2 changes: 1 addition & 1 deletion detections/endpoint/disable_logs_using_wevtutil.yml
@@ -16,7 +16,7 @@ search: |-
AND
(Processes.process = "*sl*"
OR
Processes.process = "*set-log*" ) Processes.process = "*/e:false*"
Processes.process = "*set-log*" ) Processes.process IN ("*/e:false*", "*/enabled:false*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
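Review bot: the only change in this hunk is the extra `*/enabled:false*` alternative in the IN list, and nothing visible here documents it; add the long-form switch to the description/how_to_implement text and include a `wevtutil sl <log> /enabled:false` sample in the attack data so the new branch is actually exercised by the unit test. Since `*sl*` on its own is a very loose substring, the `/e:false` / `/enabled:false` clause is what carries this detection, so keep the two forms in sync if either is edited later.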
@@ -4,7 +4,7 @@ version: 15
date: '2026-04-15'
author: Mauricio Velazco, Michael Haag, Splunk
status: production
type: TTP
type: Anomaly
Contributor: Did you want to keep the score 50 for this?
description: |
The following analytic detects the spawning of a PowerShell process as a child or grandchild of commonly abused processes like services.exe, wmiprvse.exe, svchost.exe, wsmprovhost.exe, and mmc.exe.
It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names, as well as command-line executions.
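Review bot: the type flips from TTP to Anomaly but the hunk touches nothing else in this file, so the rba scores are not part of this change, which is what the contributor's question about keeping 50 points at. Either lower the scores in the same commit as the other Anomaly downgrades in this PR or state in the PR why this rule keeps 50, and bump `version` (still 15 in the hunk context).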
@@ -14,7 +14,7 @@ search: |-
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_regsvr32`
AND
Processes.process="*/i*"
Processes.process="*/i*" AND NOT Processes.process="*Microsoft\\TeamsMeetingAddin*"
Contributor: Please add a note in the FP section about this and teams
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
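Review bot: `NOT Processes.process="*Microsoft\\TeamsMeetingAddin*"` is a substring exclusion over the whole command line, so any regsvr32 invocation that merely contains that path somewhere in its arguments is dropped, including one an attacker pads with it. Narrow it to the position where the Teams add-in DLL actually appears (the DLL argument at the end of the command line) or to the Teams installer parent process, and record the exclusion in known_false_positives as requested above.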
6 changes: 3 additions & 3 deletions detections/endpoint/schtasks_run_task_on_demand.yml
@@ -4,7 +4,7 @@ version: 9
date: '2026-04-15'
author: Teoderick Contreras, Splunk
status: production
type: TTP
type: Anomaly
description: The following analytic detects the execution of a Windows Scheduled Task on demand via the shell or command line. It leverages process-related data, including process name, parent process, and command-line executions, sourced from endpoint logs. The detection focuses on 'schtasks.exe' with an associated 'run' command. This activity is significant as adversaries often use it to force the execution of their created Scheduled Tasks for persistent access or lateral movement within a compromised machine. If confirmed malicious, this could allow attackers to maintain persistence or move laterally within the network, potentially leading to further compromise.
data_source:
- Sysmon EventID 1
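Review bot: the `description:` line still calls this activity "significant" and frames it as persistence and lateral movement, which is TTP language now that the type is Anomaly. Either tone the description down or add a known_false_positives entry naming the benign `schtasks /run` activity (administrators, installers) that motivated the downgrade, and bump `version` (still 9 in the hunk context).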
@@ -42,10 +42,10 @@ rba:
risk_objects:
- field: dest
type: system
score: 50
score: 20
- field: user
type: user
score: 50
score: 20
threat_objects: []
tags:
analytic_story:
@@ -4,15 +4,15 @@ version: 13
date: '2026-04-15'
author: Michael Haag, Splunk
status: production
type: TTP
type: Anomaly
description: The following analytic detects the use of AppCmd.exe to disable HTTP logging on IIS servers. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution events where AppCmd.exe is used with specific parameters to alter logging settings. This activity is significant because disabling HTTP logging can help adversaries hide their tracks and avoid detection by removing evidence of their actions. If confirmed malicious, this could allow attackers to operate undetected, making it difficult to trace their activities and respond to the intrusion effectively.
data_source:
- Sysmon EventID 1
- Windows Event Log Security 4688
- CrowdStrike ProcessRollup2
search: |-
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE NOT (Processes.parent_process_name IN ("msiexec.exe", "iissetup.exe")) Processes.process_name=appcmd.exe Processes.process IN ("*set config*", "*httplogging*","*dontlog:true*")
WHERE NOT (Processes.parent_process_name IN ("msiexec.exe", "iissetup.exe")) Processes.process_name=appcmd.exe Processes.process IN ("*httplogging*","*dontlog:true*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
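Review bot: dropping `*set config*` from the IN list is the right fix, since IN is OR'd and that term alone matched every `appcmd set config` invocation regardless of section. The two remaining terms are still OR'd, though, so `*httplogging*` fires on any change to that section, including re-enabling logging; if the intent is "logging disabled", consider requiring `*dontlog:true*` and treating `*httplogging*` as supporting context rather than a standalone match, and note the behaviour in known_false_positives.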
@@ -4,7 +4,7 @@ version: 13
date: '2026-04-15'
author: Teoderick Contreras, Splunk
status: production
type: TTP
type: Anomaly
description: |
The following analytic identifies the modification of security permissions
on files or directories using tools like icacls.exe, cacls.exe, or xcacls.exe. It
@@ -50,10 +50,10 @@ rba:
risk_objects:
- field: dest
type: system
score: 50
score: 30
- field: user
type: user
score: 50
score: 30
threat_objects: []
tags:
analytic_story:
6 changes: 3 additions & 3 deletions detections/endpoint/windows_msiexec_remote_download.yml
@@ -4,7 +4,7 @@ version: 15
date: '2026-04-15'
author: Michael Haag, Splunk
status: production
type: TTP
type: Anomaly
description: |
The following analytic detects the use of msiexec.exe with an HTTP or
HTTPS URL in the command line, indicating a remote file download attempt. This detection
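Review bot: an http/https URL on the msiexec.exe command line is a fairly specific indicator, and the description still says it "indicat[es] a remote file download attempt"; if the downgrade to Anomaly is driven by legitimate installers fetching vendor MSIs, name that source in known_false_positives so the type change is reviewable rather than arbitrary. `version` stays 15 in the hunk context.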
@@ -61,10 +61,10 @@ rba:
risk_objects:
- field: user
type: user
score: 50
score: 30
- field: dest
type: system
score: 50
score: 30
threat_objects:
- field: parent_process_name
type: parent_process_name
@@ -4,15 +4,15 @@ version: 14
date: '2026-04-15'
author: Michael Haag, Splunk
status: production
type: TTP
type: Anomaly
description: The following analytic detects MSIExec spawning multiple discovery commands, such as Cmd.exe or PowerShell.exe. This behavior is identified using data from Endpoint Detection and Response (EDR) agents, focusing on process creation events where MSIExec is the parent process. This activity is significant because MSIExec typically does not spawn child processes other than itself, making this behavior highly suspicious. If confirmed malicious, an attacker could use these discovery commands to gather system information, potentially leading to further exploitation or lateral movement within the network.
data_source:
- Sysmon EventID 1
- Windows Event Log Security 4688
- CrowdStrike ProcessRollup2
search: |-
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.parent_process_name=msiexec.exe Processes.process_name IN ("powershell.exe", "pwsh.exe","cmd.exe", "nltest.exe","ipconfig.exe","systeminfo.exe")
WHERE Processes.parent_process_name=msiexec.exe Processes.process_name IN ("powershell.exe", "pwsh.exe", "nltest.exe","ipconfig.exe","systeminfo.exe")
Contributor: Can you add reasoning for the filter, so that people do not add it in the future without consideration.
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
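Review bot: removing `cmd.exe` from the child process list silently drops the most common msiexec child and leaves the description ("such as Cmd.exe or PowerShell.exe") inconsistent with the search. Rather than deleting the term, keep `cmd.exe` and exclude the specific benign installer command lines that produced the noise; at minimum, record the reasoning in known_false_positives as asked above so the term is not re-added later without context.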
@@ -43,10 +43,10 @@ rba:
risk_objects:
- field: user
type: user
score: 50
score: 30
- field: dest
type: system
score: 50
score: 30
threat_objects:
- field: parent_process_name
type: parent_process_name
@@ -43,6 +43,7 @@ search: |-
"*;LS*",
"*;S-1-5-19*"
)
NOT Processes.process IN ("*McAfeeFramework*", "*mfefire*", "*mfemms*", "*mfevtp*", "*macmnsvc*", "*masvc*")
Contributor: Please add a note in the rule to make people aware of this filter, so that those who do not use McAfee products can make the necessary changes if they want.
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id
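Review bot: the McAfee exclusion is a set of substring matches against the full command line (`*McAfeeFramework*`, `*mfefire*`, `*mfemms*`, `*mfevtp*`, `*macmnsvc*`, `*masvc*`), so an attacker who appends one of those strings to their own command line is excluded along with the vendor services. Anchor the allowlist to the process path or parent process instead of the free-form command line, and, as requested above, document the filter in the rule so deployments without McAfee can remove it.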
@@ -4,7 +4,7 @@ version: 10
date: '2026-04-15'
author: Steven Dick
status: production
type: TTP
type: Anomaly
description: The following analytic identifies the execution of suspicious processes typically associated with WebShell activity on web servers. It detects when processes like `cmd.exe`, `powershell.exe`, or `bash.exe` are spawned by web server processes such as `w3wp.exe` or `nginx.exe`. This behavior is significant as it may indicate an adversary exploiting a web application vulnerability to install a WebShell, providing persistent access and command execution capabilities. If confirmed malicious, this activity could allow attackers to maintain control over the compromised server, execute arbitrary commands, and potentially escalate privileges or exfiltrate sensitive data.
data_source:
- Sysmon EventID 1
@@ -48,10 +48,10 @@ rba:
risk_objects:
- field: user
type: user
score: 50
score: 10
- field: dest
type: system
score: 50
score: 10
threat_objects:
- field: process_name
type: process_name
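Review bot: a web server process spawning `cmd.exe`, `powershell.exe` or `bash.exe` is among the higher-fidelity signals in this PR, yet it lands at 10 for both risk objects, the lowest score in the set, while schtasks gets 20 and icacls and the msiexec rules get 30. Spell out in the PR description what noise justified 10 here (and the tiering in general) so the scores can be reviewed as a consistent scheme rather than per file.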