Merge branch 'develop' into nterl0k-t1033-query-remote-usage

Author: patel-bhavin

.github/workflows/appinspect.yml

@@ -18,7 +18,13 @@ jobs:
 
       - name: Install Python Dependencies and ContentCTL and Atomic Red Team
         run: |
-          pip install contentctl==5.0.0
+          if [ -n "${{ vars.CONTENTCTL_VERSION }}" ]; then
+            echo "Installing contentctl version ${{ vars.CONTENTCTL_VERSION }}"
+            pip install contentctl==${{ vars.CONTENTCTL_VERSION }}
+          else
+            echo "Installing latest contentctl version"
+            pip install contentctl
+          fi
           git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
           git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti
       

.github/workflows/build.yml

@@ -19,7 +19,13 @@ jobs:
 
       - name: Install Python Dependencies and ContentCTL and Atomic Red Team
         run: |
-          pip install contentctl==5.0.0
+          if [ -n "${{ vars.CONTENTCTL_VERSION }}" ]; then
+            echo "Installing contentctl version ${{ vars.CONTENTCTL_VERSION }}"
+            pip install contentctl==${{ vars.CONTENTCTL_VERSION }}
+          else
+            echo "Installing latest contentctl version"
+            pip install contentctl
+          fi
           git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
           git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti
       

.github/workflows/unit-testing.yml

@@ -23,7 +23,13 @@ jobs:
         - name: Install Python Dependencies and ContentCTL
           run: |
             python -m pip install --upgrade pip
-            pip install contentctl==5.0.0
+            if [ -n "${{ vars.CONTENTCTL_VERSION }}" ]; then
+              echo "Installing contentctl version ${{ vars.CONTENTCTL_VERSION }}"
+              pip install contentctl==${{ vars.CONTENTCTL_VERSION }}
+            else
+              echo "Installing latest contentctl version"
+              pip install contentctl
+            fi
            
         # Running contentctl test with a few arguments, before running the command make sure you checkout into the current branch of the pull request. This step only performs unit testing on all the changes against the target-branch. In most cases this target branch will be develop
         # Make sure we check out the PR, even if it actually lives in a fork

contentctl.yml

@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 4.44.0
+  version: 5.0.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU

data_sources/linux_secure.yml

@@ -6,7 +6,10 @@ author: Patrick Bareiss, Splunk
 description: Data source object for Linux Secure
 source: /var/log/secure
 sourcetype: linux_secure
-supported_TA: []
+supported_TA:
+- name: Splunk Add-on for Unix and Linux
+  url: https://splunkbase.splunk.com/app/833
+  version: 9.2.0
 fields:
 - _time
 - action

detections/application/pingid_mismatch_auth_source_and_verification_response.yml

@@ -1,6 +1,6 @@
 name: PingID Mismatch Auth Source and Verification Response
 id: 15b0694e-caa2-4009-8d83-a1f98b86d086
-version: 4
+version: 5
 date: '2025-01-21'
 author: Steven Dick
 status: production

detections/application/windows_ad_suspicious_attribute_modification.yml

@@ -1,6 +1,6 @@
 name: Windows AD Suspicious Attribute Modification
 id: 5682052e-ce55-4f9f-8d28-59191420b7e0
-version: 3
+version: 4
 date: '2025-01-21'
 author: Dean Luxton
 status: production

detections/application/windows_ad_suspicious_gpo_modification.yml

@@ -1,6 +1,6 @@
 name: Windows AD Suspicious GPO Modification
 id: 0a2afc18-a3b5-4452-b60a-2e774214f9bf
-version: 3
+version: 4
 date: '2025-01-21'
 author: Dean Luxton
 status: experimental

detections/cloud/azure_ad_application_administrator_role_assigned.yml

@@ -1,6 +1,6 @@
 name: Azure AD Application Administrator Role Assigned
 id: eac4de87-7a56-4538-a21b-277897af6d8d
-version: 6
+version: 7
 date: '2024-11-14'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production

detections/cloud/azure_ad_azurehound_useragent_detected.yml

@@ -1,6 +1,6 @@
 name: Azure AD AzureHound UserAgent Detected
 id: d62852db-a1f1-40db-a7fc-c3d56fa8bda3
-version: 1
+version: 2
 date: '2025-01-06'
 author: Dean Luxton 
 data_source:

detections/cloud/azure_ad_external_guest_user_invited.yml

@@ -1,6 +1,6 @@
 name: Azure AD External Guest User Invited
 id: c1fb4edb-cab1-4359-9b40-925ffd797fb5
-version: 5
+version: 6
 date: '2024-11-14'
 author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
 status: production

detections/cloud/azure_ad_multi_factor_authentication_disabled.yml

@@ -1,6 +1,6 @@
 name: Azure AD Multi-Factor Authentication Disabled
 id: 482dd42a-acfa-486b-a0bb-d6fcda27318e
-version: 5
+version: 6
 date: '2024-11-14'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production

detections/cloud/azure_ad_privileged_role_assigned.yml

@@ -1,6 +1,6 @@
 name: Azure AD Privileged Role Assigned
 id: a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a
-version: 6
+version: 7
 date: '2024-11-14'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production

detections/cloud/azure_ad_service_principal_enumeration.yml

@@ -1,6 +1,6 @@
 name: Azure AD Service Principal Enumeration
 id: 3f0647ce-add5-4436-8039-cbd1abe74563
-version: 1
+version: 2
 date: '2025-01-06'
 author: Dean Luxton
 data_source:

detections/cloud/azure_ad_service_principal_owner_added.yml

@@ -1,6 +1,6 @@
 name: Azure AD Service Principal Owner Added
 id: 7ddf2084-6cf3-4a44-be83-474f7b73c701
-version: 7
+version: 8
 date: '2024-11-14'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production

detections/cloud/azure_ad_user_enabled_and_password_reset.yml

@@ -1,6 +1,6 @@
 name: Azure AD User Enabled And Password Reset
 id: 1347b9e8-2daa-4a6f-be73-b421d3d9e268
-version: 6
+version: 7
 date: '2024-11-14'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production

detections/cloud/azure_ad_user_immutableid_attribute_updated.yml

@@ -1,6 +1,6 @@
 name: Azure AD User ImmutableId Attribute Updated
 id: 0c0badad-4536-4a84-a561-5ff760f3c00e
-version: 5
+version: 6
 date: '2024-11-14'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production

detections/cloud/gcp_multi_factor_authentication_disabled.yml

@@ -1,6 +1,6 @@
 name: GCP Multi-Factor Authentication Disabled
 id: b9bc5513-6fc1-4821-85a3-e1d81e451c83
-version: 5
+version: 6
 date: '2024-11-14'
 author: Bhavin Patel, Mauricio Velazco, Splunk
 status: production

detections/cloud/gsuite_drive_share_in_external_email.yml

@@ -1,6 +1,6 @@
 name: Gsuite Drive Share In External Email
 id: f6ee02d6-fea0-11eb-b2c2-acde48001122
-version: 4
+version: 5
 date: '2024-11-14'
 author: Teoderick Contreras, Splunk
 status: experimental

detections/cloud/gsuite_suspicious_shared_file_name.yml

@@ -1,6 +1,6 @@
 name: Gsuite Suspicious Shared File Name
 id: 07eed200-03f5-11ec-98fb-acde48001122
-version: 4
+version: 5
 date: '2024-11-14'
 author: Teoderick Contreras, Splunk
 status: production

detections/cloud/o365_service_principal_new_client_credentials.yml

@@ -1,6 +1,6 @@
 name: O365 Service Principal New Client Credentials
 id: a1b229e9-d962-4222-8c62-905a8a010453
-version: 5
+version: 6
 date: '2024-11-14'
 author: Mauricio Velazco, Splunk
 status: production

detections/deprecated/attempt_to_stop_security_service.yml

@@ -1,6 +1,6 @@
 name: Attempt To Stop Security Service
 id: c8e349c6-b97c-486e-8949-bd7bcd1f3910
-version: 9
+version: 10
 date: '2025-01-24'
 author: Rico Valdez, Splunk
 status: deprecated

detections/deprecated/attempted_credential_dump_from_registry_via_reg_exe.yml

@@ -1,6 +1,6 @@
 name: Attempted Credential Dump From Registry via Reg exe
 id: e9fb4a59-c5fb-440a-9f24-191fbc6b2911
-version: 12
+version: 13
 date: '2025-01-15'
 author: Patrick Bareiss, Splunk
 status: deprecated

detections/deprecated/cmdline_tool_not_executed_in_cmd_shell.yml

@@ -1,6 +1,6 @@
 name: Cmdline Tool Not Executed In CMD Shell
 id: 6c3f7dd8-153c-11ec-ac2d-acde48001122
-version: 7
+version: 8
 date: '2025-01-24'
 author: Teoderick Contreras, Splunk
 status: deprecated

detections/deprecated/create_local_admin_accounts_using_net_exe.yml

@@ -1,6 +1,6 @@
 name: Create local admin accounts using net exe
 id: b89919ed-fe5f-492c-b139-151bb162040e
-version: 15
+version: 16
 date: '2025-01-24'
 author: Bhavin Patel, Splunk
 status: deprecated

detections/deprecated/deleting_of_net_users.yml

@@ -1,6 +1,6 @@
 name: Deleting Of Net Users
 id: 1c8c6f66-acce-11eb-aafb-acde48001122
-version: 7
+version: 8
 date: '2025-01-24'
 author: Teoderick Contreras, Splunk
 status: deprecated

detections/deprecated/detect_processes_used_for_system_network_configuration_discovery.yml

@@ -1,6 +1,6 @@
 name: Detect processes used for System Network Configuration Discovery
 id: a51bfe1a-94f0-48cc-b1e4-16ae10145893
-version: 7
+version: 8
 date: '2025-01-24'
 author: Bhavin Patel, Splunk
 status: deprecated

detections/deprecated/disabling_net_user_account.yml

@@ -1,6 +1,6 @@
 name: Disabling Net User Account
 id: c0325326-acd6-11eb-98c2-acde48001122
-version: 7
+version: 8
 date: '2025-01-24'
 author: Teoderick Contreras, Splunk
 status: deprecated

detections/deprecated/excel_spawning_powershell.yml

@@ -1,6 +1,6 @@
 name: Excel Spawning PowerShell
 id: 42d40a22-9be3-11eb-8f08-acde48001122
-version: 7
+version: 8
 date: '2025-01-13'
 author: Michael Haag, Splunk
 status: deprecated

detections/deprecated/excel_spawning_windows_script_host.yml

@@ -1,6 +1,6 @@
 name: Excel Spawning Windows Script Host
 id: 57fe880a-9be3-11eb-9bf3-acde48001122
-version: 8
+version: 9
 date: '2025-01-13'
 author: Michael Haag, Splunk
 status: deprecated

detections/deprecated/excessive_usage_of_net_app.yml

@@ -1,6 +1,6 @@
 name: Excessive Usage Of Net App
 id: 45e52536-ae42-11eb-b5c6-acde48001122
-version: 6
+version: 7
 date: '2025-01-24'
 author: Teoderick Contreras, Splunk
 status: deprecated

detections/deprecated/extraction_of_registry_hives.yml

@@ -1,6 +1,6 @@
 name: Extraction of Registry Hives
 id: 8bbb7d58-b360-11eb-ba21-acde48001122
-version: 6
+version: 7
 date: '2025-01-24'
 author: Michael Haag, Splunk
 status: deprecated

detections/deprecated/office_product_spawn_cmd_process.yml

@@ -1,6 +1,6 @@
 name: Office Product Spawn CMD Process
 id: b8b19420-e892-11eb-9244-acde48001122
-version: 8
+version: 9
 date: '2025-01-13'
 author: Teoderick Contreras, Splunk
 status: deprecated

detections/deprecated/office_product_spawning_windows_script_host.yml

@@ -1,6 +1,6 @@
 name: Office Product Spawning Windows Script Host
 id: b3628a5b-8d02-42fa-a891-eebf2351cbe1
-version: 10
+version: 11
 date: '2025-01-13'
 author: Michael Haag, Splunk
 status: deprecated

detections/deprecated/office_spawning_control.yml

@@ -1,6 +1,6 @@
 name: Office Spawning Control
 id: 053e027c-10c7-11ec-8437-acde48001122
-version: 10
+version: 11
 date: '2025-01-24'
 author: Michael Haag, Splunk
 status: deprecated

detections/deprecated/osquery_pack___coldroot_detection.yml

@@ -1,6 +1,6 @@
 name: Osquery pack - ColdRoot detection
 id: a6fffe5e-05c3-4c04-badc-887607fbb8dc
-version: 4
+version: 5
 date: '2024-11-14'
 author: Rico Valdez, Splunk
 status: deprecated

detections/deprecated/windows_lateral_tool_transfer_remcom.yml

@@ -1,6 +1,6 @@
 name: Windows Lateral Tool Transfer RemCom
 id: e373a840-5bdc-47ef-b2fd-9cc7aaf387f0
-version: 5
+version: 6
 date: '2024-12-10'
 author: Michael Haag, Splunk
 type: TTP

detections/deprecated/windows_msiexec_with_network_connections.yml

@@ -1,6 +1,6 @@
 name: Windows MSIExec With Network Connections
 id: 827409a1-5393-4d8d-8da4-bbb297c262a7
-version: 6
+version: 7
 date: '2025-01-24'
 author: Michael Haag, Splunk
 status: deprecated

detections/deprecated/windows_office_product_spawning_msdt.yml

@@ -1,6 +1,6 @@
 name: Windows Office Product Spawning MSDT
 id: 127eba64-c981-40bf-8589-1830638864a7
-version: 9
+version: 10
 date: '2025-01-24'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: deprecated

detections/endpoint/anomalous_usage_of_7zip.yml

@@ -1,6 +1,6 @@
 name: Anomalous usage of 7zip
 id: 9364ee8e-a39a-11eb-8f1d-acde48001122
-version: 6
+version: 7
 date: '2024-11-13'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: production

detections/endpoint/any_powershell_downloadfile.yml

@@ -1,6 +1,6 @@
 name: Any Powershell DownloadFile
 id: 1a93b7ea-7af7-11eb-adb5-acde48001122
-version: 9
+version: 10
 date: '2025-01-27'
 author: Michael Haag, Splunk
 status: production

detections/endpoint/any_powershell_downloadstring.yml

@@ -1,6 +1,6 @@
 name: Any Powershell DownloadString
 id: 4d015ef2-7adf-11eb-95da-acde48001122
-version: 7
+version: 8
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production

detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml

@@ -1,6 +1,6 @@
 name: Attempt To Add Certificate To Untrusted Store
 id: 6bc5243e-ef36-45dc-9b12-f4a6be131159
-version: 11
+version: 12
 date: '2024-11-13'
 author: Patrick Bareiss, Rico Valdez, Splunk
 status: production

detections/endpoint/bcdedit_failure_recovery_modification.yml

@@ -1,6 +1,6 @@
 name: BCDEdit Failure Recovery Modification
 id: 809b31d2-5462-11eb-ae93-0242ac130002
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production

detections/endpoint/bits_job_persistence.yml

@@ -1,6 +1,6 @@
 name: BITS Job Persistence
 id: e97a5ffe-90bf-11eb-928a-acde48001122
-version: 6
+version: 7
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production

detections/endpoint/bitsadmin_download_file.yml

@@ -1,6 +1,6 @@
 name: BITSAdmin Download File
 id: 80630ff4-8e4c-11eb-aab5-acde48001122
-version: 7
+version: 8
 date: '2024-11-13'
 author: Michael Haag, Sittikorn S
 status: production