From 4f16cb3115ee2786cdf927c709217245d9744b60 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Tue, 14 Jan 2025 20:02:52 +0100 Subject: [PATCH] update office macro --- ...e_product_spawned_child_process_for_download.yml | 2 +- .../windows_office_product_spawned_control.yml | 2 +- .../windows_office_product_spawned_msdt.yml | 2 +- ..._office_product_spawned_rundll32_with_no_dll.yml | 2 +- ...dows_office_product_spawned_uncommon_process.yml | 2 +- macros/process_office_products.yml | 13 ++----------- macros/process_office_products_parent.yml | 2 +- 7 files changed, 8 insertions(+), 17 deletions(-) diff --git a/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml index 67916f2880..05cd8c0c25 100644 --- a/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml +++ b/detections/endpoint/windows_office_product_spawned_child_process_for_download.yml @@ -10,7 +10,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("winword.exe","excel.exe","powerpnt.exe","mspub.exe","visio.exe","onenote.exe","onenotem.exe","onenoteviewer.exe","onenoteim.exe","msaccess.exe", "Graph.exe","winproj.exe") Processes.process IN ("*http:*","*https:*") NOT (Processes.original_file_name IN("firefox.exe", "chrome.exe","iexplore.exe","msedge.exe")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_office_product_spawned_child_process_for_download_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_office_products_parent` Processes.process IN ("*http:*","*https:*") NOT (Processes.original_file_name IN("firefox.exe", "chrome.exe","iexplore.exe","msedge.exe")) by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.original_file_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_office_product_spawned_child_process_for_download_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: Default browser not in the filter list. references: diff --git a/detections/endpoint/windows_office_product_spawned_control.yml b/detections/endpoint/windows_office_product_spawned_control.yml index 2bec8c5dd6..e69030ff03 100644 --- a/detections/endpoint/windows_office_product_spawned_control.yml +++ b/detections/endpoint/windows_office_product_spawned_control.yml @@ -17,7 +17,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "onenoteviewer.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe") Processes.process_name=control.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `windows_office_product_spawned_control_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_office_products_parent` Processes.process_name=control.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)`| `windows_office_product_spawned_control_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, diff --git a/detections/endpoint/windows_office_product_spawned_msdt.yml b/detections/endpoint/windows_office_product_spawned_msdt.yml index 99a38b7c32..0f67d0dab1 100644 --- a/detections/endpoint/windows_office_product_spawned_msdt.yml +++ b/detections/endpoint/windows_office_product_spawned_msdt.yml @@ -17,7 +17,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "onenoteviewer.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe") Processes.process_name=msdt.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawned_msdt_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_office_products_parent` Processes.process_name=msdt.exe by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawned_msdt_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, diff --git a/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml b/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml index 15b754c31b..53b0bfcd5c 100644 --- a/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml +++ b/detections/endpoint/windows_office_product_spawned_rundll32_with_no_dll.yml @@ -17,7 +17,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name ("excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "onenoteviewer.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe") `process_rundll32` (Processes.process!=*.dll*) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawned_rundll32_with_no_dll_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_office_products_parent` `process_rundll32` (Processes.process!=*.dll*) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawned_rundll32_with_no_dll_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, diff --git a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml index fe3b519c03..6ff3bac2c6 100644 --- a/detections/endpoint/windows_office_product_spawned_uncommon_process.yml +++ b/detections/endpoint/windows_office_product_spawned_uncommon_process.yml @@ -10,7 +10,7 @@ data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "onenoteviewer.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe") AND (`process_bitsadmin` OR `process_certutil` OR `process_cmd` OR `process_cscript` OR `process_mshta` OR `process_powershell` OR `process_regsvr32` OR `process_rundll32` OR `process_wmic` OR `process_wscript`) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawned_uncommon_process_filter`' +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_office_products_parent` AND (`process_bitsadmin` OR `process_certutil` OR `process_cmd` OR `process_cscript` OR `process_mshta` OR `process_powershell` OR `process_regsvr32` OR `process_rundll32` OR `process_wmic` OR `process_wscript`) by Processes.dest Processes.user Processes.parent_process_name Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_office_product_spawned_uncommon_process_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. known_false_positives: False positives should be limited, however filter as needed. references: diff --git a/macros/process_office_products.yml b/macros/process_office_products.yml index c5ad1f758c..d161fca52c 100644 --- a/macros/process_office_products.yml +++ b/macros/process_office_products.yml @@ -1,12 +1,3 @@ -definition: (Processes.process_name=ping.exe OR Processes.original_file_name=ping.exe) +definition: (Processes.process_name IN ("EQNEDT32.exe", "excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe") OR Processes.original_file_name IN ("EQNEDT32.EXE", "Excel.exe", "Graph.exe", "MSACCESS.EXE", "MSPUB.EXE", "OneNote.exe", "OneNoteIm.exe", "OneNoteM.exe", "OUTLOOK.EXE", "POWERPNT.EXE", "VISIO.EXE", "WinProj.exe", "WinWord.exe")) description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ -name: process_office_products - - -("excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "onenoteviewer.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe") - -(Processes.parent_process_name IN ("excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "onenoteviewer.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe")) - - -Processes.process_name -Processes.original_file_name \ No newline at end of file +name: process_office_products \ No newline at end of file diff --git a/macros/process_office_products_parent.yml b/macros/process_office_products_parent.yml index fd0277400d..c4cd308613 100644 --- a/macros/process_office_products_parent.yml +++ b/macros/process_office_products_parent.yml @@ -1,3 +1,3 @@ -definition: (Processes.parent_process_name IN ("excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "onenoteviewer.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe")) +definition: (Processes.parent_process_name IN ("EQNEDT32.exe", "excel.exe", "Graph.exe", "msaccess.exe", "mspub.exe", "onenote.exe", "onenoteim.exe", "onenotem.exe", "outlook.exe", "powerpnt.exe", "visio.exe", "winproj.exe", "winword.exe")) description: Matches the process with its original file name, data for this macro came from https://strontic.github.io/ name: process_office_products_parent \ No newline at end of file