Dlux update
PR Summary
There are 24 new detections, updates to 12 detections, and 5 new lookup files included in this PR. Also included is a whole stack of AD centric detections focusing on group policy & ACLs of AD objects. Potentially worth putting together as its own analytic story? Or just included as part of the sneak AD story (current state).
Breakdown of each of the new/modified files below
6 New Detections - misc: Utilising the CIM Datamodel
- detections/application/authentication_dm_distributed_password_spray.yml
- detections/application/authentication_dm_password_spray.yml
- detections/endpoint/windows_network_share_discovery_with_net.yml
- detections/network/internal_horizontal_port_scan.yml
- detections/network/internal_vertical_port_scan.yml
- detections/network/internal_vulnerability_scan.yml

3 New Detections: Misc
- detections/application/windows_increase_in_group_or_object_modification_activity.yml
- detections/application/windows_increase_in_user_modification_activity.yml
- detections/endpoint/windows_vulnerable_driver_installed.yml

5 Updates to existing detections: Fixes
- detections/endpoint/windows_ad_adminsdholder_acl_modified.yml
- detections/endpoint/windows_ad_domain_replication_acl_addition.yml
- detections/cloud/azure_ad_service_principal_new_client_credentials.yml
- detections/cloud/azure_ad_privileged_role_assigned.yml
- detections/cloud/azure_ad_global_administrator_role_assigned.yml

4 Updates Misc: (additional references, enhancements etc)
- detections/endpoint/windows_ad_replication_request_initiated_by_user_account.yml
- detections/endpoint/windows_ad_replication_request_initiated_from_unsanctioned_location.yml
- detections/endpoint/windows_admon_default_group_policy_object_modified.yml
- detections/endpoint/windows_admon_group_policy_object_created.yml

2 Updates to existing detections: Adding support for XMLWinEventLog
- detections/endpoint/detect_new_local_admin_account.yml
- detections/endpoint/kerberos_pre_authentication_flag_disabled_in_useraccountcontrol.yml

15 New Detections: AD Related
- detections/application/windows_ad_add_self_to_group.yml
- detections/application/windows_ad_dangerous_deny_acl_modification.yml
- detections/application/windows_ad_dangerous_group_acl_modification.yml
- detections/application/windows_ad_dangerous_user_acl_modification.yml
- detections/application/windows_ad_dcshadow_privileges_acl_addition.yml
- detections/application/windows_ad_domain_root_acl_deletion.yml
- detections/application/windows_ad_domain_root_acl_modification.yml
- detections/application/windows_ad_gpo_deleted.yml
- detections/application/windows_ad_gpo_disabled.yml
- detections/application/windows_ad_gpo_new_cse_addition.yml
- detections/application/windows_ad_hidden_ou_creation.yml
- detections/application/windows_ad_object_owner_updated.yml
- detections/application/windows_ad_privileged_group_modification.yml
- detections/application/windows_ad_self_dacl_assignment.yml
- detections/application/windows_ad_suspicious_attribute_modification.yml

5 New Lookups to support the SACL/ACE detections
- dist/DA-ESS-ContentUpdate/default/transforms.conf
- lookups/ace_access_rights_lookup.csv
- lookups/ace_access_rights_lookup.yml
- lookups/ace_flag_lookup.csv
- lookups/ace_flag_lookup.yml
- lookups/ace_type_lookup.csv
- lookups/ace_type_lookup.yml
- lookups/builtin_groups_lookup.csv
- lookups/builtin_groups_lookup.yml
- lookups/msad_guid_lookup.csv
- lookups/msad_guid_lookup.yml
Checklist
- [ ] Validate name matches `<platform>_<mitre att&ck technique>_<short description>` nomenclature
- [ ] CI/CD jobs passed ✔️
- [ ] Validated SPL logic.
- [ ] Validated tags, description, and how to implement.
- [ ] Verified references match analytic.
@dluxtron : Hey buddy! Can we fix up the conflicts in this PR?
You can ignore the changes in dist/ since those files are generated automatically so you can remove those changes from dist/
Hey Bhavin, I've reviewed the conflicts, resolved a couple of the redundant ones.
These two which are left, keen to keep the version in this PR if possible.
Adding some updates on Azure detections post BOTS.
Update 1
Problem: List of privileged groups needs to be updated
Fix: Updated list here https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference
Detections: https://research.splunk.com/cloud/a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a/
Update 2
Problem: Source User / Initiated By logic doesn't work when a service principal adds a member to a group
Fix: Use src_user instead of initiatedBy: `| eval initiatedBy = coalesce('initiatedBy.user.userPrincipalName',src_user)`
Detections: https://research.splunk.com/cloud/825fed20-309d-4fd1-8aaf-cd49c1bb093c/ https://research.splunk.com/cloud/a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a/
Update 3
Problem: Target user doesn't pick up when SPNs are added
Fix: `| eval user = coalesce(user,mvfilter('targetResources{}.displayName'!="null"))`
Detections: https://research.splunk.com/cloud/825fed20-309d-4fd1-8aaf-cd49c1bb093c/ https://research.splunk.com/cloud/a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a/
Update 4
Problem: When an SPN is used to add a new Client Secret, this isn't being picked up by the detection
Fix: Add coalesce for the identity and user field: `| eval user=coalesce(user,identity)`
Detections: https://research.splunk.com/cloud/e3adc0d3-9e4b-4b5d-b662-12cec1adff2a/
Update 5
Problem: For some reason the IP address wasn't logged for this event during BOTS capture, this meant events weren't picked up by the alert, which was aggregating by the src_ip field
Fix: Move src_ip to the values portion of the stats command: `values(src_ip) as src_ip`
Detections: https://research.splunk.com/cloud/e3adc0d3-9e4b-4b5d-b662-12cec1adff2a/
Update 6
Problem: New Values also includes the previous key details, and creating a key without a name (possibly via PowerShell) causes the field extraction to break.
Fix: Add some SPL magic to remove the previous key details
Detections: https://research.splunk.com/cloud/e3adc0d3-9e4b-4b5d-b662-12cec1adff2a/
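As an added worked example (not the detections' own SPL or any code from this PR), the coalesce/mvfilter/values() fixes from Updates 2 to 5 re-implemented in Python over two constructed Azure AD audit events: one where a human admin acts, and one where a service principal adds a member and no src_ip was logged. Field names mirror the flattened Splunk names quoted above; the account names and IP are constructed sample values.

```python
"""Added example (not the detection's own SPL): the coalesce()/mvfilter()/values()
fixes from Updates 2-5 re-implemented in Python over constructed Azure AD audit
events. Field names mirror the flattened Splunk names quoted in the thread."""
from collections import defaultdict

EVENTS = [
    # Human admin adds a member: initiatedBy.user and user are both populated.
    {"initiatedBy.user.userPrincipalName": "admin@example.test", "src_user": None,
     "user": "alice@example.test", "src_ip": "203.0.113.10",
     "targetResources{}.displayName": ["null", "Global Admins"]},
    # Service principal adds a member: no initiatedBy.user (only src_user), no user
    # field, target only in targetResources, and no src_ip logged (Update 5 gap).
    {"initiatedBy.user.userPrincipalName": None, "src_user": "automation-sp",
     "user": None, "src_ip": None,
     "targetResources{}.displayName": ["svc-backup", "null"]},
]


def coalesce(*values):
    """SPL coalesce(): the first argument that is not null."""
    return next((v for v in values if v is not None), None)


def mvfilter_not_null(values):
    """mvfilter('field'!="null"): drop the literal string "null" from a multivalue."""
    return [v for v in (values or []) if v != "null"]


def normalise(event):
    """Updates 2 and 3: fall back to src_user for the actor and to the first
    surviving targetResources displayName for the target."""
    initiated_by = coalesce(event.get("initiatedBy.user.userPrincipalName"),
                            event.get("src_user"))
    targets = mvfilter_not_null(event.get("targetResources{}.displayName"))
    user = coalesce(event.get("user"), targets[0] if targets else None)
    return {"initiatedBy": initiated_by, "user": user, "src_ip": event.get("src_ip")}


def aggregate(events):
    """Update 5: 'stats count values(src_ip) as src_ip by initiatedBy, user'.
    Grouping by src_ip would drop the event with no IP; values() keeps the row."""
    rows = defaultdict(lambda: {"count": 0, "src_ip": set()})
    for e in map(normalise, events):
        row = rows[(e["initiatedBy"], e["user"])]
        row["count"] += 1
        if e["src_ip"] is not None:
            row["src_ip"].add(e["src_ip"])
    return {k: {"count": v["count"], "src_ip": sorted(v["src_ip"])}
            for k, v in rows.items()}
```

Before the fixes, the second event would have produced an empty initiatedBy and user and, when grouped by src_ip, would not have appeared in the alert output at all.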