Commit

conflicts

patel-bhavin committed Dec 6, 2023
2 parents aa23a18 + a17707f commit 25016e8
Showing 93 changed files with 421 additions and 498 deletions.
2 changes: 1 addition & 1 deletion .gitmodules
@@ -1,4 +1,4 @@
[submodule "contentctl"]
path = contentctl
url = https://github.com/splunk/contentctl.git
ignore = all
ignore = all
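Review bot: the `ignore = all` line is shown as one deletion and one addition with identical text, so the only difference is invisible (trailing whitespace, a line ending, or a missing final newline). Confirm this is intentional; if it is line-ending churn from the merge, drop it from the commit so the submodule config does not flip on every conflict resolution. Keep in mind that `ignore = all` also hides any change to the checked-out contentctl commit from `git status` and `git diff`, which makes it harder to tell which generator version produced the dist/ files below.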
2 changes: 1 addition & 1 deletion dist/DA-ESS-ContentUpdate/default/analyticstories.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security_content
# On Date: 2023-12-06T21:36:36 UTC
# On Date: 2023-12-06T21:50:43 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: [email protected]
#############
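Review bot: the only change in this hunk is the generation timestamp, and the same one-line timestamp churn repeats across app.conf, collections.conf, content-version.conf, es_investigations.conf, macros.conf, transforms.conf and workflow_actions.conf. Regenerating committed dist/ output inside a merge-conflict commit buries the substantive change (the SSA field removal further down) among 93 touched files; consider regenerating dist/ in a dedicated build commit or in CI, or dropping the `On Date` line from the generated header so that content-only diffs stay empty.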
4 changes: 2 additions & 2 deletions dist/DA-ESS-ContentUpdate/default/app.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security_content
# On Date: 2023-12-06T21:36:36 UTC
# On Date: 2023-12-06T21:50:43 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: [email protected]
#############
@@ -10,7 +10,7 @@
is_configured = false
state = enabled
state_change_requires_restart = false
build = 20231206213413
build = 20231206214848

[triggers]
reload.analytic_stories = simple
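Review bot: `build` is a second-resolution timestamp (20231206214848 against 20231206213413, about fifteen minutes apart) while the version name in dist/api/version.json stays v4.17.0, so two app builds with the same content version now differ only by this stamp. The 405 additions / 405 deletions in savedsearches.conf look like the same regenerated-stamp churn; since that diff is collapsed on this page, spot-check it for any detection search that changed unintentionally during conflict resolution.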
2 changes: 1 addition & 1 deletion dist/DA-ESS-ContentUpdate/default/collections.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security_content
# On Date: 2023-12-06T21:36:36 UTC
# On Date: 2023-12-06T21:50:43 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: [email protected]
#############
2 changes: 1 addition & 1 deletion dist/DA-ESS-ContentUpdate/default/content-version.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security_content
# On Date: 2023-12-06T21:36:36 UTC
# On Date: 2023-12-06T21:50:43 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: [email protected]
#############
2 changes: 1 addition & 1 deletion dist/DA-ESS-ContentUpdate/default/es_investigations.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security_content
# On Date: 2023-12-06T21:36:36 UTC
# On Date: 2023-12-06T21:50:43 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: [email protected]
#############
2 changes: 1 addition & 1 deletion dist/DA-ESS-ContentUpdate/default/macros.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security_content
# On Date: 2023-12-06T21:36:36 UTC
# On Date: 2023-12-06T21:50:43 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: [email protected]
#############
810 changes: 405 additions & 405 deletions dist/DA-ESS-ContentUpdate/default/savedsearches.conf

2 changes: 1 addition & 1 deletion dist/DA-ESS-ContentUpdate/default/transforms.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security_content
# On Date: 2023-12-06T21:36:36 UTC
# On Date: 2023-12-06T21:50:43 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: [email protected]
#############
2 changes: 1 addition & 1 deletion dist/DA-ESS-ContentUpdate/default/workflow_actions.conf
@@ -1,6 +1,6 @@
#############
# Automatically generated by generator.py in splunk/security_content
# On Date: 2023-12-06T21:36:36 UTC
# On Date: 2023-12-06T21:50:43 UTC
# Author: Splunk Threat Research Team - Splunk
# Contact: [email protected]
#############
2 changes: 1 addition & 1 deletion dist/api/detections.json

2 changes: 1 addition & 1 deletion dist/api/lookups.json

2 changes: 1 addition & 1 deletion dist/api/macros.json

2 changes: 1 addition & 1 deletion dist/api/response_tasks.json

2 changes: 1 addition & 1 deletion dist/api/stories.json

2 changes: 1 addition & 1 deletion dist/api/version.json
@@ -1 +1 @@
{"version": {"name": "v4.17.0", "published_at": "2023-12-06T21:40:37Z"}}
{"version": {"name": "v4.17.0", "published_at": "2023-12-06T21:55:40Z"}}
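Review bot: `published_at` moves fifteen minutes forward while `name` stays v4.17.0. Consumers that key on the version name will not notice this re-publish, and anyone who already pulled the 21:40:37Z artifact now holds a v4.17.0 that differs from this one in app build stamp and in the SSA files below. If the SSA change is meant to ship, bump the version (or a patch/build component of it) rather than republishing the same name.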
1 change: 0 additions & 1 deletion dist/ssa/srs/ssa___anomalous_usage_of_archive_tools.yml
@@ -2,7 +2,6 @@ name: Anomalous usage of Archive Tools
id: 63614a58-10e2-4c6c-ae81-ea1113681439
version: 2
status: production
detection_type: STREAMING
description: The following detection identifies the usage of archive tools from the
command line.
search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid |
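Review bot: `detection_type: STREAMING` is removed from every dist/ssa/srs/*.yml in this commit with no replacement field, so whatever loads these files must either no longer require it or default it to STREAMING. The search bodies are SPL2 streaming pipelines (`$main = from source | eval timestamp = time | ...`), so a consumer that falls back to a scheduled or batch type on a missing field would silently change how these detections run. State which contentctl or schema change drives the removal (the .gitmodules hunk suggests the submodule was touched) and confirm the SSA loader was exercised against the regenerated files before merging.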
1 change: 0 additions & 1 deletion dist/ssa/srs/ssa___attempt_to_delete_services.yml
@@ -2,7 +2,6 @@ name: Attempt To Delete Services
id: a0c8c292-d01a-11eb-aa18-acde48001122
version: 4
status: production
detection_type: STREAMING
description: The following analytic identifies Windows Service Control, `sc.exe`,
attempting to delete a service. This is typically identified in parallel with other
instances of service enumeration of attempts to stop a service and then delete it.
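Review bot: the description reads "service enumeration of attempts to stop a service and then delete it"; it should be "or attempts". The same wording appears in the Attempt To Disable Services description in the next file. Both are context lines in a generated dist/ file, so fix them in the source detection YAML rather than here, or the next regeneration will overwrite the correction.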
1 change: 0 additions & 1 deletion dist/ssa/srs/ssa___attempt_to_disable_services.yml
@@ -2,7 +2,6 @@ name: Attempt To Disable Services
id: afb31de4-d023-11eb-98d5-acde48001122
version: 4
status: production
detection_type: STREAMING
description: The following analytic identifies Windows Service Control, `sc.exe`,
attempting to disable a service. This is typically identified in parallel with other
instances of service enumeration of attempts to stop a service and then disable
@@ -2,7 +2,6 @@ name: Attempted Credential Dump From Registry via Reg exe
id: 14038953-e5f2-4daf-acff-5452062baf03
version: 5
status: production
detection_type: STREAMING
description: The following analytic identifies the use of `reg.exe` attempting to
export Windows registry keys that contain hashed credentials. Adversaries will utilize
this technique to capture and perform offline password cracking.
@@ -2,7 +2,6 @@ name: BCDEdit Failure Recovery Modification
id: 76d79d6e-25bb-40f6-b3b2-e0a6b7e5ea13
version: 2
status: production
detection_type: STREAMING
description: This search looks for flags passed to bcdedit.exe modifications to the
built-in Windows error recovery boot configurations. This is typically used by ransomware
to prevent recovery.
@@ -2,7 +2,6 @@ name: Clear Unallocated Sector Using Cipher App
id: 8f907d90-6173-11ec-9c23-acde48001122
version: 2
status: production
detection_type: STREAMING
description: this search is to detect execution of `cipher.exe` to clear the unallocated
sectors of a specific disk. This technique was seen in some ransomware to make it
impossible to forensically recover deleted files.
1 change: 0 additions & 1 deletion dist/ssa/srs/ssa___delete_a_net_user.yml
@@ -2,7 +2,6 @@ name: Delete A Net User
id: 8776d79c-d26e-11eb-9a56-acde48001122
version: 6
status: production
detection_type: STREAMING
description: This analytic will detect a suspicious net.exe/net1.exe command-line
to delete a user on a system. This technique may be use by an administrator for
legitimate purposes, however this behavior has been used in the wild to impair some
1 change: 0 additions & 1 deletion dist/ssa/srs/ssa___deleting_shadow_copies.yml
@@ -2,7 +2,6 @@ name: Deleting Shadow Copies
id: fd40c537-53d0-4c28-9b7e-77cfd28a49c8
version: 3
status: validation
detection_type: STREAMING
description: The vssadmin.exe utility is used to interact with the Volume Shadow Copy
Service. Wmic is an interface to the Windows Management Instrumentation. This search
looks for either of these tools being used to delete shadow copies.
1 change: 0 additions & 1 deletion dist/ssa/srs/ssa___deny_permission_using_cacls_utility.yml
@@ -2,7 +2,6 @@ name: Deny Permission using Cacls Utility
id: b76eae28-cd25-11eb-9c92-acde48001122
version: 5
status: production
detection_type: STREAMING
description: The following analytic identifies the use of `cacls.exe`, `icacls.exe`
or `xcacls.exe` placing the deny permission on a file or directory. Adversaries
perform this behavior to prevent responders from reviewing or gaining access to
@@ -2,7 +2,6 @@ name: Detect Prohibited Applications Spawning cmd exe
id: c10a18cb-fd80-4ffa-a844-25026e0a0c94
version: 6
status: production
detection_type: STREAMING
description: The following analytic identifies parent processes, browsers, Windows
terminal applications, Office Products and Java spawning cmd.exe. By its very nature,
many applications spawn cmd.exe natively or built into macros. Much of this will
@@ -2,7 +2,6 @@ name: Detect Prohibited Applications Spawning cmd exe browsers
id: c10a18cb-fd70-4ffa-a844-25026e0a0c94
version: 3
status: validation
detection_type: STREAMING
description: The following analytic identifies parent processes that are browsers,
spawning cmd.exe. By its very nature, many applications spawn cmd.exe natively or
built into macros. Much of this will need to be tuned to further enhance the risk.
@@ -2,7 +2,6 @@ name: Detect Prohibited Applications Spawning cmd exe office
id: c10a18cb-fd70-4ffa-a844-25026e0b0c94
version: 3
status: validation
detection_type: STREAMING
description: The following analytic identifies parent processes that are office/productivity
applications, spawning cmd.exe. By its very nature, many applications spawn cmd.exe
natively or built into macros. Much of this will need to be tuned to further enhance
@@ -2,7 +2,6 @@ name: Detect Prohibited Applications Spawning cmd exe powershell
id: c10a18cb-fd70-4ffa-a844-25126e0b0d94
version: 3
status: validation
detection_type: STREAMING
description: The following analytic identifies parent processes that are powershell,
spawning cmd.exe. By its very nature, many applications spawn cmd.exe natively or
built into macros. Much of this will need to be tuned to further enhance the risk.
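Review bot: the four "Detect Prohibited Applications Spawning cmd exe" variants carry hand-edited, near-duplicate ids (c10a18cb-fd80-4ffa-a844-25026e0a0c94, c10a18cb-fd70-4ffa-a844-25026e0a0c94, c10a18cb-fd70-4ffa-a844-25026e0b0c94, c10a18cb-fd70-4ffa-a844-25126e0b0d94) that differ in one or two hex digits. With three of them still at `status: validation`, a single-character slip would make two detections collide on id; regenerate fresh UUIDs for the validation variants before they are promoted to production.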
1 change: 0 additions & 1 deletion dist/ssa/srs/ssa___detect_rclone_command_line_usage.yml
@@ -2,7 +2,6 @@ name: Detect RClone Command-Line Usage
id: e8b74268-5454-11ec-a799-acde48001122
version: 2
status: production
detection_type: STREAMING
description: This analytic identifies commonly used command-line arguments used by
`rclone.exe` to initiate a file transfer. Some arguments were negated as they are
specific to the configuration used by adversaries. In particular, an adversary may
1 change: 0 additions & 1 deletion dist/ssa/srs/ssa___disable_net_user_account.yml
@@ -2,7 +2,6 @@ name: Disable Net User Account
id: ba858b08-d26c-11eb-af9b-acde48001122
version: 5
status: production
detection_type: STREAMING
description: This analytic will identify a suspicious command-line that disables a
user account using the native `net.exe` or `net1.exe` utility to Windows. This technique
may used by the adversaries to interrupt availability of accounts and continue the
1 change: 0 additions & 1 deletion dist/ssa/srs/ssa___dns_exfiltration_using_nslookup_app.yml
@@ -2,7 +2,6 @@ name: DNS Exfiltration Using Nslookup App
id: 2452e632-9e0d-11eb-34ba-acde48001122
version: 2
status: production
detection_type: STREAMING
description: This search is to detect potential DNS exfiltration using nslookup application.
This technique are seen in couple of malware and APT group to exfiltrated collected
data in a infected machine or infected network. This detection is looking for unique
1 change: 0 additions & 1 deletion dist/ssa/srs/ssa___fsutil_zeroing_file.yml
@@ -2,7 +2,6 @@ name: Fsutil Zeroing File
id: f792cdc9-43ee-4429-a3c0-ffce4fed1a85
version: 2
status: production
detection_type: STREAMING
description: This search is to detect a suspicious fsutil process to zeroing a target
file. This technique was seen in lockbit ransomware where it tries to zero out its
malware path as part of its defense evasion after encrypting the compromised host.
@@ -2,7 +2,6 @@ name: Grant Permission Using Cacls Utility
id: c6da561a-cd29-11eb-ae65-acde48001122
version: 5
status: production
detection_type: STREAMING
description: The following analytic identifies the use of `cacls.exe`, `icacls.exe`
or `xcacls.exe` placing the grant permission on a file or directory. Adversaries
perform this behavior to allow components of their files to run, however it allows
@@ -2,7 +2,6 @@ name: Hiding Files And Directories With Attrib exe
id: 028e4406-6176-11ec-aec2-acde48001122
version: 2
status: production
detection_type: STREAMING
description: Attackers leverage an existing Windows binary, attrib.exe, to mark specific
as hidden by using specific flags so that the victim does not see the file. The
search looks for specific command-line arguments to detect the use of attrib.exe
@@ -2,7 +2,6 @@ name: Modify ACLs Permission Of Files Or Folders
id: 9ae9a48a-cdbe-11eb-875a-acde48001122
version: 5
status: production
detection_type: STREAMING
description: This analytic identifies suspicious modification of ACL permission to
a files or folder to make it available to everyone or to a specific user. This technique
may be used by the adversary to evade ACLs or protected files access. This changes
@@ -2,7 +2,6 @@ name: Office Product Spawning Windows Script Host
id: 3ea3851a-8736-41a0-bc09-7e4485b48fa6
version: 3
status: production
detection_type: STREAMING
description: The following analytic will identify a Windows Office Product spawning
WScript.exe or CScript.exe. Tuning may be required based on legitimate application
usage that may spawn scripts from an Office product.
1 change: 0 additions & 1 deletion dist/ssa/srs/ssa___resize_shadowstorage_volume.yml
@@ -2,7 +2,6 @@ name: Resize Shadowstorage Volume
id: dbc30554-d27e-11eb-9e5e-acde48001122
version: 4
status: production
detection_type: STREAMING
description: The following analytic identifies the resizing of shadowstorage using
vssadmin.exe to avoid the shadow volumes being made again. This technique is typically
found used by adversaries during a ransomware event and a precursor to deleting
1 change: 0 additions & 1 deletion dist/ssa/srs/ssa___sdelete_application_execution.yml
@@ -2,7 +2,6 @@ name: Sdelete Application Execution
id: fcc52b9a-4616-11ec-8454-acde48001122
version: 2
status: production
detection_type: STREAMING
description: This analytic will detect the execution of sdelete.exe attempting to
delete potentially important files that may related to adversary or insider threats
to destroy evidence or information sabotage. Sdelete is a SysInternals utility meant
@@ -2,7 +2,6 @@ name: Services lolbas Execution Process Spawn
id: 0d85fde3-0de9-4eec-b386-6a8ba70f3935
version: 3
status: validation
detection_type: STREAMING
description: The following analytic identifies services.exe spawning a LOLBAS execution
process. When adversaries execute code on remote endpoints abusing the Service Control
Manager and creating a remote malicious service, the executed command is spawned
@@ -2,7 +2,6 @@ name: System Process Running from Unexpected Location
id: 28179107-099a-464a-94d3-08301e6c055f
version: 6
status: production
detection_type: STREAMING
description: An attacker tries might try to use different version of a system command
without overriding original, or they might try to avoid some detection running the
process from a different folder. This detection checks that a list of system processes
1 change: 0 additions & 1 deletion dist/ssa/srs/ssa___wbadmin_delete_system_backups.yml
@@ -2,7 +2,6 @@ name: WBAdmin Delete System Backups
id: 71efbf52-4dbb-4c00-a520-306aa546cbb7
version: 2
status: production
detection_type: STREAMING
description: This search looks for flags passed to wbadmin.exe (Windows Backup Administrator
Tool) that delete backup files. This is typically used by ransomware to prevent
recovery.
1 change: 0 additions & 1 deletion dist/ssa/srs/ssa___wevtutil_usage_to_clear_logs.yml
@@ -2,7 +2,6 @@ name: WevtUtil Usage To Clear Logs
id: 5438113c-cdd9-11eb-93b8-acde48001122
version: 3
status: production
detection_type: STREAMING
description: The wevtutil.exe application is the windows event log utility. This searches
for wevtutil.exe with parameters for clearing the application, security, setup,
powershell, sysmon, or system event logs.
1 change: 0 additions & 1 deletion dist/ssa/srs/ssa___wevtutil_usage_to_disable_logs.yml
@@ -2,7 +2,6 @@ name: Wevtutil Usage To Disable Logs
id: a4bdc944-cdd9-11eb-ac97-acde48001122
version: 3
status: production
detection_type: STREAMING
description: This search is to detect execution of wevtutil.exe to disable logs. This
technique was seen in several ransomware to disable the event logs to evade alerts
and detections in compromised host.
1 change: 0 additions & 1 deletion dist/ssa/srs/ssa___windows_bits_job_persistence.yml
@@ -2,7 +2,6 @@ name: Windows Bits Job Persistence
id: 1e25e97a-8ea4-11ec-9767-acde48001122
version: 2
status: production
detection_type: STREAMING
description: The following query identifies Microsoft Background Intelligent Transfer
Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint.
The query identifies the parameters used to create, resume or add a file to a BITS
1 change: 0 additions & 1 deletion dist/ssa/srs/ssa___windows_bitsadmin_download_file.yml
@@ -2,7 +2,6 @@ name: Windows Bitsadmin Download File
id: d76e8188-8f5a-11ec-ace4-acde48001122
version: 2
status: production
detection_type: STREAMING
description: The following query identifies Microsoft Background Intelligent Transfer
Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote
object. In addition, look for `download` or `upload` on the command-line, the switches
1 change: 0 additions & 1 deletion dist/ssa/srs/ssa___windows_certutil_decode_file.yml
@@ -2,7 +2,6 @@ name: Windows CertUtil Decode File
id: b06983f4-8f72-11ec-ab50-acde48001122
version: 2
status: production
detection_type: STREAMING
description: CertUtil.exe may be used to `encode` and `decode` a file, including PE
and script code. Encoding will convert a file to base64 with `-----BEGIN CERTIFICATE-----`
and `-----END CERTIFICATE-----` tags. Malicious usage will include decoding a encoded
1 change: 0 additions & 1 deletion dist/ssa/srs/ssa___windows_certutil_urlcache_download.yml
@@ -2,7 +2,6 @@ name: Windows CertUtil URLCache Download
id: 8cb1ad38-8f6d-11ec-87a3-acde48001122
version: 2
status: production
detection_type: STREAMING
description: Certutil.exe may download a file from a remote destination using `-urlcache`.
This behavior does require a URL to be passed on the command-line. In addition,
`-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will
1 change: 0 additions & 1 deletion dist/ssa/srs/ssa___windows_certutil_verifyctl_download.yml
@@ -2,7 +2,6 @@ name: Windows CertUtil VerifyCtl Download
id: 9ac29c40-8f6b-11ec-b19a-acde48001122
version: 2
status: production
detection_type: STREAMING
description: 'Certutil.exe may download a file from a remote destination using `-VerifyCtl`.
This behavior does require a URL to be passed on the command-line. In addition,
`-f` (force) and `-split` (Split embedded ASN.1 elements, and save to files) will
@@ -2,7 +2,6 @@ name: Windows COM Hijacking InprocServer32 Modification
id: 0ae05a0f-bc84-456b-822a-a5b9c081c7ca
version: 2
status: production
detection_type: STREAMING
description: The following analytic identifies the use of reg.exe performing an add
to the InProcServer32, which may be related to COM hijacking. Adversaries can use
the COM system to insert malicious code that can be executed in place of legitimate
@@ -2,7 +2,6 @@ name: Windows Curl Upload to Remote Destination
id: cc8d046a-543b-11ec-b864-acde48001122
version: 2
status: production
detection_type: STREAMING
description: 'The following analytic identifies the use of Windows Curl.exe uploading
a file to a remote destination. \
@@ -2,7 +2,6 @@ name: Windows Default Group Policy Object Modified with GPME
id: bcb55c13-067b-4648-98f3-627010f72520
version: 2
status: production
detection_type: STREAMING
description: The following analytic identifies the potential edition of a default
Group Policy Object. A fresh installation of an Active Directory network will typically
contain two default group policy objects `Default Domain Controllers Policy` and
@@ -2,7 +2,6 @@ name: Windows Defender Tools in Non Standard Path
id: c205bd2e-cd5b-4224-8510-578a2a1f83d7
version: 2
status: production
detection_type: STREAMING
description: The following analytic identifies usage of the MPCmdRun utility that
can be abused by adversaries by moving it to a new directory.
search: ' $main = from source | eval timestamp = time | eval metadata_uid = metadata.uid |
1 change: 0 additions & 1 deletion dist/ssa/srs/ssa___windows_diskshadow_proxy_execution.yml
@@ -2,7 +2,6 @@ name: Windows Diskshadow Proxy Execution
id: aa502688-9037-11ec-842d-acde48001122
version: 2
status: production
detection_type: STREAMING
description: DiskShadow.exe is a Microsoft Signed binary present on Windows Server.
It has a scripting mode intended for complex scripted backup operations. This feature
also allows for execution of arbitrary unsigned code. This analytic looks for the
@@ -2,7 +2,6 @@ name: Windows DotNet Binary in Non Standard Path
id: 21179107-099a-324a-94d3-08301e6c065f
version: 2
status: production
detection_type: STREAMING
description: The following analytic identifies native .net binaries within the Windows
operating system that may be abused by adversaries by moving it to a new directory.
The analytic identifies the .net binary by using a list. If one or the other matches

0 comments on commit 25016e8
