mitre-attack / car

Cyber Analytics Repository
Apache License 2.0

Adding coverage from Splunk Security Content #117

Closed josehelps closed 3 years ago

josehelps commented 3 years ago

@ikiril01 from our earlier conversation, attached is a PR with the following detections from [Splunk Security Content]():

to CAR analytics yml format, I did this via a script called splunk_security_content_to_car.py I added under scripts/

I am sure I made mistakes along the way please let me know what modifications the generated output might need. Thank you again for your help!

ikiril01 commented 3 years ago

@d1vious awesome, much appreciated! We'll review and let you know if any changes need to be made.

ikiril01 commented 3 years ago

@d1vious this looks awesome. A few things I noticed:

* `id` is hard-coded to a value of `analytics`, when it should be the ID of the CAR analytic (e.g., `CAR-2021-05-001`).

* There's probably a bit of clean-up we can do to make the SPL queries more generic, since they still contain things like `bits_job_persistence_filter`. Let us know if there's anything we can do to help in this regard.

josehelps commented 3 years ago

Ah, I can clean up the SPL a bit automatically so it removes the macros; thank you for reminding me. Also let me fix up that id issue; sounds like a fat finger on my end. If you see anything else wrong let me know, happy to clean things up further.

ikiril01 commented 3 years ago

Sounds great! Yeah I think if we can clean up the macros, it would make the SPL much more generalizable.

josehelps commented 3 years ago

@ikiril01 just updated the PR, removed all the unnecessary macros, and updated the code base to do this as well. Also found a bug with how I was calculating the ID, which I fixed. Let me know if you find any other inconsistencies. Cheers 😄
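To make the two review points concrete (stripping Splunk macros from the SPL and allocating a proper `CAR-YYYY-MM-NNN` id instead of a hard-coded value), here is an added, self-contained Python sketch of that conversion step. It is not the repository's `splunk_security_content_to_car.py`; the detection record, its field names and the CAR output fields are assumptions to be checked against the real CAR schema.

```python
import re

# Splunk macros are backtick-delimited, e.g. `sysmon` or `bits_job_persistence_filter`.
MACRO_RE = re.compile(r"`[^`]+`")
# CAR analytic ids look like CAR-2021-05-001 (year, month, 3-digit sequence).
ID_RE = re.compile(r"^CAR-(\d{4})-(\d{2})-(\d{3})$")

# Constructed sample, modelled loosely on a Splunk Security Content detection (field names assumed).
SAMPLE_DETECTION = {
    "name": "BITS Job Persistence",
    "description": "Detects bitsadmin.exe being used to create or resume a transfer job.",
    "search": "`sysmon` EventCode=1 process_name=bitsadmin.exe "
              "| stats count by host | `bits_job_persistence_filter`",
    "mitre_attack_id": ["T1197"],
}


def strip_macros(spl: str) -> str:
    """Remove backtick macros and any pipeline stage they leave empty.
    Limitation: splits on every '|', so a literal pipe inside a quoted string is not preserved."""
    stages = [s.strip() for s in MACRO_RE.sub(" ", spl).split("|")]
    return " | ".join(re.sub(r"\s+", " ", s) for s in stages if s)


def next_car_id(existing_ids, submission_date: str) -> str:
    """Allocate the next free id for the month of submission_date ('YYYY-MM-DD'),
    given the ids already present in the repository."""
    year_month = submission_date[:7]
    used = [int(m.group(3)) for i in existing_ids
            if (m := ID_RE.match(i)) and f"{m.group(1)}-{m.group(2)}" == year_month]
    return f"CAR-{year_month}-{max(used, default=0) + 1:03d}"


def to_car_analytic(detection: dict, existing_ids, submission_date: str) -> dict:
    """Build a CAR-style analytic record (subset of fields, assumed) from a detection."""
    return {
        "title": detection["name"],
        "id": next_car_id(existing_ids, submission_date),
        "submission_date": submission_date,
        "description": detection.get("description", ""),
        "coverage": [{"technique": t} for t in detection.get("mitre_attack_id", [])],
        "implementations": [{
            "name": "Splunk search",
            "type": "Splunk",
            "code": strip_macros(detection["search"]),
        }],
    }


def convert_sample() -> dict:
    # Pretend two analytics already exist for May 2021, so the next id must be -003.
    return to_car_analytic(SAMPLE_DETECTION, ["CAR-2021-05-001", "CAR-2021-05-002"], "2021-05-20")
```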

pcmcpherson commented 3 years ago

Ok @d1vious, this looks pretty good. I'm merging this in; I will add in the CAR data-model pseudocode implementations afterwards. In some cases I will add descriptions as well, where they are missing. Thanks!

josehelps commented 3 years ago

Thank you so much for merging @pcmcpherson! Quick question: to get https://car.mitre.org/coverage/ updated with a column for Splunk, would I have to create another PR for https://github.com/mitre-attack/car/blob/master/docs/coverage/index.md ?