From 4de6ada327785a87f105d67f08f62ed6cf8fd05f Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Mon, 13 Apr 2026 11:39:08 +0200 Subject: [PATCH 1/3] Improved detections absed on telemetry --- detections/endpoint/disable_logs_using_wevtutil.yml | 2 +- .../possible_lateral_movement_powershell_spawn.yml | 2 +- ...regsvr32_silent_and_install_param_dll_loading.yml | 6 +++--- detections/endpoint/schtasks_run_task_on_demand.yml | 10 +++++----- ...le_windows_event_logging_disable_http_logging.yml | 8 ++++---- ...nd_dirs_access_rights_modification_via_icacls.yml | 10 +++++----- .../endpoint/windows_msiexec_remote_download.yml | 10 +++++----- .../windows_msiexec_spawn_discovery_command.yml | 12 ++++++------ ..._deny_permission_set_on_service_sd_via_sc_exe.yml | 5 +++-- ...spicious_child_process_spawned_from_webserver.yml | 10 +++++----- 10 files changed, 38 insertions(+), 37 deletions(-) diff --git a/detections/endpoint/disable_logs_using_wevtutil.yml b/detections/endpoint/disable_logs_using_wevtutil.yml index 262ff0d339..5e32b5028b 100644 --- a/detections/endpoint/disable_logs_using_wevtutil.yml +++ b/detections/endpoint/disable_logs_using_wevtutil.yml @@ -16,7 +16,7 @@ search: |- AND (Processes.process = "*sl*" OR - Processes.process = "*set-log*" ) Processes.process = "*/e:false*" + Processes.process = "*set-log*" ) Processes.process IN ("*/e:false*", "*/enabled:false*") BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml index 077eee2eb5..8feb0ef3b8 100644 --- a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml +++ b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml 
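Review bot: The new `Processes.process IN ("*/e:false*", "*/enabled:false*")` clause pins the flag value to lower case, while wevtutil accepts both the switch and the value in any case (`/E:False`, `/enabled:FALSE`). If `tstats` WHERE matching on `Processes.process` is case-sensitive in this deployment (it has been for accelerated data-model fields in my experience; please confirm), those spellings slip past the analytic, so consider adding the capitalised variants or recording the limitation in the detection's false-positive notes. The `version`/`date` bump for this file lands in the second commit of the series, so nothing to do there.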
@@ -4,7 +4,7 @@ version: 14 date: '2026-03-26' author: Mauricio Velazco, Michael Haag, Splunk status: production -type: TTP +type: Anomaly description: | The following analytic detects the spawning of a PowerShell process as a child or grandchild of commonly abused processes like services.exe, wmiprvse.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names, as well as command-line executions. diff --git a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml index b25201d8e5..075eb8ed6f 100644 --- a/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml +++ b/detections/endpoint/regsvr32_silent_and_install_param_dll_loading.yml @@ -1,7 +1,7 @@ name: Regsvr32 Silent and Install Param Dll Loading id: f421c250-24e7-11ec-bc43-acde48001122 -version: 11 -date: '2026-03-10' +version: 12 +date: '2026-04-07' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -14,7 +14,7 @@ search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE `process_regsvr32` AND - Processes.process="*/i*" + Processes.process="*/i*" AND NOT Processes.process="*Microsoft\\TeamsMeetingAddin*" BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/schtasks_run_task_on_demand.yml b/detections/endpoint/schtasks_run_task_on_demand.yml index bf230ab4c5..994dc89d96 100644 --- a/detections/endpoint/schtasks_run_task_on_demand.yml +++ b/detections/endpoint/schtasks_run_task_on_demand.yml 
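Review bot: `type: TTP` becomes `Anomaly` here but, unlike the other downgrades in this series (`schtasks_run_task_on_demand`, the icacls and msiexec analytics), no `rba` score change accompanies it, so the analytic presumably keeps its previous risk weight while no longer being rated a TTP. The `rba` block lies outside this hunk; if the telemetry showed comparable benign noise the scores should move in step, and if not, one sentence in the description explaining why only the type changed would help the next reviewer. The `version`/`date` bump for this file arrives in the second commit of the series.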
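Review bot: The new exclusion `AND NOT Processes.process="*Microsoft\\TeamsMeetingAddin*"` matches that substring anywhere in the command line, so an adversary who controls the regsvr32 arguments can suppress the alert by embedding it, for example by staging the payload under a path containing `Microsoft\TeamsMeetingAddin` or appending the text as a trailing argument after `/i`. Anchor the exclusion to the expected install location and file type, e.g. `AND NOT Processes.process="*\\AppData\\Local\\Microsoft\\TeamsMeetingAddin\\*.dll*"`, and pair it with a parent-process or signer condition if the data model carries one, rather than relying on a bare command-line substring. The `*/i*` term this exclusion hangs off is itself broad, which makes a precise exclusion all the more important.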
@@ -1,10 +1,10 @@ name: Schtasks Run Task On Demand id: bb37061e-af1f-11eb-a159-acde48001122 -version: 8 -date: '2026-03-10' +version: 9 +date: '2026-04-08' author: Teoderick Contreras, Splunk status: production -type: TTP +type: Anomaly description: The following analytic detects the execution of a Windows Scheduled Task on demand via the shell or command line. It leverages process-related data, including process name, parent process, and command-line executions, sourced from endpoint logs. The detection focuses on 'schtasks.exe' with an associated 'run' command. This activity is significant as adversaries often use it to force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. If confirmed malicious, this could allow attackers to maintain persistence or move laterally within the network, potentially leading to further compromise. data_source: - Sysmon EventID 1 @@ -42,10 +42,10 @@ rba: risk_objects: - field: dest type: system - score: 50 + score: 20 - field: user type: user - score: 50 + score: 20 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml index ae16142aea..d4d4f14382 100644 --- a/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml +++ b/detections/endpoint/windows_disable_windows_event_logging_disable_http_logging.yml 
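Review bot: With `type: Anomaly` and both scores cut to 20, the `description` line kept as context in the first hunk still reads as a high-confidence signal ("This activity is significant as adversaries often use it…") and gives no hint why the analytic was downgraded. Add a sentence recording the telemetry finding, e.g. `Administrators, software installers and monitoring agents also run tasks on demand, so this is treated as an anomaly to be correlated with other activity rather than a standalone TTP.` The `/run` form against a remote host (`/s <host>`) is the lateral-movement case the description cites; if the observed noise was local runs only, a separate higher weight for the `/s` variant (the `search` is outside this hunk) would preserve that signal.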
@@ -1,10 +1,10 @@ name: Windows Disable Windows Event Logging Disable HTTP Logging id: 23fb6787-255f-4d5b-9a66-9fd7504032b5 -version: 12 -date: '2026-03-10' +version: 13 +date: '2026-04-08' author: Michael Haag, Splunk status: production -type: TTP +type: Anomaly description: The following analytic detects the use of AppCmd.exe to disable HTTP logging on IIS servers. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution events where AppCmd.exe is used with specific parameters to alter logging settings. This activity is significant because disabling HTTP logging can help adversaries hide their tracks and avoid detection by removing evidence of their actions. If confirmed malicious, this could allow attackers to operate undetected, making it difficult to trace their activities and respond to the intrusion effectively. data_source: - Sysmon EventID 1 @@ -12,7 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE NOT (Processes.parent_process_name IN ("msiexec.exe", "iissetup.exe")) Processes.process_name=appcmd.exe Processes.process IN ("*set config*", "*httplogging*","*dontlog:true*") + WHERE NOT (Processes.parent_process_name IN ("msiexec.exe", "iissetup.exe")) Processes.process_name=appcmd.exe Processes.process IN ("*httplogging*","*dontlog:true*") BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path diff --git a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml index db18fc9529..a15077030a 100644 
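Review bot: Dropping `*set config*` fixes the overly broad OR, but the remaining `Processes.process IN ("*httplogging*","*dontlog:true*")` is still a disjunction: `*httplogging*` alone fires on `appcmd list config /section:httpLogging` and on re-enabling logging with `/dontLog:false`, neither of which is the tamper described. Because `dontLog` is an attribute of the `httpLogging` section, the tamper is characterised by `dontlog:true`; either require both terms (`Processes.process="*httplogging*" Processes.process="*dontlog:true*"`) or keep only `*dontlog:true*`. appcmd accepts the attribute in any case (`/dontLog:True`), so if tstats string matching is case-sensitive here (please confirm) add those variants as well.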
--- a/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml +++ b/detections/endpoint/windows_files_and_dirs_access_rights_modification_via_icacls.yml @@ -1,10 +1,10 @@ name: Windows Files and Dirs Access Rights Modification Via Icacls id: c76b796c-27e1-4520-91c4-4a58695c749e -version: 12 -date: '2026-03-10' +version: 13 +date: '2026-04-08' author: Teoderick Contreras, Splunk status: production -type: TTP +type: Anomaly description: | The following analytic identifies the modification of security permissions on files or directories using tools like icacls.exe, cacls.exe, or xcacls.exe. It @@ -50,10 +50,10 @@ rba: risk_objects: - field: dest type: system - score: 50 + score: 30 - field: user type: user - score: 50 + score: 30 threat_objects: [] tags: analytic_story: diff --git a/detections/endpoint/windows_msiexec_remote_download.yml b/detections/endpoint/windows_msiexec_remote_download.yml index a3e6a91e41..cb1e9d3c2d 100644 --- a/detections/endpoint/windows_msiexec_remote_download.yml +++ b/detections/endpoint/windows_msiexec_remote_download.yml @@ -1,10 +1,10 @@ name: Windows MSIExec Remote Download id: 6aa49ff2-3c92-4586-83e0-d83eb693dfda -version: 14 -date: '2026-03-10' +version: 15 +date: '2026-04-08' author: Michael Haag, Splunk status: production -type: TTP +type: Anomaly description: | The following analytic detects the use of msiexec.exe with an HTTP or HTTPS URL in the command line, indicating a remote file download attempt. This detection @@ -61,10 +61,10 @@ rba: risk_objects: - field: user type: user - score: 50 + score: 30 - field: dest type: system - score: 50 + score: 30 threat_objects: - field: parent_process_name type: parent_process_name diff --git a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml index a46d191fd7..15679f9f42 100644 --- a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml 
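Review bot: Lowering the msiexec remote-download analytic from TTP/50 to Anomaly/30 discards a signal that is normally high fidelity: the description kept in this hunk states it fires on `msiexec.exe` with an `http://`/`https://` URL on the command line, which is the remote-package case of T1218.007. If the telemetry noise came from a small set of vendor update URLs, an exclusion in the `search` (outside this hunk) such as `NOT Processes.process IN ("*://updates.vendor.example/*")` (placeholder) would keep the TTP rating for everything else; if the noise was genuinely diffuse, please record the observed sources in the analytic's false-positive notes so the downgrade can be revisited.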
+++ b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml @@ -1,10 +1,10 @@ name: Windows MSIExec Spawn Discovery Command id: e9d05aa2-32f0-411b-930c-5b8ca5c4fcee -version: 13 -date: '2026-03-10' +version: 14 +date: '2026-04-08' author: Michael Haag, Splunk status: production -type: TTP +type: Anomaly description: The following analytic detects MSIExec spawning multiple discovery commands, such as Cmd.exe or PowerShell.exe. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where MSIExec is the parent process. This activity is significant because MSIExec typically does not spawn child processes other than itself, making this behavior highly suspicious. If confirmed malicious, an attacker could use these discovery commands to gather system information, potentially leading to further exploitation or lateral movement within the network. data_source: - Sysmon EventID 1 @@ -12,7 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE Processes.parent_process_name=msiexec.exe Processes.process_name IN ("powershell.exe", "pwsh.exe","cmd.exe", "nltest.exe","ipconfig.exe","systeminfo.exe") + WHERE Processes.parent_process_name=msiexec.exe Processes.process_name IN ("nltest.exe","ipconfig.exe","systeminfo.exe") BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path @@ -43,10 +43,10 @@ rba: risk_objects: - field: user type: user - score: 50 + score: 30 - field: dest type: system - score: 50 + score: 30 threat_objects: - field: parent_process_name type: parent_process_name 
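Review bot: After the second hunk the child list no longer contains `cmd.exe`, yet the `description` kept as context in the first hunk still says the analytic "detects MSIExec spawning multiple discovery commands, such as Cmd.exe or PowerShell.exe" and that "MSIExec typically does not spawn child processes other than itself" — the telemetry that justified removing the shells contradicts that second claim. Update the wording to match the list, e.g. `detects msiexec.exe spawning native discovery utilities (nltest.exe, ipconfig.exe, systeminfo.exe); installers legitimately spawn cmd.exe and PowerShell for custom actions, so those are not included here`. The last commit in this series restores `powershell.exe`/`pwsh.exe` but not `cmd.exe`, so the description should be settled against that end state.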
diff --git a/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml b/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml index 06d4d6271f..0c0bf625d9 100644 --- a/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml +++ b/detections/endpoint/windows_new_deny_permission_set_on_service_sd_via_sc_exe.yml @@ -1,7 +1,7 @@ name: Windows New Deny Permission Set On Service SD Via Sc.EXE id: d0f6a5e5-dbfd-46e1-8bd5-2e2905947c33 -version: 8 -date: '2026-03-25' +version: 9 +date: '2026-04-08' author: Nasreddine Bencherchali, Michael Haag, Splunk status: production type: Anomaly @@ -43,6 +43,7 @@ search: |- "*;LS*", "*;S-1-5-19*" ) + NOT Processes.process IN ("*McAfeeFramework*", "*mfefire*", "*mfemms*", "*mfevtp*", "*macmnsvc*", "*masvc*") BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id diff --git a/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml b/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml index c2d2965018..2dae65b8c0 100644 --- a/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml +++ b/detections/endpoint/windows_suspicious_child_process_spawned_from_webserver.yml 
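Review bot: The new `NOT Processes.process IN ("*McAfeeFramework*", "*mfefire*", …)` exclusion keys on bare substrings anywhere in the command line, and in `sc sdset <service> <SDDL>` the service name is attacker-chosen, so `sc sdset mfefire_x D:(D;;...)` on a service the adversary created would be suppressed. Anchor each entry to the service-name position and to the parent the telemetry actually showed, for example `NOT (Processes.process IN ("*sdset McAfeeFramework *", "*sdset mfefire *", …) Processes.parent_process_name="<parent observed in telemetry>")`, so only the vendor's own installer path is excluded. The `search` block this hunk modifies begins before the hunk, so the earlier `WHERE` terms were not reviewed here.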
@@ -1,10 +1,10 @@ name: Windows Suspicious Child Process Spawned From WebServer id: 2d4470ef-7158-4b47-b68b-1f7f16382156 -version: 9 -date: '2026-03-10' +version: 10 +date: '2026-04-08' author: Steven Dick status: production -type: TTP +type: Anomaly description: The following analytic identifies the execution of suspicious processes typically associated with WebShell activity on web servers. It detects when processes like `cmd.exe`, `powershell.exe`, or `bash.exe` are spawned by web server processes such as `w3wp.exe` or `nginx.exe`. This behavior is significant as it may indicate an adversary exploiting a web application vulnerability to install a WebShell, providing persistent access and command execution capabilities. If confirmed malicious, this activity could allow attackers to maintain control over the compromised server, execute arbitrary commands, and potentially escalate privileges or exfiltrate sensitive data. data_source: - Sysmon EventID 1 @@ -48,10 +48,10 @@ rba: risk_objects: - field: user type: user - score: 50 + score: 10 - field: dest type: system - score: 50 + score: 10 threat_objects: - field: process_name type: process_name From 22b504fb1a0dfdf073f05449af22a503fccebf46 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Mon, 13 Apr 2026 13:28:43 +0200 Subject: [PATCH 2/3] bump versions and dates --- detections/endpoint/disable_logs_using_wevtutil.yml | 4 ++-- .../endpoint/possible_lateral_movement_powershell_spawn.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/detections/endpoint/disable_logs_using_wevtutil.yml b/detections/endpoint/disable_logs_using_wevtutil.yml index 5e32b5028b..506ce9328a 100644 --- a/detections/endpoint/disable_logs_using_wevtutil.yml +++ b/detections/endpoint/disable_logs_using_wevtutil.yml 
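Review bot: A score of 10 on both `user` and `dest` makes a shell spawned by a web server process nearly invisible in risk-based alerting, even though the description kept in this hunk still calls it a WebShell indicator with "persistent access and command execution capabilities". If the telemetry noise is specific to certain parent/child pairs (the `search` and its process lists are outside this hunk, so I cannot see which), a narrower exclusion would keep `w3wp.exe` → `cmd.exe`/`powershell.exe` at a meaningful weight; if the whole analytic must stay generic, `score: 30` is a more defensible floor. Please also record the observed false-positive sources so the rating can be revisited.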
@@ -1,7 +1,7 @@ name: Disable Logs Using WevtUtil id: 236e7c8e-c9d9-11eb-a824-acde48001122 -version: 11 -date: '2026-03-10' +version: 12 +date: '2026-04-13' author: Teoderick Contreras, Splunk status: production type: TTP diff --git a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml index 8feb0ef3b8..eab6f0ee32 100644 --- a/detections/endpoint/possible_lateral_movement_powershell_spawn.yml +++ b/detections/endpoint/possible_lateral_movement_powershell_spawn.yml @@ -1,7 +1,7 @@ name: Possible Lateral Movement PowerShell Spawn id: cb909b3e-512b-11ec-aa31-3e22fbd008af -version: 14 -date: '2026-03-26' +version: 15 +date: '2026-04-13' author: Mauricio Velazco, Michael Haag, Splunk status: production type: Anomaly From 174b630f61aa7e67ffeaa14e47736f86086d4f35 Mon Sep 17 00:00:00 2001 From: P4T12ICK Date: Tue, 14 Apr 2026 09:19:32 +0200 Subject: [PATCH 3/3] updates --- detections/endpoint/windows_msiexec_spawn_discovery_command.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml index 15679f9f42..d12d3aa51c 100644 --- a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml +++ b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml 
@@ -12,7 +12,7 @@ data_source: - CrowdStrike ProcessRollup2 search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE Processes.parent_process_name=msiexec.exe Processes.process_name IN ("nltest.exe","ipconfig.exe","systeminfo.exe") + WHERE Processes.parent_process_name=msiexec.exe Processes.process_name IN ("powershell.exe", "pwsh.exe", "nltest.exe","ipconfig.exe","systeminfo.exe") BY Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
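Review bot: `cmd.exe` remains absent from the child list while the analytic's `description` (outside this hunk) still names Cmd.exe as an example of what is detected; either add `"cmd.exe"` back or remove it from the description so the two agree. If `cmd.exe` was dropped because MSI custom actions routinely spawn it, the same applies to the PowerShell entries restored here, so the distinction deserves a sentence in the description or false-positive notes, e.g. `cmd.exe is omitted because MSI custom actions commonly invoke it; PowerShell children are retained as they were rarer in telemetry`.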