splunk · RavenTait · Apr 29, 2026 · May 1, 2026 · May 12, 2026 · patel-bhavin
@@ -0,0 +1,116 @@
+name: Windows Event Log Security 4723
+id: df19b271-57c8-4f31-817a-6c5566985484
+version: 3
+date: '2026-04-27'
+author: Raven Tait, Splunk
+description: Logs an event when an attempt is made to change an account's password,
+  whether successful or not.
+mitre_components:
+- User Account Modification
+source: XmlWinEventLog:Security
+sourcetype: XmlWinEventLog
+separator: EventCode
+separator_value: '4723'
+supported_TA:
+- name: Splunk Add-on for Microsoft Windows
+  url: https://splunkbase.splunk.com/app/742
+  version: 10.0.1
+fields:
+- _time
+- Caller_Domain
+- Caller_User_Name
+- CategoryString
+- Channel
+- Computer
+- Error_Code
+- EventCode
+- EventData_Xml
+- EventID
+- EventRecordID
+- Guid
+- Keywords
+- Level
+- Logon_ID
+- Name
+- Opcode
+- ProcessID
+- RecordNumber
+- SubjectDomainName
+- SubjectLogonId
+- SubjectUserName
+- SubjectUserSid
+- SystemTime
+- System_Props_Xml
+- TargetDomainName
+- TargetSid
+- TargetUserName
+- Target_Domain
+- Target_User_Name
+- Task
+- ThreadID
+- Version
+- action
+- app
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- name
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- punct
+- result
+- session_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- src_user_name
+- status
+- subject
+- ta_windows_action
+- ta_windows_security_CategoryString
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- user_name
+- vendor
+- vendor_product
+output_fields:
+- dest
+example_log: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider 
+  Name="Microsoft-Windows-Security-Auditing" Guid="54849625-5478-4994-A5BA-3E3B0328C30D"></Provider>
+  <EventID>4723</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode>
+  <Keywords>0x8010000000000000</Keywords><TimeCreated SystemTime="2026-04-21T17:43:18.298641Z">
+  </TimeCreated><EventRecordID>781490</EventRecordID><Correlation ActivityID="9F3364FE-E417-0002-2065-339F17E4DA01">
+  </Correlation><Execution ProcessID="724" ThreadID="12596"></Execution><Channel>Security</Channel>
+  <Computer>WIN10-21H1.strt.labs</Computer><Security></Security></System><EventData>
+  <Data Name="TargetUserName">Administrator</Data><Data Name="TargetDomainName">WIN10-21H1</Data>
+  <Data Name="TargetSid">S-1-5-21-1538153195-943065003-848949206-500</Data><Data Name="SubjectUserSid">
+  S-1-5-21-1538153195-943065003-848949206-1003</Data><Data Name="SubjectUserName">bob</Data>
+  <Data Name="SubjectDomainName">WIN10-21H1</Data><Data Name="SubjectLogonId">0x61a292</Data>
+  <Data Name="PrivilegeList">-</Data></EventData></Event>
@@ -0,0 +1,69 @@
+name: Windows Admin Password Changed by Non-Admin
+id: 6d4c4d88-cd60-43a1-8c70-c74a9614f724
+version: 1
+date: '2026-04-27'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: "The following analytic detects when a unprivileged user changes an Admin accounts password. This is a common artifact of successful exploitation of the BlueHammer Windows Defender privilege escalation. The attacker's process momentarily changes the passwords of high-value local accounts including the built-in Administrator to spawn an authenticated shell session, then immediately reverts the passwords to avoid detection. This uses EventID 4723 to log this activity."
+data_source:
+    - Windows Event Log Security 4723
+search: |
+    `wineventlog_security` EventID="4723"
+    | rex field=_raw "<Data Name=\"TargetSid\">(?<TargetSid>[^<]+)<\/Data>"
+    | rex field=_raw "<Data Name=\"SubjectUserSid\">(?<SubjectUserSid>[^<]+)<\/Data>"
+    | rex field=_raw "<Data Name=\"TargetUserName\">(?<TargetUserName>[^<]+)<\/Data>"
+    | rex field=_raw "<Data Name=\"SubjectUserName\">(?<SubjectUserName>[^<]+)<\/Data>"
+    | rex field=_raw "<Data Name=\"SubjectLogonId\">(?<SubjectLogonId>[^<]+)<\/Data>"
+    | rex field=_raw "<Data Name=\"PrivilegeList\">(?<PrivilegeList>[^<]+)<\/Data>"
+    | rex field=TargetSid "-(?<target_rid>\d+)$"
+    | rex field=SubjectUserSid "-(?<subject_rid>\d+)$"
+    | where target_rid="500" OR tonumber(target_rid) IN (512,513,518,519,520)
+    | where tonumber(subject_rid) >= 1000
+    | where SubjectUserSid != TargetSid
+    | rename Computer as dest
+    | stats count by dest, TargetUserName, SubjectUserSid, EventID, SubjectUserName SubjectLogonId, PrivilegeList
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `windows_admin_password_changed_by_non_admin_filter`
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: Some IT support tools or automated scripts may change administrator passwords during maintenance. Verify changes against authorized administrative activities to reduce false alerts.
+references:
+    - https://github.com/Nightmare-Eclipse/BlueHammer
+drilldown_searches:
+    - earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+      name: View the detection results for - "$dest$"
+      search: '%original_detection_search% | search  dest = "$dest$"'
+    - earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+      name: View risk events for the last 7 days for - "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+rba:
+    message: Non-Administrator account changed password of Admin account on $dest$.
+    risk_objects:
+        - field: dest
+          type: system
+          score: 50
+    threat_objects: []
+tags:
+    analytic_story:
+        - Windows Privilege Escalation
+        - BlueHammer
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1068
+        - T1543.003
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+    cve:
+        - CVE-2026-33825
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/bluehammer/windows-security.log
+          source: XmlWinEventLog:Security
+          sourcetype: XmlWinEventLog
@@ -0,0 +1,52 @@
+name: Windows Cloud Files Filter Log Created by Non-System Process
+id: 2e0042b9-8a75-49ca-b3a2-948f04b752bf
+version: 1
+date: '2026-05-01'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: Detects a non-system process causing creation of CldFlt0.etl under C:\Windows\System32\LogFiles\CloudFiles\. This path is initialised by the CldFlt driver when a process calls CfRegisterSyncRoot() or CfConnectSyncRoot(). In the RedSun exploit this is a side-effect of the DoCloudStuff() function that registers a fake sync provider to create the cloud-tagged bait file. Legitimate cloud providers (OneDrive etc.) register sync roots from SYSTEM-level service processes, not from user-context executables.
+data_source:
+    - Sysmon EventID 11
+search: '`sysmon` EventCode=11 (TargetFilename = "*\\Windows\\System32\\LogFiles\\CloudFiles\\*" NOT Image IN ("*\\Windows\\System32*", "*\\Windows\\SysWOW64*","*\\Program Files\\WindowsApps*")) | stats count min(_time) as firstTime max(_time) as lastTime by action dest file_name file_path Image process_guid process_id user_id vendor_product | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`  | `windows_cloud_files_filter_log_created_by_non_system_process_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
+known_false_positives: No false positives have been identified at this time.
+references:
+    - https://github.com/Nightmare-Eclipse/RedSun
+    - https://www.huntress.com/blog/nightmare-eclipse-intrusion
+drilldown_searches:
+    - name: View the detection results for - "$dest$"
+      search: '%original_detection_search% | search  dest = "$dest$"'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+    - name: View risk events for the last 7 days for - "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: 7d
+      latest_offset: "0"
+rba:
+    message: Non-System process creates a cloud files filter $file_name$ in host $dest$
+    risk_objects:
+        - field: dest
+          type: system
+          score: 50
+    threat_objects: []
+tags:
+    analytic_story:
+        - RedSun
+        - Windows Privilege Escalation
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1068
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+    cve:
+        - CVE-2026-33825
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/redsun/windows-sysmon.log
+          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+          sourcetype: XmlWinEventLog
@@ -0,0 +1,57 @@
+name: Windows MsMpEng Writing to System32
+id: dc615235-1241-411a-b170-b34a4c8924aa
+version: 1
+date: '2026-04-27'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: "Detects MsMpEng.exe creating a file in C:\\Windows\\System32\\ . This should never happen under normal operation Windows Defender does not install kernel drivers at runtime. In the BlueHammer exploit, the TOCTOU race causes MsMpEng (SYSTEM) to write the attacker's driver payload directly into the drivers directory."
+data_source:
+    - Sysmon EventID 15
+    - Sysmon EventID 11
+search: '`sysmon` (EventID=15 OR EventID=11) Image="*\\MsMpEng.exe" TargetFilename="C:\\Windows\\System32\\*" | fillnull | stats count by Computer, Image, TargetFilename, EventID, dest, dvc, file_hash, file_name, file_path, action, process_exec, process_guid, process_id, process_name, process_path, signature, signature_id, user_id, vendor_product| `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `windows_msmpeng_writing_to_system32_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: Some legitimate system processes or antivirus updates may momentarily create files in the drivers directory during patching or maintenance. Verify with approved update activities before alerting.
+references:
+    - https://github.com/Nightmare-Eclipse/BlueHammer
+drilldown_searches:
+    - earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+      name: View the detection results for - "$user$" and "$dest$"
+      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+    - earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+      name: View risk events for the last 7 days for - "$user$" and "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+rba:
+    message: MsMpEng wrote driver to System32 on $dest$.
+    risk_objects:
+        - field: dest
+          type: system
+          score: 50
+    threat_objects:
+        - field: Image
+          type: process
+tags:
+    analytic_story:
+        - Windows Drivers
+        - Windows Privilege Escalation
+        - BlueHammer
+        - RedSun
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1068
+        - T1543.003
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+    cve:
+        - CVE-2026-33825
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/bluehammer/windows-sysmon.log
+          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+          sourcetype: XmlWinEventLog
@@ -0,0 +1,55 @@
+name: Windows Non-System Process Querying Definition Update
+id: 9d375cfd-c9a5-48ff-b875-9bcaf6b63265
+version: 1
+date: '2026-04-27'
+author: Raven Tait, Splunk
+status: production
+type: Anomaly
+description: Detects DNS queries to definitionupdates.microsoft.com or the go.microsoft.com fwlink redirect used for WD update downloads, when the querying process is not a Windows system component. BlueHammer utilizes these definition updates as part of its exploit chain.
+data_source:
+    - Sysmon EventID 22
+search: '`sysmon` EventID="22" QueryName="*definitionupdates.microsoft.com*" NOT (Image IN ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*", "C:\\ProgramData\\Microsoft\\Windows Defender\\*", "C:\\Program Files\\Windows Defender\\*", "C:\\Program Files\\Microsoft Office\\*")) | stats count min(_time) as firstTime max(_time) as lastTime BY answer answer_count dvc Computer process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id vendor_product QueryName QueryResults QueryStatus | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename Computer as dest | `windows_non_system_process_querying_definition_update_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: Legitimate third-party applications or security tools may query these update domains for Windows Defender updates. Filter alerts for trusted software and verified update mechanisms.
+references:
+    - https://github.com/Nightmare-Eclipse/BlueHammer
+drilldown_searches:
+    - earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+      name: View the detection results for - "$user$" and "$dest$"
+      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+    - earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+      name: View risk events for the last 7 days for - "$user$" and "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+rba:
+    message: Non-System process queried Windows Defender Definition Updates on $dest$.
+    risk_objects:
+        - field: dest
+          type: system
+          score: 20
+    threat_objects:
+        - field: process_name
+          type: process
+tags:
+    analytic_story:
+        - Windows Privilege Escalation
+        - BlueHammer
+        - RedSun
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1068
+        - T1071.001
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+    cve:
+        - CVE-2026-33825
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1068/bluehammer/windows-sysmon.log
+          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+          sourcetype: XmlWinEventLog