splunk · RavenTait · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026
@@ -0,0 +1,57 @@
+name: Windows Active Directory Command Line Tools
+id: 75f1742d-c5a5-4fe1-a448-3e925eb1aa5c
+version: 1
+date: '2026-04-13'
+author: Raven Tait, Splunk
+status: production
+type: Anomaly
+description: This analytic detects activity involving various Windows command-line tools used to query and manage Active Directory data. These utilities are often employed by administrators, but they can also be abused by adversaries to gather information, manipulate directory objects, modify permissions, or move accounts within the directory. Monitoring the use of these tools is essential as unauthorized or unusual usage may indicate reconnaissance or preparation for further attacks targeting Active Directory infrastructure.
+data_source:
+    - Sysmon EventID 1
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("csvde.exe", "dsget.exe", "dsmod.exe", "dsquery.exe", "ldifde.exe", "ntdsutil.exe", "dcdiag.exe", "klist.exe", "dcpromo.exe", "adprep.exe", "dsacl.exe", "ntdsutil.exe", "dsmove.exe", "ldp.exe", "netdom.exe", "dsrm.exe", "adinfo.exe") by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash Processes.parent_process_name Processes.parent_process_exec Processes.action Processes.dest Processes.process_current_directory Processes.process_path Processes.process_integrity_level Processes.original_file_name Processes.parent_process Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id Processes.process_guid Processes.process_id Processes.user Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `windows_active_directory_command_line_tools_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: Legitimate administrative tasks and authorized scripts may generate activity using these tools for querying Active Directory. Filter alerts accordingly to avoid false positives from routine management operations.
+references:
+    - https://github.com/redcanaryco/cb-response-surveyor/blob/master/definitions/active-directory.json
+drilldown_searches:
+    - earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+      name: View the detection results for - "$user$" and "$dest$"
+      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+    - earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+      name: View risk events for the last 7 days for - "$user$" and "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+rba:
+    message: Potential Active Directory Command Line Tools activity observed on $dest$ via $process$.
+    risk_objects:
+        - field: dest
+          type: system
+          score: 20
+        - field: dest
+          type: system
+          score: 20
+    threat_objects:
+        - field: parent_process_name
+          type: process
+tags:
+    analytic_story:
+        - Active Directory Discovery
+        - Active Directory Kerberos Attacks
+        - Active Directory Privilege Escalation
+        - Active Directory Lateral Movement
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1069
+        - T1087
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069/snapattack/snapattack.log
+          source: XmlWinEventLog:Security
+          sourcetype: XmlWinEventLog
@@ -0,0 +1,53 @@
+name: Windows Amadey File Indicators
+id: 74705999-b88c-4242-b978-8fb4ac84671f
+version: 1
+date: '2026-04-13'
+author: Raven Tait, Splunk
+status: production
+type: Anomaly
+description: 'Detects the two files that are downloaded as part of an Amadey infection. Amadey is a botnet and periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
+
+'
+data_source:
+    - Sysmon EventID 11
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*cred64.dll", "*clip64.dll") by Filesystem.dest Filesystem.file_create_time Filesystem.process_path Filesystem.process_guid Filesystem.process_id Filesystem.file_path Filesystem.file_name Filesystem.action Filesystem.vendor_product Filesystem.user| `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `windows_amadey_file_indicators_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: Some legitimate security tools or system management applications may access or create similar files for monitoring or configuration purposes. Verify against approved software before flagging.
+references:
+    - https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
+drilldown_searches:
+    - earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+      name: View the detection results for - "$user$" and "$dest$"
+      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+    - earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+      name: View risk events for the last 7 days for - "$user$" and "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+rba:
+    message: A process created a suspicious file at $file_path$ on $dest$
+    risk_objects:
+        - field: dest
+          type: system
+          score: 20
+    threat_objects: []
+tags:
+    analytic_story:
+        - Compromised Windows Host
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1608
+        - T1105
+        - T1071.001
+        - T1027
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1608/snapattack/snapattack.log
+          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+          sourcetype: XmlWinEventLog
@@ -0,0 +1,49 @@
+name: Windows AppCertDLL Modification
+id: 3ba73a2b-3396-47e4-bdef-c80e6a7895c0
+version: 1
+date: '2026-04-13'
+author: Raven Tait, Splunk
+status: production
+type: Anomaly
+description: This analytic detects attempts to modify AppCertDLL registry keys, which are used to specify DLLs loaded by the Windows Session Manager. Such modifications can be abused by attackers to load malicious code early in the system startup process, enabling persistent malware execution with high privileges. If confirmed malicious, this behavior may lead to system compromise, persistence, and the evasion of security controls.
+data_source:
+    - Sysmon EventID 1
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*controlset*\\control\\session manager*appcertdlls*" by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash Processes.parent_process_name Processes.parent_process_exec Processes.action Processes.dest Processes.process_current_directory Processes.process_path Processes.process_integrity_level Processes.original_file_name Processes.parent_process Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id Processes.process_guid Processes.process_id Processes.user Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `windows_appcertdll_modification_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: Modifications to AppCertDLL keys may be made by legitimate software updates or trusted system management tools. Review changes to ensure they are from approved sources.
+drilldown_searches:
+    - earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+      name: View the detection results for - "$user$" and "$dest$"
+      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+    - earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+      name: View risk events for the last 7 days for - "$user$" and "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+rba:
+    message: Potential AppCertDLL Modification activity observed on $dest$ via $process$.via $process$.
+    risk_objects:
+        - field: dest
+          type: system
+          score: 20
+    threat_objects:
+        - field: parent_process_name
+          type: process
+tags:
+    analytic_story:
+        - Windows Persistence Techniques
+        - Windows Privilege Escalation
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1546.009
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1546.009/snapattack/snapattack.log
+          source: XmlWinEventLog:Security
+          sourcetype: XmlWinEventLog
@@ -0,0 +1,58 @@
+name: Windows Azure Domain Federated via Powershell
+id: 59a8662f-f616-4494-8fa1-29ae77fc2018
+version: 1
+date: '2026-04-13'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: 'The ConvertTo-AADIntBackdoor command is part of the AADInternals toolkit, which is used primarily for security testing and administrative tasks in Azure Active Directory (Azure AD) environments. This particular command is designed to create a "backdoor" in a federated Azure AD domain.
+
+
+    When executed, ConvertTo-AADIntBackdoor modifies the federation settings of a domain by adding or changing the federation configuration to allow an attacker to control the authentication process. This manipulation enables the creation of security tokens that can impersonate any user within the Azure AD tenant. Consequently, this allows an attacker to bypass Multi-Factor Authentication (MFA), escalate privileges, and maintain persistent access to the Azure AD environment.
+
+'
+data_source:
+    - Powershell Script Block Logging 4104
+search: '`powershell` EventID="4104" ScriptBlockText="*ConvertTo-AADIntBackdoor*" | fillnull | stats count by Computer, EventID, ScriptBlockText, signature, signature_id, user_id, vendor_product, Guid, Opcode, Name, Path, ProcessID, ScriptBlockId | rename Computer as dest |`security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_azure_domain_federated_via_powershell_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: Certain administrative or security testing activities in Azure AD environments may use ConvertTo-AADIntBackdoor for legitimate federation configuration changes. Review and allow such actions from trusted administrators and approved tools.
+references:
+    - https://atomicredteam.io/privilege-escalation/T1484.002/#atomic-test-1---add-federation-to-azure-ad
+drilldown_searches:
+    - earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+      name: View the detection results for - "$user$" and "$dest$"
+      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+    - earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+      name: View risk events for the last 7 days for - "$user$" and "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+rba:
+    message: Potential Azure Domain Federated via Powershell activity observed on $dest$.
+    risk_objects:
+        - field: dest
+          type: system
+          score: 50
+    threat_objects: []
+tags:
+    analytic_story:
+        - Azure Active Directory Persistence
+        - Azure Active Directory Account Takeover
+        - Azure Active Directory Privilege Escalation
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1482
+        - T1078
+        - T1212
+        - T1071.001
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1482/snapattack/snapattack.log
+          source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+          sourcetype: XmlWinEventLog