updating detections

splunk · Jun 25, 2024 · e6fb279 · e6fb279
1 parent 1d98293
commit e6fb279
Show file tree

Hide file tree

Showing 5 changed files with 65 additions and 67 deletions.
diff --git a/detections/application/okta_risk_threshold_exceeded.yml b/detections/application/okta_risk_threshold_exceeded.yml
@@ -1,54 +1,37 @@
 name: Okta Risk Threshold Exceeded
 id: d8b967dd-657f-4d88-93b5-c588bcd7218c
-version: 1
-date: "2022-09-29"
-author: Michael Haag, Splunk
+version: 2
+date: "2024-04-02"
+author: Michael Haag, Bhavin Patel, Splunk
 status: production
 type: Correlation
 description:
-  The following correlation will take risk associated with the content
-  from  "Suspicious Okta Activity" and "Okta MFA Exhaustion" analytic stories and
-  tally it up. Once it hits the threshold of 100 (can be changed), it will trigger an a notable. As needed, reduce or raise the risk scores assocaited with the anomaly and TTP analytics tagged to these two analytic stories.
+  This correlation computes the risk events associated with the detection analytics from "Suspicious Okta Activity", "Okta Account Takeover", and "Okta MFA Exhaustion" analytic stories. This analytic will trigger a notable event in your incident review when there are 5 or more distinct TTPs related to these analytic stories in the last 24 hours. This incident highlights potentially suspicious activity by a compromised user.
 data_source: []
 search:
-  '| tstats `security_content_summariesonly` sum(All_Risk.calculated_risk_score) as risk_score,
-  count(All_Risk.calculated_risk_score) as risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id)
-  as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id)
-  as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id)
-  as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id)
-  as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source,
-  dc(source) as source_count from datamodel=Risk.All_Risk by All_Risk.risk_object,All_Risk.risk_object_type
-  All_Risk.analyticstories | `drop_dm_object_name("All_Risk")` | eval "annotations.mitre_attack"="annotations.mitre_attack.mitre_technique_id",
-  risk_threshold=100 | where analyticstories IN ("Suspicious Okta Activity",
-  "Okta MFA Exhaustion")  risk_score > risk_threshold | `get_risk_severity(risk_score)`
-  | `okta_risk_threshold_exceeded_filter`'
+  '| tstats `security_content_summariesonly` values(All_Risk.analyticstories) as analyticstories  sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count,values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk  where All_Risk.risk_object_type = user All_Risk.analyticstories IN ("Okta Account Takeover", "Suspicious Okta Activity","Okta MFA Exhaustion") by All_Risk.risk_object,All_Risk.risk_object_type | `drop_dm_object_name("All_Risk")` |  search mitre_technique_id_count > 5 | `okta_risk_threshold_exceeded_filter`'
 how_to_implement:
-  Ensure "Suspicious Okta Activity" and "Okta MFA Exhaustion" analytic
-  stories are enabled. TTP may be set to Notables for point detections, anomaly should
-  not be notables but risk generators. The correlation relies on risk before generating
-  a notable. Modify the value as needed. Default threshold is 100. This value may
-  need to be increased based on activity in your environment.
+  This search leverages the Risk Framework from Enterprise Security. Ensure that "Suspicious Okta Activity", "Okta Account Takeover", and "Okta MFA Exhaustion" analytic stories are enabled. TTPs may be set to Notables for point detections; anomalies should not be notables but rather risk generators. The correlation relies on risk before generating a notable. Modify the value as needed.
 known_false_positives:
-  False positives will be limited to the amount of events generated
-  by the analytics tied to the stories. Analytics will need to be tesetd and tuned,
-  risk score reduced, as needed based on organization.
+  False positives will be limited to the number of events generated by the analytics tied to the stories. Analytics will need to be tested and tuned, and the risk score reduced as needed based on the organization.
 references:
   - https://developer.okta.com/docs/reference/api/event-types
   - https://sec.okta.com/everythingisyes
 tags:
   analytic_story:
-    - Suspicious Okta Activity
+    - Okta Account Takeover
     - Okta MFA Exhaustion
-  asset_type: Infrastructure
+    - Suspicious Okta Activity
+  asset_type: Okta Tenant
   confidence: 80
   impact: 70
-  message: Risk score $risk_score$ threshold exceeded for $risk_object$ related to Okta events.
+  message: Okta Risk threshold exceeded for user [$risk_object$]. Investigate further to determine if this was authorized.
   mitre_attack_id:
     - T1078
     - T1110
   observable:
     - name: risk_object
-      type: Hostname
+      type: User
       role:
         - Victim
   product:
@@ -59,5 +42,16 @@ tags:
     - All_Risk.risk_object
     - All_Risk.risk_object_type
     - All_Risk.analyticstories
+    - All_Risk.calculated_risk_score
+    - All_Risk.annotations.mitre_attack.mitre_tactic_id
+    - All_Risk.annotations.mitre_attack.mitre_technique_id
+    - All_Risk.tag
+    - _time
   risk_score: 56
   security_domain: access
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/okta_account_takeover_risk_events/okta_risk.log
+    source: risk_data
+    sourcetype: stash
diff --git a/detections/application/windows_ad_add_self_to_group.yml b/detections/application/windows_ad_add_self_to_group.yml
@@ -6,16 +6,15 @@ author: Dean Luxton
 status: production
 type: TTP
 data_source:
-- UPDATE_DATA_SOURCE
+- Windows Event Log Security 4728
 description: Detect when a user adds themselfs to an AD Group. 
 search: '`wineventlog_security` EventCode IN (4728) 
   | where user=src_user 
   | stats min(_time) as _time dc(user) as usercount, values(user) as user values(user_category) as user_category values(src_user_category) as src_user_category values(dvc) as dvc by signature, Group_Name, src_user 
   | `windows_ad_add_self_to_group_filter`'
 how_to_implement: This analytic requires eventCode 4728 to be ingested.
 known_false_positives: Unknown
-references:
-- REFERENCE
+references: []
 tags:
   analytic_story:
   - Active Directory Privilege Escalation
@@ -46,6 +45,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: UPDATE url to dataset
-    source: UPDATE source
-    sourcetype: UPDATE sourcetype
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log
+    source: XmlWinEventLog:Security
+    sourcetype: XmlWinEventLog
+    update_timestamp: true
diff --git a/detections/endpoint/detect_new_local_admin_account.yml b/detections/endpoint/detect_new_local_admin_account.yml
@@ -1,18 +1,18 @@
 name: Detect New Local Admin account
 id: b25f6f62-0712-43c1-b203-083231ffd97d
-version: 2
-date: '2020-07-08'
+version: 4
+date: '2024-06-25'
 author: David Dorsey, Splunk
 status: production
 type: TTP
 description: |-
   The following analytic detects the creation of new accounts that have been elevated to local administrators so that you can take immediate action to mitigate the risks and prevent further unauthorized access or malicious activities. This detection is made by using the Splunk query `wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) to search for relevant security events in the Windows event log. When a new account is created or an existing account is added to the Administrators group, this analytic identifies this behavior by looking for EventCode 4720 (A user account was created) or EventCode 4732 (A member was added to a security-enabled global group). This analytic specifically focuses on events where the Group_Name is set to Administrators. This detection is important because it suggests that an attacker has gained elevated privileges and can perform malicious actions with administrative access. This can lead to significant impact, such as unauthorized access to sensitive data, unauthorized modifications to systems or configurations, and potential disruption of critical services. identifying this behavior is crucial for a Security Operations Center (SOC). Next steps include reviewing the details of the security event, including the user account that was created or added to the Administrators group. Also, examine the time span between the first and last occurrence of the event to determine if the behavior is ongoing. Additionally, consider any contextual information, such as the destination where the account was created or added to understand the scope and potential impact of the attack.
 data_source:
-- Windows Security 4732
-- Windows Security 4720
+- Windows Event Log Security 4732
+- Windows Event Log Security 4720
 search: '`wineventlog_security` (EventCode=4720) OR (EventCode=4732 Group_Name=Administrators) 
 | stats dc(EventCode) as evCount min(_time) as _time range(_time) as duration values(src_user) as src_user values(src_user_category) as src_user_category values(dest_category) as dest_category by user dest
-| where evCount=2 AND duration<7200
+| where evCount=2
 | fields - evCount, duration
 | `detect_new_local_admin_account_filter`'
 how_to_implement: You must be ingesting Windows event logs using the Splunk Windows
@@ -36,7 +36,10 @@ tags:
   - T1136.001
   - T1136
   observable:
-  - name: user
+  - name: src_user
+    type: User
+    role:
+    - Victim
     type: User
     role:
     - Victim
@@ -63,15 +66,9 @@ tests:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-security.log
     source: WinEventLog:Security
     sourcetype: WinEventLog
-    update_timestamp: true
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-system.log
     source: WinEventLog:System
     sourcetype: WinEventLog
-    update_timestamp: true
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/windows-sysmon.log
     source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
-    sourcetype: xmlwineventlog
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1136.001/atomic_red_team/xml-windows-security.log
-    source: XmlWinEventLog:Security
-    sourcetype: XmlWinEventLog
-    update_timestamp: true
+    sourcetype: xmlwineventlog
diff --git a/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml b/detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml
@@ -1,7 +1,7 @@
 name: Kerberos Pre-Authentication Flag Disabled in UserAccountControl
 id: 0cb847ee-9423-11ec-b2df-acde48001122
-version: 1
-date: '2022-02-22'
+version: 2
+date: '2024-06-25'
 author: Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -13,7 +13,7 @@ description: The following analytic leverages Windows Security Event 4738, `A us
   Red Teams and adversaries alike who have obtained privileges in an Active Directory
   network may use this technique as a backdoor or a way to escalate privileges.
 data_source:
-- Windows Security 4738
+- Windows Event Log Security 4738
 search: ' `wineventlog_security` EventCode=4738 (UserAccountControl="%%2096" OR MSADChangedAttributes="*Don''t Require Preauth'' - Enabled*")
   | eval MSADChangedAttributes="''Don''t Require Preauth'' - Enabled"
   | table _time, source, EventCode, src_user, src_user_category, user, user_category, MSADChangedAttributes 
@@ -29,7 +29,7 @@ references:
 tags:
   analytic_story:
   - Active Directory Kerberos Attacks
-  asset_type: endpoint
+  asset_type: Endpoint
   confidence: 90
   impact: 50
   message: Kerberos Pre Authentication was Disabled for $user$
@@ -59,4 +59,4 @@ tests:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/powershell/windows-security.log
     source: WinEventLog:Security
     sourcetype: WinEventLog
-    update_timestamp: true
+    update_timestamp: true
diff --git a/detections/endpoint/macos_plutil.yml b/detections/endpoint/macos_plutil.yml
@@ -1,18 +1,24 @@
 name: MacOS plutil
 id: c11f2b57-92c1-4cd2-b46c-064eafb833ac
-version: 2
-date: '2022-05-26'
+version: 4
+date: '2024-05-22'
 author: Patrick Bareiss, Splunk
 status: production
 type: TTP
-description: Detect usage of plutil to modify plist files. Adversaries can Modify plist
-  files to executed binaries or add command line arguments. Plist files in auto-run
-  locations are executed upon user logon or system startup.
-data_source: []
+description: The following analytic detects the usage of the `plutil` command to modify
+  plist files on macOS systems. It leverages osquery to monitor process events, specifically
+  looking for executions of `/usr/bin/plutil`. This activity is significant because
+  adversaries can use `plutil` to alter plist files, potentially adding malicious
+  binaries or command-line arguments that execute upon user logon or system startup.
+  If confirmed malicious, this could allow attackers to achieve persistence, execute
+  arbitrary code, or escalate privileges, posing a significant threat to the system's
+  security.
+data_source:
+- osquery
 search: '`osquery` name=es_process_events columns.path=/usr/bin/plutil | rename columns.*
   as * | stats count  min(_time) as firstTime max(_time) as lastTime by username host
-  cmdline pid path parent signing_id | rename username as User, cmdline as process,
-  path as process_path | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
+  cmdline pid path parent signing_id | rename username as user, cmdline as process,
+  path as process_path, host as dest | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`
   | `macos_plutil_filter`'
 how_to_implement: This detection uses osquery and endpoint security on MacOS. Follow
   the link in references, which describes how to setup process auditing in MacOS with
@@ -26,18 +32,18 @@ tags:
   asset_type: Endpoint
   confidence: 50
   impact: 50
-  message: plutil are executed on $host$ from $user$
+  message: plutil are executed on $dest$ from $user$
   mitre_attack_id:
   - T1647
   observable:
   - name: user
     type: User
     role:
     - Victim
-  - name: process
-    type: Process
+  - name: dest
+    type: Hostname
     role:
-    - Child Process
+    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
@@ -56,6 +62,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1647/atomic_red_team/osquery.log
+  - data: 
+      https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1647/atomic_red_team/osquery.log
     source: osquery
-    sourcetype: osquery:results
+    sourcetype: osquery:results