block indicators

Detect Indicator Blocking with these free splunk Detection Rules

An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting or even disabling host-based sensors, such as Event Tracing for Windows (ETW), by tampering settings that control the collection and flow of event telemetry.  These settings may be stored on the system in configuration files…

File and Directory Permissions threat hunting

Detect File and Directory Permissions Modification with this free Splunk Detection Rule

File and directory permissions are commonly managed by discretionary access control lists (DACLs) specified by the file or directory owner. File and directory DACL implementations may vary by platform, but generally they are explicitly designated so that users/groups can perform actions ie.read, write, execute, etc. Adversaries may modify file or directory permissions/attributes to evade intended…

Detect-Malicious-Control-Panel threat hunting

Detect Malicious Control Panel items with this free Splunk Detection Rule

Windows Control Panel items are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. Control Panel items can be executed directly from the command line, programmatically via an…

Threat HDetect CMSTP.exe with Malicious INF Files via Free Splunk Detection Rule

Detect CMSTP.exe with INF Files Infected with Malicious Commands with Free Splunk Detection Rule

The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. ID: T1191 Tactic: Defense Evasion, Execution Platform: Windows Permissions Required: User Data Sources: Process monitoring, Process command-line…