From 75617e961dae6b43731c00ec0ec3b87d7bf4ccfe Mon Sep 17 00:00:00 2001
From: Patrick Bareiss
Date: Wed, 5 Feb 2025 09:19:19 +0100
Subject: [PATCH 1/3] linux secure data source
---
 data_sources/linux_secure.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/data_sources/linux_secure.yml b/data_sources/linux_secure.yml
index cd08575aa2..468d387446 100644
--- a/data_sources/linux_secure.yml
+++ b/data_sources/linux_secure.yml
@@ -6,7 +6,10 @@ author: Patrick Bareiss, Splunk
 description: Data source object for Linux Secure
 source: /var/log/secure
 sourcetype: linux_secure
-supported_TA: []
+supported_TA:
+- name: Splunk Add-on for Unix and Linux
+  url: https://splunkbase.splunk.com/app/833
+  version: 9.2.0
 fields:
 - _time
 - action
From 76a9a02c9e7826721e8867d5838c84a7768d068c Mon Sep 17 00:00:00 2001
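Review bot: `version: 9.2.0` on the new `supported_TA` entry is an unquoted scalar that only stays a string because it carries two dots; a later bump such as `9.3` or `10.0` would be read as a float by a plain YAML loader and silently lose its trailing zero. Quote it so the field's type does not depend on the value: `+  version: '9.2.0'`. I cannot see the other data_sources files from this hunk, so if they already quote this field, match their convention.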
From: research-bot
Date: Wed, 5 Feb 2025 10:49:03 -0800
Subject: [PATCH 2/3] updating versions
---
 ..._auth_source_and_verification_response.yml | 2 +-
 ...s_ad_suspicious_attribute_modification.yml | 2 +-
 ...windows_ad_suspicious_gpo_modification.yml | 2 +-
 ...pplication_administrator_role_assigned.yml | 2 +-
 ...azure_ad_azurehound_useragent_detected.yml | 2 +-
 .../azure_ad_external_guest_user_invited.yml | 2 +-
 ...d_multi_factor_authentication_disabled.yml | 2 +-
 .../azure_ad_privileged_role_assigned.yml | 2 +-
 ...azure_ad_service_principal_enumeration.yml | 2 +-
 ...azure_ad_service_principal_owner_added.yml | 2 +-
 ...ure_ad_user_enabled_and_password_reset.yml | 2 +-
 ..._ad_user_immutableid_attribute_updated.yml | 2 +-
 ...p_multi_factor_authentication_disabled.yml | 2 +-
 .../gsuite_drive_share_in_external_email.yml | 2 +-
 .../gsuite_suspicious_shared_file_name.yml | 2 +-
 ...rvice_principal_new_client_credentials.yml | 2 +-
 .../attempt_to_stop_security_service.yml | 2 +-
 ...dential_dump_from_registry_via_reg_exe.yml | 2 +-
 ...cmdline_tool_not_executed_in_cmd_shell.yml | 2 +-
 ...ate_local_admin_accounts_using_net_exe.yml | 2 +-
 .../deprecated/deleting_of_net_users.yml | 2 +-
 ...system_network_configuration_discovery.yml | 2 +-
 .../deprecated/disabling_net_user_account.yml | 2 +-
 .../deprecated/excel_spawning_powershell.yml | 2 +-
 .../excel_spawning_windows_script_host.yml | 2 +-
 .../deprecated/excessive_usage_of_net_app.yml | 2 +-
 .../extraction_of_registry_hives.yml | 2 +-
 .../office_product_spawn_cmd_process.yml | 2 +-
 ...e_product_spawning_windows_script_host.yml | 2 +-
 .../deprecated/office_spawning_control.yml | 2 +-
 .../osquery_pack___coldroot_detection.yml | 2 +-
 .../windows_lateral_tool_transfer_remcom.yml | 2 +-
 ...ndows_msiexec_with_network_connections.yml | 2 +-
 .../windows_office_product_spawning_msdt.yml | 2 +-
 .../endpoint/anomalous_usage_of_7zip.yml | 2 +-
 .../endpoint/any_powershell_downloadfile.yml | 2 +-
 .../any_powershell_downloadstring.yml | 2 +-
 ..._to_add_certificate_to_untrusted_store.yml | 2 +-
 .../bcdedit_failure_recovery_modification.yml | 2 +-
 detections/endpoint/bits_job_persistence.yml | 2 +-
 .../endpoint/bitsadmin_download_file.yml | 2 +-
 ...load_with_urlcache_and_split_arguments.yml | 2 +-
 ...oad_with_verifyctl_and_split_arguments.yml | 2 +-
 .../certutil_exe_certificate_extraction.yml | 2 +-
 .../certutil_with_decode_argument.yml | 2 +-
 .../check_elevated_cmd_using_whoami.yml | 2 +-
 ...ar_unallocated_sector_using_cipher_app.yml | 2 +-
 .../endpoint/clop_common_exec_parameter.yml | 2 +-
 .../endpoint/cmd_echo_pipe___escalation.yml | 2 +-
 .../endpoint/common_ransomware_extensions.yml | 2 +-
 .../endpoint/conti_common_exec_parameter.yml | 2 +-
 ..._loading_from_world_writable_directory.yml | 2 +-
 ...or_delete_windows_shares_using_net_exe.yml | 2 +-
 .../endpoint/deleting_shadow_copies.yml | 2 +-
 ...tect_azurehound_command_line_arguments.yml | 2 +-
 ...y_with_powershell_script_block_logging.yml | 2 +-
 .../detect_certipy_file_modifications.yml | 2 +-
 .../detect_html_help_spawn_child_process.yml | 2 +-
 .../detect_html_help_url_in_command_line.yml | 2 +-
 ...z_with_powershell_script_block_logging.yml | 2 +-
 .../detect_mshta_inline_hta_execution.yml | 2 +-
 .../detect_mshta_url_in_command_line.yml | 2 +-
 ...nterception_by_creation_of_program_exe.yml | 2 +-
 .../detect_psexec_with_accepteula_flag.yml | 2 +-
 .../detect_rclone_command_line_usage.yml | 2 +-
 .../detect_regasm_spawning_a_process.yml | 2 +-
 ..._regasm_with_no_command_line_arguments.yml | 2 +-
 .../detect_regsvcs_spawning_a_process.yml | 2 +-
 ...regsvcs_with_no_command_line_arguments.yml | 2 +-
 ...ct_regsvr32_application_control_bypass.yml | 2 +-
 ...2_application_control_bypass___advpack.yml | 2 +-
 ..._application_control_bypass___setupapi.yml | 2 +-
 ..._application_control_bypass___syssetup.yml | 2 +-
 ...ssnames_using_pretrained_model_in_dsdl.yml | 2 +-
 .../dns_exfiltration_using_nslookup_app.yml | 2 +-
 .../endpoint/dsquery_domain_discovery.yml | 2 +-
 .../endpoint/dump_lsass_via_comsvcs_dll.yml | 2 +-
 .../endpoint/dump_lsass_via_procdump.yml | 2 +-
 detections/endpoint/etw_registry_disabled.yml | 2 +-
 ...cute_javascript_with_jscript_com_clsid.yml | 2 +-
 ...ution_of_file_with_multiple_extensions.yml | 2 +-
 .../endpoint/file_with_samsam_extension.yml | 2 +-
 ...no_command_line_arguments_with_network.yml | 2 +-
 ...dless_browser_mockbin_or_mocky_request.yml | 2 +-
 .../linux_apt_get_privilege_escalation.yml | 2 +-
 .../linux_apt_privilege_escalation.yml | 2 +-
 .../linux_awk_privilege_escalation.yml | 2 +-
 .../linux_busybox_privilege_escalation.yml | 2 +-
 .../linux_c89_privilege_escalation.yml | 2 +-
 .../linux_c99_privilege_escalation.yml | 2 +-
 .../linux_composer_privilege_escalation.yml | 2 +-
 .../linux_cpulimit_privilege_escalation.yml | 2 +-
 .../linux_csvtool_privilege_escalation.yml | 2 +-
 .../linux_data_destruction_command.yml | 2 +-
 .../endpoint/linux_decode_base64_to_shell.yml | 2 +-
 .../linux_docker_privilege_escalation.yml | 2 +-
 .../linux_emacs_privilege_escalation.yml | 2 +-
 .../linux_find_privilege_escalation.yml | 2 +-
 .../linux_gdb_privilege_escalation.yml | 2 +-
 .../linux_gem_privilege_escalation.yml | 2 +-
 .../linux_gnu_awk_privilege_escalation.yml | 2 +-
 .../endpoint/linux_java_spawning_shell.yml | 2 +-
 .../linux_kernel_module_enumeration.yml | 2 +-
 .../linux_make_privilege_escalation.yml | 2 +-
 .../linux_mysql_privilege_escalation.yml | 2 +-
 .../linux_ngrok_reverse_proxy_usage.yml | 2 +-
 .../linux_node_privilege_escalation.yml | 2 +-
 ...ted_files_or_information_base64_decode.yml | 2 +-
 .../linux_octave_privilege_escalation.yml | 2 +-
 .../linux_openvpn_privilege_escalation.yml | 2 +-
 .../linux_php_privilege_escalation.yml | 2 +-
 .../linux_pkexec_privilege_escalation.yml | 2 +-
 .../endpoint/linux_proxy_socks_curl.yml | 2 +-
 .../linux_puppet_privilege_escalation.yml | 2 +-
 .../linux_rpm_privilege_escalation.yml | 2 +-
 .../linux_ruby_privilege_escalation.yml | 2 +-
 .../linux_sqlite3_privilege_escalation.yml | 2 +-
 ...linux_ssh_authorized_keys_modification.yml | 2 +-
 ...nux_ssh_remote_services_script_execute.yml | 2 +-
 .../microsoft_defender_atp_alerts.yml | 2 +-
 .../microsoft_defender_incident_alerts.yml | 2 +-
 ..._spawning_rundll32_or_regsvr32_process.yml | 2 +-
 ...notepad_with_no_command_line_arguments.yml | 2 +-
 ...twork_configuration_discovery_activity.yml | 2 +-
 .../powershell_load_module_in_meterpreter.yml | 2 +-
 ...ding_dotnet_into_memory_via_reflection.yml | 2 +-
 .../powershell_processing_stream_of_data.yml | 2 +-
 ...hell_remove_windows_defender_directory.yml | 2 +-
 .../powershell_start_bitstransfer.yml | 2 +-
 ...nt_automatic_repair_mode_using_bcdedit.yml | 2 +-
 .../process_kill_base_on_file_path.yml | 2 +-
 .../recon_avproduct_through_pwh_or_wmi.yml | 2 +-
 ...ulating_windows_services_registry_keys.yml | 2 +-
 ...istry_keys_for_creating_shim_databases.yml | 2 +-
 ...2_silent_and_install_param_dll_loading.yml | 2 +-
 ...svr32_with_known_silent_switch_cmdline.yml | 2 +-
 ...ontrol_rundll_world_writable_directory.yml | 2 +-
 .../sc_exe_manipulating_windows_services.yml | 2 +-
 ...eduled_task_deleted_or_created_via_cmd.yml | 2 +-
 .../schtasks_used_for_forcing_a_reboot.yml | 2 +-
 ...ceprincipalnames_discovery_with_setspn.yml | 2 +-
 .../spoolsv_suspicious_process_access.yml | 2 +-
 ...uspicious_computer_account_name_change.yml | 2 +-
 .../endpoint/suspicious_reg_exe_process.yml | 2 +-
 ...ious_regsvr32_register_suspicious_path.yml | 2 +-
 .../suspicious_rundll32_dllregisterserver.yml | 2 +-
 .../endpoint/suspicious_wevtutil_usage.yml | 2 +-
 ..._of_kerberos_service_tickets_requested.yml | 2 +-
 .../windows_ad_adminsdholder_acl_modified.yml | 2 +-
 ...s_ad_cross_domain_sid_history_addition.yml | 2 +-
 ...ows_ad_domain_replication_acl_addition.yml | 2 +-
 ...ernate_datastream___executable_content.yml | 2 +-
 .../windows_apache_benchmark_binary.yml | 2 +-
 ...ndows_attempt_to_stop_security_service.yml | 2 +-
 .../endpoint/windows_autoit3_execution.yml | 2 +-
 ...roxy_execution_mavinject_dll_injection.yml | 2 +-
 ...ws_certutil_download_with_url_argument.yml | 2 +-
 ..._tool_execution_from_non_shell_process.yml | 2 +-
 ..._hijacking_inprocserver32_modification.yml | 2 +-
 ...te_local_administrator_account_via_net.yml | 2 +-
 ...ential_dumping_lsass_memory_createdump.yml | 2 +-
 ...ndows_curl_download_to_suspicious_path.yml | 2 +-
 ...dows_curl_upload_to_remote_destination.yml | 2 +-
 ...s_default_group_policy_object_modified.yml | 2 +-
 ...group_policy_object_modified_with_gpme.yml | 2 +-
 ...indows_detect_network_scanner_behavior.yml | 126 +++++++++---------
 .../windows_disable_memory_crash_dump.yml | 2 +-
 ...ows_event_logging_disable_http_logging.yml | 2 +-
 .../endpoint/windows_dism_remove_defender.yml | 2 +-
 ...l_search_order_hijacking_with_iscsicpl.yml | 2 +-
 ...ows_dotnet_binary_in_non_standard_path.yml | 2 +-
 ...dows_esx_admins_group_creation_via_net.yml | 2 +-
 ...x_admins_group_creation_via_powershell.yml | 2 +-
 .../windows_excessive_usage_of_net_app.yml | 2 +-
 ...s_execute_arbitrary_commands_with_msdt.yml | 2 +-
 .../windows_findstr_gpp_discovery.yml | 2 +-
 ...ttp_network_communication_from_msiexec.yml | 2 +-
 .../windows_iis_components_add_new_module.yml | 2 +-
 ...nses_disable_av_autostart_via_registry.yml | 2 +-
 ...s_ingress_tool_transfer_using_explorer.yml | 2 +-
 ...ndows_installutil_in_non_standard_path.yml | 2 +-
 ..._installutil_remote_network_connection.yml | 2 +-
 .../windows_installutil_uninstall_option.yml | 2 +-
 ...tallutil_uninstall_option_with_network.yml | 2 +-
 ...indows_installutil_url_in_command_line.yml | 2 +-
 .../endpoint/windows_java_spawning_shells.yml | 2 +-
 ...ndows_ldifde_directory_object_behavior.yml | 2 +-
 .../windows_mimikatz_binary_execution.yml | 2 +-
 ...ws_modify_registry_valleyrat_c2_config.yml | 2 +-
 ...odify_registry_valleyrat_pwn_reg_entry.yml | 2 +-
 ..._mof_event_triggered_execution_via_wmi.yml | 2 +-
 .../windows_msiexec_dllregisterserver.yml | 2 +-
 .../windows_msiexec_remote_download.yml | 2 +-
 ...indows_msiexec_spawn_discovery_command.yml | 2 +-
 .../endpoint/windows_msiexec_spawn_windbg.yml | 2 +-
 ...s_msiexec_unregister_dllregisterserver.yml | 2 +-
 .../windows_ngrok_reverse_proxy_usage.yml | 2 +-
 .../endpoint/windows_nirsoft_advancedrun.yml | 2 +-
 .../endpoint/windows_odbcconf_load_dll.yml | 2 +-
 .../windows_odbcconf_load_response_file.yml | 2 +-
 ...windows_office_product_spawned_control.yml | 2 +-
 .../windows_office_product_spawned_msdt.yml | 2 +-
 .../windows_papercut_ng_spawn_shell.yml | 2 +-
 .../windows_powersploit_gpp_discovery.yml | 2 +-
 ...scalation_suspicious_process_elevation.yml | 2 +-
 .../windows_protocol_tunneling_with_plink.yml | 2 +-
 ...indows_raccine_scheduled_task_deletion.yml | 2 +-
 .../windows_rasautou_dll_execution.yml | 2 +-
 ...y_dotnet_etw_disabled_via_env_variable.yml | 2 +-
 ...ows_remote_assistance_spawning_process.yml | 2 +-
 .../windows_remote_create_service.yml | 2 +-
 .../windows_rundll32_webdav_request.yml | 2 +-
 ...undll32_webdav_with_network_connection.yml | 2 +-
 ...ive_registry_hive_dump_via_commandline.yml | 2 +-
 ...tware_component_gacutil_install_to_gac.yml | 2 +-
 .../windows_service_create_with_tscon.yml | 2 +-
 .../windows_service_execution_remcom.yml | 2 +-
 .../windows_sql_spawning_certutil.yml | 2 +-
 ...thentication_certificates___esc1_abuse.yml | 2 +-
 ...ion_certificates___esc1_authentication.yml | 2 +-
 ...ntication_certificates_certutil_backup.yml | 2 +-
 ...cation_certificates_export_certificate.yml | 2 +-
 ...ion_certificates_export_pfxcertificate.yml | 2 +-
 ...ct_process_with_authentication_traffic.yml | 2 +-
 ...execution_compiled_html_file_decompile.yml | 2 +-
 ...oxy_execution_syncappvpublishingserver.yml | 2 +-
 ...ws_uac_bypass_suspicious_child_process.yml | 2 +-
 ..._bypass_suspicious_escalation_behavior.yml | 2 +-
 .../windows_user_deletion_via_net.yml | 2 +-
 .../windows_user_disabled_via_net.yml | 2 +-
 .../windows_windbg_spawning_autoit3.yml | 2 +-
 .../endpoint/winhlp32_spawning_a_process.yml | 2 +-
 .../winrar_spawning_shell_application.yml | 2 +-
 .../endpoint/wmic_xsl_execution_via_url.yml | 2 +-
 .../xsl_script_execution_with_wmic.yml | 2 +-
 .../detect_large_outbound_icmp_packets.yml | 2 +-
 ...etect_remote_access_software_usage_url.yml | 2 +-
 ...caler_adware_activities_threat_blocked.yml | 2 +-
 ...caler_behavior_analysis_threat_blocked.yml | 2 +-
 .../web/zscaler_exploit_threat_blocked.yml | 2 +-
 ...scaler_malware_activity_threat_blocked.yml | 2 +-
 ...caler_potentially_abused_file_download.yml | 2 +-
 ...ivacy_risk_destinations_threat_blocked.yml | 2 +-
 ...caler_scam_destinations_threat_blocked.yml | 2 +-
 .../zscaler_virus_download_threat_blocked.yml | 2 +-
 245 files changed, 307 insertions(+), 307 deletions(-)
diff --git a/detections/application/pingid_mismatch_auth_source_and_verification_response.yml b/detections/application/pingid_mismatch_auth_source_and_verification_response.yml
index 021ec93c2e..17e059d927 100644
--- a/detections/application/pingid_mismatch_auth_source_and_verification_response.yml
+++ b/detections/application/pingid_mismatch_auth_source_and_verification_response.yml
@@ -1,6 +1,6 @@
 name: PingID Mismatch Auth Source and Verification Response
 id: 15b0694e-caa2-4009-8d83-a1f98b86d086
-version: 4
+version: 5
 date: '2025-01-21'
 author: Steven Dick
 status: production
diff --git a/detections/application/windows_ad_suspicious_attribute_modification.yml b/detections/application/windows_ad_suspicious_attribute_modification.yml
index df005bfae6..01c2dd31bc 100644
--- a/detections/application/windows_ad_suspicious_attribute_modification.yml
+++ b/detections/application/windows_ad_suspicious_attribute_modification.yml
@@ -1,6 +1,6 @@
 name: Windows AD Suspicious Attribute Modification
 id: 5682052e-ce55-4f9f-8d28-59191420b7e0
-version: 3
+version: 4
 date: '2025-01-21'
 author: Dean Luxton
 status: production
diff --git a/detections/application/windows_ad_suspicious_gpo_modification.yml b/detections/application/windows_ad_suspicious_gpo_modification.yml
index 976ed7ea7d..00ca4b7616 100644
--- a/detections/application/windows_ad_suspicious_gpo_modification.yml
+++ b/detections/application/windows_ad_suspicious_gpo_modification.yml
@@ -1,6 +1,6 @@
 name: Windows AD Suspicious GPO Modification
 id: 0a2afc18-a3b5-4452-b60a-2e774214f9bf
-version: 3
+version: 4
 date: '2025-01-21'
 author: Dean Luxton
 status: experimental
diff --git a/detections/cloud/azure_ad_application_administrator_role_assigned.yml b/detections/cloud/azure_ad_application_administrator_role_assigned.yml
index 33eb6d2a8d..33305b12f6 100644
--- a/detections/cloud/azure_ad_application_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_application_administrator_role_assigned.yml
@@ -1,6 +1,6 @@
 name: Azure AD Application Administrator Role Assigned
 id: eac4de87-7a56-4538-a21b-277897af6d8d
-version: 6
+version: 7
 date: '2024-11-14'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/cloud/azure_ad_azurehound_useragent_detected.yml b/detections/cloud/azure_ad_azurehound_useragent_detected.yml
index 12b044f4c3..b81c81b399 100644
--- a/detections/cloud/azure_ad_azurehound_useragent_detected.yml
+++ b/detections/cloud/azure_ad_azurehound_useragent_detected.yml
@@ -1,6 +1,6 @@
 name: Azure AD AzureHound UserAgent Detected
 id: d62852db-a1f1-40db-a7fc-c3d56fa8bda3
-version: 1
+version: 2
 date: '2025-01-06'
 author: Dean Luxton
 data_source:
diff --git a/detections/cloud/azure_ad_external_guest_user_invited.yml b/detections/cloud/azure_ad_external_guest_user_invited.yml
index 0a30335c00..b21df736a9 100644
--- a/detections/cloud/azure_ad_external_guest_user_invited.yml
+++ b/detections/cloud/azure_ad_external_guest_user_invited.yml
@@ -1,6 +1,6 @@
 name: Azure AD External Guest User Invited
 id: c1fb4edb-cab1-4359-9b40-925ffd797fb5
-version: 5
+version: 6
 date: '2024-11-14'
 author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
 status: production
diff --git a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml
index 9ede5d603b..7e8ff92cd0 100644
--- a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml
@@ -1,6 +1,6 @@
 name: Azure AD Multi-Factor Authentication Disabled
 id: 482dd42a-acfa-486b-a0bb-d6fcda27318e
-version: 5
+version: 6
 date: '2024-11-14'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/cloud/azure_ad_privileged_role_assigned.yml b/detections/cloud/azure_ad_privileged_role_assigned.yml
index e08cfb1eea..1bdea42857 100644
--- a/detections/cloud/azure_ad_privileged_role_assigned.yml
+++ b/detections/cloud/azure_ad_privileged_role_assigned.yml
@@ -1,6 +1,6 @@
 name: Azure AD Privileged Role Assigned
 id: a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a
-version: 6
+version: 7
 date: '2024-11-14'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/cloud/azure_ad_service_principal_enumeration.yml b/detections/cloud/azure_ad_service_principal_enumeration.yml
index 67af2a74cc..67efb06d67 100644
--- a/detections/cloud/azure_ad_service_principal_enumeration.yml
+++ b/detections/cloud/azure_ad_service_principal_enumeration.yml
@@ -1,6 +1,6 @@
 name: Azure AD Service Principal Enumeration
 id: 3f0647ce-add5-4436-8039-cbd1abe74563
-version: 1
+version: 2
 date: '2025-01-06'
 author: Dean Luxton
 data_source:
diff --git a/detections/cloud/azure_ad_service_principal_owner_added.yml b/detections/cloud/azure_ad_service_principal_owner_added.yml
index 652d5977ff..70759d0bbc 100644
--- a/detections/cloud/azure_ad_service_principal_owner_added.yml
+++ b/detections/cloud/azure_ad_service_principal_owner_added.yml
@@ -1,6 +1,6 @@
 name: Azure AD Service Principal Owner Added
 id: 7ddf2084-6cf3-4a44-be83-474f7b73c701
-version: 7
+version: 8
 date: '2024-11-14'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
index 5cd6090c48..f3601f5b68 100644
--- a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
+++ b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
@@ -1,6 +1,6 @@
 name: Azure AD User Enabled And Password Reset
 id: 1347b9e8-2daa-4a6f-be73-b421d3d9e268
-version: 6
+version: 7
 date: '2024-11-14'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
index 597d44032d..bb46d01420 100644
--- a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
+++ b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
@@ -1,6 +1,6 @@
 name: Azure AD User ImmutableId Attribute Updated
 id: 0c0badad-4536-4a84-a561-5ff760f3c00e
-version: 5
+version: 6
 date: '2024-11-14'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/cloud/gcp_multi_factor_authentication_disabled.yml b/detections/cloud/gcp_multi_factor_authentication_disabled.yml
index dc6b0479ea..411d36c82b 100644
--- a/detections/cloud/gcp_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/gcp_multi_factor_authentication_disabled.yml
@@ -1,6 +1,6 @@
 name: GCP Multi-Factor Authentication Disabled
 id: b9bc5513-6fc1-4821-85a3-e1d81e451c83
-version: 5
+version: 6
 date: '2024-11-14'
 author: Bhavin Patel, Mauricio Velazco, Splunk
 status: production
diff --git a/detections/cloud/gsuite_drive_share_in_external_email.yml b/detections/cloud/gsuite_drive_share_in_external_email.yml
index 469c97577b..cda144c5d9 100644
--- a/detections/cloud/gsuite_drive_share_in_external_email.yml
+++ b/detections/cloud/gsuite_drive_share_in_external_email.yml
@@ -1,6 +1,6 @@
 name: Gsuite Drive Share In External Email
 id: f6ee02d6-fea0-11eb-b2c2-acde48001122
-version: 4
+version: 5
 date: '2024-11-14'
 author: Teoderick Contreras, Splunk
 status: experimental
diff --git a/detections/cloud/gsuite_suspicious_shared_file_name.yml b/detections/cloud/gsuite_suspicious_shared_file_name.yml
index 311f449b7f..1081e01e57 100644
--- a/detections/cloud/gsuite_suspicious_shared_file_name.yml
+++ b/detections/cloud/gsuite_suspicious_shared_file_name.yml
@@ -1,6 +1,6 @@
 name: Gsuite Suspicious Shared File Name
 id: 07eed200-03f5-11ec-98fb-acde48001122
-version: 4
+version: 5
 date: '2024-11-14'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/cloud/o365_service_principal_new_client_credentials.yml b/detections/cloud/o365_service_principal_new_client_credentials.yml
index 702f8ee8f9..4748ee38f9 100644
--- a/detections/cloud/o365_service_principal_new_client_credentials.yml
+++ b/detections/cloud/o365_service_principal_new_client_credentials.yml
@@ -1,6 +1,6 @@
 name: O365 Service Principal New Client Credentials
 id: a1b229e9-d962-4222-8c62-905a8a010453
-version: 5
+version: 6
 date: '2024-11-14'
 author: Mauricio Velazco, Splunk
 status: production
diff --git a/detections/deprecated/attempt_to_stop_security_service.yml b/detections/deprecated/attempt_to_stop_security_service.yml
index 6527800094..d3307c59bf 100644
--- a/detections/deprecated/attempt_to_stop_security_service.yml
+++ b/detections/deprecated/attempt_to_stop_security_service.yml
@@ -1,6 +1,6 @@
 name: Attempt To Stop Security Service
 id: c8e349c6-b97c-486e-8949-bd7bcd1f3910
-version: 9
+version: 10
 date: '2025-01-24'
 author: Rico Valdez, Splunk
 status: deprecated
diff --git a/detections/deprecated/attempted_credential_dump_from_registry_via_reg_exe.yml b/detections/deprecated/attempted_credential_dump_from_registry_via_reg_exe.yml
index 409c21747b..86d2c20c82 100644
--- a/detections/deprecated/attempted_credential_dump_from_registry_via_reg_exe.yml
+++ b/detections/deprecated/attempted_credential_dump_from_registry_via_reg_exe.yml
@@ -1,6 +1,6 @@
 name: Attempted Credential Dump From Registry via Reg exe
 id: e9fb4a59-c5fb-440a-9f24-191fbc6b2911
-version: 12
+version: 13
 date: '2025-01-15'
 author: Patrick Bareiss, Splunk
 status: deprecated
diff --git a/detections/deprecated/cmdline_tool_not_executed_in_cmd_shell.yml b/detections/deprecated/cmdline_tool_not_executed_in_cmd_shell.yml
index 1df440f488..2a47831d2c 100644
--- a/detections/deprecated/cmdline_tool_not_executed_in_cmd_shell.yml
+++ b/detections/deprecated/cmdline_tool_not_executed_in_cmd_shell.yml
@@ -1,6 +1,6 @@
 name: Cmdline Tool Not Executed In CMD Shell
 id: 6c3f7dd8-153c-11ec-ac2d-acde48001122
-version: 7
+version: 8
 date: '2025-01-24'
 author: Teoderick Contreras, Splunk
 status: deprecated
diff --git a/detections/deprecated/create_local_admin_accounts_using_net_exe.yml b/detections/deprecated/create_local_admin_accounts_using_net_exe.yml
index 08cc384790..28560103fa 100644
--- a/detections/deprecated/create_local_admin_accounts_using_net_exe.yml
+++ b/detections/deprecated/create_local_admin_accounts_using_net_exe.yml
@@ -1,6 +1,6 @@
 name: Create local admin accounts using net exe
 id: b89919ed-fe5f-492c-b139-151bb162040e
-version: 15
+version: 16
 date: '2025-01-24'
 author: Bhavin Patel, Splunk
 status: deprecated
diff --git a/detections/deprecated/deleting_of_net_users.yml b/detections/deprecated/deleting_of_net_users.yml
index 53d81b2248..379264584f 100644
--- a/detections/deprecated/deleting_of_net_users.yml
+++ b/detections/deprecated/deleting_of_net_users.yml
@@ -1,6 +1,6 @@
 name: Deleting Of Net Users
 id: 1c8c6f66-acce-11eb-aafb-acde48001122
-version: 7
+version: 8
 date: '2025-01-24'
 author: Teoderick Contreras, Splunk
 status: deprecated
diff --git a/detections/deprecated/detect_processes_used_for_system_network_configuration_discovery.yml b/detections/deprecated/detect_processes_used_for_system_network_configuration_discovery.yml
index 077d4c8017..d0851935d2 100644
--- a/detections/deprecated/detect_processes_used_for_system_network_configuration_discovery.yml
+++ b/detections/deprecated/detect_processes_used_for_system_network_configuration_discovery.yml
@@ -1,6 +1,6 @@
 name: Detect processes used for System Network Configuration Discovery
 id: a51bfe1a-94f0-48cc-b1e4-16ae10145893
-version: 7
+version: 8
 date: '2025-01-24'
 author: Bhavin Patel, Splunk
 status: deprecated
diff --git a/detections/deprecated/disabling_net_user_account.yml b/detections/deprecated/disabling_net_user_account.yml
index 2a10320558..409e89854a 100644
--- a/detections/deprecated/disabling_net_user_account.yml
+++ b/detections/deprecated/disabling_net_user_account.yml
@@ -1,6 +1,6 @@
 name: Disabling Net User Account
 id: c0325326-acd6-11eb-98c2-acde48001122
-version: 7
+version: 8
 date: '2025-01-24'
 author: Teoderick Contreras, Splunk
 status: deprecated
diff --git a/detections/deprecated/excel_spawning_powershell.yml b/detections/deprecated/excel_spawning_powershell.yml
index a4808cc05e..83c5d6bd07 100644
--- a/detections/deprecated/excel_spawning_powershell.yml
+++ b/detections/deprecated/excel_spawning_powershell.yml
@@ -1,6 +1,6 @@
 name: Excel Spawning PowerShell
 id: 42d40a22-9be3-11eb-8f08-acde48001122
-version: 7
+version: 8
 date: '2025-01-13'
 author: Michael Haag, Splunk
 status: deprecated
diff --git a/detections/deprecated/excel_spawning_windows_script_host.yml b/detections/deprecated/excel_spawning_windows_script_host.yml
index 70da2b9f10..db56778daf 100644
--- a/detections/deprecated/excel_spawning_windows_script_host.yml
+++ b/detections/deprecated/excel_spawning_windows_script_host.yml
@@ -1,6 +1,6 @@
 name: Excel Spawning Windows Script Host
 id: 57fe880a-9be3-11eb-9bf3-acde48001122
-version: 8
+version: 9
 date: '2025-01-13'
 author: Michael Haag, Splunk
 status: deprecated
diff --git a/detections/deprecated/excessive_usage_of_net_app.yml b/detections/deprecated/excessive_usage_of_net_app.yml
index e48ea823d4..1b3556f57b 100644
--- a/detections/deprecated/excessive_usage_of_net_app.yml
+++ b/detections/deprecated/excessive_usage_of_net_app.yml
@@ -1,6 +1,6 @@
 name: Excessive Usage Of Net App
 id: 45e52536-ae42-11eb-b5c6-acde48001122
-version: 6
+version: 7
 date: '2025-01-24'
 author: Teoderick Contreras, Splunk
 status: deprecated
diff --git a/detections/deprecated/extraction_of_registry_hives.yml b/detections/deprecated/extraction_of_registry_hives.yml
index 565dccabfa..f31196f4e5 100644
--- a/detections/deprecated/extraction_of_registry_hives.yml
+++ b/detections/deprecated/extraction_of_registry_hives.yml
@@ -1,6 +1,6 @@
 name: Extraction of Registry Hives
 id: 8bbb7d58-b360-11eb-ba21-acde48001122
-version: 6
+version: 7
 date: '2025-01-24'
 author: Michael Haag, Splunk
 status: deprecated
diff --git a/detections/deprecated/office_product_spawn_cmd_process.yml b/detections/deprecated/office_product_spawn_cmd_process.yml
index acbe347fb7..812d2a3bc1 100644
--- a/detections/deprecated/office_product_spawn_cmd_process.yml
+++ b/detections/deprecated/office_product_spawn_cmd_process.yml
@@ -1,6 +1,6 @@
 name: Office Product Spawn CMD Process
 id: b8b19420-e892-11eb-9244-acde48001122
-version: 8
+version: 9
 date: '2025-01-13'
 author: Teoderick Contreras, Splunk
 status: deprecated
diff --git a/detections/deprecated/office_product_spawning_windows_script_host.yml b/detections/deprecated/office_product_spawning_windows_script_host.yml
index 20ee47bc5c..8ff8d57259 100644
--- a/detections/deprecated/office_product_spawning_windows_script_host.yml
+++ b/detections/deprecated/office_product_spawning_windows_script_host.yml
@@ -1,6 +1,6 @@
 name: Office Product Spawning Windows Script Host
 id: b3628a5b-8d02-42fa-a891-eebf2351cbe1
-version: 10
+version: 11
 date: '2025-01-13'
 author: Michael Haag, Splunk
 status: deprecated
diff --git a/detections/deprecated/office_spawning_control.yml b/detections/deprecated/office_spawning_control.yml
index ac4c987bc2..8f472a4168 100644
--- a/detections/deprecated/office_spawning_control.yml
+++ b/detections/deprecated/office_spawning_control.yml
@@ -1,6 +1,6 @@
 name: Office Spawning Control
 id: 053e027c-10c7-11ec-8437-acde48001122
-version: 10
+version: 11
 date: '2025-01-24'
 author: Michael Haag, Splunk
 status: deprecated
diff --git a/detections/deprecated/osquery_pack___coldroot_detection.yml b/detections/deprecated/osquery_pack___coldroot_detection.yml
index 3ba9866bed..369173b8fd 100644
--- a/detections/deprecated/osquery_pack___coldroot_detection.yml
+++ b/detections/deprecated/osquery_pack___coldroot_detection.yml
@@ -1,6 +1,6 @@
 name: Osquery pack - ColdRoot detection
 id: a6fffe5e-05c3-4c04-badc-887607fbb8dc
-version: 4
+version: 5
 date: '2024-11-14'
 author: Rico Valdez, Splunk
 status: deprecated
diff --git a/detections/deprecated/windows_lateral_tool_transfer_remcom.yml b/detections/deprecated/windows_lateral_tool_transfer_remcom.yml
index 0611c1c8f6..47789c6b30 100644
--- a/detections/deprecated/windows_lateral_tool_transfer_remcom.yml
+++ b/detections/deprecated/windows_lateral_tool_transfer_remcom.yml
@@ -1,6 +1,6 @@
 name: Windows Lateral Tool Transfer RemCom
 id: e373a840-5bdc-47ef-b2fd-9cc7aaf387f0
-version: 5
+version: 6
 date: '2024-12-10'
 author: Michael Haag, Splunk
 type: TTP
diff --git a/detections/deprecated/windows_msiexec_with_network_connections.yml b/detections/deprecated/windows_msiexec_with_network_connections.yml
index 26347f6535..5c17518468 100644
--- a/detections/deprecated/windows_msiexec_with_network_connections.yml
+++ b/detections/deprecated/windows_msiexec_with_network_connections.yml
@@ -1,6 +1,6 @@
 name: Windows MSIExec With Network Connections
 id: 827409a1-5393-4d8d-8da4-bbb297c262a7
-version: 6
+version: 7
 date: '2025-01-24'
 author: Michael Haag, Splunk
 status: deprecated
diff --git a/detections/deprecated/windows_office_product_spawning_msdt.yml b/detections/deprecated/windows_office_product_spawning_msdt.yml
index ad36ac3325..cfdabb0241 100644
--- a/detections/deprecated/windows_office_product_spawning_msdt.yml
+++ b/detections/deprecated/windows_office_product_spawning_msdt.yml
@@ -1,6 +1,6 @@
 name: Windows Office Product Spawning MSDT
 id: 127eba64-c981-40bf-8589-1830638864a7
-version: 9
+version: 10
 date: '2025-01-24'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: deprecated
diff --git a/detections/endpoint/anomalous_usage_of_7zip.yml b/detections/endpoint/anomalous_usage_of_7zip.yml
index 952bab98c5..c92c682b76 100644
--- a/detections/endpoint/anomalous_usage_of_7zip.yml
+++ b/detections/endpoint/anomalous_usage_of_7zip.yml
@@ -1,6 +1,6 @@
 name: Anomalous usage of 7zip
 id: 9364ee8e-a39a-11eb-8f1d-acde48001122
-version: 6
+version: 7
 date: '2024-11-13'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/any_powershell_downloadfile.yml b/detections/endpoint/any_powershell_downloadfile.yml
index 74049ff9cb..65331578b1 100644
--- a/detections/endpoint/any_powershell_downloadfile.yml
+++ b/detections/endpoint/any_powershell_downloadfile.yml
@@ -1,6 +1,6 @@
 name: Any Powershell DownloadFile
 id: 1a93b7ea-7af7-11eb-adb5-acde48001122
-version: 9
+version: 10
 date: '2025-01-27'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/any_powershell_downloadstring.yml b/detections/endpoint/any_powershell_downloadstring.yml
index 3a5fdced6f..c94d2f49c5 100644
--- a/detections/endpoint/any_powershell_downloadstring.yml
+++ b/detections/endpoint/any_powershell_downloadstring.yml
@@ -1,6 +1,6 @@
name: Any Powershell DownloadString
id: 4d015ef2-7adf-11eb-95da-acde48001122
-version: 7
+version: 8
date: '2024-11-13'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml
index e23a285c6c..e9c57444bf 100644
--- a/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml
+++ b/detections/endpoint/attempt_to_add_certificate_to_untrusted_store.yml
@@ -1,6 +1,6 @@
name: Attempt To Add Certificate To Untrusted Store
id: 6bc5243e-ef36-45dc-9b12-f4a6be131159
-version: 11
+version: 12
date: '2024-11-13'
author: Patrick Bareiss, Rico Valdez, Splunk
status: production
diff --git a/detections/endpoint/bcdedit_failure_recovery_modification.yml b/detections/endpoint/bcdedit_failure_recovery_modification.yml
index 29bdb7ba33..1425eee424 100644
--- a/detections/endpoint/bcdedit_failure_recovery_modification.yml
+++ b/detections/endpoint/bcdedit_failure_recovery_modification.yml
@@ -1,6 +1,6 @@
name: BCDEdit Failure Recovery Modification
id: 809b31d2-5462-11eb-ae93-0242ac130002
-version: 6
+version: 7
date: '2024-12-10'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/bits_job_persistence.yml b/detections/endpoint/bits_job_persistence.yml
index b115098430..eee12eeb44 100644
--- a/detections/endpoint/bits_job_persistence.yml
+++ b/detections/endpoint/bits_job_persistence.yml
@@ -1,6 +1,6 @@
name: BITS Job Persistence
id: e97a5ffe-90bf-11eb-928a-acde48001122
-version: 6
+version: 7
date: '2024-11-13'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/bitsadmin_download_file.yml b/detections/endpoint/bitsadmin_download_file.yml
index da8e3522bb..bdab9e207a 100644
--- a/detections/endpoint/bitsadmin_download_file.yml
+++ b/detections/endpoint/bitsadmin_download_file.yml
@@ -1,6 +1,6 @@
name: BITSAdmin Download File
id: 80630ff4-8e4c-11eb-aab5-acde48001122
-version: 7
+version: 8
date: '2024-11-13'
author: Michael Haag, Sittikorn S
status: production
diff --git a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml
index 7e3407c516..b6d19b0b39 100644
--- a/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml
+++ b/detections/endpoint/certutil_download_with_urlcache_and_split_arguments.yml
@@ -1,6 +1,6 @@
name: CertUtil Download With URLCache and Split Arguments
id: 415b4306-8bfb-11eb-85c4-acde48001122
-version: 9
+version: 10
date: '2024-12-10'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml
index 7c6a453b69..97a0c24ba9 100644
--- a/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml
+++ b/detections/endpoint/certutil_download_with_verifyctl_and_split_arguments.yml
@@ -1,6 +1,6 @@
name: CertUtil Download With VerifyCtl and Split Arguments
id: 801ad9e4-8bfb-11eb-8b31-acde48001122
-version: 9
+version: 10
date: '2024-12-10'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/certutil_exe_certificate_extraction.yml b/detections/endpoint/certutil_exe_certificate_extraction.yml
index 34b29335c5..6dafec9ff9 100644
--- a/detections/endpoint/certutil_exe_certificate_extraction.yml
+++ b/detections/endpoint/certutil_exe_certificate_extraction.yml
@@ -1,6 +1,6 @@
name: Certutil exe certificate extraction
id: 337a46be-600f-11eb-ae93-0242ac130002
-version: 7
+version: 8
date: '2024-12-10'
author: Rod Soto, Splunk
status: production
diff --git a/detections/endpoint/certutil_with_decode_argument.yml b/detections/endpoint/certutil_with_decode_argument.yml
index 0fc4d9b902..f00b0f4387 100644
--- a/detections/endpoint/certutil_with_decode_argument.yml
+++ b/detections/endpoint/certutil_with_decode_argument.yml
@@ -1,6 +1,6 @@
name: CertUtil With Decode Argument
id: bfe94226-8c10-11eb-a4b3-acde48001122
-version: 6
+version: 7
date: '2024-11-13'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/check_elevated_cmd_using_whoami.yml b/detections/endpoint/check_elevated_cmd_using_whoami.yml
index abb19e8ac8..b5f5648875 100644
--- a/detections/endpoint/check_elevated_cmd_using_whoami.yml
+++ b/detections/endpoint/check_elevated_cmd_using_whoami.yml
@@ -1,6 +1,6 @@
name: Check Elevated CMD using whoami
id: a9079b18-1633-11ec-859c-acde48001122
-version: 4
+version: 5
date: '2024-11-13'
author: Teoderick Contreras, Splunk
status: production
diff --git a/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml b/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml
index ee6d5594e2..2e3eaddaf9 100644
--- a/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml
+++ b/detections/endpoint/clear_unallocated_sector_using_cipher_app.yml
@@ -1,6 +1,6 @@
name: Clear Unallocated Sector Using Cipher App
id: cd80a6ac-c9d9-11eb-8839-acde48001122
-version: 6
+version: 7
date: '2024-12-10'
author: Teoderick Contreras, Splunk
status: production
diff --git a/detections/endpoint/clop_common_exec_parameter.yml b/detections/endpoint/clop_common_exec_parameter.yml
index 0be756484b..3618dec57d 100644
--- a/detections/endpoint/clop_common_exec_parameter.yml
+++ b/detections/endpoint/clop_common_exec_parameter.yml
@@ -1,6 +1,6 @@
name: Clop Common Exec Parameter
id: 5a8a2a72-8322-11eb-9ee9-acde48001122
-version: 7
+version: 8
date: '2024-12-10'
author: Teoderick Contreras, Splunk
status: production
diff --git a/detections/endpoint/cmd_echo_pipe___escalation.yml b/detections/endpoint/cmd_echo_pipe___escalation.yml
index 618a7f1670..107dc77582 100644
--- a/detections/endpoint/cmd_echo_pipe___escalation.yml
+++ b/detections/endpoint/cmd_echo_pipe___escalation.yml
@@ -1,6 +1,6 @@
name: CMD Echo Pipe - Escalation
id: eb277ba0-b96b-11eb-b00e-acde48001122
-version: 7
+version: 8
date: '2024-12-10'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/common_ransomware_extensions.yml b/detections/endpoint/common_ransomware_extensions.yml
index 281a998ed1..b7dbef7eb3 100644
--- a/detections/endpoint/common_ransomware_extensions.yml
+++ b/detections/endpoint/common_ransomware_extensions.yml
@@ -1,6 +1,6 @@
name: Common Ransomware Extensions
id: a9e5c5db-db11-43ca-86a8-c852d1b2c0ec
-version: 10
+version: 11
date: '2025-01-07'
author: David Dorsey, Michael Haag, Splunk, Steven Dick
status: production
diff --git a/detections/endpoint/conti_common_exec_parameter.yml b/detections/endpoint/conti_common_exec_parameter.yml
index fe3227dd29..68ddb073f8 100644
--- a/detections/endpoint/conti_common_exec_parameter.yml
+++ b/detections/endpoint/conti_common_exec_parameter.yml
@@ -1,6 +1,6 @@
name: Conti Common Exec parameter
id: 624919bc-c382-11eb-adcc-acde48001122
-version: 6
+version: 7
date: '2024-12-10'
author: Teoderick Contreras, Splunk
status: production
diff --git a/detections/endpoint/control_loading_from_world_writable_directory.yml b/detections/endpoint/control_loading_from_world_writable_directory.yml
index 0b02258a47..aaddd2c8b2 100644
--- a/detections/endpoint/control_loading_from_world_writable_directory.yml
+++ b/detections/endpoint/control_loading_from_world_writable_directory.yml
@@ -1,6 +1,6 @@
name: Control Loading from World Writable Directory
id: 10423ac4-10c9-11ec-8dc4-acde48001122
-version: 6
+version: 7
date: '2024-12-10'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml
index c90a12c6e9..2b94e92f3d 100644
--- a/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml
+++ b/detections/endpoint/create_or_delete_windows_shares_using_net_exe.yml
@@ -1,6 +1,6 @@
name: Create or delete windows shares using net exe
id: 743a322c-9a68-4a0f-9c17-85d9cce2a27c
-version: 10
+version: 11
date: '2024-12-12'
author: Bhavin Patel, Splunk
status: production
diff --git a/detections/endpoint/deleting_shadow_copies.yml b/detections/endpoint/deleting_shadow_copies.yml
index 43b2d363b6..89b5ebed9b 100644
--- a/detections/endpoint/deleting_shadow_copies.yml
+++ b/detections/endpoint/deleting_shadow_copies.yml
@@ -1,6 +1,6 @@
name: Deleting Shadow Copies
id: b89919ed-ee5f-492c-b139-95dbb162039e
-version: 9
+version: 10
date: '2024-12-10'
author: David Dorsey, Splunk
status: production
diff --git a/detections/endpoint/detect_azurehound_command_line_arguments.yml b/detections/endpoint/detect_azurehound_command_line_arguments.yml
index a20929459c..406db0ca35 100644
--- a/detections/endpoint/detect_azurehound_command_line_arguments.yml
+++ b/detections/endpoint/detect_azurehound_command_line_arguments.yml
@@ -1,6 +1,6 @@
name: Detect AzureHound Command-Line Arguments
id: 26f02e96-c300-11eb-b611-acde48001122
-version: 7
+version: 8
date: '2024-12-10'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml b/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml
index 38e25e1fcc..80357f3580 100644
--- a/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml
+++ b/detections/endpoint/detect_certify_with_powershell_script_block_logging.yml
@@ -1,6 +1,6 @@
name: Detect Certify With PowerShell Script Block Logging
id: f533ca6c-9440-4686-80cb-7f294c07812a
-version: 4
+version: 5
date: '2024-11-13'
author: Steven Dick
status: production
diff --git a/detections/endpoint/detect_certipy_file_modifications.yml b/detections/endpoint/detect_certipy_file_modifications.yml
index 932c36dce7..48a6a3129b 100644
--- a/detections/endpoint/detect_certipy_file_modifications.yml
+++ b/detections/endpoint/detect_certipy_file_modifications.yml
@@ -1,6 +1,6 @@
name: Detect Certipy File Modifications
id: 7e3df743-b1d8-4631-8fa8-bd5819688876
-version: 4
+version: 5
date: '2024-11-13'
author: Steven Dick
status: production
diff --git a/detections/endpoint/detect_html_help_spawn_child_process.yml b/detections/endpoint/detect_html_help_spawn_child_process.yml
index 05aed6328e..7bbbcdff80 100644
--- a/detections/endpoint/detect_html_help_spawn_child_process.yml
+++ b/detections/endpoint/detect_html_help_spawn_child_process.yml
@@ -1,6 +1,6 @@
name: Detect HTML Help Spawn Child Process
id: 723716de-ee55-4cd4-9759-c44e7e55ba4b
-version: 7
+version: 8
date: '2024-12-10'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/detect_html_help_url_in_command_line.yml b/detections/endpoint/detect_html_help_url_in_command_line.yml
index d72c7f64a1..b91592327f 100644
--- a/detections/endpoint/detect_html_help_url_in_command_line.yml
+++ b/detections/endpoint/detect_html_help_url_in_command_line.yml
@@ -1,6 +1,6 @@
name: Detect HTML Help URL in Command Line
id: 8c5835b9-39d9-438b-817c-95f14c69a31e
-version: 7
+version: 8
date: '2024-12-10'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml b/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml
index 0960910cc8..d3616fae42 100644
--- a/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml
+++ b/detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml
@@ -1,6 +1,6 @@
name: Detect Mimikatz With PowerShell Script Block Logging
id: 8148c29c-c952-11eb-9255-acde48001122
-version: 5
+version: 6
date: '2024-11-13'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/detect_mshta_inline_hta_execution.yml b/detections/endpoint/detect_mshta_inline_hta_execution.yml
index 09c4f17867..7c5118b8b9 100644
--- a/detections/endpoint/detect_mshta_inline_hta_execution.yml
+++ b/detections/endpoint/detect_mshta_inline_hta_execution.yml
@@ -1,6 +1,6 @@
name: Detect mshta inline hta execution
id: a0873b32-5b68-11eb-ae93-0242ac130002
-version: 12
+version: 13
date: '2024-12-10'
author: Bhavin Patel, Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/detect_mshta_url_in_command_line.yml b/detections/endpoint/detect_mshta_url_in_command_line.yml
index 7a9bc24261..ca6dcb56be 100644
--- a/detections/endpoint/detect_mshta_url_in_command_line.yml
+++ b/detections/endpoint/detect_mshta_url_in_command_line.yml
@@ -1,6 +1,6 @@
name: Detect MSHTA Url in Command Line
id: 9b3af1e6-5b68-11eb-ae93-0242ac130002
-version: 8
+version: 9
date: '2024-12-10'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml b/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml
index f6f07579ae..0151aeb432 100644
--- a/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml
+++ b/detections/endpoint/detect_path_interception_by_creation_of_program_exe.yml
@@ -1,6 +1,6 @@
name: Detect Path Interception By Creation Of program exe
id: cbef820c-e1ff-407f-887f-0a9240a2d477
-version: 9
+version: 10
date: '2024-11-13'
author: Patrick Bareiss, Splunk
status: production
diff --git a/detections/endpoint/detect_psexec_with_accepteula_flag.yml b/detections/endpoint/detect_psexec_with_accepteula_flag.yml
index 6004101254..24de8df12b 100644
--- a/detections/endpoint/detect_psexec_with_accepteula_flag.yml
+++ b/detections/endpoint/detect_psexec_with_accepteula_flag.yml
@@ -1,6 +1,6 @@
name: Detect PsExec With accepteula Flag
id: 27c3a83d-cada-47c6-9042-67baf19d2574
-version: 8
+version: 9
date: '2024-11-13'
author: Bhavin Patel, Splunk
status: production
diff --git a/detections/endpoint/detect_rclone_command_line_usage.yml b/detections/endpoint/detect_rclone_command_line_usage.yml
index 31e5bc6329..a36e49cace 100644
--- a/detections/endpoint/detect_rclone_command_line_usage.yml
+++ b/detections/endpoint/detect_rclone_command_line_usage.yml
@@ -1,6 +1,6 @@
name: Detect RClone Command-Line Usage
id: 32e0baea-b3f1-11eb-a2ce-acde48001122
-version: 6
+version: 7
date: '2024-11-13'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/detect_regasm_spawning_a_process.yml b/detections/endpoint/detect_regasm_spawning_a_process.yml
index edd0e0652f..008e3a9fdf 100644
--- a/detections/endpoint/detect_regasm_spawning_a_process.yml
+++ b/detections/endpoint/detect_regasm_spawning_a_process.yml
@@ -1,6 +1,6 @@
name: Detect Regasm Spawning a Process
id: 72170ec5-f7d2-42f5-aefb-2b8be6aad15f
-version: 8
+version: 9
date: '2024-12-10'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml
index 3431b74b40..39e4bbbd17 100644
--- a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml
+++ b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml
@@ -1,6 +1,6 @@
name: Detect Regasm with no Command Line Arguments
id: c3bc1430-04e7-4178-835f-047d8e6e97df
-version: 7
+version: 8
date: '2024-11-13'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/detect_regsvcs_spawning_a_process.yml b/detections/endpoint/detect_regsvcs_spawning_a_process.yml
index 369fa49db9..621501a8a9 100644
--- a/detections/endpoint/detect_regsvcs_spawning_a_process.yml
+++ b/detections/endpoint/detect_regsvcs_spawning_a_process.yml
@@ -1,6 +1,6 @@
name: Detect Regsvcs Spawning a Process
id: bc477b57-5c21-4ab6-9c33-668772e7f114
-version: 7
+version: 8
date: '2024-12-10'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml
index c8dfa3767d..05dfb21ac7 100644
--- a/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml
+++ b/detections/endpoint/detect_regsvcs_with_no_command_line_arguments.yml
@@ -1,6 +1,6 @@
name: Detect Regsvcs with No Command Line Arguments
id: 6b74d578-a02e-4e94-a0d1-39440d0bf254
-version: 7
+version: 8
date: '2024-11-13'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/detect_regsvr32_application_control_bypass.yml b/detections/endpoint/detect_regsvr32_application_control_bypass.yml
index e2130893c1..ba41b5d992 100644
--- a/detections/endpoint/detect_regsvr32_application_control_bypass.yml
+++ b/detections/endpoint/detect_regsvr32_application_control_bypass.yml
@@ -1,6 +1,6 @@
name: Detect Regsvr32 Application Control Bypass
id: 070e9b80-6252-11eb-ae93-0242ac130002
-version: 7
+version: 8
date: '2024-12-10'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml
index 8774c0b8e9..8e285e9c2f 100644
--- a/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml
+++ b/detections/endpoint/detect_rundll32_application_control_bypass___advpack.yml
@@ -1,6 +1,6 @@
name: Detect Rundll32 Application Control Bypass - advpack
id: 4aefadfe-9abd-4bf8-b3fd-867e9ef95bf8
-version: 7
+version: 8
date: '2024-12-10'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml
index 5870f0e87b..c61eded5b1 100644
--- a/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml
+++ b/detections/endpoint/detect_rundll32_application_control_bypass___setupapi.yml
@@ -1,6 +1,6 @@
name: Detect Rundll32 Application Control Bypass - setupapi
id: 61e7b44a-6088-4f26-b788-9a96ba13b37a
-version: 7
+version: 8
date: '2024-12-10'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml
index cab866b351..58bfea6011 100644
--- a/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml
+++ b/detections/endpoint/detect_rundll32_application_control_bypass___syssetup.yml
@@ -1,6 +1,6 @@
name: Detect Rundll32 Application Control Bypass - syssetup
id: 71b9bf37-cde1-45fb-b899-1b0aa6fa1183
-version: 7
+version: 8
date: '2024-12-10'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml
index 6fa1b4cdd0..93af7b9881 100644
--- a/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml
+++ b/detections/endpoint/detect_suspicious_processnames_using_pretrained_model_in_dsdl.yml
@@ -1,6 +1,6 @@
name: Detect suspicious processnames using pretrained model in DSDL
id: a15f8977-ad7d-4669-92ef-b59b97219bf5
-version: 4
+version: 5
date: '2024-11-13'
author: Abhinav Mishra, Kumar Sharad and Namratha Sreekanta, Splunk
type: Anomaly
diff --git a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml
index a244b2a733..9e42a31685 100644
--- a/detections/endpoint/dns_exfiltration_using_nslookup_app.yml
+++ b/detections/endpoint/dns_exfiltration_using_nslookup_app.yml
@@ -1,6 +1,6 @@
name: DNS Exfiltration Using Nslookup App
id: 2452e632-9e0d-11eb-bacd-acde48001122
-version: 7
+version: 8
date: '2024-12-10'
author: Teoderick Contreras, Splunk, Wouter Jansen
status: production
diff --git a/detections/endpoint/dsquery_domain_discovery.yml b/detections/endpoint/dsquery_domain_discovery.yml
index 3ee0399230..72e21dfb8e 100644
--- a/detections/endpoint/dsquery_domain_discovery.yml
+++ b/detections/endpoint/dsquery_domain_discovery.yml
@@ -1,6 +1,6 @@
name: DSQuery Domain Discovery
id: cc316032-924a-11eb-91a2-acde48001122
-version: 6
+version: 7
date: '2024-12-10'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml
index ea6d606030..f2ca5506a9 100644
--- a/detections/endpoint/dump_lsass_via_comsvcs_dll.yml
+++ b/detections/endpoint/dump_lsass_via_comsvcs_dll.yml
@@ -1,6 +1,6 @@
name: Dump LSASS via comsvcs DLL
id: 8943b567-f14d-4ee8-a0bb-2121d4ce3184
-version: 7
+version: 8
date: '2024-12-10'
author: Patrick Bareiss, Splunk
status: production
diff --git a/detections/endpoint/dump_lsass_via_procdump.yml b/detections/endpoint/dump_lsass_via_procdump.yml
index 56b38267ec..e1881104a9 100644
--- a/detections/endpoint/dump_lsass_via_procdump.yml
+++ b/detections/endpoint/dump_lsass_via_procdump.yml
@@ -1,6 +1,6 @@
name: Dump LSASS via procdump
id: 3742ebfe-64c2-11eb-ae93-0242ac130002
-version: 8
+version: 9
date: '2024-12-10'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/etw_registry_disabled.yml b/detections/endpoint/etw_registry_disabled.yml
index e001bbdc5b..6a16286298 100644
--- a/detections/endpoint/etw_registry_disabled.yml
+++ b/detections/endpoint/etw_registry_disabled.yml
@@ -1,6 +1,6 @@
name: ETW Registry Disabled
id: 8ed523ac-276b-11ec-ac39-acde48001122
-version: 9
+version: 10
date: '2024-12-16'
author: Teoderick Contreras, Splunk, Steven Dick
status: production
diff --git a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml
index d389a1626f..3c5861b898 100644
--- a/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml
+++ b/detections/endpoint/execute_javascript_with_jscript_com_clsid.yml
@@ -1,6 +1,6 @@
name: Execute Javascript With Jscript COM CLSID
id: dc64d064-d346-11eb-8588-acde48001122
-version: 4
+version: 5
date: '2024-11-13'
author: Teoderick Contreras, Splunk
status: production
diff --git a/detections/endpoint/execution_of_file_with_multiple_extensions.yml b/detections/endpoint/execution_of_file_with_multiple_extensions.yml
index 306a367e2b..906eec9db6 100644
--- a/detections/endpoint/execution_of_file_with_multiple_extensions.yml
+++ b/detections/endpoint/execution_of_file_with_multiple_extensions.yml
@@ -1,6 +1,6 @@
name: Execution of File with Multiple Extensions
id: b06a555e-dce0-417d-a2eb-28a5d8d66ef7
-version: 7
+version: 8
date: '2024-11-13'
author: Rico Valdez, Teoderick Contreras, Splunk
status: production
diff --git a/detections/endpoint/file_with_samsam_extension.yml b/detections/endpoint/file_with_samsam_extension.yml
index 0d86b46dcd..f09d658da1 100644
--- a/detections/endpoint/file_with_samsam_extension.yml
+++ b/detections/endpoint/file_with_samsam_extension.yml
@@ -1,6 +1,6 @@
name: File with Samsam Extension
id: 02c6cfc2-ae66-4735-bfc7-6291da834cbf
-version: 5
+version: 6
date: '2024-11-13'
author: Rico Valdez, Splunk
status: production
diff --git a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml
index c60512b788..46ab4b2a2e 100644
--- a/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml
+++ b/detections/endpoint/gpupdate_with_no_command_line_arguments_with_network.yml
@@ -1,6 +1,6 @@
name: GPUpdate with no Command Line Arguments with Network
id: 2c853856-a140-11eb-a5b5-acde48001122
-version: 7
+version: 8
date: '2024-12-10'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml
index a5a0e59b2d..6d6557e0ab 100644
--- a/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml
+++ b/detections/endpoint/headless_browser_mockbin_or_mocky_request.yml
@@ -1,6 +1,6 @@
name: Headless Browser Mockbin or Mocky Request
id: 94fc85a1-e55b-4265-95e1-4b66730e05c0
-version: 4
+version: 5
date: '2024-11-13'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/linux_apt_get_privilege_escalation.yml b/detections/endpoint/linux_apt_get_privilege_escalation.yml
index 7924c146e3..086b376e70 100644
--- a/detections/endpoint/linux_apt_get_privilege_escalation.yml
+++ b/detections/endpoint/linux_apt_get_privilege_escalation.yml
@@ -1,6 +1,6 @@
name: Linux apt-get Privilege Escalation
id: d870ce3b-e796-402f-b2af-cab4da1223f2
-version: 5
+version: 6
date: '2024-11-13'
author: Gowthamaraj Rajendran, Splunk
status: production
diff --git a/detections/endpoint/linux_apt_privilege_escalation.yml b/detections/endpoint/linux_apt_privilege_escalation.yml
index 7f6804cbfb..4466f0e3e7 100644
--- a/detections/endpoint/linux_apt_privilege_escalation.yml
+++ b/detections/endpoint/linux_apt_privilege_escalation.yml
@@ -1,6 +1,6 @@
name: Linux APT Privilege Escalation
id: 4d5a05fa-77d9-4fd0-af9c-05704f9f9a88
-version: 5
+version: 6
date: '2024-11-13'
author: Gowthamaraj Rajendran, Splunk
status: production
diff --git a/detections/endpoint/linux_awk_privilege_escalation.yml b/detections/endpoint/linux_awk_privilege_escalation.yml
index 1036c94106..f7a4f975d6 100644
--- a/detections/endpoint/linux_awk_privilege_escalation.yml
+++ b/detections/endpoint/linux_awk_privilege_escalation.yml
@@ -1,6 +1,6 @@
name: Linux AWK Privilege Escalation
id: 4510cae0-96a2-4840-9919-91d262db210a
-version: 5
+version: 6
date: '2024-11-13'
author: Gowthamaraj Rajendran, Splunk
status: production
diff --git a/detections/endpoint/linux_busybox_privilege_escalation.yml b/detections/endpoint/linux_busybox_privilege_escalation.yml
index f6bbd0bde7..4f7d70ec4a 100644
--- a/detections/endpoint/linux_busybox_privilege_escalation.yml
+++ b/detections/endpoint/linux_busybox_privilege_escalation.yml
@@ -1,6 +1,6 @@
name: Linux Busybox Privilege Escalation
id: 387c4e78-f4a4-413d-ad44-e9f7bc4642c9
-version: 5
+version: 6
date: '2024-11-13'
author: Gowthamaraj Rajendran, Splunk
status: production
diff --git a/detections/endpoint/linux_c89_privilege_escalation.yml b/detections/endpoint/linux_c89_privilege_escalation.yml
index 3919b610e8..9e9c19688c 100644
--- a/detections/endpoint/linux_c89_privilege_escalation.yml
+++ b/detections/endpoint/linux_c89_privilege_escalation.yml
@@ -1,6 +1,6 @@
name: Linux c89 Privilege Escalation
id: 54c95f4d-3e5d-44be-9521-ea19ba62f7a8
-version: 5
+version: 6
date: '2024-11-13'
author: Gowthamaraj Rajendran, Splunk
status: production
diff --git a/detections/endpoint/linux_c99_privilege_escalation.yml b/detections/endpoint/linux_c99_privilege_escalation.yml
index 9e76c91bfe..2b4cc5888a 100644
--- a/detections/endpoint/linux_c99_privilege_escalation.yml
+++ b/detections/endpoint/linux_c99_privilege_escalation.yml
@@ -1,6 +1,6 @@
name: Linux c99 Privilege Escalation
id: e1c6dec5-2249-442d-a1f9-99a4bd228183
-version: 5
+version: 6
date: '2024-11-13'
author: Gowthamaraj Rajendran, Splunk
status: production
diff --git a/detections/endpoint/linux_composer_privilege_escalation.yml b/detections/endpoint/linux_composer_privilege_escalation.yml
index 4128c46843..5753643b61 100644
--- a/detections/endpoint/linux_composer_privilege_escalation.yml
+++ b/detections/endpoint/linux_composer_privilege_escalation.yml
@@ -1,6 +1,6 @@
name: Linux Composer Privilege Escalation
id: a3bddf71-6ba3-42ab-a6b2-396929b16d92
-version: 5
+version: 6
date: '2024-11-13'
author: Gowthamaraj Rajendran, Splunk
status: production
diff --git a/detections/endpoint/linux_cpulimit_privilege_escalation.yml b/detections/endpoint/linux_cpulimit_privilege_escalation.yml
index 2d565e6a8b..655e36cbef 100644
--- a/detections/endpoint/linux_cpulimit_privilege_escalation.yml
+++ b/detections/endpoint/linux_cpulimit_privilege_escalation.yml
@@ -1,6 +1,6 @@
name: Linux Cpulimit Privilege Escalation
id: d4e40b7e-aad3-4a7d-aac8-550ea5222be5
-version: 5
+version: 6
date: '2024-11-13'
author: Gowthamaraj Rajendran, Splunk
status: production
diff --git a/detections/endpoint/linux_csvtool_privilege_escalation.yml b/detections/endpoint/linux_csvtool_privilege_escalation.yml
index 0b4a4ed4b6..ed76fcb05a 100644
--- a/detections/endpoint/linux_csvtool_privilege_escalation.yml
+++ b/detections/endpoint/linux_csvtool_privilege_escalation.yml
@@ -1,6 +1,6 @@
name: Linux Csvtool Privilege Escalation
id: f8384f9e-1a5c-4c3a-96d6-8a7e5a38a8b8
-version: 5
+version: 6
date: '2024-11-13'
author: Gowthamaraj Rajendran, Splunk
status: production
diff --git a/detections/endpoint/linux_data_destruction_command.yml b/detections/endpoint/linux_data_destruction_command.yml
index 0ed0562b5d..d995933ae4 100644
--- a/detections/endpoint/linux_data_destruction_command.yml
+++ b/detections/endpoint/linux_data_destruction_command.yml
@@ -1,6 +1,6 @@
name: Linux Data Destruction Command
id: b11d3979-b2f7-411b-bb1a-bd00e642173b
-version: 4
+version: 5
date: '2024-11-13'
author: Teoderick Contreras, Splunk
status: production
diff --git a/detections/endpoint/linux_decode_base64_to_shell.yml b/detections/endpoint/linux_decode_base64_to_shell.yml
index a60cd9db88..a332d7535a 100644
--- a/detections/endpoint/linux_decode_base64_to_shell.yml
+++ b/detections/endpoint/linux_decode_base64_to_shell.yml
@@ -1,6 +1,6 @@
name: Linux Decode Base64 to Shell
id: 637b603e-1799-40fd-bf87-47ecbd551b66
-version: 6
+version: 7
date: '2024-11-13'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/linux_docker_privilege_escalation.yml b/detections/endpoint/linux_docker_privilege_escalation.yml
index a6c8d07606..5b3c7f3d26 100644
--- a/detections/endpoint/linux_docker_privilege_escalation.yml
+++ b/detections/endpoint/linux_docker_privilege_escalation.yml
@@ -1,6 +1,6 @@
name: Linux Docker Privilege Escalation
id: 2e7bfb78-85f6-47b5-bc2f-15813a4ef2b3
-version: 5
+version: 6
date: '2024-11-13'
author: Gowthamaraj Rajendran, Splunk
status: production
diff --git a/detections/endpoint/linux_emacs_privilege_escalation.yml b/detections/endpoint/linux_emacs_privilege_escalation.yml
index 2e3b916845..1bdef39406 100644
--- a/detections/endpoint/linux_emacs_privilege_escalation.yml
+++ b/detections/endpoint/linux_emacs_privilege_escalation.yml
@@ -1,6 +1,6 @@
name: Linux Emacs Privilege Escalation
id: 92033cab-1871-483d-a03b-a7ce98665cfc
-version: 5
+version: 6
date: '2024-11-13'
author: Gowthamaraj Rajendran, Splunk
status: production
diff --git a/detections/endpoint/linux_find_privilege_escalation.yml b/detections/endpoint/linux_find_privilege_escalation.yml
index faeeb076e0..ea4a8f3b0d 100644
--- a/detections/endpoint/linux_find_privilege_escalation.yml
+++ b/detections/endpoint/linux_find_privilege_escalation.yml
@@ -1,6 +1,6 @@
name: Linux Find Privilege Escalation
id: 2ff4e0c2-8256-4143-9c07-1e39c7231111
-version: 5
+version: 6
date: '2024-11-13'
author: Gowthamaraj Rajendran, Splunk
status: production
diff --git a/detections/endpoint/linux_gdb_privilege_escalation.yml b/detections/endpoint/linux_gdb_privilege_escalation.yml
index fd91250e3a..3e0b7e05d0 100644
--- a/detections/endpoint/linux_gdb_privilege_escalation.yml
+++ b/detections/endpoint/linux_gdb_privilege_escalation.yml
@@ -1,6 +1,6 @@
name: Linux GDB Privilege Escalation
id: 310b7da2-ab52-437f-b1bf-0bd458674308
-version: 5
+version: 6
date: '2024-11-13'
author: Gowthamaraj Rajendran, Splunk
status: production
diff --git a/detections/endpoint/linux_gem_privilege_escalation.yml b/detections/endpoint/linux_gem_privilege_escalation.yml
index 7976f81781..848b8f393f 100644
--- a/detections/endpoint/linux_gem_privilege_escalation.yml
+++ b/detections/endpoint/linux_gem_privilege_escalation.yml
@@ -1,6 +1,6 @@
name: Linux Gem Privilege Escalation
id: 0115482a-5dcb-4bb0-bcca-5d095d224236
-version: 5
+version: 6
date: '2024-11-13'
author: Gowthamaraj Rajendran, Splunk
status: production
diff --git a/detections/endpoint/linux_gnu_awk_privilege_escalation.yml b/detections/endpoint/linux_gnu_awk_privilege_escalation.yml
index 818ca801e4..f7fc077d77 100644
--- a/detections/endpoint/linux_gnu_awk_privilege_escalation.yml
+++ b/detections/endpoint/linux_gnu_awk_privilege_escalation.yml
@@ -1,6 +1,6 @@
name: Linux GNU Awk Privilege Escalation
id: 0dcf43b9-50d8-42a6-acd9-d1c9201fe6ae
-version: 5
+version: 6
date: '2024-11-13'
author: Gowthamaraj Rajendran, Splunk
status: production
diff --git a/detections/endpoint/linux_java_spawning_shell.yml b/detections/endpoint/linux_java_spawning_shell.yml
index 4625c20fb7..a13f0d306e 100644
--- a/detections/endpoint/linux_java_spawning_shell.yml
+++ b/detections/endpoint/linux_java_spawning_shell.yml
@@ -1,6 +1,6 @@
name: Linux Java Spawning Shell
id: 7b09db8a-5c20-11ec-9945-acde48001122
-version: 5
+version: 6
date: '2024-11-13'
author: Michael Haag, Splunk
status: production
diff --git a/detections/endpoint/linux_kernel_module_enumeration.yml b/detections/endpoint/linux_kernel_module_enumeration.yml
index 9939c3de7c..157f255449 100644
--- a/detections/endpoint/linux_kernel_module_enumeration.yml
+++ b/detections/endpoint/linux_kernel_module_enumeration.yml
@@ -1,6 +1,6 @@
 name: Linux Kernel Module Enumeration
 id: 6df99886-0e04-4c11-8b88-325747419278
-version: 6
+version: 7
 date: '2024-11-17'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/linux_make_privilege_escalation.yml b/detections/endpoint/linux_make_privilege_escalation.yml
index a8e87a9bf6..9d81cbaa3d 100644
--- a/detections/endpoint/linux_make_privilege_escalation.yml
+++ b/detections/endpoint/linux_make_privilege_escalation.yml
@@ -1,6 +1,6 @@
 name: Linux Make Privilege Escalation
 id: 80b22836-5091-4944-80ee-f733ac443f4f
-version: 5
+version: 6
 date: '2024-11-13'
 author: Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/endpoint/linux_mysql_privilege_escalation.yml b/detections/endpoint/linux_mysql_privilege_escalation.yml
index 370c6cc5e1..77ade04a7d 100644
--- a/detections/endpoint/linux_mysql_privilege_escalation.yml
+++ b/detections/endpoint/linux_mysql_privilege_escalation.yml
@@ -1,6 +1,6 @@
 name: Linux MySQL Privilege Escalation
 id: c0d810f4-230c-44ea-b703-989da02ff145
-version: 5
+version: 6
 date: '2024-11-13'
 author: Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml b/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml
index eeaf7de9e4..ace58aa7ad 100644
--- a/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml
+++ b/detections/endpoint/linux_ngrok_reverse_proxy_usage.yml
@@ -1,6 +1,6 @@
 name: Linux Ngrok Reverse Proxy Usage
 id: bc84d574-708c-467d-b78a-4c1e20171f97
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/linux_node_privilege_escalation.yml b/detections/endpoint/linux_node_privilege_escalation.yml
index 5e26a21d55..09569d3dd1 100644
--- a/detections/endpoint/linux_node_privilege_escalation.yml
+++ b/detections/endpoint/linux_node_privilege_escalation.yml
@@ -1,6 +1,6 @@
 name: Linux Node Privilege Escalation
 id: 2e58a4ff-398f-42f4-8fd0-e01ebfe2a8ce
-version: 5
+version: 6
 date: '2024-11-13'
 author: Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml
index 033284562b..eeb2fe21ba 100644
--- a/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml
+++ b/detections/endpoint/linux_obfuscated_files_or_information_base64_decode.yml
@@ -1,6 +1,6 @@
 name: Linux Obfuscated Files or Information Base64 Decode
 id: 303b38b2-c03f-44e2-8f41-4594606fcfc7
-version: 6
+version: 7
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/linux_octave_privilege_escalation.yml b/detections/endpoint/linux_octave_privilege_escalation.yml
index 37839dd3cb..748265ca07 100644
--- a/detections/endpoint/linux_octave_privilege_escalation.yml
+++ b/detections/endpoint/linux_octave_privilege_escalation.yml
@@ -1,6 +1,6 @@
 name: Linux Octave Privilege Escalation
 id: 78f7487d-42ce-4f7f-8685-2159b25fb477
-version: 5
+version: 6
 date: '2024-11-13'
 author: Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/endpoint/linux_openvpn_privilege_escalation.yml b/detections/endpoint/linux_openvpn_privilege_escalation.yml
index 452799d717..dac490faf9 100644
--- a/detections/endpoint/linux_openvpn_privilege_escalation.yml
+++ b/detections/endpoint/linux_openvpn_privilege_escalation.yml
@@ -1,6 +1,6 @@
 name: Linux OpenVPN Privilege Escalation
 id: d25feebe-fa1c-4754-8a1e-afb03bedc0f2
-version: 5
+version: 6
 date: '2024-11-13'
 author: Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/endpoint/linux_php_privilege_escalation.yml b/detections/endpoint/linux_php_privilege_escalation.yml
index 521ece7f21..4ca46b1699 100644
--- a/detections/endpoint/linux_php_privilege_escalation.yml
+++ b/detections/endpoint/linux_php_privilege_escalation.yml
@@ -1,6 +1,6 @@
 name: Linux PHP Privilege Escalation
 id: 4fc4c031-e5be-4cc0-8cf9-49f9f507bcb5
-version: 5
+version: 6
 date: '2024-11-13'
 author: Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/endpoint/linux_pkexec_privilege_escalation.yml b/detections/endpoint/linux_pkexec_privilege_escalation.yml
index e4fa7129d7..81844e155e 100644
--- a/detections/endpoint/linux_pkexec_privilege_escalation.yml
+++ b/detections/endpoint/linux_pkexec_privilege_escalation.yml
@@ -1,6 +1,6 @@
 name: Linux pkexec Privilege Escalation
 id: 03e22c1c-8086-11ec-ac2e-acde48001122
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/linux_proxy_socks_curl.yml b/detections/endpoint/linux_proxy_socks_curl.yml
index 1093bc6413..2501295d79 100644
--- a/detections/endpoint/linux_proxy_socks_curl.yml
+++ b/detections/endpoint/linux_proxy_socks_curl.yml
@@ -1,6 +1,6 @@
 name: Linux Proxy Socks Curl
 id: bd596c22-ad1e-44fc-b242-817253ce8b08
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/linux_puppet_privilege_escalation.yml b/detections/endpoint/linux_puppet_privilege_escalation.yml
index 05c7c3d735..ee0c832bfc 100644
--- a/detections/endpoint/linux_puppet_privilege_escalation.yml
+++ b/detections/endpoint/linux_puppet_privilege_escalation.yml
@@ -1,6 +1,6 @@
 name: Linux Puppet Privilege Escalation
 id: 1d19037f-466e-4d56-8d87-36fafd9aa3ce
-version: 5
+version: 6
 date: '2024-11-13'
 author: Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/endpoint/linux_rpm_privilege_escalation.yml b/detections/endpoint/linux_rpm_privilege_escalation.yml
index 612f08ab5f..1535df3087 100644
--- a/detections/endpoint/linux_rpm_privilege_escalation.yml
+++ b/detections/endpoint/linux_rpm_privilege_escalation.yml
@@ -1,6 +1,6 @@
 name: Linux RPM Privilege Escalation
 id: f8e58a23-cecd-495f-9c65-6c76b4cb9774
-version: 5
+version: 6
 date: '2024-11-13'
 author: Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/endpoint/linux_ruby_privilege_escalation.yml b/detections/endpoint/linux_ruby_privilege_escalation.yml
index b004b42783..340e46c341 100644
--- a/detections/endpoint/linux_ruby_privilege_escalation.yml
+++ b/detections/endpoint/linux_ruby_privilege_escalation.yml
@@ -1,6 +1,6 @@
 name: Linux Ruby Privilege Escalation
 id: 097b28b5-7004-4d40-a715-7e390501788b
-version: 5
+version: 6
 date: '2024-11-13'
 author: Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/endpoint/linux_sqlite3_privilege_escalation.yml b/detections/endpoint/linux_sqlite3_privilege_escalation.yml
index 60c9288b4e..dd00c643bd 100644
--- a/detections/endpoint/linux_sqlite3_privilege_escalation.yml
+++ b/detections/endpoint/linux_sqlite3_privilege_escalation.yml
@@ -1,6 +1,6 @@
 name: Linux Sqlite3 Privilege Escalation
 id: ab75dbb7-c3ba-4689-9c1b-8d2717bdcba1
-version: 5
+version: 6
 date: '2024-11-13'
 author: Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/endpoint/linux_ssh_authorized_keys_modification.yml b/detections/endpoint/linux_ssh_authorized_keys_modification.yml
index a2a4c09110..d513ccb7c5 100644
--- a/detections/endpoint/linux_ssh_authorized_keys_modification.yml
+++ b/detections/endpoint/linux_ssh_authorized_keys_modification.yml
@@ -1,6 +1,6 @@
 name: Linux SSH Authorized Keys Modification
 id: f5ab595e-28e5-4327-8077-5008ba97c850
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/linux_ssh_remote_services_script_execute.yml b/detections/endpoint/linux_ssh_remote_services_script_execute.yml
index 6fcbed4dcd..cddd81fa59 100644
--- a/detections/endpoint/linux_ssh_remote_services_script_execute.yml
+++ b/detections/endpoint/linux_ssh_remote_services_script_execute.yml
@@ -1,6 +1,6 @@
 name: Linux SSH Remote Services Script Execute
 id: aa1748dd-4a5c-457a-9cf6-ca7b4eb711b3
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/microsoft_defender_atp_alerts.yml b/detections/endpoint/microsoft_defender_atp_alerts.yml
index e18398545b..eba3aaecd3 100644
--- a/detections/endpoint/microsoft_defender_atp_alerts.yml
+++ b/detections/endpoint/microsoft_defender_atp_alerts.yml
@@ -1,6 +1,6 @@
 name: Microsoft Defender ATP Alerts
 id: 38f034ed-1598-46c8-95e8-14edf05fdf5d
-version: 2
+version: 3
 date: '2025-01-20'
 author: Bryan Pluta, Bhavin Patel, Splunk
 status: production
diff --git a/detections/endpoint/microsoft_defender_incident_alerts.yml b/detections/endpoint/microsoft_defender_incident_alerts.yml
index 2133ecae98..4cae1ede0f 100644
--- a/detections/endpoint/microsoft_defender_incident_alerts.yml
+++ b/detections/endpoint/microsoft_defender_incident_alerts.yml
@@ -1,6 +1,6 @@
 name: Microsoft Defender Incident Alerts
 id: 13435b55-afd8-46d4-9045-7d5457f430a5
-version: 2
+version: 3
 date: '2025-01-20'
 author: Bryan Pluta, Bhavin Patel, Splunk
 status: production
diff --git a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml
index 904d7c0ff7..1d9de05366 100644
--- a/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml
+++ b/detections/endpoint/mshta_spawning_rundll32_or_regsvr32_process.yml
@@ -1,6 +1,6 @@
 name: Mshta spawning Rundll32 OR Regsvr32 Process
 id: 4aa5d062-e893-11eb-9eb2-acde48001122
-version: 5
+version: 6
 date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/notepad_with_no_command_line_arguments.yml b/detections/endpoint/notepad_with_no_command_line_arguments.yml
index 1b8e50b748..9598488359 100644
--- a/detections/endpoint/notepad_with_no_command_line_arguments.yml
+++ b/detections/endpoint/notepad_with_no_command_line_arguments.yml
@@ -1,6 +1,6 @@
 name: Notepad with no Command Line Arguments
 id: 5adbc5f1-9a2f-41c1-a810-f37e015f8179
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 type: TTP
diff --git a/detections/endpoint/potential_system_network_configuration_discovery_activity.yml b/detections/endpoint/potential_system_network_configuration_discovery_activity.yml
index 593947e09e..7939bcde78 100644
--- a/detections/endpoint/potential_system_network_configuration_discovery_activity.yml
+++ b/detections/endpoint/potential_system_network_configuration_discovery_activity.yml
@@ -1,6 +1,6 @@
 name: Potential System Network Configuration Discovery Activity
 id: 3f0b95e3-3195-46ac-bea3-84fb59e7fac5
-version: 1
+version: 2
 date: '2025-01-20'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/endpoint/powershell_load_module_in_meterpreter.yml b/detections/endpoint/powershell_load_module_in_meterpreter.yml
index de6090bb3f..7f8f0917d4 100644
--- a/detections/endpoint/powershell_load_module_in_meterpreter.yml
+++ b/detections/endpoint/powershell_load_module_in_meterpreter.yml
@@ -1,6 +1,6 @@
 name: Powershell Load Module in Meterpreter
 id: d5905da5-d050-48db-9259-018d8f034fcf
-version: 4
+version: 5
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
index d848c784db..8c3ae5d352 100644
--- a/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
+++ b/detections/endpoint/powershell_loading_dotnet_into_memory_via_reflection.yml
@@ -1,6 +1,6 @@
 name: PowerShell Loading DotNET into Memory via Reflection
 id: 85bc3f30-ca28-11eb-bd21-acde48001122
-version: 6
+version: 7
 date: '2025-01-16'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/powershell_processing_stream_of_data.yml b/detections/endpoint/powershell_processing_stream_of_data.yml
index 24967a1f8b..3f4244f0ca 100644
--- a/detections/endpoint/powershell_processing_stream_of_data.yml
+++ b/detections/endpoint/powershell_processing_stream_of_data.yml
@@ -1,6 +1,6 @@
 name: Powershell Processing Stream Of Data
 id: 0d718b52-c9f1-11eb-bc61-acde48001122
-version: 6
+version: 7
 date: '2024-11-22'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/powershell_remove_windows_defender_directory.yml b/detections/endpoint/powershell_remove_windows_defender_directory.yml
index 6f0ea6b1e1..118090ab0d 100644
--- a/detections/endpoint/powershell_remove_windows_defender_directory.yml
+++ b/detections/endpoint/powershell_remove_windows_defender_directory.yml
@@ -1,6 +1,6 @@
 name: Powershell Remove Windows Defender Directory
 id: adf47620-79fa-11ec-b248-acde48001122
-version: 6
+version: 7
 date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/powershell_start_bitstransfer.yml b/detections/endpoint/powershell_start_bitstransfer.yml
index 104e8afe41..6b50ec5b4f 100644
--- a/detections/endpoint/powershell_start_bitstransfer.yml
+++ b/detections/endpoint/powershell_start_bitstransfer.yml
@@ -1,6 +1,6 @@
 name: PowerShell Start-BitsTransfer
 id: 39e2605a-90d8-11eb-899e-acde48001122
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml b/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml
index 0bac5ac032..06ea69848f 100644
--- a/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml
+++ b/detections/endpoint/prevent_automatic_repair_mode_using_bcdedit.yml
@@ -1,6 +1,6 @@
 name: Prevent Automatic Repair Mode using Bcdedit
 id: 7742aa92-c9d9-11eb-bbfc-acde48001122
-version: 4
+version: 5
 date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/process_kill_base_on_file_path.yml b/detections/endpoint/process_kill_base_on_file_path.yml
index 22d03dda5e..bb4f8eb862 100644
--- a/detections/endpoint/process_kill_base_on_file_path.yml
+++ b/detections/endpoint/process_kill_base_on_file_path.yml
@@ -1,6 +1,6 @@
 name: Process Kill Base On File Path
 id: 5ffaa42c-acdb-11eb-9ad3-acde48001122
-version: 5
+version: 6
 date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml
index 15539d184d..b217c5d2a0 100644
--- a/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml
+++ b/detections/endpoint/recon_avproduct_through_pwh_or_wmi.yml
@@ -1,6 +1,6 @@
 name: Recon AVProduct Through Pwh or WMI
 id: 28077620-c9f6-11eb-8785-acde48001122
-version: 5
+version: 6
 date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml
index f11cc03166..033abc60c4 100644
--- a/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml
+++ b/detections/endpoint/reg_exe_manipulating_windows_services_registry_keys.yml
@@ -1,6 +1,6 @@
 name: Reg exe Manipulating Windows Services Registry Keys
 id: 8470d755-0c13-45b3-bd63-387a373c10cf
-version: 8
+version: 9
 date: '2024-11-13'
 author: Rico Valdez, Splunk
 status: production
diff --git a/detections/endpoint/registry_keys_for_creating_shim_databases.yml b/detections/endpoint/registry_keys_for_creating_shim_databases.yml
index 7d20f02115..ab697057ee 100644
--- a/detections/endpoint/registry_keys_for_creating_shim_databases.yml
+++ b/detections/endpoint/registry_keys_for_creating_shim_databases.yml
@@ -1,6 +1,6 @@
 name: Registry Keys for Creating SHIM Databases
 id: f5f6af30-7aa7-4295-bfe9-07fe87c01bbb
-version: 10
+version: 11
 date: '2024-12-08'
 author: Patrick Bareiss, Teoderick Contreras, Splunk, Steven Dick, Bhavin Patel
 status: production
diff --git a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
index fa6a03e4f6..ccdeb39f99 100644
--- a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
+++ b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml
@@ -1,6 +1,6 @@
 name: Regsvr32 Silent and Install Param Dll Loading
 id: f421c250-24e7-11ec-bc43-acde48001122
-version: 5
+version: 6
 date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
index 624108b462..1726b73a91 100644
--- a/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
+++ b/detections/endpoint/regsvr32_with_known_silent_switch_cmdline.yml
@@ -1,6 +1,6 @@
 name: Regsvr32 with Known Silent Switch Cmdline
 id: c9ef7dc4-eeaf-11eb-b2b6-acde48001122
-version: 6
+version: 7
 date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml
index aa845361b4..151768e0f0 100644
--- a/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml
+++ b/detections/endpoint/rundll32_control_rundll_world_writable_directory.yml
@@ -1,6 +1,6 @@
 name: Rundll32 Control RunDLL World Writable Directory
 id: 1adffe86-10c3-11ec-8ce6-acde48001122
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/sc_exe_manipulating_windows_services.yml b/detections/endpoint/sc_exe_manipulating_windows_services.yml
index ab462622b5..2ca5eeaf14 100644
--- a/detections/endpoint/sc_exe_manipulating_windows_services.yml
+++ b/detections/endpoint/sc_exe_manipulating_windows_services.yml
@@ -1,6 +1,6 @@
 name: Sc exe Manipulating Windows Services
 id: f0c693d8-2a89-4ce7-80b4-98fea4c3ea6d
-version: 7
+version: 8
 date: '2024-11-13'
 author: Rico Valdez, Splunk
 status: production
diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
index 3b47886f19..6d89907f5b 100644
--- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
+++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
@@ -1,6 +1,6 @@
 name: Scheduled Task Deleted Or Created via CMD
 id: d5af132c-7c17-439c-9d31-13d55340f36c
-version: 10
+version: 11
 date: '2025-01-27'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml
index 72e8073ffc..b49abbe0fc 100644
--- a/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml
+++ b/detections/endpoint/schtasks_used_for_forcing_a_reboot.yml
@@ -1,6 +1,6 @@
 name: Schtasks used for forcing a reboot
 id: 1297fb80-f42a-4b4a-9c8a-88c066437cf6
-version: 7
+version: 8
 date: '2024-11-13'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml
index 735ed9149a..1abd21eb3c 100644
--- a/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml
+++ b/detections/endpoint/serviceprincipalnames_discovery_with_setspn.yml
@@ -1,6 +1,6 @@
 name: ServicePrincipalNames Discovery with SetSPN
 id: ae8b3efc-2d2e-11ec-8b57-acde48001122
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/spoolsv_suspicious_process_access.yml b/detections/endpoint/spoolsv_suspicious_process_access.yml
index ee46ef235d..a41111a7b1 100644
--- a/detections/endpoint/spoolsv_suspicious_process_access.yml
+++ b/detections/endpoint/spoolsv_suspicious_process_access.yml
@@ -1,6 +1,6 @@
 name: Spoolsv Suspicious Process Access
 id: 799b606e-da81-11eb-93f8-acde48001122
-version: 5
+version: 6
 date: '2024-11-13'
 author: Mauricio Velazco, Michael Haag, Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/suspicious_computer_account_name_change.yml b/detections/endpoint/suspicious_computer_account_name_change.yml
index 25a57db4be..04edcd2a70 100644
--- a/detections/endpoint/suspicious_computer_account_name_change.yml
+++ b/detections/endpoint/suspicious_computer_account_name_change.yml
@@ -1,6 +1,6 @@
 name: Suspicious Computer Account Name Change
 id: 35a61ed8-61c4-11ec-bc1e-acde48001122
-version: 6
+version: 7
 date: '2024-12-10'
 author: Mauricio Velazco, Splunk
 status: production
diff --git a/detections/endpoint/suspicious_reg_exe_process.yml b/detections/endpoint/suspicious_reg_exe_process.yml
index 1d7dfc280a..0add6178bb 100644
--- a/detections/endpoint/suspicious_reg_exe_process.yml
+++ b/detections/endpoint/suspicious_reg_exe_process.yml
@@ -1,6 +1,6 @@
 name: Suspicious Reg exe Process
 id: a6b3ab4e-dd77-4213-95fa-fc94701995e0
-version: 8
+version: 9
 date: '2024-11-13'
 author: David Dorsey, Splunk
 status: production
diff --git a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml
index 65c6989495..1167ae4fa3 100644
--- a/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml
+++ b/detections/endpoint/suspicious_regsvr32_register_suspicious_path.yml
@@ -1,6 +1,6 @@
 name: Suspicious Regsvr32 Register Suspicious Path
 id: 62732736-6250-11eb-ae93-0242ac130002
-version: 10
+version: 11
 date: '2025-01-27'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml
index 31ca3d198e..6443c7a1f4 100644
--- a/detections/endpoint/suspicious_rundll32_dllregisterserver.yml
+++ b/detections/endpoint/suspicious_rundll32_dllregisterserver.yml
@@ -1,6 +1,6 @@
 name: Suspicious Rundll32 dllregisterserver
 id: 8c00a385-9b86-4ac0-8932-c9ec3713b159
-version: 6
+version: 7
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/suspicious_wevtutil_usage.yml b/detections/endpoint/suspicious_wevtutil_usage.yml
index 321027b633..db66f571be 100644
--- a/detections/endpoint/suspicious_wevtutil_usage.yml
+++ b/detections/endpoint/suspicious_wevtutil_usage.yml
@@ -1,6 +1,6 @@
 name: Suspicious wevtutil Usage
 id: 2827c0fd-e1be-4868-ae25-59d28e0f9d4f
-version: 8
+version: 9
 date: '2024-11-13'
 author: David Dorsey, Michael Haag, Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
index 7735319ec4..104fb978fa 100644
--- a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
+++ b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
@@ -1,6 +1,6 @@
 name: Unusual Number of Kerberos Service Tickets Requested
 id: eb3e6702-8936-11ec-98fe-acde48001122
-version: 6
+version: 7
 date: '2024-11-13'
 author: Mauricio Velazco, Dean Luxton, Splunk
 status: production
diff --git a/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml b/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
index 9b011c912c..87740e631d 100644
--- a/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
+++ b/detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
@@ -1,6 +1,6 @@
 name: Windows AD AdminSDHolder ACL Modified
 id: 00d877c3-7b7b-443d-9562-6b231e2abab9
-version: 5
+version: 6
 date: '2024-11-13'
 author: Mauricio Velazco, Dean Luxton, Splunk
 type: TTP
diff --git a/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml b/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml
index 1a951ffa45..d84075b5e2 100644
--- a/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml
+++ b/detections/endpoint/windows_ad_cross_domain_sid_history_addition.yml
@@ -1,6 +1,6 @@
 name: Windows AD Cross Domain SID History Addition
 id: 41bbb371-28ba-439c-bb5c-d9930c28365d
-version: 5
+version: 6
 date: '2024-12-10'
 author: Dean Luxton
 type: TTP
diff --git a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
index 5afac44a1b..a303064df9 100644
--- a/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
+++ b/detections/endpoint/windows_ad_domain_replication_acl_addition.yml
@@ -1,6 +1,6 @@
 name: Windows AD Domain Replication ACL Addition
 id: 8c372853-f459-4995-afdc-280c114d33ab
-version: 7
+version: 8
 date: '2024-12-10'
 author: Dean Luxton
 type: TTP
diff --git a/detections/endpoint/windows_alternate_datastream___executable_content.yml b/detections/endpoint/windows_alternate_datastream___executable_content.yml
index 9ff5c8ee67..363e9075c2 100644
--- a/detections/endpoint/windows_alternate_datastream___executable_content.yml
+++ b/detections/endpoint/windows_alternate_datastream___executable_content.yml
@@ -1,6 +1,6 @@
 name: Windows Alternate DataStream - Executable Content
 id: a258bf2a-34fd-4986-8086-78f506e00206
-version: 5
+version: 6
 date: '2024-11-13'
 author: Steven Dick, Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/windows_apache_benchmark_binary.yml b/detections/endpoint/windows_apache_benchmark_binary.yml
index 17a494d0c6..ecbb29f74e 100644
--- a/detections/endpoint/windows_apache_benchmark_binary.yml
+++ b/detections/endpoint/windows_apache_benchmark_binary.yml
@@ -1,6 +1,6 @@
 name: Windows Apache Benchmark Binary
 id: 894f48ea-8d85-4dcd-9132-c66cdb407c9b
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_attempt_to_stop_security_service.yml b/detections/endpoint/windows_attempt_to_stop_security_service.yml
index 44e85bbc42..0719d4656f 100644
--- a/detections/endpoint/windows_attempt_to_stop_security_service.yml
+++ b/detections/endpoint/windows_attempt_to_stop_security_service.yml
@@ -1,6 +1,6 @@
 name: Windows Attempt To Stop Security Service
 id: 9ed27cea-4e27-4eff-b2c6-aac9e78a7517
-version: 1
+version: 2
 date: '2025-01-13'
 author: Rico Valdez, Nasreddine Bencherchali, Splunk
 status: production
diff --git a/detections/endpoint/windows_autoit3_execution.yml b/detections/endpoint/windows_autoit3_execution.yml
index 27d70e95ba..e6ddf3ce77 100644
--- a/detections/endpoint/windows_autoit3_execution.yml
+++ b/detections/endpoint/windows_autoit3_execution.yml
@@ -1,6 +1,6 @@
 name: Windows AutoIt3 Execution
 id: 0ecb40d9-492b-4a57-9f87-515dd742794c
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml
index a14fab9b60..30f986c479 100644
--- a/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml
+++ b/detections/endpoint/windows_binary_proxy_execution_mavinject_dll_injection.yml
@@ -1,6 +1,6 @@
 name: Windows Binary Proxy Execution Mavinject DLL Injection
 id: ccf4b61b-1b26-4f2e-a089-f2009c569c57
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_certutil_download_with_url_argument.yml b/detections/endpoint/windows_certutil_download_with_url_argument.yml
index e7ac8ebf6c..87ff45c03c 100644
--- a/detections/endpoint/windows_certutil_download_with_url_argument.yml
+++ b/detections/endpoint/windows_certutil_download_with_url_argument.yml
@@ -1,6 +1,6 @@
 name: Windows CertUtil Download With URL Argument
 id: 4fc5ca00-4c7c-46b3-8772-c98a4b8bd944
-version: 2
+version: 3
 date: '2025-01-07'
 author: Nasreddine Bencherchali, Splunk
 status: production
diff --git a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
index 76789b01ac..441ba5036d 100644
--- a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
+++ b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
@@ -1,6 +1,6 @@
 name: Windows Cmdline Tool Execution From Non-Shell Process
 id: 2afa393f-b88d-41b7-9793-623c93a2dfde
-version: 1
+version: 2
 date: '2025-01-13'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml
index 80717d56c4..4c8b9324c6 100644
--- a/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml
+++ b/detections/endpoint/windows_com_hijacking_inprocserver32_modification.yml
@@ -1,6 +1,6 @@
 name: Windows COM Hijacking InprocServer32 Modification
 id: b7bd83c0-92b5-4fc7-b286-23eccfa2c561
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_create_local_administrator_account_via_net.yml b/detections/endpoint/windows_create_local_administrator_account_via_net.yml
index 518245a6d4..9a9f76fffd 100644
--- a/detections/endpoint/windows_create_local_administrator_account_via_net.yml
+++ b/detections/endpoint/windows_create_local_administrator_account_via_net.yml
@@ -1,6 +1,6 @@
 name: Windows Create Local Administrator Account Via Net
 id: 2c568c34-bb57-4b43-9d75-19c605b98e70
-version: 1
+version: 2
 date: '2025-01-13'
 author: Bhavin Patel, Splunk
 status: production
diff --git a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml
index 1308709d7f..b33e006ced 100644
--- a/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml
+++ b/detections/endpoint/windows_credential_dumping_lsass_memory_createdump.yml
@@ -1,6 +1,6 @@
 name: Windows Credential Dumping LSASS Memory Createdump
 id: b3b7ce35-fce5-4c73-85f4-700aeada81a9
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_curl_download_to_suspicious_path.yml b/detections/endpoint/windows_curl_download_to_suspicious_path.yml
index a267aa3e2f..fc5ad0009f 100644
--- a/detections/endpoint/windows_curl_download_to_suspicious_path.yml
+++ b/detections/endpoint/windows_curl_download_to_suspicious_path.yml
@@ -1,6 +1,6 @@
 name: Windows Curl Download to Suspicious Path
 id: c32f091e-30db-11ec-8738-acde48001122
-version: 7
+version: 8
 date: '2025-01-27'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_curl_upload_to_remote_destination.yml b/detections/endpoint/windows_curl_upload_to_remote_destination.yml
index 0ebd3235eb..8b99b345c5 100644
--- a/detections/endpoint/windows_curl_upload_to_remote_destination.yml
+++ b/detections/endpoint/windows_curl_upload_to_remote_destination.yml
@@ -1,6 +1,6 @@
 name: Windows Curl Upload to Remote Destination
 id: 42f8f1a2-4228-11ec-aade-acde48001122
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_default_group_policy_object_modified.yml b/detections/endpoint/windows_default_group_policy_object_modified.yml
index 4955cf8b89..0f8ba948b0 100644
--- a/detections/endpoint/windows_default_group_policy_object_modified.yml
+++ b/detections/endpoint/windows_default_group_policy_object_modified.yml
@@ -1,6 +1,6 @@
 name: Windows Default Group Policy Object Modified
 id: fe6a6cc4-9e0d-4d66-bcf4-2c7f44860876
-version: 5
+version: 6
 date: '2024-11-13'
 author: Mauricio Velazco, Splunk
 status: production
diff --git a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml
index 6c21379d47..732f0e172d 100644
--- a/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml
+++ b/detections/endpoint/windows_default_group_policy_object_modified_with_gpme.yml
@@ -1,6 +1,6 @@
 name: Windows Default Group Policy Object Modified with GPME
 id: eaf688b3-bb8f-454d-b105-920a862cd8cb
-version: 5
+version: 6
 date: '2024-11-13'
 author: Mauricio Velazco, Splunk
 status: production
diff --git a/detections/endpoint/windows_detect_network_scanner_behavior.yml b/detections/endpoint/windows_detect_network_scanner_behavior.yml
index 7a05993d0d..3db7828a2b 100644
--- a/detections/endpoint/windows_detect_network_scanner_behavior.yml
+++ b/detections/endpoint/windows_detect_network_scanner_behavior.yml
@@ -1,63 +1,63 @@
-name: Windows Detect Network Scanner Behavior
-id: 78e678d2-bf64-4fe6-aa52-2f7b11dddee7
-version: 2
-date: '2025-01-09'
-author: Steven Dick
-status: production
-type: Anomaly
-description: The following analytic detects when an application is used to connect a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote execution. This analytic may require significant tuning depending on the organization and applications being actively used, highly recommended to pre-populate the filter macro prior to activation.
-data_source:
-- Sysmon EventID 3
-search: '| tstats `security_content_summariesonly` count latest(All_Traffic.dest_port) as dest_port dc(All_Traffic.dest_port) as port_count dc(All_Traffic.dest) as dest_count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where sourcetype=XmlWinEventLog All_Traffic.app = "*\\*" All_Traffic.dest_port < 32000 NOT All_Traffic.dest_port IN (8443,8080,5353,3268,443,389,88,80,53,25) by host,All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user _time span=5m
-| `drop_dm_object_name(All_Traffic)`
-| rex field=app ".*\\\(?.*)$"
-| where port_count > 10 OR dest_count > 10
-| stats latest(src) as src, latest(src_ip) as src_ip, max(dest_count) as dest_count, max(port_count) as port_count, latest(dest_port) as dest_port, min(firstTime) as firstTime, max(lastTime) as lastTime, max(count) as count by host,user,app,process_name
-| `security_content_ctime(firstTime)`
-| `security_content_ctime(lastTime)`
-| `windows_detect_network_scanner_behavior_filter`'
-how_to_implement: This detection relies on Sysmon EventID 3 events being ingested AND tagged into the Network_Traffic datamodel.
-known_false_positives: Various, could be noisy depending on processes in the organization and sysmon configuration used.
Adjusted port/dest count thresholds as needed.
-references:
-- https://attack.mitre.org/techniques/T1595
-drilldown_searches:
-- name: View the detection results for - "$src$" and "$user$"
- search: '%original_detection_search% | search src = "$src$" user = "$user$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-- name: View risk events for the last 7 days for - "$src$" and "$user$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
-rba:
- message: A process exhibiting network scanning behavior [$process_name$] was detected on $src$
- risk_objects:
- - field: src
- type: system
- score: 25
- - field: user
- type: user
- score: 25
- threat_objects:
- - field: process_name
- type: process_name
-tags:
- analytic_story:
- - Network Discovery
- - Windows Discovery Techniques
- asset_type: Endpoint
- mitre_attack_id:
- - T1595
- - T1595.001
- - T1595.002
- product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
- security_domain: network
-tests:
-- name: True Positive Test
- attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.log
- source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
- sourcetype: XmlWinEventLog
+name: Windows Detect Network Scanner Behavior
+id: 78e678d2-bf64-4fe6-aa52-2f7b11dddee7
+version: 3
+date: '2025-01-09'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic detects when an application is used to connect a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote execution. This analytic may require significant tuning depending on the organization and applications being actively used, highly recommended to pre-populate the filter macro prior to activation.
+data_source:
+- Sysmon EventID 3
+search: '| tstats `security_content_summariesonly` count latest(All_Traffic.dest_port) as dest_port dc(All_Traffic.dest_port) as port_count dc(All_Traffic.dest) as dest_count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where sourcetype=XmlWinEventLog All_Traffic.app = "*\\*" All_Traffic.dest_port < 32000 NOT All_Traffic.dest_port IN (8443,8080,5353,3268,443,389,88,80,53,25) by host,All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user _time span=5m
+| `drop_dm_object_name(All_Traffic)`
+| rex field=app ".*\\\(?.*)$"
+| where port_count > 10 OR dest_count > 10
+| stats latest(src) as src, latest(src_ip) as src_ip, max(dest_count) as dest_count, max(port_count) as port_count, latest(dest_port) as dest_port, min(firstTime) as firstTime, max(lastTime) as lastTime, max(count) as count by host,user,app,process_name
+| `security_content_ctime(firstTime)`
+| `security_content_ctime(lastTime)`
+| `windows_detect_network_scanner_behavior_filter`'
+how_to_implement: This detection relies on Sysmon EventID 3 events being ingested AND tagged into the Network_Traffic datamodel.
+known_false_positives: Various, could be noisy depending on processes in the organization and sysmon configuration used. Adjusted port/dest count thresholds as needed.
+references:
+- https://attack.mitre.org/techniques/T1595
+drilldown_searches:
+- name: View the detection results for - "$src$" and "$user$"
+ search: '%original_detection_search% | search src = "$src$" user = "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$src$" and "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: A process exhibiting network scanning behavior [$process_name$] was detected on $src$
+ risk_objects:
+ - field: src
+ type: system
+ score: 25
+ - field: user
+ type: user
+ score: 25
+ threat_objects:
+ - field: process_name
+ type: process_name
+tags:
+ analytic_story:
+ - Network Discovery
+ - Windows Discovery Techniques
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1595
+ - T1595.001
+ - T1595.002
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: network
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_disable_memory_crash_dump.yml b/detections/endpoint/windows_disable_memory_crash_dump.yml
index c8c1b362d2..c53c115e73 100644
--- a/detections/endpoint/windows_disable_memory_crash_dump.yml
+++ b/detections/endpoint/windows_disable_memory_crash_dump.yml
@@ -1,6 +1,6 @@
 name: Windows Disable Memory Crash Dump
 id: 59e54602-9680-11ec-a8a6-acde48001122
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml
index 8419dcfa0e..5c03275ca5 100644
--- a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml
+++ b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml
@@ -1,6 +1,6 @@
 name: Windows Disable Windows Event Logging Disable HTTP Logging
 id: 23fb6787-255f-4d5b-9a66-9fd7504032b5
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_dism_remove_defender.yml b/detections/endpoint/windows_dism_remove_defender.yml
index 8a4786b5ea..a84e7ed383 100644
--- a/detections/endpoint/windows_dism_remove_defender.yml
+++ b/detections/endpoint/windows_dism_remove_defender.yml
@@ -1,6 +1,6 @@
 name: Windows DISM Remove Defender
 id: 8567da9e-47f0-11ec-99a9-acde48001122
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml
index 5ddb5d8355..d5d279ce64 100644
--- a/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml
+++ b/detections/endpoint/windows_dll_search_order_hijacking_with_iscsicpl.yml
@@ -1,6 +1,6 @@
 name: Windows DLL Search Order Hijacking with iscsicpl
 id: f39ee679-3b1e-4f47-841c-5c3c580acda2
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml
index a356cdce76..6efd4b398f 100644
--- a/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml
+++ b/detections/endpoint/windows_dotnet_binary_in_non_standard_path.yml
@@ -1,6 +1,6 @@
 name: Windows DotNet Binary in Non Standard Path
 id: fddf3b56-7933-11ec-98a6-acde48001122
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml
index 0fecbadc81..373e172977 100644
--- a/detections/endpoint/windows_esx_admins_group_creation_via_net.yml
+++ b/detections/endpoint/windows_esx_admins_group_creation_via_net.yml
@@ -1,6 +1,6 @@
 name: Windows ESX Admins Group Creation via Net
 id: 3d7df60b-3332-4667-8090-afe03e08dce0
-version: 4
+version: 5
 date: '2025-01-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml b/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml
index 71b3808e94..fd301786bb 100644
--- a/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml
+++ b/detections/endpoint/windows_esx_admins_group_creation_via_powershell.yml
@@ -1,6 +1,6 @@
 name: Windows ESX Admins Group Creation via PowerShell
 id: f48a5557-be06-4b96-b8e8-be563e387620
-version: 3
+version: 4
 date: '2024-11-13'
 author: Michael Haag, Splunk
 data_source:
diff --git a/detections/endpoint/windows_excessive_usage_of_net_app.yml b/detections/endpoint/windows_excessive_usage_of_net_app.yml
index 68d8e0a30f..10716cc575 100644
--- a/detections/endpoint/windows_excessive_usage_of_net_app.yml
+++ b/detections/endpoint/windows_excessive_usage_of_net_app.yml
@@ -1,6 +1,6 @@
 name: Windows Excessive Usage Of Net App
 id: 355ba810-0a20-4215-8485-9ce3f87f2e38
-version: 1
+version: 2
 date: '2025-01-13'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml
index 576e79a52b..abbcec0359 100644
--- a/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml
+++ b/detections/endpoint/windows_execute_arbitrary_commands_with_msdt.yml
@@ -1,6 +1,6 @@
 name: Windows Execute Arbitrary Commands with MSDT
 id: e1d5145f-38fe-42b9-a5d5-457796715f97
-version: 8
+version: 9
 date: '2024-12-10'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/windows_findstr_gpp_discovery.yml b/detections/endpoint/windows_findstr_gpp_discovery.yml
index b141be9c81..90504904d8 100644
--- a/detections/endpoint/windows_findstr_gpp_discovery.yml
+++ b/detections/endpoint/windows_findstr_gpp_discovery.yml
@@ -1,6 +1,6 @@
 name: Windows Findstr GPP Discovery
 id: 1631ac2d-f2a9-42fa-8a59-d6e210d472f5
-version: 4
+version: 5
 date: '2024-11-13'
 author: Mauricio Velazco, Splunk
 type: TTP
diff --git a/detections/endpoint/windows_http_network_communication_from_msiexec.yml b/detections/endpoint/windows_http_network_communication_from_msiexec.yml
index 46426413d7..d312721aa7 100644
--- a/detections/endpoint/windows_http_network_communication_from_msiexec.yml
+++ b/detections/endpoint/windows_http_network_communication_from_msiexec.yml
@@ -1,6 +1,6 @@
 name: Windows HTTP Network Communication From MSIExec
 id: b0fd38c7-f71a-43a2-870e-f3ca06bcdd99
-version: 1
+version: 2
 date: '2025-01-17'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_iis_components_add_new_module.yml b/detections/endpoint/windows_iis_components_add_new_module.yml
index bd66a0d8fb..eb129002c3 100644
--- a/detections/endpoint/windows_iis_components_add_new_module.yml
+++ b/detections/endpoint/windows_iis_components_add_new_module.yml
@@ -1,6 +1,6 @@
 name: Windows IIS Components Add New Module
 id: 38fe731c-1f13-43d4-b878-a5bbe44807e3
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml b/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml
index 9d3ed5adac..0499d7e3de 100644
--- a/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml
+++ b/detections/endpoint/windows_impair_defenses_disable_av_autostart_via_registry.yml
@@ -1,6 +1,6 @@
 name: Windows Impair Defenses Disable AV AutoStart via Registry
 id: 31a13f43-812e-4752-a6ca-c6c87bf03e83
-version: 4
+version: 5
 date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 data_source:
diff --git a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml
index 8bfb3df253..75fd3bf93a 100644
--- a/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml
+++ b/detections/endpoint/windows_ingress_tool_transfer_using_explorer.yml
@@ -1,6 +1,6 @@
 name: Windows Ingress Tool Transfer Using Explorer
 id: 76753bab-f116-4ea3-8fb9-89b638be58a9
-version: 6
+version: 7
 date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/windows_installutil_in_non_standard_path.yml b/detections/endpoint/windows_installutil_in_non_standard_path.yml
index 3f0452bd4f..34a84e25f7 100644
--- a/detections/endpoint/windows_installutil_in_non_standard_path.yml
+++ b/detections/endpoint/windows_installutil_in_non_standard_path.yml
@@ -1,6 +1,6 @@
 name: Windows InstallUtil in Non Standard Path
 id: dcf74b22-7933-11ec-857c-acde48001122
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_installutil_remote_network_connection.yml b/detections/endpoint/windows_installutil_remote_network_connection.yml
index 7058757a08..63710acabf 100644
--- a/detections/endpoint/windows_installutil_remote_network_connection.yml
+++ b/detections/endpoint/windows_installutil_remote_network_connection.yml
@@ -1,6 +1,6 @@
 name: Windows InstallUtil Remote Network Connection
 id: 4fbf9270-43da-11ec-9486-acde48001122
-version: 8
+version: 9
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_installutil_uninstall_option.yml b/detections/endpoint/windows_installutil_uninstall_option.yml
index 97ee5f6a58..7a969b6004 100644
--- a/detections/endpoint/windows_installutil_uninstall_option.yml
+++ b/detections/endpoint/windows_installutil_uninstall_option.yml
@@ -1,6 +1,6 @@
 name: Windows InstallUtil Uninstall Option
 id: cfa7b9ac-43f0-11ec-9b48-acde48001122
-version: 7
+version: 8
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml
index fb760e80bd..20601ae9a5 100644
--- a/detections/endpoint/windows_installutil_uninstall_option_with_network.yml
+++ b/detections/endpoint/windows_installutil_uninstall_option_with_network.yml
@@ -1,6 +1,6 @@
 name: Windows InstallUtil Uninstall Option with Network
 id: 1a52c836-43ef-11ec-a36c-acde48001122
-version: 7
+version: 8
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_installutil_url_in_command_line.yml b/detections/endpoint/windows_installutil_url_in_command_line.yml
index bfae587299..980615a788 100644
--- a/detections/endpoint/windows_installutil_url_in_command_line.yml
+++ b/detections/endpoint/windows_installutil_url_in_command_line.yml
@@ -1,6 +1,6 @@
 name: Windows InstallUtil URL in Command Line
 id: 28e06670-43df-11ec-a569-acde48001122
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_java_spawning_shells.yml b/detections/endpoint/windows_java_spawning_shells.yml
index 8ed67cb7ab..19a3260fbf 100644
--- a/detections/endpoint/windows_java_spawning_shells.yml
+++ b/detections/endpoint/windows_java_spawning_shells.yml
@@ -1,6 +1,6 @@
 name: Windows Java Spawning Shells
 id: 28c81306-5c47-11ec-bfea-acde48001122
-version: 7
+version: 8
 date: '2024-12-16'
 author: Michael Haag, Splunk
 status: experimental
diff --git a/detections/endpoint/windows_ldifde_directory_object_behavior.yml b/detections/endpoint/windows_ldifde_directory_object_behavior.yml
index f03a5ff5a1..30ab7ce4b3 100644
--- a/detections/endpoint/windows_ldifde_directory_object_behavior.yml
+++ b/detections/endpoint/windows_ldifde_directory_object_behavior.yml
@@ -1,6 +1,6 @@
 name: Windows Ldifde Directory Object Behavior
 id: 35cd29ca-f08c-4489-8815-f715c45460d3
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_mimikatz_binary_execution.yml b/detections/endpoint/windows_mimikatz_binary_execution.yml
index b33a7416d4..8578d406d4 100644
--- a/detections/endpoint/windows_mimikatz_binary_execution.yml
+++ b/detections/endpoint/windows_mimikatz_binary_execution.yml
@@ -1,6 +1,6 @@
 name: Windows Mimikatz Binary Execution
 id: a9e0d6d3-9676-4e26-994d-4e0406bb4467
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml
index 6d180da12f..f83503b284 100644
--- a/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml
+++ b/detections/endpoint/windows_modify_registry_valleyrat_c2_config.yml
@@ -1,6 +1,6 @@
 name: Windows Modify Registry ValleyRAT C2 Config
 id: ac59298a-8d81-4c02-8c9b-ffdac993891f
-version: 4
+version: 5
 date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 data_source:
diff --git a/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml
index cc16e59756..1f0d757c88 100644
--- a/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml
+++ b/detections/endpoint/windows_modify_registry_valleyrat_pwn_reg_entry.yml
@@ -1,6 +1,6 @@
 name: Windows Modify Registry ValleyRat PWN Reg Entry
 id: 6947c44e-be1f-4dd9-b198-bc42be5be196
-version: 5
+version: 6
 date: '2024-12-16'
 author: Teoderick Contreras, Splunk
 data_source:
diff --git a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml
index 273ecf6bf3..5906eedfab 100644
--- a/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml
+++ b/detections/endpoint/windows_mof_event_triggered_execution_via_wmi.yml
@@ -1,6 +1,6 @@
 name: Windows MOF Event Triggered Execution via WMI
 id: e59b5a73-32bf-4467-a585-452c36ae10c1
-version: 7
+version: 8
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_msiexec_dllregisterserver.yml b/detections/endpoint/windows_msiexec_dllregisterserver.yml
index fab94a6582..862e6c9f89 100644
--- a/detections/endpoint/windows_msiexec_dllregisterserver.yml
+++ b/detections/endpoint/windows_msiexec_dllregisterserver.yml
@@ -1,6 +1,6 @@
 name: Windows MSIExec DLLRegisterServer
 id: fdb59aef-d88f-4909-8369-ec2afbd2c398
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_msiexec_remote_download.yml b/detections/endpoint/windows_msiexec_remote_download.yml
index 1d89715d94..ea822dfe4d 100644
--- a/detections/endpoint/windows_msiexec_remote_download.yml
+++ b/detections/endpoint/windows_msiexec_remote_download.yml
@@ -1,6 +1,6 @@
 name: Windows MSIExec Remote Download
 id: 6aa49ff2-3c92-4586-83e0-d83eb693dfda
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml
index dde48d4cb7..a604c6a7d5 100644
--- a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml
+++ b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml
@@ -1,6 +1,6 @@
 name: Windows MSIExec Spawn Discovery Command
 id: e9d05aa2-32f0-411b-930c-5b8ca5c4fcee
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_msiexec_spawn_windbg.yml b/detections/endpoint/windows_msiexec_spawn_windbg.yml
index 4e4121a5d0..c80059d8d6 100644
--- a/detections/endpoint/windows_msiexec_spawn_windbg.yml
+++ b/detections/endpoint/windows_msiexec_spawn_windbg.yml
@@ -1,6 +1,6 @@
 name: Windows MSIExec Spawn WinDBG
 id: 9a18f7c2-1fe3-47b8-9467-8b3976770a30
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml b/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml
index b7255c3665..697c254586 100644
--- a/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml
+++ b/detections/endpoint/windows_msiexec_unregister_dllregisterserver.yml
@@ -1,6 +1,6 @@
 name: Windows MSIExec Unregister DLLRegisterServer
 id: a27db3c5-1a9a-46df-a577-765d3f1a3c24
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml
index 9d6caf3abd..aae826157a 100644
--- a/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml
+++ b/detections/endpoint/windows_ngrok_reverse_proxy_usage.yml
@@ -1,6 +1,6 @@
 name: Windows Ngrok Reverse Proxy Usage
 id: e2549f2c-0aef-408a-b0c1-e0f270623436
-version: 6
+version: 7
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_nirsoft_advancedrun.yml b/detections/endpoint/windows_nirsoft_advancedrun.yml
index 62b05e5300..4a5461615e 100644
--- a/detections/endpoint/windows_nirsoft_advancedrun.yml
+++ b/detections/endpoint/windows_nirsoft_advancedrun.yml
@@ -1,6 +1,6 @@
 name: Windows NirSoft AdvancedRun
 id: bb4f3090-7ae4-11ec-897f-acde48001122
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_odbcconf_load_dll.yml b/detections/endpoint/windows_odbcconf_load_dll.yml
index 815aa3b02f..f7a52f0e6a 100644
--- a/detections/endpoint/windows_odbcconf_load_dll.yml
+++ b/detections/endpoint/windows_odbcconf_load_dll.yml
@@ -1,6 +1,6 @@
 name: Windows Odbcconf Load DLL
 id: 141e7fca-a9f0-40fd-a539-9aac8be41f1b
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_odbcconf_load_response_file.yml b/detections/endpoint/windows_odbcconf_load_response_file.yml
index 0fa23e5e03..7d234fd114 100644
--- a/detections/endpoint/windows_odbcconf_load_response_file.yml
+++ b/detections/endpoint/windows_odbcconf_load_response_file.yml
@@ -1,6 +1,6 @@
 name: Windows Odbcconf Load Response File
 id: 1acafff9-1347-4b40-abae-f35aa4ba85c1
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_office_product_spawned_control.yml b/detections/endpoint/windows_office_product_spawned_control.yml
index 5590c761b9..314783f994 100644
--- a/detections/endpoint/windows_office_product_spawned_control.yml
+++ b/detections/endpoint/windows_office_product_spawned_control.yml
@@ -1,6 +1,6 @@
 name: Windows Office Product Spawned Control
 id: 081c485d-ac8d-4bee-ad4c-525772fead4d
-version: 1
+version: 2
 date: '2025-01-14'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_office_product_spawned_msdt.yml b/detections/endpoint/windows_office_product_spawned_msdt.yml
index 3a79e47208..446f762e55 100644
--- a/detections/endpoint/windows_office_product_spawned_msdt.yml
+++ b/detections/endpoint/windows_office_product_spawned_msdt.yml
@@ -1,6 +1,6 @@
 name: Windows Office Product Spawned MSDT
 id: a3148fad-3734-4b7f-9a71-62f08d39fab1
-version: 1
+version: 2
 date: '2025-01-14'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/windows_papercut_ng_spawn_shell.yml b/detections/endpoint/windows_papercut_ng_spawn_shell.yml
index 31198dc5a3..d647e50311 100644
--- a/detections/endpoint/windows_papercut_ng_spawn_shell.yml
+++ b/detections/endpoint/windows_papercut_ng_spawn_shell.yml
@@ -1,6 +1,6 @@
 name: Windows PaperCut NG Spawn Shell
 id: a602d9a2-aaea-45f8-bf0f-d851168d61ca
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_powersploit_gpp_discovery.yml b/detections/endpoint/windows_powersploit_gpp_discovery.yml
index c0bc3bffb3..ab9be17dd3 100644
--- a/detections/endpoint/windows_powersploit_gpp_discovery.yml
+++ b/detections/endpoint/windows_powersploit_gpp_discovery.yml
@@ -1,6 +1,6 @@
 name: Windows PowerSploit GPP Discovery
 id: 0130a0df-83a1-4647-9011-841e950ff302
-version: 5
+version: 6
 date: '2024-11-13'
 author: Mauricio Velazco, Splunk
 status: production
diff --git a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
index 6b4490c90e..c94417e9e5 100644
--- a/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
+++ b/detections/endpoint/windows_privilege_escalation_suspicious_process_elevation.yml
@@ -1,6 +1,6 @@
 name: Windows Privilege Escalation Suspicious Process Elevation
 id: 6a80300a-9f8a-4f22-bd3e-09ca577cfdfc
-version: 4
+version: 5
 date: '2024-11-13'
 author: Steven Dick
 status: production
diff --git a/detections/endpoint/windows_protocol_tunneling_with_plink.yml b/detections/endpoint/windows_protocol_tunneling_with_plink.yml
index 3a6481da48..b55caf7791 100644
--- a/detections/endpoint/windows_protocol_tunneling_with_plink.yml
+++ b/detections/endpoint/windows_protocol_tunneling_with_plink.yml
@@ -1,6 +1,6 @@
 name: Windows Protocol Tunneling with Plink
 id: 8aac5e1e-0fab-4437-af0b-c6e60af23eed
-version: 6
+version: 7
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml
index 4c61efa0c7..9e419ace18 100644
--- a/detections/endpoint/windows_raccine_scheduled_task_deletion.yml
+++ b/detections/endpoint/windows_raccine_scheduled_task_deletion.yml
@@ -1,6 +1,6 @@
 name: Windows Raccine Scheduled Task Deletion
 id: c9f010da-57ab-11ec-82bd-acde48001122
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_rasautou_dll_execution.yml b/detections/endpoint/windows_rasautou_dll_execution.yml
index f04f743ef0..47773b52e9 100644
--- a/detections/endpoint/windows_rasautou_dll_execution.yml
+++ b/detections/endpoint/windows_rasautou_dll_execution.yml
@@ -1,6 +1,6 @@
 name: Windows Rasautou DLL Execution
 id: 6f42b8be-8e96-11ec-ad5a-acde48001122
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml b/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml
index d938db4eac..256ee2f8e3 100644
--- a/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml
+++ b/detections/endpoint/windows_registry_dotnet_etw_disabled_via_env_variable.yml
@@ -1,6 +1,6 @@
 name: Windows Registry Dotnet ETW Disabled Via ENV Variable
 id: 55502381-5cce-491b-9277-7cb1d10bc0df
-version: 2
+version: 3
 date: '2025-01-07'
 author: Nasreddine Bencherchali, Splunk
 status: production
diff --git a/detections/endpoint/windows_remote_assistance_spawning_process.yml b/detections/endpoint/windows_remote_assistance_spawning_process.yml
index 90cb689064..e6810e6c34 100644
--- a/detections/endpoint/windows_remote_assistance_spawning_process.yml
+++ b/detections/endpoint/windows_remote_assistance_spawning_process.yml
@@ -1,6 +1,6 @@
 name: Windows Remote Assistance Spawning Process
 id: ced50492-8849-11ec-9f68-acde48001122
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_remote_create_service.yml b/detections/endpoint/windows_remote_create_service.yml
index 93c28d5380..c963d8e1d7 100644
--- a/detections/endpoint/windows_remote_create_service.yml
+++ b/detections/endpoint/windows_remote_create_service.yml
@@ -1,6 +1,6 @@
 name: Windows Remote Create Service
 id: 0dc44d03-8c00-482d-ba7c-796ba7ab18c9
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_rundll32_webdav_request.yml b/detections/endpoint/windows_rundll32_webdav_request.yml
index ce111cff26..68ccb04ab4 100644
--- a/detections/endpoint/windows_rundll32_webdav_request.yml
+++ b/detections/endpoint/windows_rundll32_webdav_request.yml
@@ -1,6 +1,6 @@
 name: Windows Rundll32 WebDAV Request
 id: 320099b7-7eb1-4153-a2b4-decb53267de2
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 type: TTP
diff --git a/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml b/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml
index de78c6f02b..8ef7992823 100644
--- a/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml
+++ b/detections/endpoint/windows_rundll32_webdav_with_network_connection.yml
@@ -1,6 +1,6 @@
 name: Windows Rundll32 WebDav With Network Connection
 id: f03355e0-28b5-4e9b-815a-6adffc63b38c
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 type: TTP
diff --git a/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml
index d8050741e3..fe239f0596 100644
--- a/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml
+++ b/detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml
@@ -1,6 +1,6 @@
 name: Windows Sensitive Registry Hive Dump Via CommandLine
 id: 5aaff29d-0cce-405b-9ee8-5d06b49d045e
-version: 1
+version: 2
 date: '2025-01-15'
 author: Michael Haag, Patrick Bareiss, Nasreddine Bencherchali, Splunk
 status: production
diff --git a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml
index 64c9bcdd4f..ec7cef2ae6 100644
--- a/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml
+++ b/detections/endpoint/windows_server_software_component_gacutil_install_to_gac.yml
@@ -1,6 +1,6 @@
 name: Windows Server Software Component GACUtil Install to GAC
 id: 7c025ef0-9e65-4c57-be39-1c13dbb1613e
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_service_create_with_tscon.yml b/detections/endpoint/windows_service_create_with_tscon.yml
index 150f198cc2..94c6c19992 100644
--- a/detections/endpoint/windows_service_create_with_tscon.yml
+++ b/detections/endpoint/windows_service_create_with_tscon.yml
@@ -1,6 +1,6 @@
 name: Windows Service Create with Tscon
 id: c13b3d74-6b63-4db5-a841-4206f0370077
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 type: TTP
diff --git a/detections/endpoint/windows_service_execution_remcom.yml b/detections/endpoint/windows_service_execution_remcom.yml
index 01840501c6..43198428c0 100644
--- a/detections/endpoint/windows_service_execution_remcom.yml
+++ b/detections/endpoint/windows_service_execution_remcom.yml
@@ -1,6 +1,6 @@
 name: Windows Service Execution RemCom
 id: 7e3d68db-ea4d-419b-adbd-e14a525ecf09
-version: 2
+version: 3
 date: '2025-01-07'
 author: Michael Haag, Splunk
 type: TTP
diff --git a/detections/endpoint/windows_sql_spawning_certutil.yml b/detections/endpoint/windows_sql_spawning_certutil.yml
index f2e58cc866..d612a17e7e 100644
--- a/detections/endpoint/windows_sql_spawning_certutil.yml
+++ b/detections/endpoint/windows_sql_spawning_certutil.yml
@@ -1,6 +1,6 @@
 name: Windows SQL Spawning CertUtil
 id: dfc18a5a-946e-44ee-a373-c0f60d06e676
-version: 6
+version: 7
 date: '2024-12-16'
 author: Michael Haag, Splunk
 status: experimental
diff --git a/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml b/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml
index f62cbf81c9..10ca564046 100644
--- a/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates___esc1_abuse.yml
@@ -1,6 +1,6 @@
 name: Windows Steal Authentication Certificates - ESC1 Abuse
 id: cbe761fc-d945-4c8c-a71d-e26d12255d32
-version: 5
+version: 6
 date: '2024-11-13'
 author: Steven Dick
 status: production
diff --git a/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml b/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml
index 725f04e04e..5fcaaba267 100644
--- a/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates___esc1_authentication.yml
@@ -1,6 +1,6 @@
 name: Windows Steal Authentication Certificates - ESC1 Authentication
 id: f0306acf-a6ab-437a-bbc6-8628f8d5c97e
-version: 5
+version: 6
 date: '2024-12-10'
 author: Steven Dick
 status: production
diff --git a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml
index bf954e1d52..9e7ceb2759 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_certutil_backup.yml
@@ -1,6 +1,6 @@
 name: Windows Steal Authentication Certificates CertUtil Backup
 id: bac85b56-0b65-4ce5-aad5-d94880df0967
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml
index d1a5eb3d7b..af44db774c 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_export_certificate.yml
@@ -1,6 +1,6 @@
 name: Windows Steal Authentication Certificates Export Certificate
 id: e39dc429-c2a5-4f1f-9c3c-6b211af6b332
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml
index 459417802e..2e01886698 100644
--- a/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml
+++ b/detections/endpoint/windows_steal_authentication_certificates_export_pfxcertificate.yml
@@ -1,6 +1,6 @@
 name: Windows Steal Authentication Certificates Export PfxCertificate
 id: 391329f3-c14b-4b8d-8b37-ac5012637360
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml
index 3b28765cce..a9ace2226c 100644
--- a/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml
+++ b/detections/endpoint/windows_suspect_process_with_authentication_traffic.yml
@@ -1,6 +1,6 @@
 name: Windows Suspect Process With Authentication Traffic
 id: 953322db-128a-4ce9-8e89-56e039e33d98
-version: 4
+version: 5
 date: '2024-11-13'
 author: Steven Dick
 status: production
diff --git a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
index 115d30093e..318fc412e7 100644
--- a/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
+++ b/detections/endpoint/windows_system_binary_proxy_execution_compiled_html_file_decompile.yml
@@ -1,6 +1,6 @@
 name: Windows System Binary Proxy Execution Compiled HTML File Decompile
 id: 2acf0e19-4149-451c-a3f3-39cd3c77e37d
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml b/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml
index 40f299551f..151b86c366 100644
--- a/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml
+++ b/detections/endpoint/windows_system_script_proxy_execution_syncappvpublishingserver.yml
@@ -1,6 +1,6 @@
 name: Windows System Script Proxy Execution Syncappvpublishingserver
 id: 8dd73f89-682d-444c-8b41-8e679966ad3c
-version: 5
+version: 6
 date: '2024-11-13'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml b/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml
index ffd2829b98..7921f897c6 100644
--- a/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml
+++ b/detections/endpoint/windows_uac_bypass_suspicious_child_process.yml
@@ -1,6 +1,6 @@
 name: Windows UAC Bypass Suspicious Child Process
 id: 453a6b0f-b0ea-48fa-9cf4-20537ffdd22c
-version: 4
+version: 5
 date: '2024-11-13'
 author: Steven Dick
 status: production
diff --git a/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml b/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml
index 29e8eca705..977a72aeee 100644
--- a/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml
+++ b/detections/endpoint/windows_uac_bypass_suspicious_escalation_behavior.yml
@@ -1,6 +1,6 @@
 name: Windows UAC Bypass Suspicious Escalation Behavior
 id: 00d050d3-a5b4-4565-a6a5-a31f69681dc3
-version: 5
+version: 6
 date: '2024-12-10'
 author: Steven Dick
 status: production
diff --git a/detections/endpoint/windows_user_deletion_via_net.yml b/detections/endpoint/windows_user_deletion_via_net.yml
index 33ae19c5ea..32bb43dd91 100644
--- a/detections/endpoint/windows_user_deletion_via_net.yml
+++ b/detections/endpoint/windows_user_deletion_via_net.yml
@@ -1,6 +1,6 @@
 name: Windows User Deletion Via Net
 id: b0b6fd2c-8953-4d1b-8f7b-56075ea6ab3e
-version: 1
+version: 2
 date: '2025-01-13'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/windows_user_disabled_via_net.yml b/detections/endpoint/windows_user_disabled_via_net.yml
index dd390a4128..547248419e 100644
--- a/detections/endpoint/windows_user_disabled_via_net.yml
+++ b/detections/endpoint/windows_user_disabled_via_net.yml
@@ -1,6 +1,6 @@
 name: Windows User Disabled Via Net
 id: b0359e05-c87b-4354-83d8-aee0d890243f
-version: 1
+version: 2
 date: '2025-01-13'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/endpoint/windows_windbg_spawning_autoit3.yml b/detections/endpoint/windows_windbg_spawning_autoit3.yml
index ddf09e5373..323c29de1d 100644
--- a/detections/endpoint/windows_windbg_spawning_autoit3.yml
+++ b/detections/endpoint/windows_windbg_spawning_autoit3.yml
@@ -1,6 +1,6 @@
 name: Windows WinDBG Spawning AutoIt3
 id: 7aec015b-cd69-46c3-85ed-dac152056aa4
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/winhlp32_spawning_a_process.yml b/detections/endpoint/winhlp32_spawning_a_process.yml
index 97671e24f0..71018871f9 100644
--- a/detections/endpoint/winhlp32_spawning_a_process.yml
+++ b/detections/endpoint/winhlp32_spawning_a_process.yml
@@ -1,6 +1,6 @@
 name: Winhlp32 Spawning a Process
 id: d17dae9e-2618-11ec-b9f5-acde48001122
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/winrar_spawning_shell_application.yml b/detections/endpoint/winrar_spawning_shell_application.yml
index 9ef1be04ff..104bc4f1d3 100644
--- a/detections/endpoint/winrar_spawning_shell_application.yml
+++ b/detections/endpoint/winrar_spawning_shell_application.yml
@@ -1,6 +1,6 @@
 name: WinRAR Spawning Shell Application
 id: d2f36034-37fa-4bd4-8801-26807c15540f
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/wmic_xsl_execution_via_url.yml b/detections/endpoint/wmic_xsl_execution_via_url.yml
index b8efe7f1fc..a9fa113597 100644
--- a/detections/endpoint/wmic_xsl_execution_via_url.yml
+++ b/detections/endpoint/wmic_xsl_execution_via_url.yml
@@ -1,6 +1,6 @@
 name: WMIC XSL Execution via URL
 id: 787e9dd0-4328-11ec-a029-acde48001122
-version: 6
+version: 7
 date: '2024-12-10'
 author: Michael Haag, Splunk
 status: production
diff --git a/detections/endpoint/xsl_script_execution_with_wmic.yml b/detections/endpoint/xsl_script_execution_with_wmic.yml
index 02f24699a2..28584c4d66 100644
--- a/detections/endpoint/xsl_script_execution_with_wmic.yml
+++ b/detections/endpoint/xsl_script_execution_with_wmic.yml
@@ -1,6 +1,6 @@
 name: XSL Script Execution With WMIC
 id: 004e32e2-146d-11ec-a83f-acde48001122
-version: 5
+version: 6
 date: '2024-11-13'
 author: Teoderick Contreras, Splunk
 status: production
diff --git a/detections/network/detect_large_outbound_icmp_packets.yml b/detections/network/detect_large_outbound_icmp_packets.yml
index e4bdf54ffc..9fa1a7f4b5 100644
--- a/detections/network/detect_large_outbound_icmp_packets.yml
+++ b/detections/network/detect_large_outbound_icmp_packets.yml
@@ -1,6 +1,6 @@
 name: Detect Large Outbound ICMP Packets
 id: e9c102de-4d43-42a7-b1c8-8062ea297419
-version: 8
+version: 9
 date: '2025-01-27'
 author: Rico Valdez, Dean Luxton, Splunk
 status: production
diff --git a/detections/web/detect_remote_access_software_usage_url.yml b/detections/web/detect_remote_access_software_usage_url.yml
index d60f2af086..4e51d42198 100644
--- a/detections/web/detect_remote_access_software_usage_url.yml
+++ b/detections/web/detect_remote_access_software_usage_url.yml
@@ -1,6 +1,6 @@
 name: Detect Remote Access Software Usage URL
 id: 9296f515-073c-43a5-88ec-eda5a4626654
-version: 5
+version: 6
 date: '2024-11-15'
 author: Steven Dick
 status: production
diff --git a/detections/web/zscaler_adware_activities_threat_blocked.yml b/detections/web/zscaler_adware_activities_threat_blocked.yml
index f662cc0a16..c47abd8740 100644
--- a/detections/web/zscaler_adware_activities_threat_blocked.yml
+++ b/detections/web/zscaler_adware_activities_threat_blocked.yml
@@ -1,6 +1,6 @@
 name: Zscaler Adware Activities Threat Blocked
 id: 3407b250-345a-4d71-80db-c91e555a3ece
-version: 4
+version: 5
 date: '2024-11-15'
 author: Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/web/zscaler_behavior_analysis_threat_blocked.yml b/detections/web/zscaler_behavior_analysis_threat_blocked.yml
index 8875d8762b..8a55d3f407 100644
--- a/detections/web/zscaler_behavior_analysis_threat_blocked.yml
+++ b/detections/web/zscaler_behavior_analysis_threat_blocked.yml
@@ -1,6 +1,6 @@
 name: Zscaler Behavior Analysis Threat Blocked
 id: 289ad59f-8939-4331-b805-f2bd51d36fb8
-version: 4
+version: 5
 date: '2024-11-15'
 author: Rod Soto, Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/web/zscaler_exploit_threat_blocked.yml b/detections/web/zscaler_exploit_threat_blocked.yml
index 0da0906592..e88d087743 100644
--- a/detections/web/zscaler_exploit_threat_blocked.yml
+++ b/detections/web/zscaler_exploit_threat_blocked.yml
@@ -1,6 +1,6 @@
 name: Zscaler Exploit Threat Blocked
 id: 94665d8c-b841-4ff4-acb4-34d613e2cbfe
-version: 4
+version: 5
 date: '2024-11-15'
 author: Rod Soto, Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/web/zscaler_malware_activity_threat_blocked.yml b/detections/web/zscaler_malware_activity_threat_blocked.yml
index 3494bd9e23..34061dc5be 100644
--- a/detections/web/zscaler_malware_activity_threat_blocked.yml
+++ b/detections/web/zscaler_malware_activity_threat_blocked.yml
@@ -1,6 +1,6 @@
 name: Zscaler Malware Activity Threat Blocked
 id: ae874ad8-e353-40a7-87d4-420cdfb27d1a
-version: 4
+version: 5
 date: '2024-11-15'
 author: Rod Soto, Gowthamaraj Rajendran, Splunk
 status: production
diff --git a/detections/web/zscaler_potentially_abused_file_download.yml b/detections/web/zscaler_potentially_abused_file_download.yml
index 040b02ae71..f18bdfe4f0 100644
--- a/detections/web/zscaler_potentially_abused_file_download.yml
+++ b/detections/web/zscaler_potentially_abused_file_download.yml
@@ -1,6 +1,6 @@
 name: Zscaler Potentially Abused File Download
 id: b0c21379-f4ba-4bac-a958-897e260f964a
-version: 4
+version: 5
 date: '2024-11-15'
 author: Gowthamaraj Rajendran, Rod Soto, Splunk
 status: production
diff --git a/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml b/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml
index cad5f20065..abf94751e3 100644
--- a/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml
+++ b/detections/web/zscaler_privacy_risk_destinations_threat_blocked.yml
@@ -1,6 +1,6 @@
 name: Zscaler Privacy Risk Destinations Threat Blocked
 id: 5456bdef-d765-4565-8e1f-61ca027bc50d
-version: 4
+version: 5
 date: '2024-11-15'
 author: Gowthamaraj Rajendran, Rod Soto, Splunk
 status: production
diff --git a/detections/web/zscaler_scam_destinations_threat_blocked.yml b/detections/web/zscaler_scam_destinations_threat_blocked.yml
index d91cf5e7e9..5c7281924b 100644
--- a/detections/web/zscaler_scam_destinations_threat_blocked.yml
+++ b/detections/web/zscaler_scam_destinations_threat_blocked.yml
@@ -1,6 +1,6 @@
 name: Zscaler Scam Destinations Threat Blocked
 id: a0c21379-f4ba-4bac-a958-897e260f964a
-version: 4
+version: 5
 date: '2024-11-15'
 author: Gowthamaraj Rajendran, Rod Soto, Splunk
 status: production
diff --git a/detections/web/zscaler_virus_download_threat_blocked.yml b/detections/web/zscaler_virus_download_threat_blocked.yml
index 656efd2fac..f0c094a07c 100644
--- a/detections/web/zscaler_virus_download_threat_blocked.yml
+++ b/detections/web/zscaler_virus_download_threat_blocked.yml
@@ -1,6 +1,6 @@
 name: Zscaler Virus Download threat blocked
 id: aa19e627-d448-4a31-85cd-82068dec5691
-version: 4
+version: 5
 date: '2024-11-15'
 author: Gowthamaraj Rajendran, Rod Soto, Splunk
 status: production
From ba8f23593a20179931b92b738de079207daa75ae Mon Sep 17 00:00:00 2001
From: research-bot
Date: Wed, 5 Feb 2025 10:56:37 -0800
Subject: [PATCH 3/3] udpating ctl
---
.github/workflows/appinspect.yml | 2 +-
.github/workflows/build.yml | 3 ++-
.github/workflows/unit-testing.yml | 2 +-
3 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/appinspect.yml b/.github/workflows/appinspect.yml
index 5d821f8ab1..6eaf1a1025 100644
--- a/.github/workflows/appinspect.yml
+++ b/.github/workflows/appinspect.yml
@@ -18,7 +18,7 @@ jobs:
 - name: Install Python Dependencies and ContentCTL and Atomic Red Team
 run: |
- pip install contentctl==5.0.0
+ pip install contentctl==${{ vars.CONTENTCTL_VERSION }}
 git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
 git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 46d76ececa..9cbfcabf7c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -19,7 +19,8 @@ jobs:
 - name: Install Python Dependencies and ContentCTL and Atomic Red Team
 run: |
- pip install contentctl==5.0.0
+ echo "CONTENTCTL_VERSION is ${{ vars.CONTENTCTL_VERSION }}"
+ pip install contentctl==${{ vars.CONTENTCTL_VERSION }}
 git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
 git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti
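Review bot: The added `pip install contentctl==${{ vars.CONTENTCTL_VERSION }}` in appinspect.yml has the repository variable expanded into the script text before the shell runs, so an unset or empty variable leaves pip with the requirement `contentctl==` and the step dies on a pip error that never names the missing variable; it also moves the effective version pin from a committed literal to mutable repository settings, so a run is no longer reproducible from the commit alone and whoever can edit repository variables decides what the job installs. GitHub's hardening guidance for expressions inside `run:` is to route the value through `env:` and read it as a shell variable; setting a repository variable already requires elevated repository access, so the injection exposure is smaller than for event-derived inputs, but keeping the value out of the script body costs nothing. I would map the variable under `env:`, fail fast with a clear message, and quote the requirement so the version string cannot be word-split. The two `git clone --branch=master` context lines in the same hunk are unpinned as well, which is pre-existing but carries the same reproducibility concern.
```yaml
      - name: Install Python Dependencies and ContentCTL and Atomic Red Team
        env:
          CONTENTCTL_VERSION: ${{ vars.CONTENTCTL_VERSION }}
        run: |
          : "${CONTENTCTL_VERSION:?repository variable CONTENTCTL_VERSION is not set}"
          pip install "contentctl==${CONTENTCTL_VERSION}"
          # … unchanged: git clone of atomic-red-team and mitre/cti …
```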
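Review bot: The added `echo "CONTENTCTL_VERSION is ${{ vars.CONTENTCTL_VERSION }}"` in build.yml only logs the value, so when the variable is unset the step prints `CONTENTCTL_VERSION is ` and carries on to `pip install contentctl==`, which then fails on a pip error that does not say why. Since a diagnostic is being added anyway, I would make it a check: map the value under the step's `env:` with `CONTENTCTL_VERSION: ${{ vars.CONTENTCTL_VERSION }}`, replace the echo with `: "${CONTENTCTL_VERSION:?repository variable CONTENTCTL_VERSION is not set}"`, and install with `pip install "contentctl==${CONTENTCTL_VERSION}"`. Routing the value through `env:` instead of templating it into the script body is also the pattern GitHub recommends for expressions in `run:`, and it works the same in appinspect.yml and unit-testing.yml, which this commit changes in the same way. The `steps:` list this step belongs to starts outside the hunk.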
diff --git a/.github/workflows/unit-testing.yml b/.github/workflows/unit-testing.yml
index fb10af44eb..7efa46679f 100644
--- a/.github/workflows/unit-testing.yml
+++ b/.github/workflows/unit-testing.yml
@@ -23,7 +23,7 @@ jobs:
 - name: Install Python Dependencies and ContentCTL
 run: |
 python -m pip install --upgrade pip
- pip install contentctl==5.0.0
+ pip install contentctl==${{ vars.CONTENTCTL_VERSION }}
 # Running contentctl test with a few arguments, before running the command make sure you checkout into the current branch of the pull request. This step only performs unit testing on all the changes against the target-branch. In most cases this target branch will be develop
 # Make sure we check out the PR, even if it actually lives in a fork