Merge branch 'develop' into isovalent_batch_1

Author: patel-bhavin

detections/endpoint/windows_credential_target_information_structure_in_commandline.yml

@@ -0,0 +1,88 @@
+name: Windows Credential Target Information Structure in Commandline
+id: f79c5d7a-dd99-4263-93e1-49ace5634c82
+version: 1
+date: '2025-11-13'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: Detects DNS-based Kerberos coercion attacks where adversaries
+  inject marshaled credential structures into DNS records to spoof SPNs and 
+  redirect authentication such as in CVE-2025-33073. This detection leverages 
+  process creation events looking for specific CREDENTIAL_TARGET_INFORMATION structures. 
+data_source:
+- Sysmon EventID 1
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
+  as lastTime from datamodel=Endpoint.Processes where Processes.process="*1UWhRCA*" 
+  Processes.process="*AAAAA*" Processes.process="*YBAAAA*" by Processes.action 
+  Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec 
+  Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name 
+  Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid 
+  Processes.process_hash Processes.process_id Processes.process_integrity_level 
+  Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product 
+  | `drop_dm_object_name(Processes)`
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `windows_credential_target_information_structure_in_commandline_filter`'
+how_to_implement: The detection is based on data that originates from Endpoint Detection
+  and Response (EDR) agents. These agents are designed to provide security-related
+  telemetry from the endpoints where the agent is installed. To implement this search,
+  you must ingest logs that contain the process GUID, process name, and parent process.
+  Additionally, you must ingest complete command-line executions. These logs must
+  be processed using the appropriate Splunk Technology Add-ons that are specific to
+  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
+  data model. Use the Splunk Common Information Model (CIM) to normalize the field
+  names and speed up the data modeling process.
+known_false_positives: Commands with all of these base64 encoded values are unusual in production
+  environments. Filter as needed.
+references:
+- https://web.archive.org/web/20250617122747/https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
+- https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using-krbrelayx
+- https://www.guidepointsecurity.com/blog/the-birth-and-death-of-loopyticket/
+drilldown_searches:
+- name: View the detection results for - "$user$" and "$dest$"
+  search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$user$" and "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$",
+    "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time)
+    as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk
+    Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: An instance of CREDENTIAL_TARGET_INFORMATION magic string was identified
+    in a command on endpoint $dest$ by user $user$.
+  risk_objects:
+  - field: user
+    type: user
+    score: 44
+  - field: dest
+    type: system
+    score: 44
+  threat_objects: []
+tags:
+  analytic_story:
+  - Compromised Windows Host
+  - Suspicious DNS Traffic
+  - Local Privilege Escalation With KrbRelayUp
+  - Kerberos Coercion with DNS
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1557.001
+  - T1187
+  - T1071.004
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+  cve:
+  - CVE-2025-33073
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.004/kerberos_coercion/sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

detections/endpoint/windows_kerberos_coercion_via_dns.yml

@@ -0,0 +1,87 @@
+name: Windows Kerberos Coercion via DNS
+id: 9029b575-6f6b-4ab1-b660-67b24b7e9c3d
+version: 1
+date: '2025-11-12'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: Detects DNS-based Kerberos coercion attacks where adversaries
+  inject marshaled credential structures into DNS records to spoof SPNs and 
+  redirect authentication such as in CVE-2025-33073. This detection leverages 
+  Windows Security Event Codes 5136, 5137, 4662, looking for DNS events with
+  specific CREDENTIAL_TARGET_INFORMATION entries. 
+data_source:
+- Windows Event Log Security 4662
+- Windows Event Log Security 5136
+- Windows Event Log Security 5137
+search: '`wineventlog_security`  (((EventCode="5136" OR EventCode="5137") ObjectClass="dnsNode" 
+  ObjectDN="*1UWhRCA*" ObjectDN="*AAAAA*" ObjectDN="*YBAAAA*") OR (EventCode="4662" 
+  AdditionalInfo="*1UWhRCA*" AdditionalInfo="*AAAAA*" AdditionalInfo="*YBAAAA*"))
+  | eval Object=coalesce(lower(ObjectGUID), trim(AdditionalInfo2, "%{}"))
+  | eval user=coalesce(SubjectUserName, Caller_User_Name)
+  | stats min(_time) as firstTime, max(_time) as lastTime
+          values(EventCode) as event_codes
+          values(ObjectDN) as dns_record
+          values(user) as user
+          values(Computer) as dest
+          by Object
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  | `windows_kerberos_coercion_via_dns_filter`'
+how_to_implement: To successfully implement this search, you ned to be ingesting Event
+  codes `4662`, `5136`, `5137`. The Advanced Security Audit policy setting `Audit Directory
+  Services Changes` within `DS Access` needs to be enabled. For these event codes
+  to be generated, specific SACLs are required.
+known_false_positives: Creating a DNS entry matching this pattern is very unusual in a 
+  production environment. Filter as needed.
+references:
+- https://web.archive.org/web/20250617122747/https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
+- https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using-krbrelayx
+- https://www.guidepointsecurity.com/blog/the-birth-and-death-of-loopyticket/
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  Computer = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A possible Kerberos coercion DNS object was created $dest$
+  risk_objects:
+  - field: dest
+    type: system
+    score: 74
+  - field: user
+    type: user
+    score: 74
+  threat_objects: []
+tags:
+  analytic_story:
+  - Compromised Windows Host
+  - Suspicious DNS Traffic
+  - Local Privilege Escalation With KrbRelayUp
+  - Kerberos Coercion with DNS
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1071.004
+  - T1557.001
+  - T1187
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+  cve:
+  - CVE-2025-33073
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.004/kerberos_coercion/windows-xml.log
+    source: XmlWinEventLog:Security
+    sourcetype: XmlWinEventLog

detections/endpoint/windows_short_lived_dns_record.yml

@@ -0,0 +1,89 @@
+name: Windows Short Lived DNS Record
+id: d585e253-1859-4170-977d-09376c731f74
+version: 1
+date: '2025-11-13'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: The following analytic identifies the creation and quick deletion of
+  a DNS object within 300 seconds in an Active Directory environment,
+  indicative of a potential attack abusing DNS. This detection leverages Windows Security
+  Event Codes 5136 and 5137, analyzing the duration between these events. This activity
+  is significant as temporary DNS entries allows attackers to cause unexpecting network trafficking,
+  leading to potential compromise.
+data_source:
+- Windows Event Log Security 5136
+- Windows Event Log Security 5137
+search: '`wineventlog_security` ((EventCode=5137  ObjectClass="dnsNode") OR (EventCode=5136 
+  ObjectClass="dnsNode" AttributeLDAPDisplayName="dNSTombstoned" AttributeValue="TRUE"))
+  | stats min(_time) as firstTime
+          max(_time) as lastTime
+          values(EventCode) as event_codes
+          values(ObjectDN) as dns_record
+          values(SubjectUserName) as user
+          values(Computer) as dest
+          by ObjectGUID
+  | where mvcount(event_codes)=2
+  | eval time_diff=lastTime - firstTime
+  | where time_diff <= 300
+  | table firstTime, lastTime, dns_record, user, dest, time_diff, ObjectGUID
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
+  | `windows_short_lived_dns_record_filter`'
+how_to_implement: To successfully implement this search, you ned to be ingesting Event
+  codes `5136` and `5137`. The Advanced Security Audit policy setting `Audit Directory
+  Services Changes` within `DS Access` needs to be enabled. For these event codes
+  to be generated, specific SACLs are required.
+known_false_positives: Creating and deleting a DNS server object within 30 seconds or
+  less is unusual but not impossible in a production environment. Filter as needed.
+references:
+- https://web.archive.org/web/20250617122747/https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
+- https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using-krbrelayx
+- https://www.guidepointsecurity.com/blog/the-birth-and-death-of-loopyticket/
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search  Computer = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A short-lived DNS object was created and deleted on $dest$
+  risk_objects:
+  - field: dest
+    type: system
+    score: 64
+  - field: user
+    type: user
+    score: 64
+  threat_objects: []
+tags:
+  analytic_story:
+  - Compromised Windows Host
+  - Suspicious DNS Traffic
+  - Local Privilege Escalation With KrbRelayUp
+  - Kerberos Coercion with DNS
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1071.004
+  - T1557.001
+  - T1187
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint
+  cve:
+  - CVE-2025-33073
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.004/kerberos_coercion/windows-xml.log
+    source: XmlWinEventLog:Security
+    sourcetype: XmlWinEventLog

detections/network/dns_kerberos_coercion.yml

@@ -0,0 +1,79 @@
+name: DNS Kerberos Coercion
+id: 8551252d-b5b6-4b6e-8a82-51460aeb29a3
+version: 1
+date: '2025-11-14'
+author: Raven Tait, Splunk
+status: production
+type: TTP
+description: Detects DNS-based Kerberos coercion attacks where adversaries
+  inject marshaled credential structures into DNS records to spoof SPNs and 
+  redirect authentication such as in CVE-2025-33073. This detection leverages 
+  suricata looking for specific CREDENTIAL_TARGET_INFORMATION structures in DNS
+  queries. 
+data_source:
+- Suricata
+- Sysmon EventID 22
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
+  max(_time) as lastTime values(DNS.src) as src values(DNS.dest) as dest from datamodel=Network_Resolution
+  where DNS.query="*1UWhRC*" DNS.query="*AAAAA*" DNS.query="*YBAAAA*" by DNS.answer
+  DNS.answer_count DNS.query DNS.query_count DNS.reply_code_id DNS.src DNS.vendor_product
+  | `drop_dm_object_name(DNS)`
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | table firstTime lastTime query count src dest
+  | `dns_kerberos_coercion_filter`'
+how_to_implement: To successfully implement this search, you will need to ensure that
+  DNS data is populating the Network_Resolution data model.
+known_false_positives: It's unlikely that a DNS entry contains the specific structure used by
+  this attack. Filter as needed for your organization.
+references:
+- https://web.archive.org/web/20250617122747/https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
+- https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using-krbrelayx
+- https://www.guidepointsecurity.com/blog/the-birth-and-death-of-loopyticket/
+drilldown_searches:
+- name: View the detection results for - "$src$"
+  search: '%original_detection_search% | search  host = "$src$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$src$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$")
+    starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime
+    values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
+    as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
+    as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A dns query $query$ with marshalled CREDENTIAL_TARGET_INFORMATION seen from $src$
+  risk_objects:
+  - field: src
+    type: system
+    score: 56
+  threat_objects: []
+tags:
+  analytic_story:
+  - Compromised Windows Host
+  - Suspicious DNS Traffic
+  - Local Privilege Escalation With KrbRelayUp
+  - Kerberos Coercion with DNS
+  asset_type: Endpoint
+  mitre_attack_id:
+  - T1557.001
+  - T1187
+  - T1071.004
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+  cve:
+  - CVE-2025-33073
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.004/kerberos_coercion/suricata.log
+    source: Suricata
+    sourcetype: suricata
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.004/kerberos_coercion/sysmon.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog

stories/kerberos_coercion_with_dns.yml

@@ -0,0 +1,30 @@
+name: Kerberos Coercion with DNS
+id: bc6762a6-b66f-4be2-8a90-c58521069858
+version: 1
+status: production
+date: '2025-11-13'
+author: Raven Tait, Splunk
+description: Detects Kerberos coercion attacks via DNS manipulation. Identifies DNS record modifications 
+  where the Distinguished Name contains a base64-encoded CREDENTIAL_TARGET_INFORMATION structure.
+narrative: CVE-2025-33073 is a critical vulnerability related to Kerberos 
+  Reflection attacks impacting Active Directory environments. The journey began with a 
+  configuration involving a Domain Controller set up in a lab environment where offensive 
+  tradecraft was being developed. The attacker utilized a DNS record manipulation technique 
+  that involved appending a specific "magic string" to the hostname, which ultimately 
+  enabled successful coercive authentication, leading to remote code execution as SYSTEM.
+references: 
+- https://web.archive.org/web/20250617122747/https://www.synacktiv.com/publications/ntlm-reflection-is-dead-long-live-ntlm-reflection-an-in-depth-analysis-of-cve-2025
+- https://www.synacktiv.com/publications/relaying-kerberos-over-smb-using-krbrelayx
+- https://www.guidepointsecurity.com/blog/the-birth-and-death-of-loopyticket/
+tags:
+  category:
+  - Adversary Tactics
+  - Account Compromise
+  - Lateral Movement
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection
+  cve:
+  - CVE-2025-33073