Updating detections

Author: dluxtron

detections/cloud/azure_ad_global_administrator_role_assigned.yml

@@ -1,8 +1,8 @@
 name: Azure AD Global Administrator Role Assigned
 id: 825fed20-309d-4fd1-8aaf-cd49c1bb093c
-version: 5
-date: '2024-05-29'
-author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
+version: 6
+date: '2024-07-02'
+author: Gowthamaraj Rajendran, Mauricio Velazco, Dean Luxton, Splunk
 status: production
 type: TTP
 description: The following analytic detects the assignment of the Azure AD Global
@@ -15,11 +15,14 @@ description: The following analytic detects the assignment of the Azure AD Globa
   posing a severe security risk.
 data_source:
 - Azure Active Directory Add member to role
-search: '`azure_monitor_aad`  operationName="Add member to role"  properties.targetResources{}.modifiedProperties{}.newValue="\"Global
-  Administrator\"" | rename properties.* as * | rename initiatedBy.user.userPrincipalName
-  as initiatedBy | stats count min(_time) as firstTime max(_time) as lastTime values(user)
-  as user by initiatedBy, result, operationName | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` | `azure_ad_global_administrator_role_assigned_filter`'
+search: '`azure_monitor_aad`  operationName="Add member to role"  properties.targetResources{}.modifiedProperties{}.newValue="\"Global Administrator\""
+  | rename properties.* as *, initiatedBy.user.userPrincipalName as userPrincipalName, targetResources{}.displayName as displayName
+  | eval  initiatedBy = coalesce(userPrincipalName,src_user)
+  | eval user = coalesce(user,mvfilter(displayName!="null"))
+  | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` 
+  | `azure_ad_global_administrator_role_assigned_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details).
   You must be ingesting Azure Active Directory events into your Splunk environment

detections/cloud/azure_ad_privileged_role_assigned.yml

@@ -1,8 +1,8 @@
 name: Azure AD Privileged Role Assigned
 id: a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a
-version: 3
-date: '2024-05-29'
-author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
+version: 4
+date: '2024-07-02'
+author: Mauricio Velazco, Gowthamaraj Rajendran, Dean Luxton, Splunk
 status: production
 type: TTP
 description: The following analytic detects the assignment of privileged Azure Active
@@ -14,8 +14,10 @@ description: The following analytic detects the assignment of privileged Azure A
   over the Azure AD infrastructure.
 data_source:
 - Azure Active Directory Add member to role
-search: ' `azure_monitor_aad`  "operationName"="Add member to role" | rename properties.*  as * 
-  | rename initiatedBy.user.userPrincipalName as initiatedBy 
+search: ' `azure_monitor_aad`  "operationName"="Add member to role" 
+  | rename properties.* as *, initiatedBy.user.userPrincipalName as userPrincipalName, targetResources{}.displayName as displayName
+  | eval  initiatedBy = coalesce(userPrincipalName,src_user)
+  | eval user = coalesce(user,mvfilter(displayName!="null"))
   | rename targetResources{}.modifiedProperties{}.newValue  as roles 
   | eval role=mvindex(roles,1)
   | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName, role

detections/cloud/azure_ad_service_principal_new_client_credentials.yml

@@ -1,8 +1,8 @@
 name: Azure AD Service Principal New Client Credentials
 id: e3adc0d3-9e4b-4b5d-b662-12cec1adff2a
-version: 3
-date: '2024-05-11'
-author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
+version: 4
+date: '2024-07-02'
+author: Mauricio Velazco, Gowthamaraj Rajendran, Dean Luxton, Splunk
 status: production
 type: TTP
 description: The following analytic detects the addition of new credentials to Service
@@ -15,11 +15,21 @@ description: The following analytic detects the addition of new credentials to S
   access and control over the Azure environment.
 data_source:
 - Azure Active Directory
-search: ' `azure_monitor_aad`  category=AuditLogs operationName="Update application*Certificates
-  and secrets management " | rename properties.* as * | rename  targetResources{}.*
-  as * | stats count min(_time) as firstTime max(_time) as lastTime values(displayName)
-  as displayName by user, modifiedProperties{}.newValue, src_ip | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` | `azure_ad_service_principal_new_client_credentials_filter`'
+search: ' `azure_monitor_aad`  category=AuditLogs operationName="Update application*Certificates and secrets management*"
+ | rename properties.* as * 
+ | rename  targetResources{}.* as * 
+ | rename modifiedProperties{}.* as *
+ | eval src_user=coalesce(user,identity), newValue=mvfilter(newValue!="\"KeyDescription\"")
+ | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName values(src_ip) as src_ip values(eval(mvfilter(oldValue!="null"))) as oldValue by src_user, object, newValue
+ | spath input=oldValue output=oldValues path={}
+ | spath input=newValue output=newValues path={}
+ | mvexpand newValues
+ | where NOT newValues IN (oldValues)
+ | fields - newValue, oldValue, oldValues
+ | rename newValues as newValue
+ | `security_content_ctime(firstTime)` 
+ | `security_content_ctime(lastTime)`
+ | `azure_ad_service_principal_new_client_credentials_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
   You must be ingesting Azure Active Directory events into your Splunk environment.
@@ -42,12 +52,16 @@ tags:
   asset_type: Azure Active Directory
   confidence: 50
   impact: 70
-  message: New credentials added for Service Principal by $user$
+  message: New Service Principal credentials were added to $object$ by $src_user$
   mitre_attack_id:
   - T1098
   - T1098.001
   observable:
-  - name: user
+  - name: src_user
+    type: User
+    role:
+    - Victim
+  - name: object
     type: User
     role:
     - Victim

detections/endpoint/detect_new_local_admin_account.yml

@@ -1,7 +1,7 @@
 name: Detect New Local Admin account
 id: b25f6f62-0712-43c1-b203-083231ffd97d
-version: 4
-date: '2024-05-15'
+version: 5
+date: '2024-07-02'
 author: David Dorsey, Splunk
 status: production
 type: TTP
@@ -10,10 +10,11 @@ description: |-
 data_source:
 - Windows Event Log Security 4732
 - Windows Event Log Security 4720
-search: '`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators)
-  | transaction src_user connected=false maxspan=180m | rename src_user as user |
-  stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`'
+search: '`wineventlog_security` (EventCode=4720) OR (EventCode=4732 Group_Name=Administrators) 
+| stats dc(EventCode) as evCount min(_time) as _time range(_time) as duration values(src_user) as src_user values(src_user_category) as src_user_category values(dest_category) as dest_category by user dest
+| where evCount=2
+| fields - evCount, duration
+| `detect_new_local_admin_account_filter`'
 how_to_implement: You must be ingesting Windows event logs using the Splunk Windows
   TA and collecting event code 4720 and 4732
 known_false_positives: The activity may be legitimate. For this reason, it's best
@@ -39,6 +40,10 @@ tags:
     type: User
     role:
     - Victim
+  - name: src_user
+    type: User
+    role:
+    - Victim
   - name: dest
     type: Hostname
     role:

detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml

@@ -1,8 +1,8 @@
 name: Kerberos Pre-Authentication Flag Disabled in UserAccountControl
 id: 0cb847ee-9423-11ec-b2df-acde48001122
-version: 2
-date: '2024-05-24'
-author: Mauricio Velazco, Splunk
+version: 3
+date: '2024-07-02'
+author: Mauricio Velazco, Dean Luxton, Splunk
 status: production
 type: TTP
 description: The following analytic detects when the Kerberos Pre-Authentication flag
@@ -15,9 +15,10 @@ description: The following analytic detects when the Kerberos Pre-Authentication
   of sensitive information.
 data_source:
 - Windows Event Log Security 4738
-search: ' `wineventlog_security` EventCode=4738 MSADChangedAttributes="*Don''t Require
-  Preauth'' - Enabled*" |rename Account_Name as user | table EventCode, user, dest,
-  Security_ID, MSADChangedAttributes | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`'
+search: '`wineventlog_security` EventCode=4738 (UserAccountControl="%%2096" OR MSADChangedAttributes="*Don''t Require Preauth'' - Enabled*")
+  | eval MSADChangedAttributes="''Don''t Require Preauth'' - Enabled"
+  | table _time, source, EventCode, src_user, src_user_category, user, user_category, MSADChangedAttributes 
+  | `kerberos_pre_authentication_flag_disabled_in_useraccountcontrol_filter`'
 how_to_implement: To successfully implement this search, you need to be ingesting
   Domain Controller events. The Advanced Security Audit policy setting `User Account
   Management` within `Account Management` needs to be enabled.

detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml

@@ -41,6 +41,7 @@ references:
 - https://adsecurity.org/?p=1729
 - https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer
 - https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml
+- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory
 tags:
   analytic_story:
   - Sneaky Active Directory Persistence Tricks

detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml

@@ -45,6 +45,7 @@ references:
 - https://adsecurity.org/?p=1729
 - https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer
 - https://github.com/SigmaHQ/sigma/blob/0.22-699-g29a5c6278/rules/windows/builtin/security/win_security_dcsync.yml
+- https://lantern.splunk.com/Security/Product_Tips/Enterprise_Security/Enabling_an_audit_trail_from_Active_Directory
 tags:
   analytic_story:
   - Sneaky Active Directory Persistence Tricks

detections/endpoint/windows_admon_default_group_policy_object_modified.yml

@@ -1,8 +1,8 @@
 name: Windows Admon Default Group Policy Object Modified
 id: 83458004-db60-4170-857d-8572f16f070b
-version: 2
-date: '2024-05-28'
-author: Mauricio Velazco, Splunk
+version: 3
+date: '2024-07-02'
+author: Mauricio Velazco, Dean Luxton, Splunk
 status: production
 type: TTP
 data_source:
@@ -15,10 +15,10 @@ description: The following analytic detects modifications to the default Group P
   persistence, or deploy malware across multiple hosts. If confirmed malicious, such
   modifications could lead to widespread policy enforcement changes, unauthorized
   access, and potential compromise of the entire domain environment.
-search: ' `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*"
-  (displayName="Default Domain Policy" OR displayName="Default Domain Controllers
-  Policy") | stats min(_time) as firstTime max(_time) as lastTime values(gPCFileSysPath)
-  by dcName, displayName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+search: ' `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" (displayName="Default Domain Policy" OR displayName="Default Domain Controllers Policy")
+  | appendpipe [
+  | map search="search `wineventlog_security` EventCode=5136  AttributeSyntaxOID=2.5.5.12 AttributeValue=$displayName$" | rename AttributeValue as displayName] 
+  | stats min(_time) as _time values(displayName) as gp_name, values(gPCFileSysPath) as gPCFileSysPath, values(src_user) as src_user, values(dest) as dest, values(dest_category) as dest_category, values(src_user_category) as src_user_category by displayName
   | `windows_admon_default_group_policy_object_modified_filter`'
 how_to_implement: To successfully implement this search, you need to be monitoring
   Active Directory logs using Admon. Details can be found here 

detections/endpoint/windows_admon_group_policy_object_created.yml

@@ -1,8 +1,8 @@
 name: Windows Admon Group Policy Object Created
 id: 69201633-30d9-48ef-b1b6-e680805f0582
-version: 2
-date: '2024-05-20'
-author: Mauricio Velazco, Splunk
+version: 3
+date: '2024-07-02'
+author: Mauricio Velazco, Dean Luxton, Splunk
 status: production
 type: TTP
 data_source:
@@ -14,10 +14,11 @@ description: The following analytic detects the creation of a new Group Policy O
   across an Active Directory network. If confirmed malicious, this activity could
   allow attackers to control system configurations, deploy ransomware, or propagate
   malware, significantly compromising the network's security.
-search: ' `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*"
-  versionNumber=0 displayName!="New Group Policy Object" | stats min(_time) as firstTime
-  max(_time) as lastTime values(gPCFileSysPath) by dcName, displayName | `security_content_ctime(firstTime)`
-  | `security_content_ctime(lastTime)` | `windows_admon_group_policy_object_created_filter`'
+search: ' `admon` admonEventType=Update objectCategory="CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=*" versionNumber=0 displayName!="New Group Policy Object"
+  | appendpipe [
+  | map search="search `wineventlog_security` EventCode=5136  AttributeSyntaxOID=2.5.5.12 AttributeValue=$displayName$" | rename AttributeValue as displayName] 
+  | stats min(_time) as _time values(displayName) as gp_name, values(gPCFileSysPath) as gPCFileSysPath, values(src_user) as src_user, values(dest) as dest, values(dest_category) as dest_category, values(src_user_category) as src_user_category by displayName
+  | `windows_admon_group_policy_object_created_filter`'
 how_to_implement: To successfully implement this search, you need to be monitoring
   Active Directory logs using Admon. Details can be found here 
   https://docs.splunk.com/Documentation/SplunkCloud/8.1.2101/Data/MonitorActiveDirectory

lookups/privileged_azure_ad_roles.csv

@@ -1,26 +1,28 @@
 "azureadrole","isprvilegedadrole","description"
+"""Application Administrator""","True","Can create and manage all aspects of app registrations and enterprise apps."
+"""Application Developer""","True","Can create application registrations independent of the 'Users can register applications' setting."
 """Authentication Administrator""","True","Can access to view, set and reset authentication method information for any non-admin user."
-"""Authentication Policy Administrator""","True","Can create and manage the authentication methods policy, tenant-wide MFA settings, password protection policy, and verifiable credentials."
-"""Azure AD Joined Device Local Administrator""","True","Users assigned to this role are added to the local administrators group on Azure AD-joined devices."
-"""Azure DevOps Administrator""","True","Can manage Azure DevOps policies and settings."
-"""Azure Information Protection Administrator""","True","Can manage all aspects of the Azure Information Protection product."
+"""Authentication Extensibility Administrator""","True","Customize sign in and sign up experiences for users by creating and managing custom authentication extensions."
+"""B2C IEF Keyset Administrator""","True","Can manage secrets for federation and encryption in the Identity Experience Framework (IEF)."
 """Cloud Application Administrator""","True","Can create and manage all aspects of app registrations and enterprise apps except App Proxy."
-"""Cloud Device Administrator""","True","Limited access to manage devices in Azure AD."
-"""Compliance Administrator""","True","Can read and manage compliance configuration and reports in Azure AD and Microsoft 365."
+"""Cloud Device Administrator""","True","Limited access to manage devices in Microsoft Entra ID."
 """Conditional Access Administrator""","True","Can manage Conditional Access capabilities."
-"""Exchange Administrator""","True","Can manage all aspects of the Exchange product."
+"""Directory Synchronization Accounts""","True","Only used by Microsoft Entra Connect and Microsoft Entra Cloud Sync services."
+"""Directory Writers""","True","Can read and write basic directory information. For granting access to applications, not intended for users."
+"""Domain Name Administrator""","True","Can manage domain names in cloud and on-premises."
 """External Identity Provider Administrator""","True","Can configure identity providers for use in direct federation."
-"""Groups Administrator""","True","Members of this role can create/manage groups, create/manage groups settings like naming and expiration policies, and view groups activity and audit reports."
+"""Global Administrator""","True","Can manage all aspects of Microsoft Entra ID and Microsoft services that use Microsoft Entra identities."
+"""Global Reader""","True","Can read everything that a Global Administrator can, but not update anything."
 """Helpdesk Administrator""","True","Can reset passwords for non-administrators and Helpdesk Administrators."
-"""Hybrid Identity Administrator""","True","Can manage AD to Azure AD cloud provisioning, Azure AD Connect, Pass-through Authentication (PTA), Password hash synchronization (PHS), Seamless Single sign-on (Seamless SSO), and federation settings."
+"""Hybrid Identity Administrator""","True","Manage Active Directory to Microsoft Entra cloud provisioning, Microsoft Entra Connect, pass-through authentication (PTA), password hash synchronization (PHS), seamless single sign-on (seamless SSO), and federation settings. Does not have access to manage Microsoft Entra Connect Health."
 """Intune Administrator""","True","Can manage all aspects of the Intune product."
-"""License Administrator""","True","Can manage product licenses on users and groups."
-"""Network Administrator""","True","Can manage network locations and review enterprise network design insights for Microsoft 365 Software as a Service applications."
+"""Lifecycle Workflows Administrator""","True","Create and manage all aspects of workflows and tasks associated with Lifecycle Workflows in Microsoft Entra ID."
+"""Partner Tier1 Support""","True","Do not use - not intended for general use."
+"""Partner Tier2 Support""","True","Do not use - not intended for general use."
 """Password Administrator""","True","Can reset passwords for non-administrators and Password Administrators."
-"""Privileged Role Administrator""","True","Can manage role assignments in Azure AD, and all aspects of Privileged Identity Management."
-"""Security Administrator""","True","Can read security information and reports, and manage configuration in Azure AD and Office 365."
-"""SharePoint Administrator""","True","Can manage all aspects of the SharePoint service."
-"""Teams Administrator""","True","Can manage the Microsoft Teams service."
-"""User Administrator""","True","Can manage all aspects of users and groups, including resetting passwords for limited admins."
-"""Windows 365 Administrator""","True","Can provision and manage all aspects of Cloud PCs."
-
+"""Privileged Authentication Administrator""","True","Can access to view, set and reset authentication method information for any user (admin or non-admin)."
+"""Privileged Role Administrator""","True","Can manage role assignments in Microsoft Entra ID, and all aspects of Privileged Identity Management."
+"""Security Administrator""","True","Can read security information and reports, and manage configuration in Microsoft Entra ID and Office 365."
+"""Security Operator""","True","Creates and manages security events."
+"""Security Reader""","True","Can read security information and reports in Microsoft Entra ID and Office 365."
+"""User Administrator""","True","Can manage all aspects of users and groups, including resetting passwords for limited admins."