splunk · nasbench · Mar 18, 2026 · Mar 18, 2026 · Mar 18, 2026 · Mar 18, 2026
@@ -1,30 +1,38 @@
 name: Detect Computer Changed with Anonymous Account
 id: 1400624a-d42d-484d-8843-e6753e6e3645
-version: 9
-date: '2026-02-25'
+version: 10
+date: '2026-03-18'
 author: Rod Soto, Jose Hernandez, Splunk
-status: experimental
+status: production
 type: Hunting
-description: The following analytic detects changes to computer accounts using an anonymous logon. It leverages Windows Security Event Codes 4742 (Computer Change) and 4624 (Successful Logon) with the TargetUserName set to "ANONYMOUS LOGON" and LogonType 3. This activity is significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration. If confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network.
+description: |
+    The following analytic detects changes to computer accounts using an anonymous logon.
+    It leverages Windows Security Event Codes 4742 (Computer Change) with a SubjectUserName of a value "ANONYMOUS LOGON".
+    This activity can be significant because anonymous logons should not typically be modifying computer accounts, indicating potential unauthorized access or misconfiguration.
+    If confirmed malicious, this could allow an attacker to alter computer accounts, potentially leading to privilege escalation or persistent access within the network.
 data_source:
-    - Windows Event Log Security 4624
     - Windows Event Log Security 4742
 search: |-
-    `wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName="ANONYMOUS LOGON" LogonType=3
-      | stats count min(_time) as firstTime max(_time) as lastTime
-        BY action app authentication_method
-           dest dvc process
-           process_id process_name process_path
-           signature signature_id src
-           src_port status subject
-           user user_group vendor_product
-      | `security_content_ctime(firstTime)`
-      | `security_content_ctime(lastTime)`
-      | `detect_computer_changed_with_anonymous_account_filter`
-how_to_implement: This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
-known_false_positives: No false positives have been identified at this time.
+    `wineventlog_security`
+    EventCode=4742
+    SubjectUserName="ANONYMOUS LOGON"
+    PasswordLastSet="*"
+    | stats count min(_time) as firstTime max(_time) as lastTime
+        BY action app dest ProcessID PasswordLastSet
+           signature signature_id src_user status
+           SubjectDomainName user user_group vendor_product
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `detect_computer_changed_with_anonymous_account_filter`
+how_to_implement: |
+    This search requires "Audit Computer Account Management" sub-category in the audit policy to be enabled on the system in order to generate Event ID 4742, as well as "Audit Logon" to generate Event ID 4624.
+    We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs.
+    Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.
+known_false_positives: Some legitimate, legacy devices may utilize this functionality and generate false positives. Apply additional tuning as needed.
 references:
     - https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/
+    - https://netwrix.com/en/cybersecurity-glossary/cyber-security-attacks/zerologon-vulnerability/
+    - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Credential%20Access/Zerologon_VoidSec_CVE-2020-1472_4626_LT3_Anonym_follwedby_4742_DC_Anony_DC.evtx
 tags:
     analytic_story:
         - Detect Zerologon Attack
@@ -38,3 +46,9 @@ tags:
         - Splunk Enterprise Security
         - Splunk Cloud
     security_domain: endpoint
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1212/zerologon/zerologon.log
+          source: XmlWinEventLog:Security
+          sourcetype: XmlWinEventLog
@@ -1,56 +1,65 @@
 name: Outbound Network Connection from Java Using Default Ports
 id: d2c14d28-5c47-11ec-9892-acde48001122
-version: 10
-date: '2026-03-10'
+version: 11
+date: '2026-03-18'
 author: Mauricio Velazco, Lou Stella, Splunk
 status: production
 type: TTP
-description: "The following analytic detects outbound network connections from Java processes to default ports used by LDAP and RMI protocols, which may indicate exploitation of the CVE-2021-44228-Log4j vulnerability. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network traffic logs. Monitoring this activity is crucial as it can signify an attacker’s attempt to perform JNDI lookups and retrieve malicious payloads. If confirmed malicious, this activity could lead to remote code execution and further compromise of the affected server."
+description: |
+    The following analytic detects outbound network connections from Java processes to default ports used by LDAP and RMI protocols, which may indicate exploitation of the CVE-2021-44228-Log4j vulnerability.
+    This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and network traffic logs.
+    Monitoring this activity is crucial as it can signify an attacker's attempt to perform JNDI lookups and retrieve malicious payloads.
+    If confirmed malicious, this activity could lead to remote code execution and further compromise of the affected server.
 data_source:
     - Sysmon EventID 1 AND Sysmon EventID 3
 search: |-
-    | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
-      WHERE (
-            Processes.process_name="java.exe"
-            OR
-            Processes.process_name=javaw.exe
-            OR
-            Processes.process_name=javaw.exe
-        )
-      BY Processes.action Processes.dest Processes.original_file_name
-         Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
-         Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
-         Processes.process Processes.process_exec Processes.process_guid
-         Processes.process_hash Processes.process_id Processes.process_integrity_level
-         Processes.process_name Processes.process_path Processes.user
-         Processes.user_id Processes.vendor_product
+    | tstats `security_content_summariesonly` count
+    FROM datamodel=Endpoint.Processes WHERE
+
+    Processes.process_name IN (
+        "java.exe",
+        "javaw.exe"
+    )
+    BY Processes.action Processes.dest Processes.original_file_name
+       Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
+       Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
+       Processes.process Processes.process_exec Processes.process_guid
+       Processes.process_hash Processes.process_id Processes.process_integrity_level
+       Processes.process_name Processes.process_path Processes.user
+       Processes.user_id Processes.vendor_product
+
     | `drop_dm_object_name(Processes)`
     | `security_content_ctime(firstTime)`
     | `security_content_ctime(lastTime)`
-    | join process_id [
-    | tstats `security_content_summariesonly` count FROM datamodel=Network_Traffic.All_Traffic
-      WHERE (
-            All_Traffic.dest_port= 389
-            OR
-            All_Traffic.dest_port= 636
-            OR
-            All_Traffic.dest_port = 1389
-            OR
-            All_Traffic.dest_port = 1099
+    | join process_id
+    [
+        | tstats `security_content_summariesonly` count
+        FROM datamodel=Network_Traffic.All_Traffic WHERE
+        All_Traffic.dest_port IN (
+                    389,
+                    636,
+                    1099,
+                    1389
         )
-      BY All_Traffic.action All_Traffic.app All_Traffic.bytes
-         All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.dest
-         All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc
-         All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src
-         All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport
-         All_Traffic.user All_Traffic.vendor_product All_Traffic.direction
-         All_Traffic.process_id
-    | `drop_dm_object_name(All_Traffic)`
-    | rename dest as connection_to_CNC]
-    | table _time dest parent_process_name process_name process_path process dest_port
+        BY All_Traffic.action All_Traffic.app All_Traffic.bytes
+            All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.dest
+            All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc
+            All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src
+            All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport
+            All_Traffic.user All_Traffic.vendor_product All_Traffic.direction
+            All_Traffic.process_id
+        | `drop_dm_object_name(All_Traffic)`
+        | rename dest as connection_to_CNC
+    ]
+    | table _time dest
+            parent_process_path parent_process_name parent_process
+            process_path process_name process process_hash
+            connection_to_CNC dest_port user
     | `outbound_network_connection_from_java_using_default_ports_filter`
-how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-known_false_positives: Legitimate Java applications may use perform outbound connections to these ports. Filter as needed
+how_to_implement: |
+    The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: |
+    Legitimate Java applications may use perform outbound connections to these ports. Filter as needed
 references:
     - https://www.lunasec.io/docs/blog/log4j-zero-day/
     - https://www.govcert.admin.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/

@@ -1,18 +1,64 @@
 name: Possible Lateral Movement PowerShell Spawn
 id: cb909b3e-512b-11ec-aa31-3e22fbd008af
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-18'
 author: Mauricio Velazco, Michael Haag, Splunk
 status: production
 type: TTP
-description: The following analytic detects the spawning of a PowerShell process as a child or grandchild of commonly abused processes like services.exe, wmiprvse.exe, svchost.exe, wsmprovhost.exe, and mmc.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names, as well as command-line executions. This activity is significant as it often indicates lateral movement or remote code execution attempts by adversaries. If confirmed malicious, this behavior could allow attackers to execute code remotely, escalate privileges, or persist within the environment.
+description: |
+    The following analytic detects the spawning of a PowerShell process as a child or grandchild of commonly abused processes like services.exe, wmiprvse.exe, svchost.exe, wsmprovhost.exe, and mmc.exe.
+    It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process names, as well as command-line executions.
+    This activity is significant as it could indicates lateral movement or remote code execution attempts by adversaries.
+    If confirmed malicious, this behavior could allow attackers to execute code remotely, escalate privileges, or persist within the environment.
 data_source:
     - Sysmon EventID 1
     - Windows Event Log Security 4688
     - CrowdStrike ProcessRollup2
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=wmiprvse.exe OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe) (Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*) OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) NOT (Processes.process IN ("*c:\\windows\\ccm\\*")) by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_lateral_movement_powershell_spawn_filter`'
-how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
-known_false_positives: Legitimate applications may spawn PowerShell as a child process of the the identified processes. Filter as needed.
+search: |-
+    | tstats `security_content_summariesonly`
+    count min(_time) as firstTime
+          max(_time) as lastTime
+    from datamodel=Endpoint.Processes where
+
+    Processes.parent_process_name IN (
+        "mmc.exe",
+        "services.exe",
+        "svchost.exe",
+        "wmiprvse.exe",
+        "wsmprovhost.exe"
+    )
+    AND
+    (
+        Processes.process_name IN ("powershell.exe", "pwsh.exe")
+        OR
+        (
+            Processes.process_name=cmd.exe
+            Processes.process IN (
+                "*powershell*",
+                "*pwsh*"
+            )
+        )
+    )
+    NOT Processes.process IN ("*:\\Windows\\CCM\\*")
+
+    by Processes.action Processes.dest Processes.original_file_name
+       Processes.parent_process Processes.parent_process_exec
+       Processes.parent_process_guid Processes.parent_process_id
+       Processes.parent_process_name Processes.parent_process_path
+       Processes.process Processes.process_exec Processes.process_guid
+       Processes.process_hash Processes.process_id Processes.process_integrity_level
+       Processes.process_name Processes.process_path Processes.user
+       Processes.user_id Processes.vendor_product
+
+    | `drop_dm_object_name(Processes)`
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `possible_lateral_movement_powershell_spawn_filter`
+how_to_implement: |
+    The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
+known_false_positives: |
+    Legitimate applications may spawn PowerShell as a child process of the the identified processes.
+    Filter as needed.
 references:
     - https://attack.mitre.org/techniques/T1021/003/
     - https://attack.mitre.org/techniques/T1021/006/
@@ -34,7 +80,13 @@ rba:
         - field: dest
           type: system
           score: 50
-    threat_objects: []
+    threat_objects:
+        - field: parent_process_name
+          type: parent_process_name
+        - field: process_name
+          type: process_name
+        - field: process
+          type: process
 tags:
     analytic_story:
         - Active Directory Lateral Movement