Merge pull request #3294 from splunk/restore-deleted-to-deprecated

Restore deleted analytics to deprecated

Author: patel-bhavin

Diff for: detections/deprecated/attempt_to_stop_security_service.yml

@@ -0,0 +1,96 @@
+name: Attempt To Stop Security Service
+id: c8e349c6-b97c-486e-8949-bd7bcd1f3910
+version: 9
+date: '2025-01-24'
+author: Rico Valdez, Splunk
+status: deprecated
+type: TTP
+description: The following analytic has been deprecated.
+  The following analytic detects attempts to stop security-related services
+  on an endpoint, which may indicate malicious activity. It leverages data from Endpoint
+  Detection and Response (EDR) agents, specifically searching for processes involving
+  the "sc.exe" command with the "stop" parameter. This activity is significant because
+  disabling security services can undermine the organization's security posture, potentially
+  leading to unauthorized access, data exfiltration, or further attacks like malware
+  installation or privilege escalation. If confirmed malicious, this behavior could
+  compromise the endpoint and the entire network, necessitating immediate investigation
+  and response.
+data_source:
+- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
+search: '| tstats `security_content_summariesonly` values(Processes.process) as process
+  min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
+  where `process_net` OR  Processes.process_name = sc.exe Processes.process="* stop
+  *" by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name
+  Processes.process_name Processes.original_file_name Processes.process Processes.process_id
+  Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` |lookup security_services_lookup service as
+  process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
+known_false_positives: None identified. Attempts to disable security-related services
+  should be identified and understood.
+references:
+- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md#atomic-test-14---disable-arbitrary-security-windows-service
+- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
+drilldown_searches:
+- name: View the detection results for - "$user$" and "$dest$"
+  search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$" and "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
+    "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+    as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+    Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: An instance of $parent_process_name$ spawning $process_name$ was identified
+    attempting to disable security services on endpoint $dest$ by user $user$.
+  risk_objects:
+  - field: user
+    type: user
+    score: 20
+  - field: dest
+    type: system
+    score: 20
+  threat_objects:
+  - field: parent_process_name
+    type: parent_process_name
+  - field: process_name
+    type: process_name
+tags:
+  analytic_story:
+  - WhisperGate
+  - Graceful Wipe Out Attack
+  - Disabling Security Tools
+  - Data Destruction
+  - Azorult
+  - Trickbot
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1562.001
+  - T1562
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/win_defend_service_stop/windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

Diff for: detections/deprecated/change_default_file_association.yml

@@ -0,0 +1,82 @@
+name: Change Default File Association
+id: 462d17d8-1f71-11ec-ad07-acde48001122
+version: 5
+date: '2025-01-24'
+author: Teoderick Contreras, Splunk
+status: deprecated
+type: TTP
+description: The following analytic has been deprecated.
+  The following analytic detects suspicious registry modifications that
+  change the default file association to execute a malicious payload. It leverages
+  data from the Endpoint data model, specifically monitoring registry paths under
+  "*\\shell\\open\\command\\*" and "*HKCR\\*". This activity is significant because
+  altering default file associations can allow attackers to execute arbitrary scripts
+  or payloads when a user opens a file, leading to potential code execution. If confirmed
+  malicious, this technique can enable attackers to persist on the compromised host
+  and execute further malicious commands, posing a severe threat to the environment.
+data_source:
+- Sysmon EventID 12
+- Sysmon EventID 13
+search: '| tstats `security_content_summariesonly` count  min(_time) as firstTime
+  max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path
+  ="*\\shell\\open\\command\\*" Registry.registry_path = "*HKCR\\*" by Registry.dest  Registry.user
+  Registry.registry_path Registry.registry_key_name Registry.registry_value_name |
+  `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)`
+  | `change_default_file_association_filter`'
+how_to_implement: To successfully implement this search, you must be ingesting data
+  that records registry activity from your hosts to populate the endpoint data model
+  in the registry node. This is typically populated via endpoint detection-and-response
+  product, such as Carbon Black or endpoint data sources, such as Sysmon. The data
+  used for this search is typically generated via logs that report reads and writes
+  to the registry.
+known_false_positives: unknown
+references:
+- https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/privilege-escalation/untitled-3/accessibility-features
+drilldown_searches:
+- name: View the detection results for - "$dest$" and "$user$"
+  search: '%original_detection_search% | search  dest = "$dest$" user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$" and "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$",
+    "$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+    as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+    Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Registry path $registry_path$ was modified, added, or deleted on $dest$.
+  risk_objects:
+  - field: dest
+    type: system
+    score: 80
+  - field: user
+    type: user
+    score: 80
+  threat_objects: []
+tags:
+  analytic_story:
+  - Hermetic Wiper
+  - Windows Registry Abuse
+  - Prestige Ransomware
+  - Windows Privilege Escalation
+  - Windows Persistence Techniques
+  - Data Destruction
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1546.001
+  - T1546
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.001/txtfile_reg/sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

Diff for: detections/deprecated/cmdline_tool_not_executed_in_cmd_shell.yml

@@ -0,0 +1,102 @@
+name: Cmdline Tool Not Executed In CMD Shell
+id: 6c3f7dd8-153c-11ec-ac2d-acde48001122
+version: 7
+date: '2025-01-24'
+author: Teoderick Contreras, Splunk
+status: deprecated
+type: TTP
+description: The following analytic identifies instances where `ipconfig.exe`, `systeminfo.exe`,
+  or similar tools are executed by a non-standard parent process, excluding CMD, PowerShell,
+  or Explorer. This detection leverages Endpoint Detection and Response (EDR) telemetry
+  to monitor process creation events. Such behavior is significant as it may indicate
+  adversaries using injected processes to perform system discovery, a tactic observed
+  in FIN7's JSSLoader. If confirmed malicious, this activity could allow attackers
+  to gather critical host information, aiding in further exploitation or lateral movement
+  within the network.
+data_source:
+- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = "ipconfig.exe"
+  OR Processes.process_name = "systeminfo.exe" OR Processes.process_name = "net.exe"
+  OR Processes.process_name = "net1.exe" OR Processes.process_name = "arp.exe" OR
+  Processes.process_name = "nslookup.exe" OR Processes.process_name = "route.exe"
+  OR Processes.process_name = "netstat.exe" OR Processes.process_name = "whoami.exe")
+  AND NOT (Processes.parent_process_name = "cmd.exe" OR Processes.parent_process_name
+  = "powershell*" OR Processes.parent_process_name="pwsh.exe" OR Processes.parent_process_name
+  = "explorer.exe") by Processes.parent_process_name Processes.parent_process Processes.process_name
+  Processes.original_file_name Processes.process_id Processes.process Processes.dest
+  Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` | `cmdline_tool_not_executed_in_cmd_shell_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
+known_false_positives: A network operator or systems administrator may utilize an
+  automated host discovery application that may generate false positives. Filter as
+  needed.
+references:
+- https://www.mandiant.com/resources/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation
+- https://attack.mitre.org/groups/G0046/
+- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
+drilldown_searches:
+- name: View the detection results for - "$dest$" and "$user$"
+  search: '%original_detection_search% | search  dest = "$dest$" user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$" and "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$",
+    "$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+    as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+    Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A non-standard parent process $parent_process_name$ spawned child process
+    $process_name$ to execute command-line tool on $dest$.
+  risk_objects:
+  - field: dest
+    type: system
+    score: 56
+  - field: user
+    type: user
+    score: 56
+  threat_objects:
+  - field: parent_process_name
+    type: parent_process_name
+  - field: process_name
+    type: process_name
+tags:
+  analytic_story:
+  - Volt Typhoon
+  - Rhysida Ransomware
+  - FIN7
+  - DarkGate Malware
+  - Qakbot
+  - CISA AA22-277A
+  - CISA AA23-347A
+  - Gozi Malware
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1059
+  - T1059.007
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/fin7/jssloader/sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

Diff for: detections/deprecated/create_local_admin_accounts_using_net_exe.yml

@@ -0,0 +1,94 @@
+name: Create local admin accounts using net exe
+id: b89919ed-fe5f-492c-b139-151bb162040e
+version: 15
+date: '2025-01-24'
+author: Bhavin Patel, Splunk
+status: deprecated
+type: TTP
+description: The following analytic has been deprecated.
+  The following analytic detects the creation of local administrator accounts
+  using the net.exe command. It leverages Endpoint Detection and Response (EDR) data
+  to identify processes named net.exe or net1.exe with the "/add" parameter and keywords
+  related to administrator accounts. This activity is significant as it may indicate
+  an attacker attempting to gain persistent access or escalate privileges. If confirmed
+  malicious, this could lead to unauthorized access, data theft, or further system
+  compromise. Review the process details, user context, and related artifacts to determine
+  the legitimacy of the activity.
+data_source:
+- Sysmon EventID 1
+- Windows Event Log Security 4688
+- CrowdStrike ProcessRollup2
+search: '| tstats `security_content_summariesonly` count values(Processes.user) as
+  user values(Processes.parent_process) as parent_process values(parent_process_name)
+  as parent_process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
+  where `process_net` AND Processes.process=*/add* AND (Processes.process=*administrators*
+  OR Processes.process=*administratoren* OR Processes.process=*administrateurs* OR
+  Processes.process=*administrador* OR Processes.process=*amministratori* OR Processes.process=*administratorer*
+  OR Processes.process=*Rendszergazda* OR Processes.process=*Администратор* OR Processes.process=*Administratör*)
+  by Processes.process Processes.process_name Processes.parent_process_name Processes.dest
+  Processes.user| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` | `create_local_admin_accounts_using_net_exe_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
+known_false_positives: Administrators often leverage net.exe to create admin accounts.
+references: []
+drilldown_searches:
+- name: View the detection results for - "$user$" and "$dest$"
+  search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$" and "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
+    "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+    as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+    Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: An instance of $parent_process_name$ spawning $process_name$ was identified
+    on endpoint $dest$ by user $user$ attempting to add a user to the local Administrators
+    group.
+  risk_objects:
+  - field: user
+    type: user
+    score: 30
+  - field: dest
+    type: system
+    score: 30
+  threat_objects:
+  - field: parent_process_name
+    type: parent_process_name
+  - field: process_name
+    type: process_name
+tags:
+  analytic_story:
+  - DHS Report TA18-074A
+  - Azorult
+  - CISA AA22-257A
+  - DarkGate Malware
+  - CISA AA24-241A
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1136.001
+  - T1136
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog