Merge branch 'splunk:develop' into nterl0k-t1059-malicious-powershell…

…-strings

.github/labeler.yml

@@ -22,3 +22,8 @@ Lookups:
 Datasource:
 - changed-files:
   - any-glob-to-any-file: data_sources/*
+
+Baselines:
+  - changed-files:
+    - any-glob-to-any-file: baselines/*
+

.github/workflows/appinspect.yml

@@ -34,7 +34,7 @@ jobs:
           APPINSPECTPASSWORD: "${{ secrets.APPINSPECTPASSWORD }}"
         run: |
           echo $APPINSPECTUSERNAME
-          contentctl inspect --splunk-api-username "$APPINSPECTUSERNAME" --splunk-api-password "$APPINSPECTPASSWORD" --stack_type victoria --enrichments --enable-metadata-validation --suppress-missing-content-exceptions
+          contentctl inspect --splunk-api-username "$APPINSPECTUSERNAME" --splunk-api-password "$APPINSPECTPASSWORD" --enrichments --enable-metadata-validation --suppress-missing-content-exceptions
           echo "done appinspect"
           mkdir -p artifacts/app_inspect_report
           cp -r dist/*.html artifacts/app_inspect_report

README.md

@@ -138,7 +138,7 @@ Please use the [GitHub Issue Tracker](https://github.com/splunk/security_content
 If you have questions or need support, you can:
 
 * Post a question to [Splunk Answers](http://answers.splunk.com)
-* Join the [#security-research](https://splunk-usergroups.slack.com/archives/C1S5BEF38) room in the [Splunk Slack channel](http://splunk-usergroups.slack.com)
+* Join the [#security-research](https://splunkcommunity.slack.com/archives/CDNHXVBGS) channel in the [Splunk Community Slack.](https://splk.it/slack)
 
 ## License
 Copyright 2022 Splunk Inc.

app_template/default/data/ui/views/feedback.xml

@@ -6,8 +6,8 @@
       <html>
         <p5>You can contact the Splunk Threat Research team at<a href = "mailto:[email protected]">[email protected]</a> to send us support requests, bug reports, and questions.
           <br>Specify the request type and the title of any related analytic stories, detections analytics where applicable.</br>
-          You can also find us on the <b>#es-content-updates</b><a href = "http://splunk-usergroups.slack.com/"> Splunk Usergroups Slack channel.</a></p5>
+          You can also find us on the <b>#es-content-updates</b><a href = "https://splk.it/slack/"> Splunk Community Slack channel.</a></p5>
       </html>
     </panel>
   </row>
-</form>
+</form>

data_sources/aws_cloudtrail_consolelogin.yml

@@ -90,13 +90,13 @@ fields:
 - vendor_product
 - vendor_region
 example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "accountId":
-  "140429656527", "accessKeyId": "", "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"},
+  "111111111111", "accessKeyId": "", "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"},
   "eventTime": "2022-10-19T20:33:38Z", "eventSource": "signin.amazonaws.com", "eventName":
   "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "142.254.89.27", "userAgent":
   "Go-http-client/1.1", "errorMessage": "No username found in supplied account", "requestParameters":
   null, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"LoginTo":
   "https://console.aws.amazon.com", "MobileVersion": "No", "MFAUsed": "No"}, "eventID":
   "9fcfb8c3-3fca-48db-85d2-7b107f9d95d0", "readOnly": false, "eventType": "AwsConsoleSignIn",
-  "managementEvent": true, "recipientAccountId": "140429656527", "eventCategory":
+  "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":
   "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
   "clientProvidedHostHeader": "signin.aws.amazon.com"}}'

data_sources/aws_cloudtrail_createvirtualmfadevice.yml

@@ -88,13 +88,13 @@ fields:
 - vendor_product
 - vendor_region
 example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
-  "140429656527", "arn": "arn:aws:iam::140429656527:root", "accountId": "140429656527",
+  "1111111111111111", "arn": "arn:aws:iam::1111111111111111:root", "accountId": "1111111111111111",
   "accessKeyId": "ASIASBMSCQHH2YXNXJBU", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
   {}, "attributes": {"creationDate": "2023-01-30T22:59:36Z", "mfaAuthenticated": "false"}}},
   "eventTime": "2023-01-30T23:02:23Z", "eventSource": "iam.amazonaws.com", "eventName":
   "CreateVirtualMFADevice", "awsRegion": "us-east-1", "sourceIPAddress": "23.93.193.6",
   "userAgent": "AWS Internal", "requestParameters": {"path": "/", "virtualMFADeviceName":
-  "strt_mfa_2"}, "responseElements": {"virtualMFADevice": {"serialNumber": "arn:aws:iam::140429656527:mfa/strt_mfa_2"}},
+  "strt_mfa_2"}, "responseElements": {"virtualMFADevice": {"serialNumber": "arn:aws:iam::1111111111111111:mfa/strt_mfa_2"}},
   "requestID": "2fbe2074-55f8-4ec6-ad32-0b250803cf46", "eventID": "7e1c493d-c3c3-4f4a-ae4f-8cdd38970027",
   "readOnly": false, "eventType": "AwsApiCall", "managementEvent": true, "recipientAccountId":
-  "140429656527", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'
+  "1111111111111111", "eventCategory": "Management", "sessionCredentialFromConsole": "true"}'

data_sources/aws_cloudtrail_describeeventaggregates.yml

@@ -84,7 +84,7 @@ fields:
 - vendor_product
 - vendor_region
 example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "principalId":
-  "140429656527", "arn": "arn:aws:iam::140429656527:root", "accountId": "140429656527",
+  "1111111111111111", "arn": "arn:aws:iam::1111111111111111:root", "accountId": "1111111111111111",
   "accessKeyId": "ASIASBMSCQHHQQ6LB24V", "sessionContext": {"sessionIssuer": {}, "webIdFederationData":
   {}, "attributes": {"creationDate": "2023-01-31T21:58:17Z", "mfaAuthenticated": "true"}}},
   "eventTime": "2023-02-01T02:52:34Z", "eventSource": "health.amazonaws.com", "eventName":
@@ -93,5 +93,5 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "Root", "princip
   "filter": {"eventStatusCodes": ["open", "upcoming"], "startTimes": [{"from": "Jan
   25, 2023 2:54:32 AM"}]}}, "responseElements": null, "requestID": "d6adf050-1d7a-4c25-9d48-0319e33f6f9a",
   "eventID": "201cee69-61ab-4ffb-80b7-bd31e81e0d82", "readOnly": true, "eventType":
-  "AwsApiCall", "managementEvent": true, "recipientAccountId": "140429656527", "eventCategory":
+  "AwsApiCall", "managementEvent": true, "recipientAccountId": "1111111111111111", "eventCategory":
   "Management", "sessionCredentialFromConsole": "true"}'

data_sources/aws_cloudtrail_modifyimageattribute.yml

@@ -101,7 +101,7 @@ example_log: '{"eventVersion": "1.08", "userIdentity": {"type": "AssumedRole", "
   "ec2.amazonaws.com", "eventName": "ModifyImageAttribute", "awsRegion": "us-west-2",
   "sourceIPAddress": "72.135.245.10", "userAgent": "AWS Internal", "requestParameters":
   {"imageId": "ami-06dac31db29508566", "launchPermission": {"add": {"items": [{"userId":
-  "140429656527"}]}}, "attributeType": "launchPermission"}, "responseElements": {"requestId":
+  "1111111111111111"}]}}, "attributeType": "launchPermission"}, "responseElements": {"requestId":
   "84c431ce-6268-4218-aaf8-b4cdc1cd4055", "_return": true}, "requestID": "84c431ce-6268-4218-aaf8-b4cdc1cd4055",
   "eventID": "957e1b12-ea17-4006-aefd-20677ace72b8", "readOnly": false, "eventType":
   "AwsApiCall", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory":

data_sources/kubernetes_audit.yml

@@ -54,7 +54,7 @@ fields:
 - user.username
 - userAgent
 - verb
-example_log: '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"582c31ab-4906-49bb-9ff9-872f980ccb84","stage":"ResponseComplete","requestURI":"/apis/batch/v1/namespaces/test2/jobs?fieldManager=kubectl-create\u0026fieldValidation=Strict","verb":"create","user":{"username":"k8s-test-user","uid":"aws-iam-authenticator:591511147606:AROAYTOGP2RLFHNBOTP5J","groups":["system:authenticated"]},"sourceIPs":["176.95.188.101"],"userAgent":"kubectl/v1.27.2
+example_log: '{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"RequestResponse","auditID":"582c31ab-4906-49bb-9ff9-872f980ccb84","stage":"ResponseComplete","requestURI":"/apis/batch/v1/namespaces/test2/jobs?fieldManager=kubectl-create\u0026fieldValidation=Strict","verb":"create","user":{"username":"k8s-test-user","uid":"aws-iam-authenticator:111111111111:AROAYTXXXXXXHNXXXXX","groups":["system:authenticated"]},"sourceIPs":["176.95.188.101"],"userAgent":"kubectl/v1.27.2
   (darwin/arm64) kubernetes/7f6f68f","objectRef":{"resource":"jobs","namespace":"test2","apiGroup":"batch","apiVersion":"v1"},"responseStatus":{"metadata":{},"status":"Failure","message":"jobs.batch
   is forbidden: User \"k8s-test-user\" cannot create resource \"jobs\" in API group
   \"batch\" in the namespace \"test2\"","reason":"Forbidden","details":{"group":"batch","kind":"jobs"},"code":403},"responseObject":{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"jobs.batch

detections/application/detect_distributed_password_spray_attempts.yml

@@ -1,7 +1,7 @@
 name: Detect Distributed Password Spray Attempts
 id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57
-version: 3
-date: '2025-01-21'
+version: 4
+date: '2025-02-10'
 author: Dean Luxton
 status: production
 type: Hunting
@@ -65,7 +65,6 @@ tags:
   - 90bc2e54-6c84-47a5-9439-0a2a92b4b175
   mitre_attack_id:
   - T1110.003
-  - T1110
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

detections/application/detect_password_spray_attempts.yml

@@ -1,7 +1,7 @@
 name: Detect Password Spray Attempts
 id: 086ab581-8877-42b3-9aee-4a7ecb0923af
-version: 5
-date: '2025-01-21'
+version: 6
+date: '2025-02-10'
 author: Dean Luxton
 status: production
 type: TTP
@@ -83,7 +83,6 @@ tags:
   - 90bc2e54-6c84-47a5-9439-0a2a92b4b175
   mitre_attack_id:
   - T1110.003
-  - T1110
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

detections/application/email_files_written_outside_of_the_outlook_directory.yml

@@ -1,7 +1,7 @@
 name: Email files written outside of the Outlook directory
 id: 8d52cf03-ba25-4101-aa78-07994aed4f74
-version: 6
-date: '2025-01-21'
+version: 7
+date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: experimental
 type: TTP
@@ -44,7 +44,6 @@ tags:
   - Collection and Staging
   asset_type: Endpoint
   mitre_attack_id:
-  - T1114
   - T1114.001
   product:
   - Splunk Enterprise

detections/application/email_servers_sending_high_volume_traffic_to_hosts.yml

@@ -1,7 +1,7 @@
 name: Email servers sending high volume traffic to hosts
 id: 7f5fb3e1-4209-4914-90db-0ec21b556378
-version: 5
-date: '2025-01-21'
+version: 6
+date: '2025-02-10'
 author: Bhavin Patel, Splunk
 status: experimental
 type: Anomaly
@@ -51,7 +51,6 @@ tags:
   - HAFNIUM Group
   asset_type: Endpoint
   mitre_attack_id:
-  - T1114
   - T1114.002
   product:
   - Splunk Enterprise

detections/application/okta_authentication_failed_during_mfa_challenge.yml

@@ -1,7 +1,7 @@
 name: Okta Authentication Failed During MFA Challenge
 id: e2b99e7d-d956-411a-a120-2b14adfdde93
-version: 4
-date: '2025-01-21'
+version: 5
+date: '2025-02-10'
 author: Bhavin Patel, Splunk
 data_source:
 - Okta
@@ -59,10 +59,8 @@ tags:
   - Okta Account Takeover
   asset_type: Okta Tenant
   mitre_attack_id:
-  - T1586
-  - T1586.003
-  - T1078
   - T1078.004
+  - T1586.003
   - T1621
   product:
   - Splunk Enterprise

detections/application/okta_multi_factor_authentication_disabled.yml

@@ -1,7 +1,7 @@
 name: Okta Multi-Factor Authentication Disabled
 id: 7c0348ce-bdf9-45f6-8a57-c18b5976f00a
-version: 5
-date: '2025-01-21'
+version: 6
+date: '2025-02-10'
 author: Mauricio Velazco, Splunk
 data_source:
 - Okta
@@ -57,7 +57,6 @@ tags:
   - Okta Account Takeover
   asset_type: Okta Tenant
   mitre_attack_id:
-  - T1556
   - T1556.006
   product:
   - Splunk Enterprise

detections/application/okta_new_api_token_created.yml

@@ -1,7 +1,7 @@
 name: Okta New API Token Created
 id: c3d22720-35d3-4da4-bd0a-740d37192bd4
-version: 6
-date: '2025-01-21'
+version: 7
+date: '2025-02-10'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -54,7 +54,6 @@ tags:
   - Okta Account Takeover
   asset_type: Okta Tenant
   mitre_attack_id:
-  - T1078
   - T1078.001
   product:
   - Splunk Enterprise

detections/application/okta_new_device_enrolled_on_account.yml

@@ -1,7 +1,7 @@
 name: Okta New Device Enrolled on Account
 id: bb27cbce-d4de-432c-932f-2e206e9130fb
-version: 6
-date: '2025-01-21'
+version: 7
+date: '2025-02-10'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -54,7 +54,6 @@ tags:
   - Okta Account Takeover
   asset_type: Okta Tenant
   mitre_attack_id:
-  - T1098
   - T1098.005
   product:
   - Splunk Enterprise

detections/application/okta_phishing_detection_with_fastpass_origin_check.yml

@@ -1,7 +1,7 @@
 name: Okta Phishing Detection with FastPass Origin Check
 id: f4ca0057-cbf3-44f8-82ea-4e330ee901d3
-version: 4
-date: '2025-01-21'
+version: 5
+date: '2025-02-10'
 author: Okta, Inc, Michael Haag, Splunk
 type: TTP
 status: experimental
@@ -38,7 +38,6 @@ tags:
   - Okta Account Takeover
   asset_type: Infrastructure
   mitre_attack_id:
-  - T1078
   - T1078.001
   - T1556
   product:

detections/application/okta_successful_single_factor_authentication.yml

@@ -1,7 +1,7 @@
 name: Okta Successful Single Factor Authentication
 id: 98f6ad4f-4325-4096-9d69-45dc8e638e82
-version: 4
-date: '2025-01-21'
+version: 5
+date: '2025-02-10'
 author: Bhavin Patel, Splunk
 data_source:
 - Okta
@@ -55,10 +55,8 @@ tags:
   - Okta Account Takeover
   asset_type: Okta Tenant
   mitre_attack_id:
-  - T1586
-  - T1586.003
-  - T1078
   - T1078.004
+  - T1586.003
   - T1621
   product:
   - Splunk Enterprise

detections/application/okta_suspicious_activity_reported.yml

@@ -1,7 +1,7 @@
 name: Okta Suspicious Activity Reported
 id: bfc840f5-c9c6-454c-aa13-b46fd0bf1e79
-version: 5
-date: '2025-01-21'
+version: 6
+date: '2025-02-10'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -55,7 +55,6 @@ tags:
   - Okta Account Takeover
   asset_type: Okta Tenant
   mitre_attack_id:
-  - T1078
   - T1078.001
   product:
   - Splunk Enterprise

detections/application/okta_threatinsight_threat_detected.yml

@@ -1,7 +1,7 @@
 name: Okta ThreatInsight Threat Detected
 id: 140504ae-5fe2-4d65-b2bc-a211813fbca6
-version: 5
-date: '2025-01-21'
+version: 6
+date: '2025-02-10'
 author: Michael Haag, Mauricio Velazco, Splunk
 status: production
 type: Anomaly
@@ -56,7 +56,6 @@ tags:
   - Okta Account Takeover
   asset_type: Infrastructure
   mitre_attack_id:
-  - T1078
   - T1078.004
   product:
   - Splunk Enterprise

detections/application/suspicious_email_attachment_extensions.yml

@@ -1,7 +1,7 @@
 name: Suspicious Email Attachment Extensions
 id: 473bd65f-06ca-4dfe-a2b8-ba04ab4a0084
-version: 6
-date: '2025-01-21'
+version: 7
+date: '2025-02-10'
 author: David Dorsey, Splunk
 status: experimental
 type: Anomaly
@@ -48,7 +48,6 @@ tags:
   asset_type: Endpoint
   mitre_attack_id:
   - T1566.001
-  - T1566
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

detections/application/windows_ad_dangerous_deny_acl_modification.yml

@@ -1,7 +1,7 @@
 name: Windows AD Dangerous Deny ACL Modification
 id: 8e897153-2ebd-4cb2-85d3-09ad57db2fb7
-version: 3
-date: '2025-01-21'
+version: 4
+date: '2025-02-10'
 author: Dean Luxton
 status: production
 type: TTP
@@ -76,9 +76,8 @@ tags:
   - Sneaky Active Directory Persistence Tricks
   asset_type: Endpoint
   mitre_attack_id:
-  - T1484
-  - T1222
   - T1222.001
+  - T1484
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security

detections/application/windows_ad_dangerous_group_acl_modification.yml

@@ -1,7 +1,7 @@
 name: Windows AD Dangerous Group ACL Modification
 id: 59b0fc85-7a0d-4585-97ec-06a382801990
-version: 3
-date: '2025-01-21'
+version: 4
+date: '2025-02-10'
 author: Dean Luxton
 status: production
 type: TTP
@@ -85,9 +85,8 @@ tags:
   - Sneaky Active Directory Persistence Tricks
   asset_type: Endpoint
   mitre_attack_id:
-  - T1484
-  - T1222
   - T1222.001
+  - T1484
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security