yml
@@ -1,7 +1,7 @@
 name: WSReset UAC Bypass
 id: 8b5901bc-da63-11eb-be43-acde48001122
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: Steven Dick, Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/xmrig_driver_loaded.yml b/detections/endpoint/xmrig_driver_loaded.yml
index f110804a47..7fb5f9e4f9 100644
--- a/detections/endpoint/xmrig_driver_loaded.yml
+++ b/detections/endpoint/xmrig_driver_loaded.yml
@@ -1,7 +1,7 @@
 name: XMRIG Driver Loaded
 id: 90080fa6-a8df-11eb-91e4-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/endpoint/xsl_script_execution_with_wmic.yml b/detections/endpoint/xsl_script_execution_with_wmic.yml
index 322617c02e..35f3f8385e 100644
--- a/detections/endpoint/xsl_script_execution_with_wmic.yml
+++ b/detections/endpoint/xsl_script_execution_with_wmic.yml
@@ -1,7 +1,7 @@
 name: XSL Script Execution With WMIC
 id: 004e32e2-146d-11ec-a83f-acde48001122
-version: 7
-date: '2024-11-13'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/network/3cx_supply_chain_attack_network_indicators.yml b/detections/network/3cx_supply_chain_attack_network_indicators.yml
index 36d2446b20..f574ef6132 100644
--- a/detections/network/3cx_supply_chain_attack_network_indicators.yml
+++ b/detections/network/3cx_supply_chain_attack_network_indicators.yml
@@ -1,7 +1,7 @@
 name: 3CX Supply Chain Attack Network Indicators
 id: 791b727c-deec-4fbe-a732-756131b3c5a1
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 type: TTP
 status: experimental
diff --git a/detections/network/cisco_secure_firewall___binary_file_type_download.yml b/detections/network/cisco_secure_firewall___binary_file_type_download.yml
index 6a6e9fbed5..7ae6a6b587 100644
--- a/detections/network/cisco_secure_firewall___binary_file_type_download.yml
+++ b/detections/network/cisco_secure_firewall___binary_file_type_download.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - Binary File Type Download
 id: 24b2c2e3-2ff7-4a23-b814-87f8a62028cd
-version: 1
-date: '2025-04-03'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/cisco_secure_firewall___bits_network_activity.yml b/detections/network/cisco_secure_firewall___bits_network_activity.yml
index 8504df2d1b..0601655d27 100644
--- a/detections/network/cisco_secure_firewall___bits_network_activity.yml
+++ b/detections/network/cisco_secure_firewall___bits_network_activity.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - Bits Network Activity
 id: b08e69d4-b42d-494c-bd30-abaaa3571ba4
-version: 1
-date: '2025-04-01'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/cisco_secure_firewall___blacklisted_ssl_certificate_fingerprint.yml b/detections/network/cisco_secure_firewall___blacklisted_ssl_certificate_fingerprint.yml
index 7cd8050eb2..6206a97716 100644
--- a/detections/network/cisco_secure_firewall___blacklisted_ssl_certificate_fingerprint.yml
+++ b/detections/network/cisco_secure_firewall___blacklisted_ssl_certificate_fingerprint.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint
 id: c43f7b49-2dab-4e76-892e-7f971c2f20f1
-version: 1
-date: '2025-04-02'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
diff --git a/detections/network/cisco_secure_firewall___blocked_connection.yml b/detections/network/cisco_secure_firewall___blocked_connection.yml
index 5ef85abe77..474ddf0e53 100644
--- a/detections/network/cisco_secure_firewall___blocked_connection.yml
+++ b/detections/network/cisco_secure_firewall___blocked_connection.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - Blocked Connection
 id: 17e9b764-3a2b-4d36-9751-32d13ce4718b
-version: 1
-date: '2025-04-01'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/cisco_secure_firewall___communication_over_suspicious_ports.yml b/detections/network/cisco_secure_firewall___communication_over_suspicious_ports.yml
index 2089875d4d..49df1b4894 100644
--- a/detections/network/cisco_secure_firewall___communication_over_suspicious_ports.yml
+++ b/detections/network/cisco_secure_firewall___communication_over_suspicious_ports.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - Communication Over Suspicious Ports
 id: d85c05c8-42c0-4e4a-87e7-4e1bb3e844e3
-version: 1
-date: '2025-04-02'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/cisco_secure_firewall___connection_to_file_sharing_domain.yml b/detections/network/cisco_secure_firewall___connection_to_file_sharing_domain.yml
index e89aea5e49..2b65112d14 100644
--- a/detections/network/cisco_secure_firewall___connection_to_file_sharing_domain.yml
+++ b/detections/network/cisco_secure_firewall___connection_to_file_sharing_domain.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - Connection to File Sharing Domain
 id: f7e5e792-d907-46c1-a58e-4ff974dc462a
-version: 1
-date: '2025-04-01'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml b/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml
index 6f38d3be2e..8d7806b14c 100644
--- a/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml
+++ b/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - File Download Over Uncommon Port
 id: f26445a8-a6a2-4855-bec0-0c39e52e5b8f
-version: 1
-date: '2025-04-07'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/cisco_secure_firewall___high_eve_threat_confidence.yml b/detections/network/cisco_secure_firewall___high_eve_threat_confidence.yml
index 8f5223d653..3f94b98a69 100644
--- a/detections/network/cisco_secure_firewall___high_eve_threat_confidence.yml
+++ b/detections/network/cisco_secure_firewall___high_eve_threat_confidence.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - High EVE Threat Confidence
 id: 8c15183e-2e70-4db4-86c3-88f8d9129b66
-version: 1
-date: '2025-04-02'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/cisco_secure_firewall___high_volume_of_intrusion_events_per_host.yml b/detections/network/cisco_secure_firewall___high_volume_of_intrusion_events_per_host.yml
index 6c885c54b1..e1935eb00d 100644
--- a/detections/network/cisco_secure_firewall___high_volume_of_intrusion_events_per_host.yml
+++ b/detections/network/cisco_secure_firewall___high_volume_of_intrusion_events_per_host.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - High Volume of Intrusion Events Per Host
 id: 9f2295a0-0dcb-4a5f-b013-8a6f2a3c11f6
-version: 1
-date: '2025-04-14'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/cisco_secure_firewall___malware_file_downloaded.yml b/detections/network/cisco_secure_firewall___malware_file_downloaded.yml
index 973fab4011..b9cda1571e 100644
--- a/detections/network/cisco_secure_firewall___malware_file_downloaded.yml
+++ b/detections/network/cisco_secure_firewall___malware_file_downloaded.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - Malware File Downloaded
 id: 3cc93f52-5aa6-4b7f-83b9-3430b1436813
-version: 1
-date: '2025-04-03'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/cisco_secure_firewall___possibly_compromised_host.yml b/detections/network/cisco_secure_firewall___possibly_compromised_host.yml
index ab8b0cc1a3..5989781237 100644
--- a/detections/network/cisco_secure_firewall___possibly_compromised_host.yml
+++ b/detections/network/cisco_secure_firewall___possibly_compromised_host.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - Possibly Compromised Host
 id: 244a77bb-3b2a-46f1-bf2c-b4f7cd29276d
-version: 1
-date: '2025-04-14'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/network/cisco_secure_firewall___potential_data_exfiltration.yml b/detections/network/cisco_secure_firewall___potential_data_exfiltration.yml
index 19855048bc..5119c81658 100644
--- a/detections/network/cisco_secure_firewall___potential_data_exfiltration.yml
+++ b/detections/network/cisco_secure_firewall___potential_data_exfiltration.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - Potential Data Exfiltration
 id: 3d8536b6-52b4-4c3e-b695-3f2e90bb22be
-version: 1
-date: '2025-04-02'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/cisco_secure_firewall___rare_snort_rule_triggered.yml b/detections/network/cisco_secure_firewall___rare_snort_rule_triggered.yml
index cd1550c640..3c4fda0950 100644
--- a/detections/network/cisco_secure_firewall___rare_snort_rule_triggered.yml
+++ b/detections/network/cisco_secure_firewall___rare_snort_rule_triggered.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - Rare Snort Rule Triggered
 id: e20313d2-7d63-4fcf-b2d9-d6e12c6c7bd7
-version: 1
-date: '2025-04-14'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Hunting
diff --git a/detections/network/cisco_secure_firewall___repeated_blocked_connections.yml b/detections/network/cisco_secure_firewall___repeated_blocked_connections.yml
index 57eb86c0f2..ea0a8a78b0 100644
--- a/detections/network/cisco_secure_firewall___repeated_blocked_connections.yml
+++ b/detections/network/cisco_secure_firewall___repeated_blocked_connections.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - Repeated Blocked Connections
 id: 1f57f10e-1dc5-47ea-852c-2e85b2503d79
-version: 1
-date: '2025-04-02'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/cisco_secure_firewall___repeated_malware_downloads.yml b/detections/network/cisco_secure_firewall___repeated_malware_downloads.yml
index b2757e52c1..849a39dba9 100644
--- a/detections/network/cisco_secure_firewall___repeated_malware_downloads.yml
+++ b/detections/network/cisco_secure_firewall___repeated_malware_downloads.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - Repeated Malware Downloads
 id: aeff2bb5-3483-48d4-9be8-c8976194be1e
-version: 1
-date: '2025-04-09'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/cisco_secure_firewall___snort_rule_triggered_across_multiple_hosts.yml b/detections/network/cisco_secure_firewall___snort_rule_triggered_across_multiple_hosts.yml
index 6dfd68a496..247c56e48c 100644
--- a/detections/network/cisco_secure_firewall___snort_rule_triggered_across_multiple_hosts.yml
+++ b/detections/network/cisco_secure_firewall___snort_rule_triggered_across_multiple_hosts.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts
 id: a4c76d0a-56b6-44be-814b-939746c4d406
-version: 1
-date: '2025-04-14'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/cisco_secure_firewall___wget_or_curl_download.yml b/detections/network/cisco_secure_firewall___wget_or_curl_download.yml
index 35b4eba6e2..c9936680c6 100644
--- a/detections/network/cisco_secure_firewall___wget_or_curl_download.yml
+++ b/detections/network/cisco_secure_firewall___wget_or_curl_download.yml
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - Wget or Curl Download
 id: 173a1cb9-1814-4128-a9dc-f29dade89957
-version: 1
-date: '2025-04-01'
+version: 2
+date: '2025-05-02'
 author: Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/detect_arp_poisoning.yml b/detections/network/detect_arp_poisoning.yml
index 1e3b9d8998..7e94e9597d 100644
--- a/detections/network/detect_arp_poisoning.yml
+++ b/detections/network/detect_arp_poisoning.yml
@@ -1,7 +1,7 @@
 name: Detect ARP Poisoning
 id: b44bebd6-bd39-467b-9321-73971bcd1aac
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mikael Bjerkeland, Splunk
 status: experimental
 type: TTP
diff --git a/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml b/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml
index 55d18f58b5..6c9c2e2f60 100644
--- a/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml
+++ b/detections/network/detect_dga_domains_using_pretrained_model_in_dsdl.yml
@@ -1,7 +1,7 @@
 name: Detect DGA domains using pretrained model in DSDL
 id: 92e24f32-9b9a-4060-bba2-2a0eb31f3493
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml b/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml
index 10055327b4..052b9063e3 100644
--- a/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml
+++ b/detections/network/detect_dns_data_exfiltration_using_pretrained_model_in_dsdl.yml
@@ -1,7 +1,7 @@
 name: Detect DNS Data Exfiltration using pretrained model in DSDL
 id: 92f65c3a-168c-11ed-71eb-0242ac120012
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 status: experimental
 author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk
 type: Anomaly
diff --git a/detections/network/detect_dns_query_to_decommissioned_s3_bucket.yml b/detections/network/detect_dns_query_to_decommissioned_s3_bucket.yml
index 0f12c92d4d..2e2822d3f1 100644
--- a/detections/network/detect_dns_query_to_decommissioned_s3_bucket.yml
+++ b/detections/network/detect_dns_query_to_decommissioned_s3_bucket.yml
@@ -1,7 +1,7 @@
 name: Detect DNS Query to Decommissioned S3 Bucket
 id: 2f1c5fd1-4b8a-4f5d-a0e9-7d6a8e2f5e1e
-version: 2
-date: '2025-02-12'
+version: 3
+date: '2025-05-02'
 author: Jose Hernandez, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml b/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml
index 19179c4a66..2b19761689 100644
--- a/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml
+++ b/detections/network/detect_hosts_connecting_to_dynamic_domain_providers.yml
@@ -1,7 +1,7 @@
 name: Detect hosts connecting to dynamic domain providers
 id: a1e761ac-1344-4dbd-88b2-3f34c912d359
-version: 7
-date: '2024-11-15'
+version: 8
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/network/detect_ipv6_network_infrastructure_threats.yml b/detections/network/detect_ipv6_network_infrastructure_threats.yml
index 5be89b972e..f2504c5da8 100644
--- a/detections/network/detect_ipv6_network_infrastructure_threats.yml
+++ b/detections/network/detect_ipv6_network_infrastructure_threats.yml
@@ -1,7 +1,7 @@
 name: Detect IPv6 Network Infrastructure Threats
 id: c3be767e-7959-44c5-8976-0e9c12a91ad2
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Mikael Bjerkeland, Splunk
 status: experimental
 type: TTP
diff --git a/detections/network/detect_large_icmp_traffic.yml b/detections/network/detect_large_icmp_traffic.yml
index 0590dc2aab..ddc10cf0db 100644
--- a/detections/network/detect_large_icmp_traffic.yml
+++ b/detections/network/detect_large_icmp_traffic.yml
@@ -1,7 +1,7 @@
 name: Detect Large ICMP Traffic
 id: 9cd6d066-94d5-4ccd-a8b9-28c03ca91be8
-version: 1
-date: '2025-03-27'
+version: 2
+date: '2025-05-02'
 author: Rico Valdez, Dean Luxton, Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/network/detect_outbound_ldap_traffic.yml b/detections/network/detect_outbound_ldap_traffic.yml
index 99cc44092d..72df45a53a 100644
--- a/detections/network/detect_outbound_ldap_traffic.yml
+++ b/detections/network/detect_outbound_ldap_traffic.yml
@@ -1,7 +1,7 @@
 name: Detect Outbound LDAP Traffic
 id: 5e06e262-d7cd-4216-b2f8-27b437e18458
-version: 6
-date: '2025-03-27'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Johan Bjerke, Splunk
 status: production
 type: Hunting
diff --git a/detections/network/detect_outbound_smb_traffic.yml b/detections/network/detect_outbound_smb_traffic.yml
index be0a4efcf9..35e6ae3f12 100644
--- a/detections/network/detect_outbound_smb_traffic.yml
+++ b/detections/network/detect_outbound_smb_traffic.yml
@@ -1,7 +1,7 @@
 name: Detect Outbound SMB Traffic
 id: 1bed7774-304a-4e8f-9d72-d80e45ff492b
-version: 9
-date: '2025-02-10'
+version: 10
+date: '2025-05-02'
 author: Bhavin Patel, Stuart Hopkins, Patrick Bareiss
 status: experimental
 type: TTP
diff --git a/detections/network/detect_port_security_violation.yml b/detections/network/detect_port_security_violation.yml
index 0126710dbb..6fbb1edced 100644
--- a/detections/network/detect_port_security_violation.yml
+++ b/detections/network/detect_port_security_violation.yml
@@ -1,7 +1,7 @@
 name: Detect Port Security Violation
 id: 2de3d5b8-a4fa-45c5-8540-6d071c194d24
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mikael Bjerkeland, Splunk
 status: experimental
 type: TTP
diff --git a/detections/network/detect_remote_access_software_usage_dns.yml b/detections/network/detect_remote_access_software_usage_dns.yml
index 8601276d56..6ad1557a6d 100644
--- a/detections/network/detect_remote_access_software_usage_dns.yml
+++ b/detections/network/detect_remote_access_software_usage_dns.yml
@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage DNS
 id: a16b797d-e309-41bd-8ba0-5067dae2e4be
-version: 7
-date: '2024-11-15'
+version: 8
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/network/detect_remote_access_software_usage_traffic.yml b/detections/network/detect_remote_access_software_usage_traffic.yml
index b655b82716..538121061b 100644
--- a/detections/network/detect_remote_access_software_usage_traffic.yml
+++ b/detections/network/detect_remote_access_software_usage_traffic.yml
@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage Traffic
 id: 885ea672-07ee-475a-879e-60d28aa5dd42
-version: 7
-date: '2024-11-15'
+version: 8
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/network/detect_rogue_dhcp_server.yml b/detections/network/detect_rogue_dhcp_server.yml
index bd2155d10b..ebc1f43d74 100644
--- a/detections/network/detect_rogue_dhcp_server.yml
+++ b/detections/network/detect_rogue_dhcp_server.yml
@@ -1,7 +1,7 @@
 name: Detect Rogue DHCP Server
 id: 6e1ada88-7a0d-4ac1-92c6-03d354686079
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Mikael Bjerkeland, Splunk
 status: experimental
 type: TTP
diff --git a/detections/network/detect_snicat_sni_exfiltration.yml b/detections/network/detect_snicat_sni_exfiltration.yml
index 764d23f8b2..c791c1ebc7 100644
--- a/detections/network/detect_snicat_sni_exfiltration.yml
+++ b/detections/network/detect_snicat_sni_exfiltration.yml
@@ -1,7 +1,7 @@
 name: Detect SNICat SNI Exfiltration
 id: 82d06410-134c-11eb-adc1-0242ac120002
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Shannon Davis, Splunk
 status: experimental
 type: TTP
diff --git a/detections/network/detect_software_download_to_network_device.yml b/detections/network/detect_software_download_to_network_device.yml
index 5f16395c2c..ed6059ee67 100644
--- a/detections/network/detect_software_download_to_network_device.yml
+++ b/detections/network/detect_software_download_to_network_device.yml
@@ -1,7 +1,7 @@
 name: Detect Software Download To Network Device
 id: cc590c66-f65f-48f2-986a-4797244762f8
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Mikael Bjerkeland, Splunk
 status: experimental
 type: TTP
diff --git a/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml b/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml
index 65c406f40c..a76adf4688 100644
--- a/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml
+++ b/detections/network/detect_suspicious_dns_txt_records_using_pretrained_model_in_dsdl.yml
@@ -1,7 +1,7 @@
 name: Detect suspicious DNS TXT records using pretrained model in DSDL
 id: 92f65c3a-968c-11ed-a1eb-0242ac120002
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/network/detect_traffic_mirroring.yml b/detections/network/detect_traffic_mirroring.yml
index b9982c9d34..93eb9cd137 100644
--- a/detections/network/detect_traffic_mirroring.yml
+++ b/detections/network/detect_traffic_mirroring.yml
@@ -1,7 +1,7 @@
 name: Detect Traffic Mirroring
 id: 42b3b753-5925-49c5-9742-36fa40a73990
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Mikael Bjerkeland, Splunk
 status: experimental
 type: TTP
diff --git a/detections/network/detect_unauthorized_assets_by_mac_address.yml b/detections/network/detect_unauthorized_assets_by_mac_address.yml
index 8462ce9b21..2a6317f6a5 100644
--- a/detections/network/detect_unauthorized_assets_by_mac_address.yml
+++ b/detections/network/detect_unauthorized_assets_by_mac_address.yml
@@ -1,7 +1,7 @@
 name: Detect Unauthorized Assets by MAC address
 id: dcfd6b40-42f9-469d-a433-2e53f7489ff4
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: experimental
 type: TTP
diff --git a/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml b/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml
index b38c1ece41..2720ab6feb 100644
--- a/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml
+++ b/detections/network/detect_windows_dns_sigred_via_splunk_stream.yml
@@ -1,7 +1,7 @@
 name: Detect Windows DNS SIGRed via Splunk Stream
 id: babd8d10-d073-11ea-87d0-0242ac130003
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Shannon Davis, Splunk
 status: experimental
 type: TTP
diff --git a/detections/network/detect_windows_dns_sigred_via_zeek.yml b/detections/network/detect_windows_dns_sigred_via_zeek.yml
index 6b0df85392..cd0c18d6e3 100644
--- a/detections/network/detect_windows_dns_sigred_via_zeek.yml
+++ b/detections/network/detect_windows_dns_sigred_via_zeek.yml
@@ -1,7 +1,7 @@
 name: Detect Windows DNS SIGRed via Zeek
 id: c5c622e4-d073-11ea-87d0-0242ac130003
-version: 6
-date: '2024-11-15'
+version: 7
+date: '2025-05-02'
 author: Shannon Davis, Splunk
 status: experimental
 type: TTP
diff --git a/detections/network/detect_zerologon_via_zeek.yml b/detections/network/detect_zerologon_via_zeek.yml
index 33000d7d6b..12df034750 100644
--- a/detections/network/detect_zerologon_via_zeek.yml
+++ b/detections/network/detect_zerologon_via_zeek.yml
@@ -1,7 +1,7 @@
 name: Detect Zerologon via Zeek
 id: bf7a06ec-f703-11ea-adc1-0242ac120002
-version: '5'
-date: '2025-03-03'
+version: 6
+date: '2025-05-02'
 author: Shannon Davis, Splunk
 status: experimental
 type: TTP
diff --git a/detections/network/dns_query_length_outliers___mltk.yml b/detections/network/dns_query_length_outliers___mltk.yml
index 2c4743e19d..57d7ed8998 100644
--- a/detections/network/dns_query_length_outliers___mltk.yml
+++ b/detections/network/dns_query_length_outliers___mltk.yml
@@ -1,7 +1,7 @@
 name: DNS Query Length Outliers - MLTK
 id: 85fbcfe8-9718-4911-adf6-7000d077a3a9
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Rico Valdez, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/network/dns_query_length_with_high_standard_deviation.yml b/detections/network/dns_query_length_with_high_standard_deviation.yml
index 198faa4369..583a0f9382 100644
--- a/detections/network/dns_query_length_with_high_standard_deviation.yml
+++ b/detections/network/dns_query_length_with_high_standard_deviation.yml
@@ -1,7 +1,7 @@
 name: DNS Query Length With High Standard Deviation
 id: 1a67f15a-f4ff-4170-84e9-08cf6f75d6f5
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/excessive_dns_failures.yml b/detections/network/excessive_dns_failures.yml
index b809df4dbf..c7cf916538 100644
--- a/detections/network/excessive_dns_failures.yml
+++ b/detections/network/excessive_dns_failures.yml
@@ -1,7 +1,7 @@
 name: Excessive DNS Failures
 id: 104658f4-afdc-499e-9719-17243f9826f1
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: bowesmana, Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml b/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml
index 572478664e..fd9d35d815 100644
--- a/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml
+++ b/detections/network/f5_big_ip_icontrol_rest_vulnerability_cve_2022_1388.yml
@@ -1,7 +1,7 @@
 name: F5 BIG-IP iControl REST Vulnerability CVE-2022-1388
 id: bb1c2c30-107a-4e56-a4b9-1f7022867bfe
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml b/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml
index 86532055ed..2774a09a10 100644
--- a/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml
+++ b/detections/network/hosts_receiving_high_volume_of_network_traffic_from_email_server.yml
@@ -1,7 +1,7 @@
 name: Hosts receiving high volume of network traffic from email server
 id: 7f5fb3e1-4209-4914-90db-0ec21b556368
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/network/internal_horizontal_port_scan.yml b/detections/network/internal_horizontal_port_scan.yml
index 87f81039c7..7a41837646 100644
--- a/detections/network/internal_horizontal_port_scan.yml
+++ b/detections/network/internal_horizontal_port_scan.yml
@@ -1,7 +1,7 @@
 name: Internal Horizontal Port Scan
 id: 1ff9eb9a-7d72-4993-a55e-59a839e607f1
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/network/internal_horizontal_port_scan_nmap_top_20.yml b/detections/network/internal_horizontal_port_scan_nmap_top_20.yml
index 1dee1933a2..bb579e54fc 100644
--- a/detections/network/internal_horizontal_port_scan_nmap_top_20.yml
+++ b/detections/network/internal_horizontal_port_scan_nmap_top_20.yml
@@ -1,7 +1,7 @@
 name: Internal Horizontal Port Scan NMAP Top 20
 id: 3141a041-4f57-4277-9faa-9305ca1f8e5b
-version: 3
-date: '2024-11-15'
+version: 4
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/network/internal_vertical_port_scan.yml b/detections/network/internal_vertical_port_scan.yml
index bc04d556ce..8709d0c686 100644
--- a/detections/network/internal_vertical_port_scan.yml
+++ b/detections/network/internal_vertical_port_scan.yml
@@ -1,7 +1,7 @@
 name: Internal Vertical Port Scan
 id: 40d2dc41-9bbf-421a-a34b-8611271a6770
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Dean Luxton
 status: production
 type: TTP
diff --git a/detections/network/internal_vulnerability_scan.yml b/detections/network/internal_vulnerability_scan.yml
index a02dfe5494..86ae5b4a0c 100644
--- a/detections/network/internal_vulnerability_scan.yml
+++ b/detections/network/internal_vulnerability_scan.yml
@@ -1,7 +1,7 @@
 name: Internal Vulnerability Scan
 id: 46f946ed-1c78-4e96-9906-c7a4be15e39b
-version: 3
-date: '2024-11-15'
+version: 4
+date: '2025-05-02'
 author: Dean Luxton
 status: experimental
 type: TTP
diff --git a/detections/network/large_volume_of_dns_any_queries.yml b/detections/network/large_volume_of_dns_any_queries.yml
index 1be208ea08..b95887131f 100644
--- a/detections/network/large_volume_of_dns_any_queries.yml
+++ b/detections/network/large_volume_of_dns_any_queries.yml
@@ -1,7 +1,7 @@
 name: Large Volume of DNS ANY Queries
 id: 8fa891f7-a533-4b3c-af85-5aa2e7c1f1eb
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/network/ngrok_reverse_proxy_on_network.yml b/detections/network/ngrok_reverse_proxy_on_network.yml
index c42fcaea18..046adf999f 100644
--- a/detections/network/ngrok_reverse_proxy_on_network.yml
+++ b/detections/network/ngrok_reverse_proxy_on_network.yml
@@ -1,7 +1,7 @@
 name: Ngrok Reverse Proxy on Network
 id: 5790a766-53b8-40d3-a696-3547b978fcf0
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/prohibited_network_traffic_allowed.yml b/detections/network/prohibited_network_traffic_allowed.yml
index 1cb7119d9c..58669d9df0 100644
--- a/detections/network/prohibited_network_traffic_allowed.yml
+++ b/detections/network/prohibited_network_traffic_allowed.yml
@@ -1,7 +1,7 @@
 name: Prohibited Network Traffic Allowed
 id: ce5a0962-849f-4720-a678-753fe6674479
-version: 6
-date: '2024-11-15'
+version: 7
+date: '2025-05-02'
 author: Rico Valdez, Splunk
 status: production
 type: TTP
diff --git a/detections/network/protocol_or_port_mismatch.yml b/detections/network/protocol_or_port_mismatch.yml
index 727748a951..754bd28776 100644
--- a/detections/network/protocol_or_port_mismatch.yml
+++ b/detections/network/protocol_or_port_mismatch.yml
@@ -1,7 +1,7 @@
 name: Protocol or Port Mismatch
 id: 54dc1265-2f74-4b6d-b30d-49eb506a31b3
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Rico Valdez, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/network/protocols_passing_authentication_in_cleartext.yml b/detections/network/protocols_passing_authentication_in_cleartext.yml
index 33cf2063ad..f27835bbee 100644
--- a/detections/network/protocols_passing_authentication_in_cleartext.yml
+++ b/detections/network/protocols_passing_authentication_in_cleartext.yml
@@ -1,7 +1,7 @@
 name: Protocols passing authentication in cleartext
 id: 6923cd64-17a0-453c-b945-81ac2d8c6db9
 version: 7
-date: '2025-03-03'
+date: '2025-05-02'
 author: Rico Valdez, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/network/remote_desktop_network_traffic.yml b/detections/network/remote_desktop_network_traffic.yml
index 47727cdb56..1e26472021 100644
--- a/detections/network/remote_desktop_network_traffic.yml
+++ b/detections/network/remote_desktop_network_traffic.yml
@@ -1,7 +1,7 @@
 name: Remote Desktop Network Traffic
 id: 272b8407-842d-4b3d-bead-a704584003d3
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/rundll32_dnsquery.yml b/detections/network/rundll32_dnsquery.yml
index 2fac28f717..80d4b36be0 100644
--- a/detections/network/rundll32_dnsquery.yml
+++ b/detections/network/rundll32_dnsquery.yml
@@ -1,7 +1,7 @@
 name: Rundll32 DNSQuery
 id: f1483f5e-ee29-11eb-9d23-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/network/smb_traffic_spike.yml b/detections/network/smb_traffic_spike.yml
index 122c6cb228..e1e3244b39 100644
--- a/detections/network/smb_traffic_spike.yml
+++ b/detections/network/smb_traffic_spike.yml
@@ -1,7 +1,7 @@
 name: SMB Traffic Spike
 id: 7f5fb3e1-4209-4914-90db-0ec21b936378
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/network/smb_traffic_spike___mltk.yml b/detections/network/smb_traffic_spike___mltk.yml
index 38c6b024a6..77f7e6a8c5 100644
--- a/detections/network/smb_traffic_spike___mltk.yml
+++ b/detections/network/smb_traffic_spike___mltk.yml
@@ -1,7 +1,7 @@
 name: SMB Traffic Spike - MLTK
 id: d25773ba-9ad8-48d1-858e-07ad0bbeb828
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Rico Valdez, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/network/ssl_certificates_with_punycode.yml b/detections/network/ssl_certificates_with_punycode.yml
index c19238b392..3546c513b3 100644
--- a/detections/network/ssl_certificates_with_punycode.yml
+++ b/detections/network/ssl_certificates_with_punycode.yml
@@ -1,7 +1,7 @@
 name: SSL Certificates with Punycode
 id: 696694df-5706-495a-81f2-79501fa11b90
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: experimental
 type: Hunting
diff --git a/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml b/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml
index 2b83e0624c..009df622af 100644
--- a/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml
+++ b/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml
@@ -1,7 +1,7 @@
 name: Suspicious Process DNS Query Known Abuse Web Services
 id: 3cf0dc36-484d-11ec-a6bc-acde48001122
-version: 11
-date: '2025-04-18'
+version: 12
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/network/suspicious_process_with_discord_dns_query.yml b/detections/network/suspicious_process_with_discord_dns_query.yml
index 72bdce2f32..2131e91792 100644
--- a/detections/network/suspicious_process_with_discord_dns_query.yml
+++ b/detections/network/suspicious_process_with_discord_dns_query.yml
@@ -1,7 +1,7 @@
 name: Suspicious Process With Discord DNS Query
 id: 4d4332ae-792c-11ec-89c1-acde48001122
-version: 9
-date: '2025-04-18'
+version: 10
+date: '2025-05-02'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/tor_traffic.yml b/detections/network/tor_traffic.yml
index 70f224eeda..a6f9897278 100644
--- a/detections/network/tor_traffic.yml
+++ b/detections/network/tor_traffic.yml
@@ -1,7 +1,7 @@
 name: TOR Traffic
 id: ea688274-9c06-4473-b951-e4cb7a5d7a45
-version: 8
-date: '2025-02-10'
+version: 9
+date: '2025-05-02'
 author: David Dorsey, Bhavin Patel, Splunk
 status: production
 type: TTP
diff --git a/detections/network/wermgr_process_connecting_to_ip_check_web_services.yml b/detections/network/wermgr_process_connecting_to_ip_check_web_services.yml
index f9cd823968..6a70f4544a 100644
--- a/detections/network/wermgr_process_connecting_to_ip_check_web_services.yml
+++ b/detections/network/wermgr_process_connecting_to_ip_check_web_services.yml
@@ -1,7 +1,7 @@
 name: Wermgr Process Connecting To IP Check Web Services
 id: ed313326-a0f9-11eb-a89c-acde48001122
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
 type: TTP
diff --git a/detections/network/windows_abused_web_services.yml b/detections/network/windows_abused_web_services.yml
index c12ba36f87..48672feee5 100644
--- a/detections/network/windows_abused_web_services.yml
+++ b/detections/network/windows_abused_web_services.yml
@@ -1,7 +1,7 @@
 name: Windows Abused Web Services
 id: 01f0aef4-8591-4daa-a53d-0ed49823b681
-version: 5
-date: '2024-11-13'
+version: 6
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/network/windows_ad_replication_service_traffic.yml b/detections/network/windows_ad_replication_service_traffic.yml
index 59036dc908..1755d1bd9c 100644
--- a/detections/network/windows_ad_replication_service_traffic.yml
+++ b/detections/network/windows_ad_replication_service_traffic.yml
@@ -1,7 +1,7 @@
 name: Windows AD Replication Service Traffic
 id: c6e24183-a5f4-4b2a-ad01-2eb456d09b67
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Steven Dick
 type: TTP
 status: experimental
diff --git a/detections/network/windows_ad_rogue_domain_controller_network_activity.yml b/detections/network/windows_ad_rogue_domain_controller_network_activity.yml
index d1f364dbfb..892e905a1c 100644
--- a/detections/network/windows_ad_rogue_domain_controller_network_activity.yml
+++ b/detections/network/windows_ad_rogue_domain_controller_network_activity.yml
@@ -1,7 +1,7 @@
 name: Windows AD Rogue Domain Controller Network Activity
 id: c4aeeeef-da7f-4338-b3ba-553cbcbe2138
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Dean Luxton
 type: TTP
 status: experimental
diff --git a/detections/network/windows_dns_query_request_by_telegram_bot_api.yml b/detections/network/windows_dns_query_request_by_telegram_bot_api.yml
index 861b808fa1..c5edac0ed7 100644
--- a/detections/network/windows_dns_query_request_by_telegram_bot_api.yml
+++ b/detections/network/windows_dns_query_request_by_telegram_bot_api.yml
@@ -1,7 +1,7 @@
 name: Windows DNS Query Request by Telegram Bot API
 id: 86f66f44-94d9-412d-a71d-5d8ed0fef72e
-version: 3
-date: '2025-02-10'
+version: 4
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 data_source:
 - Sysmon EventID 22
diff --git a/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml b/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml
index 8f4c5b6208..a0e13dcfea 100644
--- a/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml
+++ b/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml
@@ -1,7 +1,7 @@
 name: Windows Gather Victim Network Info Through Ip Check Web Services
 id: 70f7c952-0758-46d6-9148-d8969c4481d1
-version: 11
-date: '2025-04-17'
+version: 12
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/network/windows_multi_hop_proxy_tor_website_query.yml b/detections/network/windows_multi_hop_proxy_tor_website_query.yml
index bc057a8249..b3bab72e71 100644
--- a/detections/network/windows_multi_hop_proxy_tor_website_query.yml
+++ b/detections/network/windows_multi_hop_proxy_tor_website_query.yml
@@ -1,7 +1,7 @@
 name: Windows Multi hop Proxy TOR Website Query
 id: 4c2d198b-da58-48d7-ba27-9368732d0054
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml b/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml
index 77092299c8..c0c701717b 100644
--- a/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml
+++ b/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml
@@ -1,7 +1,7 @@
 name: Windows Remote Desktop Network Bruteforce Attempt
 id: 908bf0d5-0983-4afd-b6a4-e9eb5d361a7d
-version: 3
-date: '2025-02-11'
+version: 4
+date: '2025-05-02'
 author: Jose Hernandez, Bhavin Patel, Splunk
 status: production
 type: Anomaly
diff --git a/detections/network/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml b/detections/network/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml
index 5dc0448340..a259d4cefc 100644
--- a/detections/network/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml
+++ b/detections/network/windows_spearphishing_attachment_connect_to_none_ms_office_domain.yml
@@ -1,7 +1,7 @@
 name: Windows Spearphishing Attachment Connect To None MS Office Domain
 id: 1cb40e15-cffa-45cc-abbd-e35884a49766
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
diff --git a/detections/network/zeek_x509_certificate_with_punycode.yml b/detections/network/zeek_x509_certificate_with_punycode.yml
index f22ab38c2e..13b767d411 100644
--- a/detections/network/zeek_x509_certificate_with_punycode.yml
+++ b/detections/network/zeek_x509_certificate_with_punycode.yml
@@ -1,7 +1,7 @@
 name: Zeek x509 Certificate with Punycode
 id: 029d6fe4-a5fe-43af-827e-c78c50e81d81
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: experimental
 type: Hunting
diff --git a/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml b/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml
index d77b3ca65e..c36fb76ea8 100644
--- a/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml
+++ b/detections/web/access_to_vulnerable_ivanti_connect_secure_bookmark_endpoint.yml
@@ -1,7 +1,7 @@
 name: Access to Vulnerable Ivanti Connect Secure Bookmark Endpoint
 id: 15838756-f425-43fa-9d88-a7f88063e81a
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/adobe_coldfusion_access_control_bypass.yml b/detections/web/adobe_coldfusion_access_control_bypass.yml
index c89e2113e8..10c813edda 100644
--- a/detections/web/adobe_coldfusion_access_control_bypass.yml
+++ b/detections/web/adobe_coldfusion_access_control_bypass.yml
@@ -1,7 +1,7 @@
 name: Adobe ColdFusion Access Control Bypass
 id: d6821c0b-fcdc-4c95-a77f-e10752fae41a
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml b/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml
index 6db52e23c4..6d6148c921 100644
--- a/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml
+++ b/detections/web/adobe_coldfusion_unauthenticated_arbitrary_file_read.yml
@@ -1,7 +1,7 @@
 name: Adobe ColdFusion Unauthenticated Arbitrary File Read
 id: 695aceae-21db-4e7f-93ac-a52e39d02b93
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/cisco_ios_xe_implant_access.yml b/detections/web/cisco_ios_xe_implant_access.yml
index 804b64d152..b44f36947c 100644
--- a/detections/web/cisco_ios_xe_implant_access.yml
+++ b/detections/web/cisco_ios_xe_implant_access.yml
@@ -1,7 +1,7 @@
 name: Cisco IOS XE Implant Access
 id: 07c36cda-6567-43c3-bc1a-89dff61e2cd9
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml b/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml
index e17f9a29b1..b8e1b11a1f 100644
--- a/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml
+++ b/detections/web/citrix_adc_and_gateway_unauthorized_data_disclosure.yml
@@ -1,7 +1,7 @@
 name: Citrix ADC and Gateway Unauthorized Data Disclosure
 id: b593cac5-dd20-4358-972a-d945fefdaf17
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/citrix_adc_exploitation_cve_2023_3519.yml b/detections/web/citrix_adc_exploitation_cve_2023_3519.yml
index fd10fa8aee..a118ae7fa5 100644
--- a/detections/web/citrix_adc_exploitation_cve_2023_3519.yml
+++ b/detections/web/citrix_adc_exploitation_cve_2023_3519.yml
@@ -1,7 +1,7 @@
 name: Citrix ADC Exploitation CVE-2023-3519
 id: 76ac2dcb-333c-4a77-8ae9-2720cfae47a8
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml b/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml
index 96096309be..8c454bf04a 100644
--- a/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml
+++ b/detections/web/citrix_sharefile_exploitation_cve_2023_24489.yml
@@ -1,7 +1,7 @@
 name: Citrix ShareFile Exploitation CVE-2023-24489
 id: 172c59f2-5fae-45e5-8e51-94445143e93f
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml b/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml
index 625f7aa5ab..adfaaf8747 100644
--- a/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml
+++ b/detections/web/confluence_cve_2023_22515_trigger_vulnerability.yml
@@ -1,7 +1,7 @@
 name: Confluence CVE-2023-22515 Trigger Vulnerability
 id: 630ea8b2-2800-4f5d-9cbc-d65c567349b0
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/confluence_data_center_and_server_privilege_escalation.yml b/detections/web/confluence_data_center_and_server_privilege_escalation.yml
index 95e9336c6a..3b530a0970 100644
--- a/detections/web/confluence_data_center_and_server_privilege_escalation.yml
+++ b/detections/web/confluence_data_center_and_server_privilege_escalation.yml
@@ -1,7 +1,7 @@
 name: Confluence Data Center and Server Privilege Escalation
 id: 115bebac-0976-4f7d-a3ec-d1fb45a39a11
-version: 6
-date: '2024-11-15'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml b/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml
index e8da6a5df9..67bf2703f3 100644
--- a/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml
+++ b/detections/web/confluence_pre_auth_rce_via_ognl_injection_cve_2023_22527.yml
@@ -1,7 +1,7 @@
 name: Confluence Pre-Auth RCE via OGNL Injection CVE-2023-22527
 id: f56936c0-ae6f-4eeb-91ff-ecc1448c6105
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml b/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml
index a0d16683f5..1d6714b703 100644
--- a/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml
+++ b/detections/web/confluence_unauthenticated_remote_code_execution_cve_2022_26134.yml
@@ -1,7 +1,7 @@
 name: Confluence Unauthenticated Remote Code Execution CVE-2022-26134
 id: fcf4bd3f-a79f-4b7a-83bf-2692d60b859c
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/connectwise_screenconnect_authentication_bypass.yml b/detections/web/connectwise_screenconnect_authentication_bypass.yml
index ecdf7bd528..8748c27d7a 100644
--- a/detections/web/connectwise_screenconnect_authentication_bypass.yml
+++ b/detections/web/connectwise_screenconnect_authentication_bypass.yml
@@ -1,7 +1,7 @@
 name: ConnectWise ScreenConnect Authentication Bypass
 id: d3f7a803-e802-448b-8eb2-e796b223bfff
-version: 6
-date: '2025-03-24'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source:
 - Suricata
diff --git a/detections/web/crushftp_authentication_bypass_exploitation.yml b/detections/web/crushftp_authentication_bypass_exploitation.yml
index bd9717dbb9..1d9dcea53f 100644
--- a/detections/web/crushftp_authentication_bypass_exploitation.yml
+++ b/detections/web/crushftp_authentication_bypass_exploitation.yml
@@ -1,7 +1,7 @@
 name: CrushFTP Authentication Bypass Exploitation
 id: 82eb7f64-d219-4e21-acfe-956de84c1a35
-version: 1
-date: '2025-04-08'
+version: 2
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/crushftp_max_simultaneous_users_from_ip.yml b/detections/web/crushftp_max_simultaneous_users_from_ip.yml
index fd9eb99a8c..239d84edc7 100644
--- a/detections/web/crushftp_max_simultaneous_users_from_ip.yml
+++ b/detections/web/crushftp_max_simultaneous_users_from_ip.yml
@@ -1,7 +1,7 @@
 name: CrushFTP Max Simultaneous Users From IP
 id: 75dfd9f4-ca64-45d0-9422-4bde6d26a59e
-version: 1
-date: '2025-04-08'
+version: 2
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml b/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml
index dbf55e5ed9..b122e04f98 100644
--- a/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml
+++ b/detections/web/detect_attackers_scanning_for_vulnerable_jboss_servers.yml
@@ -1,7 +1,7 @@
 name: Detect attackers scanning for vulnerable JBoss servers
 id: 104658f4-afdc-499e-9719-17243f982681
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: experimental
 type: TTP
diff --git a/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml b/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml
index 28b011afe7..cfbe6991c3 100644
--- a/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml
+++ b/detections/web/detect_f5_tmui_rce_cve_2020_5902.yml
@@ -1,7 +1,7 @@
 name: Detect F5 TMUI RCE CVE-2020-5902
 id: 810e4dbc-d46e-11ea-87d0-0242ac130003
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Shannon Davis, Splunk
 status: experimental
 type: TTP
diff --git a/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml b/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml
index 7a162d7c7f..11fbae3f11 100644
--- a/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml
+++ b/detections/web/detect_malicious_requests_to_exploit_jboss_servers.yml
@@ -1,7 +1,7 @@
 name: Detect malicious requests to exploit JBoss servers
 id: c8bff7a4-11ea-4416-a27d-c5bca472913d
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: experimental
 type: TTP
diff --git a/detections/web/detect_remote_access_software_usage_url.yml b/detections/web/detect_remote_access_software_usage_url.yml
index 25aac973dd..e14d88ec03 100644
--- a/detections/web/detect_remote_access_software_usage_url.yml
+++ b/detections/web/detect_remote_access_software_usage_url.yml
@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage URL
 id: 9296f515-073c-43a5-88ec-eda5a4626654
-version: 8
-date: '2024-11-15'
+version: 9
+date: '2025-05-02'
 author: Steven Dick
 status: production
 type: Anomaly
diff --git a/detections/web/detect_web_access_to_decommissioned_s3_bucket.yml b/detections/web/detect_web_access_to_decommissioned_s3_bucket.yml
index 254ed312e7..d4d94a87f1 100644
--- a/detections/web/detect_web_access_to_decommissioned_s3_bucket.yml
+++ b/detections/web/detect_web_access_to_decommissioned_s3_bucket.yml
@@ -1,7 +1,7 @@
 name: Detect Web Access to Decommissioned S3 Bucket
 id: 3a1d8f62-5b9c-4e7d-b8f3-9d6a8e2f5e1f
-version: 1
-date: '2025-02-12'
+version: 2
+date: '2025-05-02'
 author: Jose Hernandez, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/web/exploit_public_facing_application_via_apache_commons_text.yml b/detections/web/exploit_public_facing_application_via_apache_commons_text.yml
index 162db64b40..4780d50e62 100644
--- a/detections/web/exploit_public_facing_application_via_apache_commons_text.yml
+++ b/detections/web/exploit_public_facing_application_via_apache_commons_text.yml
@@ -1,7 +1,7 @@
 name: Exploit Public Facing Application via Apache Commons Text
 id: 19a481e0-c97c-4d14-b1db-75a708eb592e
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml b/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml
index a67a69b392..782539cb27 100644
--- a/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml
+++ b/detections/web/exploit_public_facing_fortinet_fortinac_cve_2022_39952.yml
@@ -1,7 +1,7 @@
 name: Exploit Public-Facing Fortinet FortiNAC CVE-2022-39952
 id: 2038f5c6-5aba-4221-8ae2-ca76e2ca8b97
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/f5_tmui_authentication_bypass.yml b/detections/web/f5_tmui_authentication_bypass.yml
index 21f73cba3c..733aa9504b 100644
--- a/detections/web/f5_tmui_authentication_bypass.yml
+++ b/detections/web/f5_tmui_authentication_bypass.yml
@@ -1,7 +1,7 @@
 name: F5 TMUI Authentication Bypass
 id: 88bf127c-613e-4579-99e4-c4d4b02f3840
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/fortinet_appliance_auth_bypass.yml b/detections/web/fortinet_appliance_auth_bypass.yml
index 26b16128b0..b7b8546144 100644
--- a/detections/web/fortinet_appliance_auth_bypass.yml
+++ b/detections/web/fortinet_appliance_auth_bypass.yml
@@ -1,7 +1,7 @@
 name: Fortinet Appliance Auth bypass
 id: a83122f2-fa09-4868-a230-544dbc54bc1c
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/high_volume_of_bytes_out_to_url.yml b/detections/web/high_volume_of_bytes_out_to_url.yml
index 06dc8e5092..8636e7eae5 100644
--- a/detections/web/high_volume_of_bytes_out_to_url.yml
+++ b/detections/web/high_volume_of_bytes_out_to_url.yml
@@ -1,7 +1,7 @@
 name: High Volume of Bytes Out to Url
 id: c8a6b56d-16dd-4e9c-b4bd-527742ead98d
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 data_source:
 - Nginx Access
diff --git a/detections/web/hunting_for_log4shell.yml b/detections/web/hunting_for_log4shell.yml
index 772a5c62b0..5b435a24ec 100644
--- a/detections/web/hunting_for_log4shell.yml
+++ b/detections/web/hunting_for_log4shell.yml
@@ -1,7 +1,7 @@
 name: Hunting for Log4Shell
 id: 158b68fa-5d1a-11ec-aac8-acde48001122
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/web/ivanti_connect_secure_command_injection_attempts.yml b/detections/web/ivanti_connect_secure_command_injection_attempts.yml
index 9c15e51f48..978180327b 100644
--- a/detections/web/ivanti_connect_secure_command_injection_attempts.yml
+++ b/detections/web/ivanti_connect_secure_command_injection_attempts.yml
@@ -1,7 +1,7 @@
 name: Ivanti Connect Secure Command Injection Attempts
 id: 1f32a7e0-a060-4545-b7de-73fcf9ad536e
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml b/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml
index 5647cfa8a7..fef0d6a67e 100644
--- a/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml
+++ b/detections/web/ivanti_connect_secure_ssrf_in_saml_component.yml
@@ -1,7 +1,7 @@
 name: Ivanti Connect Secure SSRF in SAML Component
 id: 8e6ca490-7af3-4299-9a24-39fb69759925
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml b/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml
index 8ca110a5e3..5bfedec959 100644
--- a/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml
+++ b/detections/web/ivanti_connect_secure_system_information_access_via_auth_bypass.yml
@@ -1,7 +1,7 @@
 name: Ivanti Connect Secure System Information Access via Auth Bypass
 id: d51c13dd-a232-4c83-a2bb-72ab36233c5d
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml b/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml
index 0531367b9e..585f387d40 100644
--- a/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml
+++ b/detections/web/ivanti_epm_sql_injection_remote_code_execution.yml
@@ -1,7 +1,7 @@
 name: Ivanti EPM SQL Injection Remote Code Execution
 id: e20564ca-c86c-4e30-acdb-a8486673426f
-version: 3
-date: '2024-11-15'
+version: 4
+date: '2025-05-02'
 author: Michael Haag
 type: TTP
 status: production
diff --git a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml
index 358098f043..773ffb0dee 100644
--- a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml
+++ b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35078.yml
@@ -1,7 +1,7 @@
 name: Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078
 id: 66b9c9ba-7fb2-4e80-a3a2-496e5e078167
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml
index a12e81e4e8..e6fb321219 100644
--- a/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml
+++ b/detections/web/ivanti_epmm_remote_unauthenticated_api_access_cve_2023_35082.yml
@@ -1,7 +1,7 @@
 name: Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082
 id: e03edeba-4942-470c-a664-27253f3ad351
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/ivanti_sentry_authentication_bypass.yml b/detections/web/ivanti_sentry_authentication_bypass.yml
index 3f13c71a17..0cf5bddae7 100644
--- a/detections/web/ivanti_sentry_authentication_bypass.yml
+++ b/detections/web/ivanti_sentry_authentication_bypass.yml
@@ -1,7 +1,7 @@
 name: Ivanti Sentry Authentication Bypass
 id: b8e0d1cf-e6a8-4d46-a5ae-aebe18ead8f8
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/java_class_file_download_by_java_user_agent.yml b/detections/web/java_class_file_download_by_java_user_agent.yml
index a4f4ce619f..5c191bbbb1 100644
--- a/detections/web/java_class_file_download_by_java_user_agent.yml
+++ b/detections/web/java_class_file_download_by_java_user_agent.yml
@@ -1,7 +1,7 @@
 name: Java Class File download by Java User Agent
 id: 8281ce42-5c50-11ec-82d2-acde48001122
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml b/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml
index 8dd7dab448..75ffd1424b 100644
--- a/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml
+++ b/detections/web/jenkins_arbitrary_file_read_cve_2024_23897.yml
@@ -1,7 +1,7 @@
 name: Jenkins Arbitrary File Read CVE-2024-23897
 id: c641260d-2b48-4eb1-b1e8-2cc5b8b99ab1
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml b/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml
index 4fd44d2268..b7e684e51d 100644
--- a/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml
+++ b/detections/web/jetbrains_teamcity_authentication_bypass_cve_2024_27198.yml
@@ -1,7 +1,7 @@
 name: JetBrains TeamCity Authentication Bypass CVE-2024-27198
 id: fbcc04c7-8a79-453c-b3a9-c232c423bdd4
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source:
 - Suricata
diff --git a/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml b/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml
index 7aa9431f75..b9e3526b56 100644
--- a/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml
+++ b/detections/web/jetbrains_teamcity_authentication_bypass_suricata_cve_2024_27198.yml
@@ -1,7 +1,7 @@
 name: JetBrains TeamCity Authentication Bypass Suricata CVE-2024-27198
 id: fbcc04c7-8a79-453c-b3a9-c232c423bdd3
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source:
 - Suricata
diff --git a/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml b/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml
index d1f5a7e239..152c75053a 100644
--- a/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml
+++ b/detections/web/jetbrains_teamcity_limited_auth_bypass_suricata_cve_2024_27199.yml
@@ -1,7 +1,7 @@
 name: JetBrains TeamCity Limited Auth Bypass Suricata CVE-2024-27199
 id: a1e68dcd-2e24-4434-bd0e-b3d4de139d58
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source:
 - Suricata
diff --git a/detections/web/jetbrains_teamcity_rce_attempt.yml b/detections/web/jetbrains_teamcity_rce_attempt.yml
index f478aa2c0c..72d5a08678 100644
--- a/detections/web/jetbrains_teamcity_rce_attempt.yml
+++ b/detections/web/jetbrains_teamcity_rce_attempt.yml
@@ -1,7 +1,7 @@
 name: JetBrains TeamCity RCE Attempt
 id: 89a58e5f-1365-4793-b45c-770abbb32b6c
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml b/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml
index 833be2b428..aaf8124b27 100644
--- a/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml
+++ b/detections/web/juniper_networks_remote_code_execution_exploit_detection.yml
@@ -1,7 +1,7 @@
 name: Juniper Networks Remote Code Execution Exploit Detection
 id: 6cc4cc3d-b10a-4fac-be1e-55d384fc690e
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/log4shell_jndi_payload_injection_attempt.yml b/detections/web/log4shell_jndi_payload_injection_attempt.yml
index 5ec2d50d5e..c423de6925 100644
--- a/detections/web/log4shell_jndi_payload_injection_attempt.yml
+++ b/detections/web/log4shell_jndi_payload_injection_attempt.yml
@@ -1,7 +1,7 @@
 name: Log4Shell JNDI Payload Injection Attempt
 id: c184f12e-5c90-11ec-bf1f-497c9a704a72
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Jose Hernandez
 status: production
 type: Anomaly
diff --git a/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml b/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml
index a1baf2c02e..e0bff0db78 100644
--- a/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml
+++ b/detections/web/log4shell_jndi_payload_injection_with_outbound_connection.yml
@@ -1,7 +1,7 @@
 name: Log4Shell JNDI Payload Injection with Outbound Connection
 id: 69afee44-5c91-11ec-bf1f-497c9a704a72
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Jose Hernandez
 status: production
 type: Anomaly
diff --git a/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml b/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml
index be8d1c5663..09fb3f8f24 100644
--- a/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml
+++ b/detections/web/microsoft_sharepoint_server_elevation_of_privilege.yml
@@ -1,7 +1,7 @@
 name: Microsoft SharePoint Server Elevation of Privilege
 id: fcf4bd3f-a79f-4b7a-83bf-2692d60b859d
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/web/monitor_web_traffic_for_brand_abuse.yml b/detections/web/monitor_web_traffic_for_brand_abuse.yml
index 650b5c9f48..9b6b007467 100644
--- a/detections/web/monitor_web_traffic_for_brand_abuse.yml
+++ b/detections/web/monitor_web_traffic_for_brand_abuse.yml
@@ -1,7 +1,7 @@
 name: Monitor Web Traffic For Brand Abuse
 id: 134da869-e264-4a8f-8d7e-fcd0ec88f301
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: David Dorsey, Splunk
 status: experimental
 type: TTP
diff --git a/detections/web/multiple_archive_files_http_post_traffic.yml b/detections/web/multiple_archive_files_http_post_traffic.yml
index 7e4978a2c5..41e9630b9d 100644
--- a/detections/web/multiple_archive_files_http_post_traffic.yml
+++ b/detections/web/multiple_archive_files_http_post_traffic.yml
@@ -1,7 +1,7 @@
 name: Multiple Archive Files Http Post Traffic
 id: 4477f3ea-a28f-11eb-b762-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml b/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml
index 5e0587a98f..e1ad49a6c2 100644
--- a/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml
+++ b/detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml
@@ -1,7 +1,7 @@
 name: Nginx ConnectWise ScreenConnect Authentication Bypass
 id: b3f7a803-e802-448b-8eb2-e796b223bccc
-version: 5
-date: '2025-03-24'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source:
 - Nginx Access
diff --git a/detections/web/papercut_ng_remote_web_access_attempt.yml b/detections/web/papercut_ng_remote_web_access_attempt.yml
index ca301d7f70..bf2c7e1652 100644
--- a/detections/web/papercut_ng_remote_web_access_attempt.yml
+++ b/detections/web/papercut_ng_remote_web_access_attempt.yml
@@ -1,7 +1,7 @@
 name: PaperCut NG Remote Web Access Attempt
 id: 9fcb214a-dc42-4ce7-a650-f1d2cab16a6a
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/plain_http_post_exfiltrated_data.yml b/detections/web/plain_http_post_exfiltrated_data.yml
index 1272c755a0..0fbbd09cc3 100644
--- a/detections/web/plain_http_post_exfiltrated_data.yml
+++ b/detections/web/plain_http_post_exfiltrated_data.yml
@@ -1,7 +1,7 @@
 name: Plain HTTP POST Exfiltrated Data
 id: e2b36208-a364-11eb-8909-acde48001122
-version: 6
-date: '2025-02-10'
+version: 7
+date: '2025-05-02'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
diff --git a/detections/web/proxyshell_proxynotshell_behavior_detected.yml b/detections/web/proxyshell_proxynotshell_behavior_detected.yml
index 6f4f4aeca0..9e55d33ddb 100644
--- a/detections/web/proxyshell_proxynotshell_behavior_detected.yml
+++ b/detections/web/proxyshell_proxynotshell_behavior_detected.yml
@@ -1,7 +1,7 @@
 name: ProxyShell ProxyNotShell Behavior Detected
 id: c32fab32-6aaf-492d-bfaf-acbed8e50cdf
-version: 6
-date: '2025-04-16'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Correlation
diff --git a/detections/web/sap_netweaver_visual_composer_exploitation_attempt.yml b/detections/web/sap_netweaver_visual_composer_exploitation_attempt.yml
index 4ced874045..c47b5ca8f3 100644
--- a/detections/web/sap_netweaver_visual_composer_exploitation_attempt.yml
+++ b/detections/web/sap_netweaver_visual_composer_exploitation_attempt.yml
@@ -1,7 +1,7 @@
 name: SAP NetWeaver Visual Composer Exploitation Attempt
 id: a583b9f1-9c3a-4402-9441-b981654dea6c
-version: 1
-date: '2025-04-28'
+version: 2
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/web/spring4shell_payload_url_request.yml b/detections/web/spring4shell_payload_url_request.yml
index adec62590e..08dd88cb22 100644
--- a/detections/web/spring4shell_payload_url_request.yml
+++ b/detections/web/spring4shell_payload_url_request.yml
@@ -1,7 +1,7 @@
 name: Spring4Shell Payload URL Request
 id: 9d44d649-7d67-4559-95c1-8022ff49420b
-version: 5
-date: '2025-02-10'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/sql_injection_with_long_urls.yml b/detections/web/sql_injection_with_long_urls.yml
index baeaf5e239..3c061bc222 100644
--- a/detections/web/sql_injection_with_long_urls.yml
+++ b/detections/web/sql_injection_with_long_urls.yml
@@ -1,7 +1,7 @@
 name: SQL Injection with Long URLs
 id: e0aad4cf-0790-423b-8328-7564d0d938f9
-version: 6
-date: '2024-11-15'
+version: 7
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: experimental
 type: TTP
diff --git a/detections/web/supernova_webshell.yml b/detections/web/supernova_webshell.yml
index 376d74126e..a065bcc2f4 100644
--- a/detections/web/supernova_webshell.yml
+++ b/detections/web/supernova_webshell.yml
@@ -1,7 +1,7 @@
 name: Supernova Webshell
 id: 2ec08a09-9ff1-4dac-b59f-1efd57972ec1
-version: 5
-date: '2025-04-16'
+version: 6
+date: '2025-05-02'
 author: John Stoner, Splunk
 status: experimental
 type: TTP
diff --git a/detections/web/tomcat_session_deserialization_attempt.yml b/detections/web/tomcat_session_deserialization_attempt.yml
index ad71519af6..8632fd2baa 100644
--- a/detections/web/tomcat_session_deserialization_attempt.yml
+++ b/detections/web/tomcat_session_deserialization_attempt.yml
@@ -1,7 +1,7 @@
 name: Tomcat Session Deserialization Attempt
 id: e28b4fd4-8f5a-41cd-8222-2f1ccca53ef1
-version: 1
-date: '2025-03-25'
+version: 2
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/web/tomcat_session_file_upload_attempt.yml b/detections/web/tomcat_session_file_upload_attempt.yml
index 537e1a36d5..a0e8406997 100644
--- a/detections/web/tomcat_session_file_upload_attempt.yml
+++ b/detections/web/tomcat_session_file_upload_attempt.yml
@@ -1,7 +1,7 @@
 name: Tomcat Session File Upload Attempt
 id: a1d8f5c3-9b7e-4f2d-8c51-3bca5e672410
-version: 1
-date: '2025-03-25'
+version: 2
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/web/unusually_long_content_type_length.yml b/detections/web/unusually_long_content_type_length.yml
index ecb890838d..163284b10d 100644
--- a/detections/web/unusually_long_content_type_length.yml
+++ b/detections/web/unusually_long_content_type_length.yml
@@ -1,7 +1,7 @@
 name: Unusually Long Content-Type Length
 id: 57a0a2bf-353f-40c1-84dc-29293f3c35b7
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
diff --git a/detections/web/vmware_aria_operations_exploit_attempt.yml b/detections/web/vmware_aria_operations_exploit_attempt.yml
index bcad5a1335..b7d0c31c24 100644
--- a/detections/web/vmware_aria_operations_exploit_attempt.yml
+++ b/detections/web/vmware_aria_operations_exploit_attempt.yml
@@ -1,7 +1,7 @@
 name: VMWare Aria Operations Exploit Attempt
 id: d5d865e4-03e6-43da-98f4-28a4f42d4df7
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/vmware_server_side_template_injection_hunt.yml b/detections/web/vmware_server_side_template_injection_hunt.yml
index 202f0e3626..2e9ebe6761 100644
--- a/detections/web/vmware_server_side_template_injection_hunt.yml
+++ b/detections/web/vmware_server_side_template_injection_hunt.yml
@@ -1,7 +1,7 @@
 name: VMware Server Side Template Injection Hunt
 id: 5796b570-ad12-44df-b1b5-b7e6ae3aabb0
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
diff --git a/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml b/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml
index 09e37d2b77..da0870e8c7 100644
--- a/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml
+++ b/detections/web/vmware_workspace_one_freemarker_server_side_template_injection.yml
@@ -1,7 +1,7 @@
 name: VMware Workspace ONE Freemarker Server-side Template Injection
 id: 9e5726fe-8fde-460e-bd74-cddcf6c86113
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: Anomaly
diff --git a/detections/web/web_jsp_request_via_url.yml b/detections/web/web_jsp_request_via_url.yml
index 32adab8d60..75deef22c9 100644
--- a/detections/web/web_jsp_request_via_url.yml
+++ b/detections/web/web_jsp_request_via_url.yml
@@ -1,7 +1,7 @@
 name: Web JSP Request via URL
 id: 2850c734-2d44-4431-8139-1a56f6f54c01
-version: 6
-date: '2025-04-16'
+version: 7
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/web_remote_shellservlet_access.yml b/detections/web/web_remote_shellservlet_access.yml
index e6d6919549..11c5f6bd93 100644
--- a/detections/web/web_remote_shellservlet_access.yml
+++ b/detections/web/web_remote_shellservlet_access.yml
@@ -1,7 +1,7 @@
 name: Web Remote ShellServlet Access
 id: c2a332c3-24a2-4e24-9455-0e80332e6746
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/web_spring4shell_http_request_class_module.yml b/detections/web/web_spring4shell_http_request_class_module.yml
index e7e91040c9..45867601a1 100644
--- a/detections/web/web_spring4shell_http_request_class_module.yml
+++ b/detections/web/web_spring4shell_http_request_class_module.yml
@@ -1,7 +1,7 @@
 name: Web Spring4Shell HTTP Request Class Module
 id: fcdfd69d-0ca3-4476-920e-9b633cb4593e
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/web_spring_cloud_function_functionrouter.yml b/detections/web/web_spring_cloud_function_functionrouter.yml
index 8d690391ad..0fb0680305 100644
--- a/detections/web/web_spring_cloud_function_functionrouter.yml
+++ b/detections/web/web_spring_cloud_function_functionrouter.yml
@@ -1,7 +1,7 @@
 name: Web Spring Cloud Function FunctionRouter
 id: 89dddbad-369a-4f8a-ace2-2439218735bc
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml b/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml
index ff04e7b51d..74c8970986 100644
--- a/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml
+++ b/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml
@@ -1,7 +1,7 @@
 name: Windows Exchange Autodiscover SSRF Abuse
 id: d436f9e7-0ee7-4a47-864b-6dea2c4e2752
-version: 5
-date: '2025-03-24'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Nathaniel Stearns, Splunk
 status: production
 type: TTP
diff --git a/detections/web/windows_iis_server_pswa_console_access.yml b/detections/web/windows_iis_server_pswa_console_access.yml
index 70212b2e4e..48048264ce 100644
--- a/detections/web/windows_iis_server_pswa_console_access.yml
+++ b/detections/web/windows_iis_server_pswa_console_access.yml
@@ -1,7 +1,7 @@
 name: Windows IIS Server PSWA Console Access
 id: 914ab191-fa8a-48cb-83a6-0565e061f934
-version: 3
-date: '2024-11-15'
+version: 4
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source:
 - Windows IIS
diff --git a/detections/web/wordpress_bricks_builder_plugin_rce.yml b/detections/web/wordpress_bricks_builder_plugin_rce.yml
index 4978d1782b..87638f46d9 100644
--- a/detections/web/wordpress_bricks_builder_plugin_rce.yml
+++ b/detections/web/wordpress_bricks_builder_plugin_rce.yml
@@ -1,7 +1,7 @@
 name: WordPress Bricks Builder plugin RCE
 id: 56a8771a-3fda-4959-b81d-2f266e2f679f
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Michael Haag, Splunk
 data_source:
 - Nginx Access
diff --git a/detections/web/ws_ftp_remote_code_execution.yml b/detections/web/ws_ftp_remote_code_execution.yml
index d4cf8f56d1..d5e1e1563e 100644
--- a/detections/web/ws_ftp_remote_code_execution.yml
+++ b/detections/web/ws_ftp_remote_code_execution.yml
@@ -1,7 +1,7 @@
 name: WS FTP Remote Code Execution
 id: b84e8f39-4e7b-4d4f-9e7c-fcd29a227845
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Michael Haag, Splunk
 status: production
 type: TTP
diff --git a/detections/web/zscaler_adware_activities_threat_blocked.yml b/detections/web/zscaler_adware_activities_threat_blocked.yml
index c47abd8740..2f441e91db 100644
--- a/detections/web/zscaler_adware_activities_threat_blocked.yml
+++ b/detections/web/zscaler_adware_activities_threat_blocked.yml
@@ -1,7 +1,7 @@
 name: Zscaler Adware Activities Threat Blocked
 id: 3407b250-345a-4d71-80db-c91e555a3ece
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/web/zscaler_behavior_analysis_threat_blocked.yml b/detections/web/zscaler_behavior_analysis_threat_blocked.yml
index 8a55d3f407..763fb765ba 100644
--- a/detections/web/zscaler_behavior_analysis_threat_blocked.yml
+++ b/detections/web/zscaler_behavior_analysis_threat_blocked.yml
@@ -1,7 +1,7 @@
 name: Zscaler Behavior Analysis Threat Blocked
 id: 289ad59f-8939-4331-b805-f2bd51d36fb8
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Rod Soto, Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml b/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml
index 6d18afa2c9..208c4b53f7 100644
--- a/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml
+++ b/detections/web/zscaler_cryptominer_downloaded_threat_blocked.yml
@@ -1,7 +1,7 @@
 name: Zscaler CryptoMiner Downloaded Threat Blocked
 id: ed76ce37-bab9-4ec0-bf3e-9c6a6cf43365
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Rod Soto, Splunk
 status: production
 type: Anomaly
diff --git a/detections/web/zscaler_employment_search_web_activity.yml b/detections/web/zscaler_employment_search_web_activity.yml
index 99af05f85e..7dda32b79e 100644
--- a/detections/web/zscaler_employment_search_web_activity.yml
+++ b/detections/web/zscaler_employment_search_web_activity.yml
@@ -1,7 +1,7 @@
 name: Zscaler Employment Search Web Activity
 id: 5456bdef-d765-4565-8e1f-61ca027bc50e
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Rod Soto, Splunk
 status: production
 type: Anomaly
diff --git a/detections/web/zscaler_exploit_threat_blocked.yml b/detections/web/zscaler_exploit_threat_blocked.yml
index e88d087743..9914cef212 100644
--- a/detections/web/zscaler_exploit_threat_blocked.yml
+++ b/detections/web/zscaler_exploit_threat_blocked.yml
@@ -1,7 +1,7 @@
 name: Zscaler Exploit Threat Blocked
 id: 94665d8c-b841-4ff4-acb4-34d613e2cbfe
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Rod Soto, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
diff --git a/detections/web/zscaler_legal_liability_threat_blocked.yml b/detections/web/zscaler_legal_liability_threat_blocked.yml
index 319cba5ae7..676e50dc16 100644
--- a/detections/web/zscaler_legal_liability_threat_blocked.yml
+++ b/detections/web/zscaler_legal_liability_threat_blocked.yml
@@ -1,7 +1,7 @@
 name: Zscaler Legal Liability Threat Blocked
 id: bbf55ebf-c416-4f62-94d9-4064f2a28014
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Rod Soto, Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/web/zscaler_malware_activity_threat_blocked.yml b/detections/web/zscaler_malware_activity_threat_blocked.yml
index 34061dc5be..9b3c6c29b2 100644
--- a/detections/web/zscaler_malware_activity_threat_blocked.yml
+++ b/detections/web/zscaler_malware_activity_threat_blocked.yml
@@ -1,7 +1,7 @@
 name: Zscaler Malware Activity Threat Blocked
 id: ae874ad8-e353-40a7-87d4-420cdfb27d1a
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Rod Soto, Gowthamaraj Rajendran, Splunk
 status: production
 type: Anomaly
diff --git a/detections/web/zscaler_phishing_activity_threat_blocked.yml b/detections/web/zscaler_phishing_activity_threat_blocked.yml
index 06092146ff..185d8d3772 100644
--- a/detections/web/zscaler_phishing_activity_threat_blocked.yml
+++ b/detections/web/zscaler_phishing_activity_threat_blocked.yml
@@ -1,7 +1,7 @@
 name: Zscaler Phishing Activity Threat Blocked
 id: 68d3e2c1-e97f-4310-b080-dea180b48aa9
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Rod Soto, Splunk
 status: production
 type: Anomaly
diff --git a/detections/web/zscaler_potentially_abused_file_download.yml b/detections/web/zscaler_potentially_abused_file_download.yml
index f18bdfe4f0..d790d8232e 100644
--- a/detections/web/zscaler_potentially_abused_file_download.yml
+++ b/detections/web/zscaler_potentially_abused_file_download.yml
@@ -1,7 +1,7 @@
 name: Zscaler Potentially Abused File Download
 id: b0c21379-f4ba-4bac-a958-897e260f964a
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Rod Soto, Splunk
 status: production
 type: Anomaly
diff --git a/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml b/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml
index abf94751e3..a94d17248c 100644
--- a/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml
+++ b/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml
@@ -1,7 +1,7 @@
 name: Zscaler Privacy Risk Destinations Threat Blocked
 id: 5456bdef-d765-4565-8e1f-61ca027bc50d
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Rod Soto, Splunk
 status: production
 type: Anomaly
diff --git a/detections/web/zscaler_scam_destinations_threat_blocked.yml b/detections/web/zscaler_scam_destinations_threat_blocked.yml
index 5c7281924b..52f8a5ba23 100644
--- a/detections/web/zscaler_scam_destinations_threat_blocked.yml
+++ b/detections/web/zscaler_scam_destinations_threat_blocked.yml
@@ -1,7 +1,7 @@
 name: Zscaler Scam Destinations Threat Blocked
 id: a0c21379-f4ba-4bac-a958-897e260f964a
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Rod Soto, Splunk
 status: production
 type: Anomaly
diff --git a/detections/web/zscaler_virus_download_threat_blocked.yml b/detections/web/zscaler_virus_download_threat_blocked.yml
index f0c094a07c..00cd865b94 100644
--- a/detections/web/zscaler_virus_download_threat_blocked.yml
+++ b/detections/web/zscaler_virus_download_threat_blocked.yml
@@ -1,7 +1,7 @@
 name: Zscaler Virus Download threat blocked
 id: aa19e627-d448-4a31-85cd-82068dec5691
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-05-02'
 author: Gowthamaraj Rajendran, Rod Soto, Splunk
 status: production
 type: Anomaly