From 2b1b3fe2e18178e4269e547ba7df7bc3e5cde8df Mon Sep 17 00:00:00 2001 From: Raven Tait Date: Wed, 29 Apr 2026 13:16:03 -0400 Subject: [PATCH 1/3] Some BlueHammer detections --- .../windows_event_log_security_4723.yml | 116 ++++++++++++++++++ ...ws_admin_password_changed_by_non_admin.yml | 52 ++++++++ .../windows_msmpeng_writing_to_system32.yml | 57 +++++++++ ...tem_process_querying_definition_update.yml | 55 +++++++++ ...s_suspicious_burst_of_password_changes.yml | 66 ++++++++++ ...nder_engine_or_signature_files_created.yml | 53 ++++++++ ..._defender_update_activity_in_inetcache.yml | 54 ++++++++ stories/bluehammer.yml | 22 ++++ stories/redsun.yml | 21 ++++ 9 files changed, 496 insertions(+) create mode 100644 data_sources/windows_event_log_security_4723.yml create mode 100644 detections/endpoint/windows_admin_password_changed_by_non_admin.yml create mode 100644 detections/endpoint/windows_msmpeng_writing_to_system32.yml create mode 100644 detections/endpoint/windows_non_system_process_querying_definition_update.yml create mode 100644 detections/endpoint/windows_suspicious_burst_of_password_changes.yml create mode 100644 detections/endpoint/windows_suspicious_defender_engine_or_signature_files_created.yml create mode 100644 detections/endpoint/windows_suspicious_defender_update_activity_in_inetcache.yml create mode 100644 stories/bluehammer.yml create mode 100644 stories/redsun.yml diff --git a/data_sources/windows_event_log_security_4723.yml b/data_sources/windows_event_log_security_4723.yml new file mode 100644 index 0000000000..d8a83873c7 --- /dev/null +++ b/data_sources/windows_event_log_security_4723.yml @@ -0,0 +1,116 @@ +name: Windows Event Log Security 4723 +id: df19b271-57c8-4f31-817a-6c5566985484 +version: 3 +date: '2026-04-27' +author: Raven Tait, Splunk +description: Logs an event when an attempt is made to change an account's password, + whether successful or not. +mitre_components: +- User Account Modification +source: XmlWinEventLog:Security +sourcetype: XmlWinEventLog +separator: EventCode +separator_value: '4723' +supported_TA: +- name: Splunk Add-on for Microsoft Windows + url: https://splunkbase.splunk.com/app/742 + version: 10.0.1 +fields: +- _time +- Caller_Domain +- Caller_User_Name +- CategoryString +- Channel +- Computer +- Error_Code +- EventCode +- EventData_Xml +- EventID +- EventRecordID +- Guid +- Keywords +- Level +- Logon_ID +- Name +- Opcode +- ProcessID +- RecordNumber +- SubjectDomainName +- SubjectLogonId +- SubjectUserName +- SubjectUserSid +- SystemTime +- System_Props_Xml +- TargetDomainName +- TargetSid +- TargetUserName +- Target_Domain +- Target_User_Name +- Task +- ThreadID +- Version +- action +- app +- change_type +- date_hour +- date_mday +- date_minute +- date_month +- date_second +- date_wday +- date_year +- date_zone +- dest +- dest_nt_domain +- dvc +- dvc_nt_host +- event_id +- eventtype +- host +- id +- index +- linecount +- name +- object +- object_attrs +- object_category +- object_id +- product +- punct +- result +- session_id +- signature +- signature_id +- source +- sourcetype +- splunk_server +- src_nt_domain +- src_user +- src_user_name +- status +- subject +- ta_windows_action +- ta_windows_security_CategoryString +- tag +- tag::eventtype +- timeendpos +- timestartpos +- user +- user_group +- user_name +- vendor +- vendor_product +output_fields: +- dest +example_log: + 472300138240 + 0x8010000000000000 + 781490 + Security + WIN10-21H1.strt.labs + AdministratorWIN10-21H1 + S-1-5-21-1538153195-943065003-848949206-500 + S-1-5-21-1538153195-943065003-848949206-1003bob + WIN10-21H10x61a292 + - diff --git a/detections/endpoint/windows_admin_password_changed_by_non_admin.yml b/detections/endpoint/windows_admin_password_changed_by_non_admin.yml new file mode 100644 index 0000000000..754c83a1be --- /dev/null +++ b/detections/endpoint/windows_admin_password_changed_by_non_admin.yml @@ -0,0 +1,52 @@ +name: Windows Admin Password Changed by Non-Admin +id: 6d4c4d88-cd60-43a1-8c70-c74a9614f724 +version: 1 +date: '2026-04-27' +author: Raven Tait, Splunk +status: production +type: TTP +description: "Following successful exploitation of the BlueHammer Windows Defender privilege escalation, the attacker's process momentarily changes the passwords of high-value local accounts including the built-in Administrator to spawn an authenticated shell session, then immediately reverts the passwords to avoid detection. This uses EventID 4723 to log this activity." +data_source: + - Windows Event Log Security 4723 +search: '`wineventlog_security` EventID="4723" | rex field=_raw "(?[^<]+)<\/Data>" | rex field=_raw "(?[^<]+)<\/Data>" | rex field=_raw "(?[^<]+)<\/Data>" | rex field=_raw "(?[^<]+)<\/Data>" | rex field=_raw "(?[^<]+)<\/Data>" | rex field=_raw "(?[^<]+)<\/Data>" | rex field=TargetSid "-(?\d+)$" | rex field=SubjectUserSid "-(?\d+)$" | where target_rid="500" OR tonumber(target_rid) IN (512,513,518,519,520) | where tonumber(subject_rid) >= 1000 | where SubjectUserSid != TargetSid | rename Computer as dest | stats count by dest, TargetUserName, SubjectUserSid, EventID, SubjectUserName SubjectLogonId, PrivilegeList | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admin_password_changed_by_non_admin_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Some IT support tools or automated scripts may change administrator passwords during maintenance. Verify changes against authorized administrative activities to reduce false alerts. +references: + - https://github.com/Nightmare-Eclipse/BlueHammer +drilldown_searches: + - earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + - earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +rba: + message: Non-Administrator account changed password of Admin account on $dest$. + risk_objects: + - field: dest + type: system + score: 50 + threat_objects: [] +tags: + analytic_story: + - Windows Privilege Escalation + - BlueHammer + asset_type: Endpoint + mitre_attack_id: + - T1068 + - T1543.003 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint + cve: + - CVE-2026-33825 +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/bluehammer/windows-security.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_msmpeng_writing_to_system32.yml b/detections/endpoint/windows_msmpeng_writing_to_system32.yml new file mode 100644 index 0000000000..3ac5cefc63 --- /dev/null +++ b/detections/endpoint/windows_msmpeng_writing_to_system32.yml @@ -0,0 +1,57 @@ +name: Windows MsMpEng Writing to System32 +id: dc615235-1241-411a-b170-b34a4c8924aa +version: 1 +date: '2026-04-27' +author: Raven Tait, Splunk +status: production +type: TTP +description: "Detects MsMpEng.exe creating a file in C:\\Windows\\System32\\ . This should never happen under normal operation Windows Defender does not install kernel drivers at runtime. In the BlueHammer exploit, the TOCTOU race causes MsMpEng (SYSTEM) to write the attacker's driver payload directly into the drivers directory." +data_source: + - Sysmon EventID 15 + - Sysmon EventID 11 +search: '`sysmon` (EventID=15 OR EventID=11) Image="*\\MsMpEng.exe" TargetFilename="C:\\Windows\\System32\\*" | fillnull | stats count by Computer, Image, TargetFilename, EventID, dest, dvc, file_hash, file_name, file_path, action, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user_id, vendor_product| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `windows_msmpeng_writing_to_system32_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Some legitimate system processes or antivirus updates may momentarily create files in the drivers directory during patching or maintenance. Verify with approved update activities before alerting. +references: + - https://github.com/Nightmare-Eclipse/BlueHammer +drilldown_searches: + - earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + - earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +rba: + message: MsMpEng wrote driver to System32 on $dest$. + risk_objects: + - field: dest + type: system + score: 50 + threat_objects: + - field: Image + type: process +tags: + analytic_story: + - Windows Drivers + - Windows Privilege Escalation + - BlueHammer + - RedSun + asset_type: Endpoint + mitre_attack_id: + - T1068 + - T1543.003 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint + cve: + - CVE-2026-33825 +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/bluehammer/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_non_system_process_querying_definition_update.yml b/detections/endpoint/windows_non_system_process_querying_definition_update.yml new file mode 100644 index 0000000000..903fbe4e6c --- /dev/null +++ b/detections/endpoint/windows_non_system_process_querying_definition_update.yml @@ -0,0 +1,55 @@ +name: Windows Non-System Process Querying Definition Update +id: 9d375cfd-c9a5-48ff-b875-9bcaf6b63265 +version: 1 +date: '2026-04-27' +author: Raven Tait, Splunk +status: production +type: Anomaly +description: Detects DNS queries to definitionupdates.microsoft.com or the go.microsoft.com fwlink redirect used for WD update downloads, when the querying process is not a Windows system component. BlueHammer utilizes these definition updates as part of its exploit chain. +data_source: + - Sysmon EventID 22 +search: '`sysmon` EventID="22" QueryName="*definitionupdates.microsoft.com*" NOT (Image IN ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*", "C:\\ProgramData\\Microsoft\\Windows Defender\\*", "C:\\Program Files\\Windows Defender\\*", "C:\\Program Files\\Microsoft Office\\*")) | stats count min(_time) as firstTime max(_time) as lastTime BY answer answer_count dvc Computer process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id vendor_product QueryName QueryResults QueryStatus | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename Computer as dest | `windows_non_system_process_querying_definition_update_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Legitimate third-party applications or security tools may query these update domains for Windows Defender updates. Filter alerts for trusted software and verified update mechanisms. +references: + - https://github.com/Nightmare-Eclipse/BlueHammer +drilldown_searches: + - earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + - earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +rba: + message: Non-System process queried Windows Defender Definition Updates on $dest$. + risk_objects: + - field: dest + type: system + score: 20 + threat_objects: + - field: process_name + type: process +tags: + analytic_story: + - Windows Privilege Escalation + - BlueHammer + - RedSun + asset_type: Endpoint + mitre_attack_id: + - T1068 + - T1071.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint + cve: + - CVE-2026-33825 +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/bluehammer/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_suspicious_burst_of_password_changes.yml b/detections/endpoint/windows_suspicious_burst_of_password_changes.yml new file mode 100644 index 0000000000..41bec043d4 --- /dev/null +++ b/detections/endpoint/windows_suspicious_burst_of_password_changes.yml @@ -0,0 +1,66 @@ +name: Windows Suspicious Burst of Password Changes +id: 0dcfcab9-e936-43bc-8203-005e17dc0744 +version: 1 +date: '2026-04-29' +author: Raven Tait, Splunk +status: production +type: TTP +description: A regular user account performed rapid, repeated password changes across multiple local accounts within a 2-second window. This pattern is consistent with automated credential manipulation tools that cycle account passwords to deny access to defenders or escalate privileges The speed and volume of changes indicates scripted or tooled activity rather than manual administration, as legitimate password resets do not occur at machine speed across multiple accounts simultaneously. +data_source: + - Windows Event Log Security 4723 + - Windows Event Log Security 4724 +search: '`wineventlog_security` EventCode=4723 OR EventCode=4724 + + | eval log_time = strptime(SystemTime, "%Y-%m-%dT%H:%M:%S.%6NZ") | eval log_time = coalesce(log_time, _time) | eval time_bucket = floor(log_time / 2) * 2 | eval SubjectRID = tonumber(replace(SubjectUserSid, ".*-(\d+)$", "\1")) + + | where SubjectRID >= 1000 + + | stats count AS EventsForAccount, min(log_time) AS firstTime, max(log_time) AS lastTime by Computer, TargetUserName, SubjectUserName, time_bucket + + | where EventsForAccount >= 4 + + | eval DurationSecs = round(lastTime - firstTime, 3), DurationSecs = if(DurationSecs = 0, 0.001, DurationSecs), ChangeRatePerSec = round(EventsForAccount / DurationSecs, 2) + + | stats dc(TargetUserName) AS AffectedAccounts, values(TargetUserName) AS Accounts, values(SubjectUserName) AS InitiatingAccounts, sum(EventsForAccount) AS TotalEvents, max(ChangeRatePerSec) AS PeakChangeRatePerSec, min(DurationSecs) AS FastestBurstSecs, min(firstTime) AS firstTime, max(lastTime) AS lastTime by Computer, time_bucket + + | sort - PeakChangeRatePerSec | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_suspicious_burst_of_password_changes_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting EventID 4723 and EventID 4724 events with the Windows TA. +known_false_positives: Service accounts may be responsible for the creation, deletion or modification of accounts for legitimate purposes. Filter as needed. +references: + - https://github.com/Nightmare-Eclipse/BlueHammer +drilldown_searches: + - earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + - earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +rba: + message: Rapid burst of password changes of local accounts by $SubjectUserName$ on $dest$ + risk_objects: + - field: dest + type: system + score: 20 + threat_objects: [] +tags: + analytic_story: + - Windows Privilege Escalation + - BlueHammer + asset_type: Endpoint + mitre_attack_id: + - T1068 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint + cve: + - CVE-2026-33825 +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/bluehammer/windows-security.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_suspicious_defender_engine_or_signature_files_created.yml b/detections/endpoint/windows_suspicious_defender_engine_or_signature_files_created.yml new file mode 100644 index 0000000000..0e02f71f68 --- /dev/null +++ b/detections/endpoint/windows_suspicious_defender_engine_or_signature_files_created.yml @@ -0,0 +1,53 @@ +name: Windows Suspicious Defender Engine or Signature Files Created +id: 42e848eb-1d5f-4ffb-88c2-088c4a6fdfb3 +version: 1 +date: '2026-04-27' +author: Raven Tait, Splunk +status: production +type: Anomaly +description: Detects Windows Defender engine (mpengine.dll) or signature database files (*.vdm) being created by any process that is not a Windows Defender component. BlueHammer extracts these files from the downloaded mpam-fe update package into a UUID-named subdirectory of %TEMP% as part of staging the TOCTOU privilege escalation. +data_source: + - Sysmon EventID 11 +search: '`sysmon` EventID="11" TargetFilename IN ("*mpengine.dll*", "*mpavbase.vdm*", "*mpavdlta.vdm*", "*mpasbase.vdm*", "*mpasdlta.vdm*") NOT (Image IN ("C:\\ProgramData\\Microsoft\\Windows Defender\\*", "C:\\Program Files\\Windows Defender\\*")) | fillnull | stats count by Computer, TargetFilename, Image, EventID, action, file_name, file_path, process_guid, process_id, user, vendor_product | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_suspicious_defender_engine_or_signature_files_created_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Some legitimate software updates or security tools may create Windows Defender engine or signature files in user temp folders during scanning or updating processes. Filter detections for trusted update utilities and system maintenance tasks. +references: + - https://github.com/Nightmare-Eclipse/BlueHammer +drilldown_searches: + - earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + - earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +rba: + message: Defender Engine or Signature files created by Non-Defender Process on $dest$. + risk_objects: + - field: dest + type: system + score: 20 + threat_objects: + - field: Image + type: process +tags: + analytic_story: + - Windows Privilege Escalation + - BlueHammer + asset_type: Endpoint + mitre_attack_id: + - T1068 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint + cve: + - CVE-2026-33825 +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/bluehammer/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_suspicious_defender_update_activity_in_inetcache.yml b/detections/endpoint/windows_suspicious_defender_update_activity_in_inetcache.yml new file mode 100644 index 0000000000..a02c1dfc18 --- /dev/null +++ b/detections/endpoint/windows_suspicious_defender_update_activity_in_inetcache.yml @@ -0,0 +1,54 @@ +name: Windows Suspicious Defender Update Activity in INetCache +id: 3e25f906-6319-44ad-ab9a-22d162eb3925 +version: 1 +date: '2026-04-27' +author: Raven Tait, Splunk +status: production +type: Anomaly +description: Detects a non-Defender process writing mpam-fe*.exe to the Windows Internet Cache (INetCache). BlueHammer downloads the WD signature update package directly using WinINet as a low-privileged user. The [1].exe naming suffix is produced by Windows HTTP caching and is a reliable artifact of this download method. +data_source: + - Sysmon EventID 11 +search: '`sysmon` EventID IN ("11","23") TargetFilename="*\\INetCache*" TargetFilename="*\\mpam-fe[1].exe*" NOT (Image IN ("C:\\ProgramData\\Microsoft\\Windows Defender*", "C:\\Program Files\\Windows Defender*", "C:\\Windows\\System32\\MpSigStub.exe*")) | fillnull | stats count by Computer, TargetFilename, Image, EventID, action, dest, file_name, file_path, process_guid, process_id, user, vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_suspicious_defender_update_activity_in_inetcache_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Some legitimate system maintenance tools or security scanners may download updates using WinINet and write to INetCache with similar naming patterns. Filter alerts when these tools are verified and approved. +references: + - https://github.com/Nightmare-Eclipse/BlueHammer +drilldown_searches: + - earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + - earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +rba: + message: Defender Update package downloaded to INetCache by unexpected process observed on $dest$. + risk_objects: + - field: dest + type: system + score: 20 + threat_objects: + - field: Image + type: process +tags: + analytic_story: + - Windows Persistence Techniques + - BlueHammer + asset_type: Endpoint + mitre_attack_id: + - T1068 + - T1105 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint + cve: + - CVE-2026-33825 +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/bluehammer/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/stories/bluehammer.yml b/stories/bluehammer.yml new file mode 100644 index 0000000000..137d96be2f --- /dev/null +++ b/stories/bluehammer.yml @@ -0,0 +1,22 @@ +name: BlueHammer +id: 9e2f91be-796f-4363-8c6f-a6d5dbdaede6 +version: 1 +status: production +date: '2026-04-29' +author: Raven Tait, Splunk +description: Detect activity associated with BlueHammer exploit. Released by Nightmare-Eclipse on GitHub alongside RedSun and UnDefend, it is part of a set of attacks that abuse Windows Defender to disrupt the system or elevate privileges. +narrative: BlueHammer is a Windows local privilege escalation (LPE) exploit that allows a threat actor who already has a foothold on a system to elevate from a low-privileged user account to full SYSTEM-level control. It abuses the Windows Defender update process via Volume Shadow Copy, using Cloud Files callbacks and oplocks to pause Defender at a critical moment — exposing the SAM, SYSTEM, and SECURITY registry hives. This enables an attacker to read the SAM database, decrypt NTLM password hashes, take over a local administrator account, and spawn a SYSTEM-level shell, while restoring the original hash to avoid detection. +references: +- https://github.com/Nightmare-Eclipse/BlueHammer +- http://huntress.com/blog/nightmare-eclipse-intrusion +- https://www.picussecurity.com/resource/blog/bluehammer-redsun-windows-defender-cve-2026-33825-zero-day-vulnerability-explained +tags: + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection + cve: + - CVE-2026-33825 diff --git a/stories/redsun.yml b/stories/redsun.yml new file mode 100644 index 0000000000..5f3eeb1031 --- /dev/null +++ b/stories/redsun.yml @@ -0,0 +1,21 @@ +name: RedSun +id: fa31fe1f-ddad-4238-b438-2b7741b7cf34 +version: 1 +status: production +date: '2026-04-29' +author: Raven Tait, Splunk +description: Detect activity associated with RedSun exploit. Released by Nightmare-Eclipse on GitHub alongside BlueHammer and UnDefend, it is part of a set of attacks that abuse Windows Defender to disrupt the system or elevate privileges. +narrative: RedSun is a zero-day LPE vulnerability in Microsoft Defender that allows a low-privileged user to gain full NT AUTHORITY\SYSTEM access without any kernel exploit or administrator interaction. It abuses a logic flaw in how Defender handles cloud-tagged files during remediation — when Defender detects a malicious file carrying a cloud tag, it attempts to restore the file to its original location rather than quarantine it, running that restore operation with full SYSTEM privileges without validating whether the target path has been tampered with. An attacker redirects that write via an NTFS junction into C:\Windows\System32, dropping an attacker-controlled binary and executing it as SYSTEM through a COM service invocation — never touching credentials. +references: +- https://github.com/Nightmare-Eclipse/RedSun +- https://www.huntress.com/blog/nightmare-eclipse-intrusion +tags: + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection + cve: + - CVE-2026-33825 From 3b76a770f98ce57118daa2768854d9aa4f5ecd80 Mon Sep 17 00:00:00 2001 From: Raven Tait Date: Fri, 1 May 2026 12:18:09 -0400 Subject: [PATCH 2/3] Redsun Detections --- ...lter_log_created_by_non_system_process.yml | 52 ++++++++++++++++++ ...ld_process_of_tieringengineservice_exe.yml | 54 +++++++++++++++++++ ...ssvc_process_accessing_defender_engine.yml | 52 ++++++++++++++++++ lookups/suspicious_named_pipes.csv | 1 + 4 files changed, 159 insertions(+) create mode 100644 detections/endpoint/windows_cloud_files_filter_log_created_by_non_system_process.yml create mode 100644 detections/endpoint/windows_suspicious_child_process_of_tieringengineservice_exe.yml create mode 100644 detections/endpoint/windows_vssvc_process_accessing_defender_engine.yml diff --git a/detections/endpoint/windows_cloud_files_filter_log_created_by_non_system_process.yml b/detections/endpoint/windows_cloud_files_filter_log_created_by_non_system_process.yml new file mode 100644 index 0000000000..84b349148d --- /dev/null +++ b/detections/endpoint/windows_cloud_files_filter_log_created_by_non_system_process.yml @@ -0,0 +1,52 @@ +name: Windows Cloud Files Filter Log Created by Non-System Process +id: 2e0042b9-8a75-49ca-b3a2-948f04b752bf +version: 1 +date: '2026-05-01' +author: Raven Tait, Splunk +status: production +type: TTP +description: Detects a non-system process causing creation of CldFlt0.etl under C:\Windows\System32\LogFiles\CloudFiles\. This path is initialised by the CldFlt driver when a process calls CfRegisterSyncRoot() or CfConnectSyncRoot(). In the RedSun exploit this is a side-effect of the DoCloudStuff() function that registers a fake sync provider to create the cloud-tagged bait file. Legitimate cloud providers (OneDrive etc.) register sync roots from SYSTEM-level service processes, not from user-context executables. +data_source: + - Sysmon EventID 11 +search: '`sysmon` EventCode=11 (TargetFilename = "*\\Windows\\System32\\LogFiles\\CloudFiles\\*" NOT Image IN ("*\\Windows\\System32*", "*\\Windows\\SysWOW64*","*\\Program Files\\WindowsApps*")) | stats count min(_time) as firstTime max(_time) as lastTime by action dest file_name file_path Image process_guid process_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_cloud_files_filter_log_created_by_non_system_process_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. +known_false_positives: No false positives have been identified at this time. +references: + - https://github.com/Nightmare-Eclipse/RedSun + - https://www.huntress.com/blog/nightmare-eclipse-intrusion +drilldown_searches: + - name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: 7d + latest_offset: "0" +rba: + message: Non-System process creates a cloud files filter $file_name$ in host $dest$ + risk_objects: + - field: dest + type: system + score: 50 + threat_objects: [] +tags: + analytic_story: + - RedSun + - Windows Privilege Escalation + asset_type: Endpoint + mitre_attack_id: + - T1068 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint + cve: + - CVE-2026-33825 +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/redsun/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_suspicious_child_process_of_tieringengineservice_exe.yml b/detections/endpoint/windows_suspicious_child_process_of_tieringengineservice_exe.yml new file mode 100644 index 0000000000..e438a7e2c5 --- /dev/null +++ b/detections/endpoint/windows_suspicious_child_process_of_tieringengineservice_exe.yml @@ -0,0 +1,54 @@ +name: Windows Suspicious Child Process of TieringEngineService.exe +id: 69edec6c-877e-4423-9b9b-025b589123a8 +version: 1 +date: '2026-05-01' +author: Raven Tait, Splunk +status: production +type: TTP +description: Detects the RedSun privilege escalation exploit delivering a SYSTEM-level shell to the attacker's session. RedSun replaces the legitimate TieringEngineService.exe with a malicious binary, which launches a process as SYSTEM, usually some sort of shell or shell spawner (conhost.exe, cmd.exe, PowerShell, etc.) in the attacker's active session. +data_source: + - Sysmon EventID 1 +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE ( Processes.parent_process_name="*TieringEngineService.exe*" ) Processes.process IN ("*conhost.exe*","*cmd.exe*","*powershell.exe*","*rundll32.exe*","*bitsadmin.exe*","*wmic.exe*","*cscript.exe*") Processes.user IN ("*AUTHORITY*","*System*") BY Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name action parent_process_exec parent_process_guid parent_process_path process_exec process_guid process_hash process_integrity_level process_path user_id vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_suspicious_child_process_of_tieringengineservice_exe_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: This process should normally never be spawning these child processes. +references: + - https://github.com/Nightmare-Eclipse/RedSun + - https://www.huntress.com/blog/nightmare-eclipse-intrusion +drilldown_searches: + - name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: 7d + latest_offset: "0" +rba: + message: Possible RedSun Privilege escalation on $dest$ + risk_objects: + - field: dest + type: system + score: 50 + threat_objects: + - field: parent_process_name + type: parent_process_name +tags: + analytic_story: + - RedSun + - Windows Privilege Escalation + asset_type: Endpoint + mitre_attack_id: + - T1068 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint + cve: + - CVE-2026-33825 +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/redsun/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_vssvc_process_accessing_defender_engine.yml b/detections/endpoint/windows_vssvc_process_accessing_defender_engine.yml new file mode 100644 index 0000000000..c650211665 --- /dev/null +++ b/detections/endpoint/windows_vssvc_process_accessing_defender_engine.yml @@ -0,0 +1,52 @@ +name: Windows VSSVC Process Accessing Defender Engine +id: 0c398be7-e33a-4882-9546-12166ceaf73c +version: 1 +date: '2026-05-01' +author: Raven Tait, Splunk +status: production +type: TTP +description: Detects vssvc.exe opening a handle to MsMpEng.exe. In the RedSun exploit, VSS participates in the cloud-file restore race that directs WD to write through the NTFS junction. This handle acquisition is observed at the exact moment of exploitation. vssvc querying MsMpEng is not expected in normal operation. +data_source: + - Sysmon EventID 10 +search: '`sysmon` EventCode=10 TargetImage="*MsMpEng.exe" SourceImage="*vssvc.exe" | stats count min(_time) as firstTime max(_time) as lastTime BY EventID GrantedAccess Guid Opcode ProcessID SourceImage SourceProcessGUID SourceProcessId TargetImage TargetProcessGUID TargetProcessId UserID dest CallTrace user_id parent_process_name parent_process_guid process_name process_guid process_id signature | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_vssvc_process_accessing_defender_engine_filter`' +how_to_implement: This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives. +known_false_positives: No false positives have been identified at this time. +references: + - https://github.com/Nightmare-Eclipse/RedSun + - https://www.huntress.com/blog/nightmare-eclipse-intrusion +drilldown_searches: + - name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: 7d + latest_offset: "0" +rba: + message: Possible RedSun Privilege escalation on $dest$ + risk_objects: + - field: dest + type: system + score: 50 + threat_objects: [] +tags: + analytic_story: + - RedSun + - Windows Privilege Escalation + asset_type: Endpoint + mitre_attack_id: + - T1068 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint + cve: + - CVE-2026-33825 +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/redsun/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/lookups/suspicious_named_pipes.csv b/lookups/suspicious_named_pipes.csv index cc0b5f22eb..39e4d1ad97 100644 --- a/lookups/suspicious_named_pipes.csv +++ b/lookups/suspicious_named_pipes.csv @@ -70,6 +70,7 @@ suspicious_pipe_name,tool,description,type *\pipey,RpcSsImpersonator,faxhell / printjacker / RpcSsImpersonator - Elevation to SYSTEM,Privilege Escalation *\PrivFuPipe*,PrivFu,Privilege escalation PoCs,Privilege Escalation *\protected_storage,impacket,impacket dcerpc pipe name,Credential Access +*\REDSUN,RedSun, RedSun privilege escalation PoCs,Privilege Escalation *\RemCom_Commuincation,Remcom,Remote execution like PsExec,Lateral Movement *\remcom*,Remcom,Remote execution like PsExec,Lateral Movement *\RemoteMaint,impacketremoteshell,impacketremoteshell default pipe name,Lateral Movement From 3ffd317384c101bff2c1ca95ec9038749d418727 Mon Sep 17 00:00:00 2001 From: Raven Tait Date: Tue, 12 May 2026 10:26:13 -0400 Subject: [PATCH 3/3] Updates per comments --- ...ws_admin_password_changed_by_non_admin.yml | 29 +++++++++++++++---- ...ld_process_of_tieringengineservice_exe.yml | 15 +++++++++- 2 files changed, 37 insertions(+), 7 deletions(-) diff --git a/detections/endpoint/windows_admin_password_changed_by_non_admin.yml b/detections/endpoint/windows_admin_password_changed_by_non_admin.yml index 754c83a1be..6a91123896 100644 --- a/detections/endpoint/windows_admin_password_changed_by_non_admin.yml +++ b/detections/endpoint/windows_admin_password_changed_by_non_admin.yml @@ -5,10 +5,27 @@ date: '2026-04-27' author: Raven Tait, Splunk status: production type: TTP -description: "Following successful exploitation of the BlueHammer Windows Defender privilege escalation, the attacker's process momentarily changes the passwords of high-value local accounts including the built-in Administrator to spawn an authenticated shell session, then immediately reverts the passwords to avoid detection. This uses EventID 4723 to log this activity." +description: "The following analytic detects when a unprivileged user changes an Admin accounts password. This is a common artifact of successful exploitation of the BlueHammer Windows Defender privilege escalation. The attacker's process momentarily changes the passwords of high-value local accounts including the built-in Administrator to spawn an authenticated shell session, then immediately reverts the passwords to avoid detection. This uses EventID 4723 to log this activity." data_source: - Windows Event Log Security 4723 -search: '`wineventlog_security` EventID="4723" | rex field=_raw "(?[^<]+)<\/Data>" | rex field=_raw "(?[^<]+)<\/Data>" | rex field=_raw "(?[^<]+)<\/Data>" | rex field=_raw "(?[^<]+)<\/Data>" | rex field=_raw "(?[^<]+)<\/Data>" | rex field=_raw "(?[^<]+)<\/Data>" | rex field=TargetSid "-(?\d+)$" | rex field=SubjectUserSid "-(?\d+)$" | where target_rid="500" OR tonumber(target_rid) IN (512,513,518,519,520) | where tonumber(subject_rid) >= 1000 | where SubjectUserSid != TargetSid | rename Computer as dest | stats count by dest, TargetUserName, SubjectUserSid, EventID, SubjectUserName SubjectLogonId, PrivilegeList | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_admin_password_changed_by_non_admin_filter`' +search: | + `wineventlog_security` EventID="4723" + | rex field=_raw "(?[^<]+)<\/Data>" + | rex field=_raw "(?[^<]+)<\/Data>" + | rex field=_raw "(?[^<]+)<\/Data>" + | rex field=_raw "(?[^<]+)<\/Data>" + | rex field=_raw "(?[^<]+)<\/Data>" + | rex field=_raw "(?[^<]+)<\/Data>" + | rex field=TargetSid "-(?\d+)$" + | rex field=SubjectUserSid "-(?\d+)$" + | where target_rid="500" OR tonumber(target_rid) IN (512,513,518,519,520) + | where tonumber(subject_rid) >= 1000 + | where SubjectUserSid != TargetSid + | rename Computer as dest + | stats count by dest, TargetUserName, SubjectUserSid, EventID, SubjectUserName SubjectLogonId, PrivilegeList + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_admin_password_changed_by_non_admin_filter` how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Some IT support tools or automated scripts may change administrator passwords during maintenance. Verify changes against authorized administrative activities to reduce false alerts. references: @@ -16,12 +33,12 @@ references: drilldown_searches: - earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View the detection results for - "$user$" and "$dest$" - search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' - earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - name: View risk events for the last 7 days for - "$user$" and "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' rba: message: Non-Administrator account changed password of Admin account on $dest$. risk_objects: diff --git a/detections/endpoint/windows_suspicious_child_process_of_tieringengineservice_exe.yml b/detections/endpoint/windows_suspicious_child_process_of_tieringengineservice_exe.yml index e438a7e2c5..31670d5378 100644 --- a/detections/endpoint/windows_suspicious_child_process_of_tieringengineservice_exe.yml +++ b/detections/endpoint/windows_suspicious_child_process_of_tieringengineservice_exe.yml @@ -8,7 +8,20 @@ type: TTP description: Detects the RedSun privilege escalation exploit delivering a SYSTEM-level shell to the attacker's session. RedSun replaces the legitimate TieringEngineService.exe with a malicious binary, which launches a process as SYSTEM, usually some sort of shell or shell spawner (conhost.exe, cmd.exe, PowerShell, etc.) in the attacker's active session. data_source: - Sysmon EventID 1 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE ( Processes.parent_process_name="*TieringEngineService.exe*" ) Processes.process IN ("*conhost.exe*","*cmd.exe*","*powershell.exe*","*rundll32.exe*","*bitsadmin.exe*","*wmic.exe*","*cscript.exe*") Processes.user IN ("*AUTHORITY*","*System*") BY Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.parent_process_name action parent_process_exec parent_process_guid parent_process_path process_exec process_guid process_hash process_integrity_level process_path user_id vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`| `windows_suspicious_child_process_of_tieringengineservice_exe_filter`' +search: | + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime + FROM datamodel=Endpoint.Processes + WHERE + (Processes.parent_process_name="*TieringEngineService.exe*" ) + Processes.process IN ("*conhost.exe*","*cmd.exe*","*powershell.exe*","*rundll32.exe*","*bitsadmin.exe*","*wmic.exe*","*cscript.exe*") + Processes.user IN ("*AUTHORITY*","*System*") + BY Processes.dest Processes.user Processes.original_file_name Processes.parent_process Processes.process_name Processes.process + Processes.process_id Processes.parent_process_id Processes.parent_process_name action parent_process_exec parent_process_guid + parent_process_path process_exec process_guid process_hash process_integrity_level process_path user_id vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_suspicious_child_process_of_tieringengineservice_exe_filter` how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: This process should normally never be spawning these child processes. references: