From 7fb44fb0b9be584cfe301d4ffadb2bb9bd085c46 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Fri, 17 Jan 2025 15:53:38 -0500
Subject: [PATCH 01/18] Add files via upload
---
 ..._process_executed_from_removable_media.yml | 99 +++++++++++++++++++
 ...tect_usbstor_registry_key_modification.yml | 76 ++++++++++++++
 ..._wpdbbusenum_registry_key_modification.yml | 77 +++++++++++++++
 3 files changed, 252 insertions(+)
 create mode 100644 detections/endpoint/windows_detect_process_executed_from_removable_media.yml
 create mode 100644 detections/endpoint/windows_detect_usbstor_registry_key_modification.yml
 create mode 100644 detections/endpoint/windows_detect_wpdbbusenum_registry_key_modification.yml
diff --git a/detections/endpoint/windows_detect_process_executed_from_removable_media.yml b/detections/endpoint/windows_detect_process_executed_from_removable_media.yml
new file mode 100644
index 0000000000..a7fb8a4d2d
--- /dev/null
+++ b/detections/endpoint/windows_detect_process_executed_from_removable_media.yml
@@ -0,0 +1,99 @@
+name: Windows Detect Process Executed From Removable Media
+id: b483804a-4cc0-49a4-9f00-ac29ba844d08
+version: 1
+date: '2025-01-17'
+author: Steven Dick
+status: production
+type: Anomaly
+description: This analytic is used to identify when a process is executed with a removable media device as it's current drive or run path. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.
+data_source:
+- Windows Security Event ID 4688
+- Sysmon Event ID 1
+- Sysmon Event ID 12
+- Sysmon Event ID 13
+- CrowdStrike ProcessRollup2
+search: '| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_current_directory=* AND NOT Processes.process_current_directory IN ("C:\\*","*\\sysvol\\*") by Processes.dest Processes.user Processes.process_name Processes.parent_process_name Processes.process_current_directory
+| `drop_dm_object_name(Processes)`
+| rex field=process_current_directory "^(?[^\\\]+\\\)"
+| where isnotnull(object_handle)
+| `security_content_ctime(firstTime)`
+| `security_content_ctime(lastTime)`
+| join dest,object_handle
+ [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_value_data="*:\\*" AND Registry.registry_path="*USBSTOR*" AND Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*") by Registry.dest,Registry.registry_value_data,Registry.registry_path
+ | `drop_dm_object_name(Registry)`
+ | eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&"),2),"PROD_","")
+]
+| `windows_detect_process_executed_from_removable_media_filter`'
+how_to_implement: To successfully implement this search, you must ingest endpoint logging that tracks changes to the HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ registry keys as well as Process Execution commands. Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model.
+known_false_positives: Legitimate USB activity will also be detected. Please verify and investigate as appropriate.
+references:
+- https://attack.mitre.org/techniques/T1200/
+- https://www.cisa.gov/news-events/news/using-caution-usb-drives
+- https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/
+drilldown_searches:
+- name: View the detection results for - "$dest$" and "$user$"
+ search: '%original_detection_search% | search dest = "$dest$" and user= "$user$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$" and "$user$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$" , "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: Investigate USB events on $dest$
+ search: '| from datamodel:Endpoint.Processes | search dest=$dest$ process_current_directory=$object_handle$*'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+tags:
+ analytic_story:
+ - Data Protection
+ asset_type: Endpoint
+ confidence: 50
+ impact: 70
+ message: The process [$process_name$] was launched using files on a removable storage device named [$object_name$] by [$user$] on $dest$
+ mitre_attack_id:
+ - T1200
+ - T1025
+ - T1091
+ observable:
+ - name: dest
+ type: Hostname
+ role:
+ - Victim
+ - name: user
+ type: User
+ role:
+ - Victim
+ - name: object_name
+ type: Other
+ role:
+ - Attacker
+ - name: object_handle
+ type: Other
+ role:
+ - Attacker
+ - name: process_name
+ type: Process Name
+ role:
+ - Attacker
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ required_fields:
+ - Processes.dest
+ - Processes.user
+ - Processes.process_name
+ - Processes.parent_process_name
+ - Processes.process_current_directory
+ - Registry.registry_path
+ - Registry.registry_value_name
+ - Registry.dest
+ - Registry.registry_value_data
+ risk_score: 35
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog
\ No newline at end of file
diff --git a/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml b/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml
new file mode 100644
index 0000000000..875086d1de
--- /dev/null
+++ b/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml
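Review bot: The capture group in `| rex field=process_current_directory "^(?[^\\\]+\\\)"` carries no name on the new side, while the very next line does `| where isnotnull(object_handle)` and the `join` keys on `object_handle`, so unless the `<object_handle>` was lost in page rendering the field is never populated and the search silently returns nothing; the line should read `| rex field=process_current_directory "^(?<object_handle>[^\\\]+\\\)"`. The `join dest,object_handle` also pairs a process event with any WPD registry row for the same drive letter anywhere in the search window, so when two devices are assigned the same letter in sequence the `object_name` in the alert can belong to the other device — carrying the registry event's time out of the subsearch and comparing it with `firstTime`, or restricting the subsearch to the same window, would make the attribution defensible. Finally, `Windows Security Event ID 4688` and `CrowdStrike ProcessRollup2` are listed as data sources although the registry half of the join is not satisfied by process telemetry alone, and `Registry.registry_value_name` sits in `required_fields` although the search never reads it; `how_to_implement` should state that both the process and the registry feeds are needed for any result.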
@@ -0,0 +1,76 @@
+name: Windows Detect USBSTOR Registry Key Modification
+id: a345980a-417d-4ed3-9fb4-cac30c9405a0
+version: 1
+date: '2025-01-17'
+author: Steven Dick
+status: production
+type: Anomaly
+description: This analytic is used to identify when a USB removable media device is attached to a Windows host. In this scenario we are querying the Endpoint Registry data model to look for modifications to the HKLM\System\CurrentControlSet\Enum\USBSTOR\ key. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.
+data_source:
+- Sysmon Event ID 12
+- Sysmon Event ID 13
+search: '| tstats `security_content_summariesonly` values(Registry.registry_value_data) as registry_value_data, values(Registry.registry_value_name) as registry_value_name, min(_time) as firstTime, max(_time) as lastTime, count from datamodel=Endpoint.Registry where Registry.registry_path IN ("HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*") AND Registry.registry_value_name ="FriendlyName" by Registry.dest,Registry.registry_value_data,Registry.registry_path
+| `drop_dm_object_name(Registry)`
+| eval object_name = registry_value_data, object_handle = split(mvindex(split(registry_path, "\\"),6),"&"), object_handle = mvindex(mvfilter(NOT len(object_handle)=1),0)
+| `security_content_ctime(firstTime)`
+| `security_content_ctime(lastTime)`
+| `windows_detect_usbstor_registry_key_modification_filter`'
+how_to_implement: To successfully implement this search, you must ingest endpoint logging that tracks changes to the HKLM\System\CurrentControlSet\Enum\USBSTOR\ registry keys. Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model.
+known_false_positives: Legitimate USB activity will also be detected. Please verify and investigate as appropriate.
+references:
+- https://attack.mitre.org/techniques/T1200/
+- https://www.cisa.gov/news-events/news/using-caution-usb-drives
+- https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/
+ drilldown_searches:
+- name: View the detection results for - "$dest$"
+ search: '%original_detection_search% | search dest = "$dets$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+- name: Investigate USB events on $dest$
+ search: '| from datamodel:Endpoint.Registry | search dest=$dest$ registry_path IN ("HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*")'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+tags:
+ analytic_story:
+ - Data Protection
+ asset_type: Endpoint
+ confidence: 50
+ impact: 20
+ message: A removable storage device named [$object_name$] with drive letter [$object_handle$] was attached to $dest$
+ mitre_attack_id:
+ - T1200
+ - T1025
+ - T1091
+ observable:
+ - name: dest
+ type: Hostname
+ role:
+ - Victim
+ - name: object_name
+ type: Other
+ role:
+ - Attacker
+ - name: object_handle
+ type: Other
+ role:
+ - Attacker
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ required_fields:
+ - Registry.registry_path
+ - Registry.registry_value_name
+ - Registry.dest
+ - Registry.registry_value_data
+ risk_score: 10
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog
\ No newline at end of file
diff --git a/detections/endpoint/windows_detect_wpdbbusenum_registry_key_modification.yml b/detections/endpoint/windows_detect_wpdbbusenum_registry_key_modification.yml
new file mode 100644
index 0000000000..3bed16e73e
--- /dev/null
+++ b/detections/endpoint/windows_detect_wpdbbusenum_registry_key_modification.yml
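Review bot: `message` in `tags` calls `$object_handle$` a drive letter, but the `eval` derives `object_handle` from segment 6 of `registry_path` split on `\` (counting `HKLM` as 0, that is the device-instance/serial part of the `USBSTOR` key, with the one-character `&0` suffix filtered out — if I read the split right), and as far as I know nothing under `Enum\USBSTOR` records a drive letter; the text should describe what the field holds, e.g. `with device instance id [$object_handle$]`, otherwise an analyst goes looking for a volume this event does not identify. PATCH 10/18 carries the same wording into `rba.message`, so both places should be changed together. Less important: `values(Registry.registry_value_data) as registry_value_data` aggregates a field that is also in the `by` clause, so it can only ever hold the group's own value and can be dropped from the aggregation.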
@@ -0,0 +1,77 @@
+name: Windows Detect WPDBusEnum Registry Key Modification
+id: 52b48e8b-eb6e-48b0-b8f1-73273f6b134e
+version: 1
+date: '2025-01-17'
+author: Steven Dick
+status: production
+type: Anomaly
+description: This analytic is used to identify when a USB removable media device is attached to a Windows host. In this scenario we are querying the Endpoint Registry data model to look for modifications to the Windows Portable Device keys: HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ . Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.
+data_source:
+- Sysmon Event ID 12
+- Sysmon Event ID 13
+search: '| tstats `security_content_summariesonly` latest(Registry.registry_path) as registry_path, values(Registry.registry_value_name) as registry_value_name, min(_time) as firstTime, max(_time) as lastTime, count from datamodel=Endpoint.Registry where Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*") AND Registry.registry_value_name ="FriendlyName" AND Registry.registry_path="*USBSTOR*" by Registry.dest,Registry.registry_value_data
+| `drop_dm_object_name(Registry)`
+| eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&"),2),"PROD_","")
+| `security_content_ctime(firstTime)`
+| `security_content_ctime(lastTime)`
+| `windows_detect_wpdbusenum_registry_key_modification_filter`'
+how_to_implement: To successfully implement this search, you must ingest endpoint logging that tracks changes to the HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ registry keys. Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model.
+known_false_positives: Legitimate USB activity will also be detected. Please verify and investigate as appropriate.
+references:
+- https://attack.mitre.org/techniques/T1200/
+- https://www.cisa.gov/news-events/news/using-caution-usb-drives
+- https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/
+ drilldown_searches:
+- name: View the detection results for - "$dest$"
+ search: '%original_detection_search% | search dest = "$dets$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: Investigate USB events on $dest$
+ search: '| from datamodel:Endpoint.Registry | search dest=$dest$ registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*")'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+tags:
+ analytic_story:
+ - Data Protection
+ asset_type: Endpoint
+ confidence: 50
+ impact: 20
+ message: A removable storage device named [$object_name$] with drive letter [$object_handle$] was attached to $dest$
+ mitre_attack_id:
+ - T1200
+ - T1025
+ - T1091
+ observable:
+ - name: dest
+ type: Hostname
+ role:
+ - Victim
+ - name: object_name
+ type: Other
+ role:
+ - Attacker
+ - name: object_handle
+ type: Other
+ role:
+ - Attacker
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ required_fields:
+ - Registry.registry_path
+ - Registry.registry_value_name
+ - Registry.dest
+ - Registry.registry_value_data
+ risk_score: 10
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog
\ No newline at end of file
From 9f6d5665f3b3f87ee94ecd2bd2830eed0b6063f0 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Fri, 17 Jan 2025 16:03:04 -0500
Subject: [PATCH 02/18] Update windows_detect_usbstor_registry_key_modification.yml
---
 .../windows_detect_usbstor_registry_key_modification.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml b/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml
index 875086d1de..979b41e244 100644
--- a/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml
+++ b/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml
@@ -23,7 +23,7 @@ references:
 - https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/
 drilldown_searches:
 - name: View the detection results for - "$dest$"
- search: '%original_detection_search% | search dest = "$dets$"'
+ search: '%original_detection_search% | search dest = "$dest$"'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$dest$"
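Review bot: Grouping by `Registry.registry_value_data` (the drive letter) with `latest(Registry.registry_path) as registry_path` folds every device that was assigned that letter during the search window into a single row carrying only the last device's `object_name` and a merged `count`, so an analyst sees one attachment where there may have been several; adding `Registry.registry_path` to the `by` clause, as the USBSTOR detection in this same commit does, keeps one row per device. The `object_name` expression `replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&"),2),"PROD_","")` assumes the key name contains a `??` separator and a `VEN_&PROD_` instance string at a fixed position; when either assumption fails the result is null and `message` renders an empty device name, so a `coalesce(..., registry_path)` fallback would keep the alert readable. `values(Registry.registry_value_name)` is constant because the `where` clause pins it to `FriendlyName`, so it can be dropped from the aggregation.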
@@ -73,4 +73,4 @@ tests:
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
- sourcetype: XmlWinEventLog
\ No newline at end of file
+ sourcetype: XmlWinEventLog
From 475b3dd5bc10ab764f88bd203cc0f20b687ca742 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Fri, 17 Jan 2025 16:03:36 -0500
Subject: [PATCH 03/18] Update windows_detect_wpdbbusenum_registry_key_modification.yml
---
 .../windows_detect_wpdbbusenum_registry_key_modification.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/detections/endpoint/windows_detect_wpdbbusenum_registry_key_modification.yml b/detections/endpoint/windows_detect_wpdbbusenum_registry_key_modification.yml
index 3bed16e73e..6c4df0e9af 100644
--- a/detections/endpoint/windows_detect_wpdbbusenum_registry_key_modification.yml
+++ b/detections/endpoint/windows_detect_wpdbbusenum_registry_key_modification.yml
@@ -23,7 +23,7 @@ references:
 - https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/
 drilldown_searches:
 - name: View the detection results for - "$dest$"
- search: '%original_detection_search% | search dest = "$dets$"'
+ search: '%original_detection_search% | search dest = "$dest$"'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
 - name: View risk events for the last 7 days for - "$dest$"
@@ -74,4 +74,4 @@ tests:
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
- sourcetype: XmlWinEventLog
\ No newline at end of file
+ sourcetype: XmlWinEventLog
From e38d6e01bab580f9d929a70ebbbe87f32697a87a Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Fri, 17 Jan 2025 16:08:59 -0500
Subject: [PATCH 04/18] Update windows_detect_usbstor_registry_key_modification.yml
---
 .../windows_detect_usbstor_registry_key_modification.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml b/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml
index 979b41e244..5d079bcfcf 100644
--- a/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml
+++ b/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml
@@ -21,7 +21,7 @@ references:
 - https://attack.mitre.org/techniques/T1200/
 - https://www.cisa.gov/news-events/news/using-caution-usb-drives
 - https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/
- drilldown_searches:
+drilldown_searches:
 - name: View the detection results for - "$dest$"
 search: '%original_detection_search% | search dest = "$dest$"'
 earliest_offset: $info_min_time$
From d800ce420267d9e101cf1b6752b57826bb5cbff6 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Fri, 17 Jan 2025 16:09:20 -0500
Subject: [PATCH 05/18] Update windows_detect_wpdbbusenum_registry_key_modification.yml
---
 .../windows_detect_wpdbbusenum_registry_key_modification.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detections/endpoint/windows_detect_wpdbbusenum_registry_key_modification.yml b/detections/endpoint/windows_detect_wpdbbusenum_registry_key_modification.yml
index 6c4df0e9af..50935663e0 100644
--- a/detections/endpoint/windows_detect_wpdbbusenum_registry_key_modification.yml
+++ b/detections/endpoint/windows_detect_wpdbbusenum_registry_key_modification.yml
@@ -21,7 +21,7 @@ references:
 - https://attack.mitre.org/techniques/T1200/
 - https://www.cisa.gov/news-events/news/using-caution-usb-drives
 - https://www.bleepingcomputer.com/news/security/fbi-hackers-use-badusb-to-target-defense-firms-with-ransomware/
- drilldown_searches:
+drilldown_searches:
 - name: View the detection results for - "$dest$"
 search: '%original_detection_search% | search dest = "$dest$"'
 earliest_offset: $info_min_time$
From d51e7e13dc2724aa4ec0614847b1fc016ec8e01f Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Fri, 17 Jan 2025 16:15:08 -0500
Subject: [PATCH 06/18] Update windows_detect_wpdbbusenum_registry_key_modification.yml
---
 .../windows_detect_wpdbbusenum_registry_key_modification.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detections/endpoint/windows_detect_wpdbbusenum_registry_key_modification.yml b/detections/endpoint/windows_detect_wpdbbusenum_registry_key_modification.yml
index 50935663e0..f2a5f771cb 100644
--- a/detections/endpoint/windows_detect_wpdbbusenum_registry_key_modification.yml
+++ b/detections/endpoint/windows_detect_wpdbbusenum_registry_key_modification.yml
@@ -5,7 +5,7 @@ date: '2025-01-17'
 author: Steven Dick
 status: production
 type: Anomaly
-description: This analytic is used to identify when a USB removable media device is attached to a Windows host. In this scenario we are querying the Endpoint Registry data model to look for modifications to the Windows Portable Device keys: HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ . Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.
+description: This analytic is used to identify when a USB removable media device is attached to a Windows host. In this scenario we are querying the Endpoint Registry data model to look for modifications to the Windows Portable Device keys HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ . Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration.
 data_source:
 - Sysmon Event ID 12
 - Sysmon Event ID 13
From 4279cc47db6d67c2b6eb216b50bfa8c37b9f1320 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Fri, 17 Jan 2025 16:38:20 -0500
Subject: [PATCH 07/18] Update and rename windows_detect_wpdbbusenum_registry_key_modification.yml to windows_detect_wpdbusenum_registry_key_modification.yml
---
 ...ml => windows_detect_wpdbusenum_registry_key_modification.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename detections/endpoint/{windows_detect_wpdbbusenum_registry_key_modification.yml => windows_detect_wpdbusenum_registry_key_modification.yml} (100%)
diff --git a/detections/endpoint/windows_detect_wpdbbusenum_registry_key_modification.yml b/detections/endpoint/windows_detect_wpdbusenum_registry_key_modification.yml
similarity index 100%
rename from detections/endpoint/windows_detect_wpdbbusenum_registry_key_modification.yml
rename to detections/endpoint/windows_detect_wpdbusenum_registry_key_modification.yml
From 9998dc9cbd8c6b2537afcb395514cbabacfe8691 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Fri, 17 Jan 2025 16:42:53 -0500
Subject: [PATCH 08/18] Update windows_detect_usbstor_registry_key_modification.yml
---
 .../windows_detect_usbstor_registry_key_modification.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml b/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml
index 5d079bcfcf..719c2eeee5 100644
--- a/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml
+++ b/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml
@@ -29,6 +29,7 @@ drilldown_searches:
 - name: View risk events for the last 7 days for - "$dest$"
 search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
 - name: Investigate USB events on $dest$
 search: '| from datamodel:Endpoint.Registry | search dest=$dest$ registry_path IN ("HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*")'
 earliest_offset: $info_min_time$
From 7d84fa2fcb270778676bda0d75c83f11b45d86b2 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Fri, 31 Jan 2025 11:59:24 -0500
Subject: [PATCH 09/18] Update windows_detect_process_executed_from_removable_media.yml
---
 ..._process_executed_from_removable_media.yml | 53 ++++++------------
 1 file changed, 17 insertions(+), 36 deletions(-)
diff --git a/detections/endpoint/windows_detect_process_executed_from_removable_media.yml b/detections/endpoint/windows_detect_process_executed_from_removable_media.yml
index a7fb8a4d2d..ffe632d778 100644
--- a/detections/endpoint/windows_detect_process_executed_from_removable_media.yml
+++ b/detections/endpoint/windows_detect_process_executed_from_removable_media.yml
@@ -43,57 +43,38 @@ drilldown_searches:
 search: '| from datamodel:Endpoint.Processes | search dest=$dest$ process_current_directory=$object_handle$*'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: The process [$process_name$] was launched using files on a removable storage device named [$object_name$] by [$user$] on $dest$
+ risk_objects:
+ - field: user
+ type: user
+ score: 35
+ - field: dest
+ type: system
+ score: 35
+ threat_objects:
+ - field: process_name
+ type: process_name
+ - field: object_name
+ type: registry_value_name
+ - field: object_handle
+ type: registry_value_text
 tags:
 analytic_story:
 - Data Protection
 asset_type: Endpoint
- confidence: 50
- impact: 70
- message: The process [$process_name$] was launched using files on a removable storage device named [$object_name$] by [$user$] on $dest$
 mitre_attack_id:
 - T1200
 - T1025
 - T1091
- observable:
- - name: dest
- type: Hostname
- role:
- - Victim
- - name: user
- type: User
- role:
- - Victim
- - name: object_name
- type: Other
- role:
- - Attacker
- - name: object_handle
- type: Other
- role:
- - Attacker
- - name: process_name
- type: Process Name
- role:
- - Attacker
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- required_fields:
- - Processes.dest
- - Processes.user
- - Processes.process_name
- - Processes.parent_process_name
- - Processes.process_current_directory
- - Registry.registry_path
- - Registry.registry_value_name
- - Registry.dest
- - Registry.registry_value_data
- risk_score: 35
 security_domain: endpoint
 tests:
 - name: True Positive Test
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1200/sysmon_usb_use_execution/sysmon_usb_use_execution.log
 source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
- sourcetype: XmlWinEventLog
\ No newline at end of file
+ sourcetype: XmlWinEventLog
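Review bot: In the new `threat_objects`, `object_handle` is typed `registry_value_text`, but in this detection it is the drive-letter prefix the `rex` extracts from `process_current_directory` on the process side (the registry subsearch only confirms it through the `join`), and `object_name` is typed `registry_value_name` although it is a substring cut out of `registry_path`, not a value name. If the rba schema offers a type that describes a path or a generic identifier, that would correlate these fields more honestly with other detections; if it does not, a one-line comment above `threat_objects:` stating where each field actually comes from, such as `# object_handle is the drive-letter prefix of process_current_directory; object_name is parsed from the WPD registry key name`, would save the next maintainer from reading the SPL to find out.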
From 3f78124ad056d813fae4336904d239664b234e75 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Fri, 31 Jan 2025 12:01:19 -0500
Subject: [PATCH 10/18] Update windows_detect_usbstor_registry_key_modification.yml
---
 ...tect_usbstor_registry_key_modification.yml | 33 +++++++------------
 1 file changed, 11 insertions(+), 22 deletions(-)
diff --git a/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml b/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml
index 719c2eeee5..441318a149 100644
--- a/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml
+++ b/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml
@@ -34,40 +34,29 @@ drilldown_searches:
 search: '| from datamodel:Endpoint.Registry | search dest=$dest$ registry_path IN ("HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*")'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+rba:
+ message: A removable storage device named [$object_name$] with drive letter [$object_handle$] was attached to $dest$
+ risk_objects:
+ - field: dest
+ type: system
+ score: 10
+ threat_objects:
+ - field: object_name
+ type: registry_value_name
+ - field: object_handle
+ type: registry_value_text
 tags:
 analytic_story:
 - Data Protection
 asset_type: Endpoint
- confidence: 50
- impact: 20
- message: A removable storage device named [$object_name$] with drive letter [$object_handle$] was attached to $dest$
 mitre_attack_id:
 - T1200
 - T1025
 - T1091
- observable:
- - name: dest
- type: Hostname
- role:
- - Victim
- - name: object_name
- type: Other
- role:
- - Attacker
- - name: object_handle
- type: Other
- role:
- - Attacker
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- required_fields:
- - Registry.registry_path
- - Registry.registry_value_name
- - Registry.dest
- - Registry.registry_value_data
- risk_score: 10
 security_domain: endpoint
 tests:
 - name: True Positive Test
From 3175bad68501e93a5a40943e036af0c872949e45 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Fri, 31 Jan 2025 12:02:59 -0500
Subject: [PATCH 11/18] Update windows_detect_wpdbusenum_registry_key_modification.yml
---
 ...t_wpdbusenum_registry_key_modification.yml | 33 +++++++------------
 1 file changed, 11 insertions(+), 22 deletions(-)
diff --git a/detections/endpoint/windows_detect_wpdbusenum_registry_key_modification.yml b/detections/endpoint/windows_detect_wpdbusenum_registry_key_modification.yml
index f2a5f771cb..57f9d2ea00 100644
--- a/detections/endpoint/windows_detect_wpdbusenum_registry_key_modification.yml
+++ b/detections/endpoint/windows_detect_wpdbusenum_registry_key_modification.yml
@@ -34,40 +34,29 @@ drilldown_searches: search: '| from datamodel:Endpoint.Registry | search dest=$dest$ registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*")' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +rba: + message: A removable storage device named [$object_name$] with drive letter [$object_handle$] was attached to $dest$ + risk_objects: + - field: dest + type: system + score: 10 + threat_objects: + - field: object_name + type: registry_value_name + - field: object_handle + type: registry_value_text tags: analytic_story: - Data Protection asset_type: Endpoint - confidence: 50 - impact: 20 - message: A removable storage device named [$object_name$] with drive letter [$object_handle$] was attached to $dest$ mitre_attack_id: - T1200 - T1025 - T1091 - observable: - - name: dest - type: Hostname - role: - - Victim - - name: object_name - type: Other - role: - - Attacker - - name: object_handle - type: Other - role: - - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - required_fields: - - Registry.registry_path - - Registry.registry_value_name - - Registry.dest - - Registry.registry_value_data - risk_score: 10 security_domain: endpoint tests: - name: True Positive Test From 42107eeea8ee8ff613fb88d83f6d134e9b82637d Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Sun, 2 Feb 2025 12:33:22 -0500 Subject: [PATCH 12/18] Update windows_detect_process_executed_from_removable_media.yml update search yaml for better readability / remove single quote in SPL issues --- ..._process_executed_from_removable_media.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/detections/endpoint/windows_detect_process_executed_from_removable_media.yml b/detections/endpoint/windows_detect_process_executed_from_removable_media.yml index ffe632d778..c2fd9916a8 100644 
--- a/detections/endpoint/windows_detect_process_executed_from_removable_media.yml
+++ b/detections/endpoint/windows_detect_process_executed_from_removable_media.yml
@@ -12,18 +12,19 @@ data_source: - Sysmon Event ID 12 - Sysmon Event ID 13 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_current_directory=* AND NOT Processes.process_current_directory IN ("C:\\*","*\\sysvol\\*") by Processes.dest Processes.user Processes.process_name Processes.parent_process_name Processes.process_current_directory -| `drop_dm_object_name(Processes)` -| rex field=process_current_directory "^(?[^\\\]+\\\)" -| where isnotnull(object_handle) -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| join dest,object_handle +search: |- + | tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_current_directory=* AND NOT Processes.process_current_directory IN ("C:\\*","*\\sysvol\\*") by Processes.dest Processes.user Processes.process_name Processes.parent_process_name Processes.process_current_directory + | `drop_dm_object_name(Processes)` + | rex field=process_current_directory "^(?[^\\\]+\\\)" + | where isnotnull(object_handle) + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | join dest,object_handle [| tstats `security_content_summariesonly` count from datamodel=Endpoint.Registry where Registry.registry_value_data="*:\\*" AND Registry.registry_path="*USBSTOR*" AND Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*") by Registry.dest,Registry.registry_value_data,Registry.registry_path | `drop_dm_object_name(Registry)` | eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&"),2),"PROD_","") -] -| 
`windows_detect_process_executed_from_removable_media_filter`' + ] + | `windows_detect_process_executed_from_removable_media_filter` how_to_implement: To successfully implement this search, you must ingest endpoint logging that tracks changes to the HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ registry keys as well as Process Execution commands. Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model. known_false_positives: Legitimate USB activity will also be detected. Please verify and investigate as appropriate. references: From a51cebbf035cb8d181c698bc51d6c0d101d3e8b3 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Sun, 2 Feb 2025 12:33:46 -0500 Subject: [PATCH 13/18] Update windows_detect_usbstor_registry_key_modification.yml update search yaml for better readability / remove single quote in SPL issues --- ...ows_detect_usbstor_registry_key_modification.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml b/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml index 441318a149..76e0a7d02a 100644 --- a/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml +++ b/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml 
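Review bot: The rex on the new side reads `| rex field=process_current_directory "^(?[^\\\]+\\\)"` with no name on the capture group; if that is the real file content rather than angle brackets lost in rendering, `object_handle` is never created and the following `| where isnotnull(object_handle)` discards every row, so the detection silently never fires. It should read `| rex field=process_current_directory "^(?<object_handle>[^\\\]+\\\)"`, and a unit test asserting at least one result would catch this class of regression. Separately, `| join dest,object_handle [...]` is an inner join on a subsearch whose result and runtime limits can truncate the registry side on busy estates, and nothing ties the registry event's time to the process event's, so a drive letter reassigned to a different device inside the search window is still matched; a sentence in how_to_implement about these limits would help operators size the schedule window.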
@@ -9,12 +9,13 @@ description: This analytic is used to identify when a USB removable media device data_source: - Sysmon Event ID 12 - Sysmon Event ID 13 -search: '| tstats `security_content_summariesonly` values(Registry.registry_value_data) as registry_value_data, values(Registry.registry_value_name) as registry_value_name, min(_time) as firstTime, max(_time) as lastTime, count from datamodel=Endpoint.Registry where Registry.registry_path IN ("HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*") AND Registry.registry_value_name ="FriendlyName" by Registry.dest,Registry.registry_value_data,Registry.registry_path -| `drop_dm_object_name(Registry)` -| eval object_name = registry_value_data, object_handle = split(mvindex(split(registry_path, "\\"),6),"&"), object_handle = mvindex(mvfilter(NOT len(object_handle)=1),0) -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `windows_detect_usbstor_registry_key_modification_filter`' +search: |- + | tstats `security_content_summariesonly` values(Registry.registry_value_data) as registry_value_data, values(Registry.registry_value_name) as registry_value_name, min(_time) as firstTime, max(_time) as lastTime, count from datamodel=Endpoint.Registry where Registry.registry_path IN ("HKLM\\System\\CurrentControlSet\\Enum\\USBSTOR\\*") AND Registry.registry_value_name ="FriendlyName" by Registry.dest,Registry.registry_value_data,Registry.registry_path + | `drop_dm_object_name(Registry)` + | eval object_name = registry_value_data, object_handle = split(mvindex(split(registry_path, "\\"),6),"&"), object_handle = mvindex(mvfilter(NOT len(object_handle)=1),0) + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_detect_usbstor_registry_key_modification_filter` how_to_implement: To successfully implement this search, you must ingest endpoint logging that tracks changes to the HKLM\System\CurrentControlSet\Enum\USBSTOR\ registry keys. 
Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model.
 known_false_positives: Legitimate USB activity will also be detected. Please verify and investigate as appropriate.
 references:

From 315c7782ed96e14b519fc042086c76dd126e02d3 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Sun, 2 Feb 2025 12:34:10 -0500
Subject: [PATCH 14/18] Update windows_detect_wpdbusenum_registry_key_modification.yml

update search yaml for better readability / remove single quote in SPL issues
---
 ..._detect_wpdbusenum_registry_key_modification.yml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/detections/endpoint/windows_detect_wpdbusenum_registry_key_modification.yml b/detections/endpoint/windows_detect_wpdbusenum_registry_key_modification.yml
index 57f9d2ea00..70cec09eef 100644
--- a/detections/endpoint/windows_detect_wpdbusenum_registry_key_modification.yml
+++ b/detections/endpoint/windows_detect_wpdbusenum_registry_key_modification.yml
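Review bot: In the new `search` block the `by` clause groups on `Registry.registry_value_data` while the same field is also aggregated as `values(Registry.registry_value_data) as registry_value_data`, which is redundant; either the `values()` wrapper can go or the field can leave the `by` clause, depending on whether one row per device path or per FriendlyName is wanted. The `object_handle` derivation `mvindex(split(registry_path, "\\"),6)` followed by `mvfilter(NOT len(object_handle)=1)` yields the USB device instance/serial segment, which is not obvious from the field name; a sentence in how_to_implement such as "object_name is the device FriendlyName and object_handle is the device instance id parsed from the USBSTOR key path" would make triage and the rba message easier to keep consistent.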
@@ -9,12 +9,13 @@ description: This analytic is used to identify when a USB removable media device data_source: - Sysmon Event ID 12 - Sysmon Event ID 13 -search: '| tstats `security_content_summariesonly` latest(Registry.registry_path) as registry_path, values(Registry.registry_value_name) as registry_value_name, min(_time) as firstTime, max(_time) as lastTime, count from datamodel=Endpoint.Registry where Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*") AND Registry.registry_value_name ="FriendlyName" AND Registry.registry_path="*USBSTOR*" by Registry.dest,Registry.registry_value_data -| `drop_dm_object_name(Registry)` -| eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&"),2),"PROD_","") -| `security_content_ctime(firstTime)` -| `security_content_ctime(lastTime)` -| `windows_detect_wpdbusenum_registry_key_modification_filter`' +search: |- + | tstats `security_content_summariesonly` latest(Registry.registry_path) as registry_path, values(Registry.registry_value_name) as registry_value_name, min(_time) as firstTime, max(_time) as lastTime, count from datamodel=Endpoint.Registry where Registry.registry_path IN ("HKLM\\SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices\\*","HKLM\\System\\CurrentControlSet\\Enum\\SWD\\WPDBUSENUM\\*") AND Registry.registry_value_name ="FriendlyName" AND Registry.registry_path="*USBSTOR*" by Registry.dest,Registry.registry_value_data + | `drop_dm_object_name(Registry)` + | eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&"),2),"PROD_","") + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_detect_wpdbusenum_registry_key_modification_filter` how_to_implement: To successfully implement this search, you must ingest endpoint logging that tracks changes to the 
HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ registry keys. Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model.
 known_false_positives: Legitimate USB activity will also be detected. Please verify and investigate as appropriate.
 references:

From 68d85a24e6d688a8889d2d20065698ce6febf907 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Wed, 12 Feb 2025 08:03:17 -0500
Subject: [PATCH 15/18] Update windows_detect_process_executed_from_removable_media.yml

---
 ...ndows_detect_process_executed_from_removable_media.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/detections/endpoint/windows_detect_process_executed_from_removable_media.yml b/detections/endpoint/windows_detect_process_executed_from_removable_media.yml
index c2fd9916a8..6e3b66300b 100644
--- a/detections/endpoint/windows_detect_process_executed_from_removable_media.yml
+++ b/detections/endpoint/windows_detect_process_executed_from_removable_media.yml
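Review bot: `replace(..., "PROD_", "")` in the new `eval` is a regex replace and is case-sensitive, while the preceding `split(..., "??")` and `split(..., "&")` already assume the `??`- and `&`-delimited WPDBUSENUM device-instance layout; if a source logs the token as `Prod_`, the prefix survives into `object_name`. `replace(..., "(?i)PROD_", "")` removes that dependency. Also, because the stats groups by `Registry.registry_value_data` (the drive letter) but keeps only `latest(Registry.registry_path)`, two devices that used the same letter inside the window collapse into one row named after the most recent device; worth stating in known_false_positives, or grouping by path as well if per-device rows are wanted.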
@@ -1,11 +1,11 @@ -name: Windows Detect Process Executed From Removable Media +name: Windows Process Executed From Removable Media id: b483804a-4cc0-49a4-9f00-ac29ba844d08 version: 1 date: '2025-01-17' author: Steven Dick status: production type: Anomaly -description: This analytic is used to identify when a process is executed with a removable media device as it's current drive or run path. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration. +description: This analytic is used to identify when a removable media device is attached to a machine and then a process is executed from the same drive letter assigned to the removable media device. Adversaries and Insider Threats may use removable media devices for several malicious activities, including initial access, execution, and exfiltration. data_source: - Windows Security Event ID 4688 - Sysmon Event ID 1 
@@ -24,8 +24,8 @@ search: |- | `drop_dm_object_name(Registry)` | eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&"),2),"PROD_","") ] - | `windows_detect_process_executed_from_removable_media_filter` -how_to_implement: To successfully implement this search, you must ingest endpoint logging that tracks changes to the HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ registry keys as well as Process Execution commands. Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model. + | `windows_process_executed_from_removable_media_filter` +how_to_implement: To successfully implement this search, you must ingest endpoint logging that tracks changes to the HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ registry keys as well as Process Execution commands. Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model. This analytic joins the Process and Registry datamodels together based on the drive letter extract to the "object_handle" field from both datasets. known_false_positives: Legitimate USB activity will also be detected. Please verify and investigate as appropriate. references: - https://attack.mitre.org/techniques/T1200/ From 27c097d5de2f6c6871f1d78d0a78d574c050178a Mon Sep 17 00:00:00 2001 
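Review bot: The filter macro is renamed to `windows_process_executed_from_removable_media_filter`, but this commit touches only the detection file (1 file changed), so if the macro is defined in a separate macros file it presumably still carries the old `windows_detect_process_executed_from_removable_media_filter` name and the search will fail to resolve until that definition is renamed too; PATCH 17 and PATCH 18 rename `windows_usbstor_registry_key_modification_filter` and `windows_wpdbusenum_registry_key_modification_filter` the same way and have the same gap. The added how_to_implement sentence also has a wording slip; suggest `This analytic joins the Process and Registry datamodels together based on the drive letter extracted into the "object_handle" field from both datasets.`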
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Wed, 12 Feb 2025 08:07:45 -0500
Subject: [PATCH 16/18] Update and rename windows_detect_process_executed_from_removable_media.yml to windows_process_executed_from_removable_media.yml

---
 ...edia.yml => windows_process_executed_from_removable_media.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename detections/endpoint/{windows_detect_process_executed_from_removable_media.yml => windows_process_executed_from_removable_media.yml} (100%)

diff --git a/detections/endpoint/windows_detect_process_executed_from_removable_media.yml b/detections/endpoint/windows_process_executed_from_removable_media.yml
similarity index 100%
rename from detections/endpoint/windows_detect_process_executed_from_removable_media.yml
rename to detections/endpoint/windows_process_executed_from_removable_media.yml

From 90865c04a3a9bae875346e36cdb8c5454cdc5bf5 Mon Sep 17 00:00:00 2001
From: Steven Dick <38897662+nterl0k@users.noreply.github.com>
Date: Wed, 12 Feb 2025 08:08:19 -0500
Subject: [PATCH 17/18] Update and rename windows_detect_usbstor_registry_key_modification.yml to windows_usbstor_registry_key_modification.yml

---
 ...tion.yml => windows_usbstor_registry_key_modification.yml} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 rename detections/endpoint/{windows_detect_usbstor_registry_key_modification.yml => windows_usbstor_registry_key_modification.yml} (95%)

diff --git a/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml b/detections/endpoint/windows_usbstor_registry_key_modification.yml
similarity index 95%
rename from detections/endpoint/windows_detect_usbstor_registry_key_modification.yml
rename to detections/endpoint/windows_usbstor_registry_key_modification.yml
index 76e0a7d02a..4ae1abf576 100644
--- a/detections/endpoint/windows_detect_usbstor_registry_key_modification.yml
+++ b/detections/endpoint/windows_usbstor_registry_key_modification.yml
@@ -1,4 +1,4 @@ -name: Windows Detect USBSTOR Registry Key Modification +name: Windows USBSTOR Registry Key Modification id: a345980a-417d-4ed3-9fb4-cac30c9405a0 version: 1 date: '2025-01-17' @@ -15,7 +15,7 @@ search: |- | eval object_name = registry_value_data, object_handle = split(mvindex(split(registry_path, "\\"),6),"&"), object_handle = mvindex(mvfilter(NOT len(object_handle)=1),0) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_detect_usbstor_registry_key_modification_filter` + | `windows_usbstor_registry_key_modification_filter` how_to_implement: To successfully implement this search, you must ingest endpoint logging that tracks changes to the HKLM\System\CurrentControlSet\Enum\USBSTOR\ registry keys. Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model. known_false_positives: Legitimate USB activity will also be detected. Please verify and investigate as appropriate. references: From 370db3a337885a4f97aeccad2d1d679f47082325 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Wed, 12 Feb 2025 08:08:54 -0500 Subject: [PATCH 18/18] Update and rename windows_detect_wpdbusenum_registry_key_modification.yml to windows_wpdbusenum_registry_key_modification.yml --- ...n.yml => windows_wpdbusenum_registry_key_modification.yml} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename detections/endpoint/{windows_detect_wpdbusenum_registry_key_modification.yml => windows_wpdbusenum_registry_key_modification.yml} (95%) diff --git a/detections/endpoint/windows_detect_wpdbusenum_registry_key_modification.yml b/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml similarity index 95% rename from detections/endpoint/windows_detect_wpdbusenum_registry_key_modification.yml rename to detections/endpoint/windows_wpdbusenum_registry_key_modification.yml index 70cec09eef..d87be77ae0 100644 
--- a/detections/endpoint/windows_detect_wpdbusenum_registry_key_modification.yml +++ b/detections/endpoint/windows_wpdbusenum_registry_key_modification.yml @@ -1,4 +1,4 @@ -name: Windows Detect WPDBusEnum Registry Key Modification +name: Windows WPDBusEnum Registry Key Modification id: 52b48e8b-eb6e-48b0-b8f1-73273f6b134e version: 1 date: '2025-01-17' @@ -15,7 +15,7 @@ search: |- | eval object_handle = registry_value_data, object_name = replace(mvindex(split(mvindex(split(registry_path, "??"),1),"&"),2),"PROD_","") | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `windows_detect_wpdbusenum_registry_key_modification_filter` + | `windows_wpdbusenum_registry_key_modification_filter` how_to_implement: To successfully implement this search, you must ingest endpoint logging that tracks changes to the HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\ or HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\ registry keys. Ensure that the field from the event logs is being mapped to the proper fields in the Endpoint.Registry data model. known_false_positives: Legitimate USB activity will also be detected. Please verify and investigate as appropriate. references: