Merge branch 'develop' into captcha

patel-bhavin · web-flow · commit 4a58ea160509 · 2025-05-20T09:59:03.000-07:00
diff --git a/contentctl.yml b/contentctl.yml
@@ -101,9 +101,9 @@ apps:
 - uid: 5466
   title: TA for Zeek
   appid: SPLUNK_TA_FOR_ZEEK
-  version: 1.0.9
+  version: 1.0.10
   description: description of app
-  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ta-for-zeek_109.tgz
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/ta-for-zeek_1010.tgz
 - uid: 3258
   title: Splunk Add-on for NGINX
   appid: SPLUNK_ADD_ON_FOR_NGINX
diff --git a/data_sources/bro_conn.yml b/data_sources/bro_conn.yml
@@ -15,4 +15,4 @@ sourcetype: bro:conn:json
 supported_TA:
 - name: TA for Zeek
   url: https://splunkbase.splunk.com/app/5466
-  version: 1.0.9
+  version: 1.0.10
diff --git a/data_sources/bro_dns.yml b/data_sources/bro_dns.yml
@@ -16,4 +16,4 @@ sourcetype: bro:dns:json
 supported_TA:
 - name: TA for Zeek
   url: https://splunkbase.splunk.com/app/5466
-  version: 1.0.9
+  version: 1.0.10
diff --git a/data_sources/bro_files.yml b/data_sources/bro_files.yml
@@ -17,4 +17,4 @@ sourcetype: bro:files:json
 supported_TA:
 - name: TA for Zeek
   url: https://splunkbase.splunk.com/app/5466
-  version: 1.0.9
+  version: 1.0.10
diff --git a/data_sources/bro_http.yml b/data_sources/bro_http.yml
@@ -16,4 +16,4 @@ sourcetype: bro:http:json
 supported_TA:
 - name: TA for Zeek
   url: https://splunkbase.splunk.com/app/5466
-  version: 1.0.9
+  version: 1.0.10
diff --git a/data_sources/bro_loaded_scripts.yml b/data_sources/bro_loaded_scripts.yml
@@ -15,4 +15,4 @@ sourcetype: bro:loaded_scripts:json
 supported_TA:
 - name: TA for Zeek
   url: https://splunkbase.splunk.com/app/5466
-  version: 1.0.9
+  version: 1.0.10
diff --git a/data_sources/bro_ntp.yml b/data_sources/bro_ntp.yml
@@ -15,4 +15,4 @@ sourcetype: bro:ntp:json
 supported_TA:
 - name: TA for Zeek
   url: https://splunkbase.splunk.com/app/5466
-  version: 1.0.9
+  version: 1.0.10
diff --git a/data_sources/bro_ocsp.yml b/data_sources/bro_ocsp.yml
@@ -16,4 +16,4 @@ sourcetype: bro:ocsp:json
 supported_TA:
 - name: TA for Zeek
   url: https://splunkbase.splunk.com/app/5466
-  version: 1.0.9
+  version: 1.0.10
diff --git a/data_sources/bro_ssl.yml b/data_sources/bro_ssl.yml
@@ -16,4 +16,4 @@ sourcetype: bro:ssl:json
 supported_TA:
 - name: TA for Zeek
   url: https://splunkbase.splunk.com/app/5466
-  version: 1.0.9
+  version: 1.0.10
diff --git a/data_sources/bro_weird.yml b/data_sources/bro_weird.yml
@@ -16,4 +16,4 @@ sourcetype: bro:weird:json
 supported_TA:
 - name: TA for Zeek
   url: https://splunkbase.splunk.com/app/5466
-  version: 1.0.9
+  version: 1.0.10
diff --git a/data_sources/bro_x509.yml b/data_sources/bro_x509.yml
@@ -16,4 +16,4 @@ sourcetype: bro:x509:json
 supported_TA:
 - name: TA for Zeek
   url: https://splunkbase.splunk.com/app/5466
-  version: 1.0.9
+  version: 1.0.10
diff --git a/data_sources/zeek_conn.yml b/data_sources/zeek_conn.yml
@@ -9,7 +9,7 @@ sourcetype: bro:conn:json
 supported_TA:
 - name: TA for Zeek
   url: https://splunkbase.splunk.com/app/5466
-  version: 1.0.9
+  version: 1.0.10
 fields:
 - action
 - bytes
diff --git a/detections/endpoint/ping_sleep_batch_command.yml b/detections/endpoint/ping_sleep_batch_command.yml
@@ -1,11 +1,12 @@
 name: Ping Sleep Batch Command
 id: ce058d6c-79f2-11ec-b476-acde48001122
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-05-19'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic identifies the execution of ping sleep batch commands.
+description: |
+  The following analytic identifies the execution of ping sleep batch commands.
   It leverages data from Endpoint Detection and Response (EDR) agents, focusing on
   process and parent process command-line details. This activity is significant as
   it indicates an attempt to delay malicious code execution, potentially evading detection
@@ -17,9 +18,21 @@ data_source:
 - Sysmon EventID 1
 - CrowdStrike ProcessRollup2
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
-  as lastTime from datamodel=Endpoint.Processes where `process_ping` (Processes.parent_process
-  = "*ping*" Processes.parent_process = *-n* Processes.parent_process="* Nul*"Processes.parent_process="*&gt;*")
-  OR (Processes.process = "*ping*" Processes.process = *-n* Processes.process="* Nul*"Processes.process="*&gt;*")
+  as lastTime from datamodel=Endpoint.Processes where 
+      (
+      Processes.parent_process= "*ping*" 
+      Processes.parent_process = *-n* 
+      Processes.parent_process="* Nul*"
+      Processes.parent_process IN ("*&gt;*", "*>*")
+      Processes.parent_process IN ("*&amp;*", "*& *")
+      )
+    OR (
+      Processes.process = "*ping*"
+      Processes.process = *-n* 
+      Processes.process="* Nul*" 
+      Processes.process IN ("*&gt;*", "*>*")
+      Processes.process IN ("*&amp;*", "*& *")
+      )
   by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
   Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
diff --git a/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml b/detections/endpoint/schtasks_scheduling_job_on_remote_system.yml
@@ -1,7 +1,7 @@
 name: Schtasks scheduling job on remote system
 id: 1297fb80-f42a-4b4a-9c8a-88c066237cf6
-version: 14
-date: '2025-05-02'
+version: 15
+date: '2025-05-19'
 author: David Dorsey, Mauricio Velazco, Splunk
 status: production
 type: TTP
@@ -20,7 +20,7 @@ data_source:
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = schtasks.exe
   OR Processes.original_file_name=schtasks.exe) (Processes.process="*/create*" AND
-  Processes.process="*/s*") by Processes.action Processes.dest Processes.original_file_name
+  Processes.process="*/s *") by Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
   Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
   Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
diff --git a/detections/endpoint/windows_msiexec_dllregisterserver.yml b/detections/endpoint/windows_msiexec_dllregisterserver.yml
@@ -1,7 +1,7 @@
 name: Windows MSIExec DLLRegisterServer
 id: fdb59aef-d88f-4909-8369-ec2afbd2c398
-version: 9
-date: '2025-05-02'
+version: 10
+date: '2025-05-19'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -21,7 +21,7 @@ data_source:
 search:
   '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where `process_msiexec` Processes.process
-  IN ("*/y*", "*-y*") by Processes.action Processes.dest Processes.original_file_name
+  IN ("* /y*", "* -y*") by Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
   Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
   Processes.process Processes.process_exec Processes.process_guid Processes.process_hash
diff --git a/detections/endpoint/windows_process_commandline_discovery.yml b/detections/endpoint/windows_process_commandline_discovery.yml
@@ -1,7 +1,7 @@
 name: Windows Process Commandline Discovery
 id: 67d2a52e-a7e2-4a5d-ae44-a21212048bc2
-version: 6
-date: '2025-05-02'
+version: 7
+date: '2025-05-19'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
@@ -20,7 +20,7 @@ description: The following analytic detects the use of Windows Management Instru
   further exploitation or lateral movement.
 search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
   as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process=
-  "* process *" Processes.process= "* get commandline *" by Processes.action Processes.dest
+  "* process *" Processes.process= "* get *" Processes.process= "*CommandLine*" by Processes.action Processes.dest
   Processes.original_file_name Processes.parent_process Processes.parent_process_exec
   Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name
   Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid
