From f57e82a181f9ff2c2c38a55c3df312f33c127f42 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Tue, 9 Jul 2024 15:10:22 -0700 Subject: [PATCH] deleting SSA from build --- ...ssa___anomalous_usage_of_archive_tools.yml | 57 ------------------- 1 file changed, 57 deletions(-) delete mode 100644 dev_ssa/endpoint/ssa___anomalous_usage_of_archive_tools.yml diff --git a/dev_ssa/endpoint/ssa___anomalous_usage_of_archive_tools.yml b/dev_ssa/endpoint/ssa___anomalous_usage_of_archive_tools.yml deleted file mode 100644 index 36b8814c2f..0000000000 --- a/dev_ssa/endpoint/ssa___anomalous_usage_of_archive_tools.yml +++ /dev/null @@ -1,57 +0,0 @@ -name: Anomalous usage of Archive Tools -id: 63614a58-10e2-4c6c-ae81-ea1113681439 -version: 4 -date: '2021-11-22' -author: Patrick Bareiss, Splunk -status: production -type: Anomaly -description: The following detection identifies the usage of archive tools from the - command line. -data_source: -- Windows Security 4688 -search: - selection1: - process.file.name: WinRAR.exe - selection2: - process.file.name|startswith: 7z - selection3: - process.file.name|startswith: winzip - selection4: - actor.process.file.name|endswith: - - powershell.exe - - cmd.exe - condition: (selection1 or selection2 or selection3) and selection4 -how_to_implement: To successfully implement this search you need to be ingesting information - on process that include the name of the process responsible for the changes from - your endpoints into the `Endpoint` datamodel in the `Processes` node. -known_false_positives: False positives can be ligitmate usage of archive tools from - the command line. -references: -- https://attack.mitre.org/techniques/T1560/001/ -tags: - analytic_story: - - Cobalt Strike - - NOBELIUM Group - - Insider Threat - asset_type: Endpoint - confidence: 60 - impact: 70 - message: An instance of $parent_process_name$ spawning $process_name$ was identified - on endpoint $dest$ by user $user$. This behavior is indicative of suspicious loading - of 7zip. - mitre_attack_id: - - T1560.001 - - T1560 - observable: [] - product: - - Splunk Behavioral Analytics - required_fields: [] - kill_chain_phases: - - Exploitation - risk_score: 42 - security_domain: endpoint -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1560.001/archive_tools/windows-security.log - source: WinEventLog:Security