Merge branch 'develop' into nterl0k-t1213.002-sus-sharepoint-search

Author: patel-bhavin

.github/workflows/appinspect.yml

@@ -18,7 +18,13 @@ jobs:
 
       - name: Install Python Dependencies and ContentCTL and Atomic Red Team
         run: |
-          pip install contentctl==5.0.0
+          if [ -n "${{ vars.CONTENTCTL_VERSION }}" ]; then
+            echo "Installing contentctl version ${{ vars.CONTENTCTL_VERSION }}"
+            pip install contentctl==${{ vars.CONTENTCTL_VERSION }}
+          else
+            echo "Installing latest contentctl version"
+            pip install contentctl
+          fi
           git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
           git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti
       

.github/workflows/build.yml

@@ -19,7 +19,13 @@ jobs:
 
       - name: Install Python Dependencies and ContentCTL and Atomic Red Team
         run: |
-          pip install contentctl==5.0.0
+          if [ -n "${{ vars.CONTENTCTL_VERSION }}" ]; then
+            echo "Installing contentctl version ${{ vars.CONTENTCTL_VERSION }}"
+            pip install contentctl==${{ vars.CONTENTCTL_VERSION }}
+          else
+            echo "Installing latest contentctl version"
+            pip install contentctl
+          fi
           git clone --depth=1 --single-branch --branch=master https://github.com/redcanaryco/atomic-red-team.git external_repos/atomic-red-team
           git clone --depth=1 --single-branch --branch=master https://github.com/mitre/cti external_repos/cti
       

.github/workflows/unit-testing.yml

@@ -23,7 +23,13 @@ jobs:
         - name: Install Python Dependencies and ContentCTL
           run: |
             python -m pip install --upgrade pip
-            pip install contentctl==5.0.0
+            if [ -n "${{ vars.CONTENTCTL_VERSION }}" ]; then
+              echo "Installing contentctl version ${{ vars.CONTENTCTL_VERSION }}"
+              pip install contentctl==${{ vars.CONTENTCTL_VERSION }}
+            else
+              echo "Installing latest contentctl version"
+              pip install contentctl
+            fi
            
         # Running contentctl test with a few arguments, before running the command make sure you checkout into the current branch of the pull request. This step only performs unit testing on all the changes against the target-branch. In most cases this target branch will be develop
         # Make sure we check out the PR, even if it actually lives in a fork

contentctl.yml

@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 4.44.0
+  version: 5.0.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU
@@ -71,9 +71,9 @@ apps:
 - uid: 833
   title: Splunk Add-on for Unix and Linux
   appid: Splunk_TA_nix
-  version: 9.2.0
+  version: 10.0.0
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-unix-and-linux_920.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-unix-and-linux_1000.tgz
 - uid: 5579
   title: Splunk Add-on for CrowdStrike FDR
   appid: Splunk_TA_CrowdStrike_FDR

data_sources/linux_auditd_add_user.yml

@@ -10,7 +10,7 @@ configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux
   url: https://splunkbase.splunk.com/app/833
-  version: 9.2.0
+  version: 10.0.0
 fields:
 - msg
 - type
@@ -30,4 +30,6 @@ fields:
 - UID
 - AUID
 - ID
-example_log: 'type=ADD_USER msg=audit(1722950859.266:6994): pid=1788 uid=0 auid=1000 ses=1 subj=unconfined msg=''op=adding user id=1002 exe="/usr/sbin/useradd" hostname=ar-linux1 addr=? terminal=pts/1 res=success''UID="root" AUID="ubuntu" ID="unknown(1002)"'
+example_log: 'type=ADD_USER msg=audit(1722950859.266:6994): pid=1788 uid=0 auid=1000
+  ses=1 subj=unconfined msg=''op=adding user id=1002 exe="/usr/sbin/useradd" hostname=ar-linux1
+  addr=? terminal=pts/1 res=success''UID="root" AUID="ubuntu" ID="unknown(1002)"'

data_sources/linux_auditd_execve.yml

@@ -10,10 +10,11 @@ configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux
   url: https://splunkbase.splunk.com/app/833
-  version: 9.2.0
+  version: 10.0.0
 fields:
 - msg
 - type
 - msg
 - argc
-example_log: 'type=EXECVE msg=audit(1723044684.257:15795): argc=3 a0="sudo" a1="LD_PRELOAD=./myfopen.so" a2="./prog"'
+example_log: 'type=EXECVE msg=audit(1723044684.257:15795): argc=3 a0="sudo" a1="LD_PRELOAD=./myfopen.so"
+  a2="./prog"'

data_sources/linux_auditd_path.yml

@@ -10,7 +10,7 @@ configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux
   url: https://splunkbase.splunk.com/app/833
-  version: 9.2.0
+  version: 10.0.0
 fields:
 - msg
 - type
@@ -30,4 +30,6 @@ fields:
 - cap_frootid
 - OUID
 - OGID
-example_log: 'type=PATH msg=audit(1723043687.149:14898): item=1 name="/etc/ssh/ssh_config~" inode=1292 dev=103:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"'
+example_log: 'type=PATH msg=audit(1723043687.149:14898): item=1 name="/etc/ssh/ssh_config~"
+  inode=1292 dev=103:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=DELETE cap_fp=0
+  cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"'

data_sources/linux_auditd_proctitle.yml

@@ -10,7 +10,7 @@ configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux
   url: https://splunkbase.splunk.com/app/833
-  version: 9.2.0
+  version: 10.0.0
 fields:
 - proctitle
 - msg

data_sources/linux_auditd_service_stop.yml

@@ -10,7 +10,7 @@ configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux
   url: https://splunkbase.splunk.com/app/833
-  version: 9.2.0
+  version: 10.0.0
 fields:
 - msg
 - type
@@ -28,4 +28,6 @@ fields:
 - res
 - UID
 - AUID
-example_log: 'type=SERVICE_STOP msg=audit(1722957155.494:4802): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=unconfined msg=''unit=atd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success''UID="root" AUID="unset"'
+example_log: 'type=SERVICE_STOP msg=audit(1722957155.494:4802): pid=1 uid=0 auid=4294967295
+  ses=4294967295 subj=unconfined msg=''unit=atd comm="systemd" exe="/usr/lib/systemd/systemd"
+  hostname=? addr=? terminal=? res=success''UID="root" AUID="unset"'

data_sources/linux_auditd_syscall.yml

@@ -10,7 +10,7 @@ configuration: https://github.com/Neo23x0/auditd/blob/master/audit.rules
 supported_TA:
 - name: Splunk Add-on for Unix and Linux
   url: https://splunkbase.splunk.com/app/833
-  version: 9.2.0
+  version: 10.0.0
 fields:
 - msg
 - type
@@ -20,7 +20,7 @@ fields:
 - success
 - exit
 - a1
-- a2 
+- a2
 - a3
 - items
 - ppid
@@ -51,4 +51,9 @@ fields:
 - EGID
 - SGID
 - FSGID
-example_log: 'type=SYSCALL msg=audit(1723035666.627:3663): arch=c000003e syscall=59 success=yes exit=0 a0=556a6d697a58 a1=556a6d68ad00 a2=556a6d69c980 a3=0 items=2 ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="lsmod" exe="/usr/bin/kmod" subj=unconfined key="rootcmd" ARCH=x86_64 SYSCALL=execve AUID="ubuntu" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"'
+example_log: 'type=SYSCALL msg=audit(1723035666.627:3663): arch=c000003e syscall=59
+  success=yes exit=0 a0=556a6d697a58 a1=556a6d68ad00 a2=556a6d69c980 a3=0 items=2
+  ppid=1300 pid=1301 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
+  tty=pts1 ses=1 comm="lsmod" exe="/usr/bin/kmod" subj=unconfined key="rootcmd" ARCH=x86_64
+  SYSCALL=execve AUID="ubuntu" UID="root" GID="root" EUID="root" SUID="root" FSUID="root"
+  EGID="root" SGID="root" FSGID="root"'

data_sources/linux_secure.yml

@@ -6,7 +6,10 @@ author: Patrick Bareiss, Splunk
 description: Data source object for Linux Secure
 source: /var/log/secure
 sourcetype: linux_secure
-supported_TA: []
+supported_TA:
+- name: Splunk Add-on for Unix and Linux
+  url: https://splunkbase.splunk.com/app/833
+  version: 9.2.0
 fields:
 - _time
 - action

detections/application/pingid_mismatch_auth_source_and_verification_response.yml

@@ -1,6 +1,6 @@
 name: PingID Mismatch Auth Source and Verification Response
 id: 15b0694e-caa2-4009-8d83-a1f98b86d086
-version: 4
+version: 5
 date: '2025-01-21'
 author: Steven Dick
 status: production

detections/application/windows_ad_suspicious_attribute_modification.yml

@@ -1,6 +1,6 @@
 name: Windows AD Suspicious Attribute Modification
 id: 5682052e-ce55-4f9f-8d28-59191420b7e0
-version: 3
+version: 4
 date: '2025-01-21'
 author: Dean Luxton
 status: production

detections/application/windows_ad_suspicious_gpo_modification.yml

@@ -1,6 +1,6 @@
 name: Windows AD Suspicious GPO Modification
 id: 0a2afc18-a3b5-4452-b60a-2e774214f9bf
-version: 3
+version: 4
 date: '2025-01-21'
 author: Dean Luxton
 status: experimental

detections/cloud/azure_ad_application_administrator_role_assigned.yml

@@ -1,6 +1,6 @@
 name: Azure AD Application Administrator Role Assigned
 id: eac4de87-7a56-4538-a21b-277897af6d8d
-version: 6
+version: 7
 date: '2024-11-14'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production

detections/cloud/azure_ad_azurehound_useragent_detected.yml

@@ -1,6 +1,6 @@
 name: Azure AD AzureHound UserAgent Detected
 id: d62852db-a1f1-40db-a7fc-c3d56fa8bda3
-version: 1
+version: 2
 date: '2025-01-06'
 author: Dean Luxton 
 data_source:

detections/cloud/azure_ad_external_guest_user_invited.yml

@@ -1,6 +1,6 @@
 name: Azure AD External Guest User Invited
 id: c1fb4edb-cab1-4359-9b40-925ffd797fb5
-version: 5
+version: 6
 date: '2024-11-14'
 author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
 status: production

detections/cloud/azure_ad_multi_factor_authentication_disabled.yml

@@ -1,6 +1,6 @@
 name: Azure AD Multi-Factor Authentication Disabled
 id: 482dd42a-acfa-486b-a0bb-d6fcda27318e
-version: 5
+version: 6
 date: '2024-11-14'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production

detections/cloud/azure_ad_privileged_role_assigned.yml

@@ -1,6 +1,6 @@
 name: Azure AD Privileged Role Assigned
 id: a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a
-version: 6
+version: 7
 date: '2024-11-14'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production

detections/cloud/azure_ad_service_principal_enumeration.yml

@@ -1,6 +1,6 @@
 name: Azure AD Service Principal Enumeration
 id: 3f0647ce-add5-4436-8039-cbd1abe74563
-version: 1
+version: 2
 date: '2025-01-06'
 author: Dean Luxton
 data_source:

detections/cloud/azure_ad_service_principal_owner_added.yml

@@ -1,6 +1,6 @@
 name: Azure AD Service Principal Owner Added
 id: 7ddf2084-6cf3-4a44-be83-474f7b73c701
-version: 7
+version: 8
 date: '2024-11-14'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production

detections/cloud/azure_ad_user_enabled_and_password_reset.yml

@@ -1,6 +1,6 @@
 name: Azure AD User Enabled And Password Reset
 id: 1347b9e8-2daa-4a6f-be73-b421d3d9e268
-version: 6
+version: 7
 date: '2024-11-14'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production

detections/cloud/azure_ad_user_immutableid_attribute_updated.yml

@@ -1,6 +1,6 @@
 name: Azure AD User ImmutableId Attribute Updated
 id: 0c0badad-4536-4a84-a561-5ff760f3c00e
-version: 5
+version: 6
 date: '2024-11-14'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production

detections/cloud/gcp_multi_factor_authentication_disabled.yml

@@ -1,6 +1,6 @@
 name: GCP Multi-Factor Authentication Disabled
 id: b9bc5513-6fc1-4821-85a3-e1d81e451c83
-version: 5
+version: 6
 date: '2024-11-14'
 author: Bhavin Patel, Mauricio Velazco, Splunk
 status: production

detections/cloud/gsuite_drive_share_in_external_email.yml

@@ -1,6 +1,6 @@
 name: Gsuite Drive Share In External Email
 id: f6ee02d6-fea0-11eb-b2c2-acde48001122
-version: 4
+version: 5
 date: '2024-11-14'
 author: Teoderick Contreras, Splunk
 status: experimental

detections/cloud/gsuite_suspicious_shared_file_name.yml

@@ -1,6 +1,6 @@
 name: Gsuite Suspicious Shared File Name
 id: 07eed200-03f5-11ec-98fb-acde48001122
-version: 4
+version: 5
 date: '2024-11-14'
 author: Teoderick Contreras, Splunk
 status: production

detections/cloud/o365_multiple_os_vendors_authenticating_from_user.yml

@@ -0,0 +1,66 @@
+name: O365 Multiple OS Vendors Authenticating From User
+id: 3451e58a-9457-4985-a600-b616b0cbfda1
+version: 1
+date: '2024-12-19'
+author: Steven Dick
+status: production
+type: TTP
+description: The following analytic identifies when multiple operating systems are used to authenticate to Azure/EntraID/Office 365 by the same user account over a short period of time. This activity could be indicative of attackers enumerating various logon capabilities of Azure/EntraID/Office 365 and attempting to discover weaknesses in the organizational MFA or conditional access configurations. Usage of the tools like "MFASweep" will trigger this detection.
+data_source: 
+- Office 365 Universal Audit Log
+search: |-
+  `o365_management_activity` Operation IN (UserLoginFailed,UserLoggedIn)
+  | eval -time = _time
+  | bin _time span=15m
+  | stats values(Operation) as signature, values(ErrorNumber) as signature_id, values(OS) as os_name, dc(OS) as os_count, count, min(-time) as firstTime, max(-time) as lastTime by  ClientIP, UserId, _time
+  | where os_count >= 4
+  | eval src = ClientIP, user = UserId
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `o365_multiple_os_vendors_authenticating_from_user_filter`
+how_to_implement: You must install the Splunk Microsoft Office 365 Add-on and ingest Office 365 management activity events. The thresholds set within the analytic (such as unique OS) are initial guidelines and should be customized based on the organization's user behavior and risk profile. Security teams are encouraged to adjust these thresholds to optimize the balance between detecting genuine threats and minimizing false positives, ensuring the detection is tailored to their specific environment.
+known_false_positives: IP or users where the usage of multiple Operating systems is expected, filter accordingly. 
+references:
+- https://attack.mitre.org/techniques/T1110
+- https://www.blackhillsinfosec.com/exploiting-mfa-inconsistencies-on-microsoft-services/
+- https://sra.io/blog/msspray-wait-how-many-endpoints-dont-have-mfa/
+- https://github.com/dafthack/MFASweep/tree/master
+drilldown_searches:
+- name: View the detection results for - "$user$"
+  search: '%original_detection_search% | search user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: Investigate logons from $user$ 
+  search: '`o365_management_activity` Operation IN (UserLoginFailed,UserLoggedIn) "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: The user account $user$ authenticated with $os_count$ unique operating system types over a short period from $src$.
+  risk_objects:
+  - field: user
+    type: user
+    score: 60
+  threat_objects:
+  - field: src
+    type: ip_address
+tags:
+  analytic_story: 
+  - Office 365 Account Takeover
+  asset_type: O365 Tenant
+  mitre_attack_id: 
+  - T1110
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: threat
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/azure_mfasweep_events/azure_mfasweep_events.log
+    source: o365
+    sourcetype: o365:management:activity

detections/cloud/o365_service_principal_new_client_credentials.yml

@@ -1,6 +1,6 @@
 name: O365 Service Principal New Client Credentials
 id: a1b229e9-d962-4222-8c62-905a8a010453
-version: 5
+version: 6
 date: '2024-11-14'
 author: Mauricio Velazco, Splunk
 status: production

detections/deprecated/attempt_to_stop_security_service.yml

@@ -1,6 +1,6 @@
 name: Attempt To Stop Security Service
 id: c8e349c6-b97c-486e-8949-bd7bcd1f3910
-version: 9
+version: 10
 date: '2025-01-24'
 author: Rico Valdez, Splunk
 status: deprecated

detections/deprecated/attempted_credential_dump_from_registry_via_reg_exe.yml

@@ -1,6 +1,6 @@
 name: Attempted Credential Dump From Registry via Reg exe
 id: e9fb4a59-c5fb-440a-9f24-191fbc6b2911
-version: 12
+version: 13
 date: '2025-01-15'
 author: Patrick Bareiss, Splunk
 status: deprecated

detections/deprecated/cmdline_tool_not_executed_in_cmd_shell.yml

@@ -1,6 +1,6 @@
 name: Cmdline Tool Not Executed In CMD Shell
 id: 6c3f7dd8-153c-11ec-ac2d-acde48001122
-version: 7
+version: 8
 date: '2025-01-24'
 author: Teoderick Contreras, Splunk
 status: deprecated