From 30a6a9fb218029e47ac0c898d4da617f88200c4f Mon Sep 17 00:00:00 2001 
From: Eric McGinnis
Date: Wed, 17 Dec 2025 11:46:11 -0800
Subject: [PATCH 1/3] Add some missing products. I assume all these detections want to be for all 3 splunk products.
---
 detections/application/cisco_asa___aaa_policy_tampering.yml | 2 +-
 .../application/cisco_asa___device_file_copy_activity.yml | 1 +
 .../cisco_asa___device_file_copy_to_remote_location.yml | 1 +
 detections/application/cisco_asa___logging_disabled_via_cli.yml | 1 +
 .../cisco_asa___logging_filters_configuration_tampering.yml | 1 +
 .../application/cisco_asa___logging_message_suppression.yml | 1 +
 .../application/cisco_asa___new_local_user_account_created.yml | 1 +
 detections/application/cisco_asa___packet_capture_activity.yml | 1 +
 .../application/cisco_asa___reconnaissance_command_activity.yml | 1 +
 .../cisco_asa___user_account_deleted_from_local_database.yml | 1 +
 .../cisco_asa___user_account_lockout_threshold_exceeded.yml | 1 +
 .../application/cisco_asa___user_privilege_level_change.yml | 1 +
 .../endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml | 1 +
 .../cisco_nvm___installation_of_typosquatted_python_package.yml | 1 +
 ...m___mshtml_or_mshta_network_execution_without_url_in_cli.yml | 1 +
 ...cisco_nvm___non_network_binary_making_network_connection.yml | 1 +
 .../cisco_nvm___outbound_connection_to_suspicious_port.yml | 1 +
 .../cisco_nvm___rclone_execution_with_network_activity.yml | 1 +
 ..._nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml | 1 +
 ...m___susp_script_from_archive_triggering_network_activity.yml | 1 +
 ...isco_nvm___suspicious_download_from_file_sharing_website.yml | 1 +
 ...isco_nvm___suspicious_file_download_via_headless_browser.yml | 1 +
 ..._suspicious_network_connection_from_process_with_no_args.yml | 1 +
 ..._nvm___suspicious_network_connection_initiated_via_msxsl.yml | 1 +
 ...__suspicious_network_connection_to_ip_lookup_service_api.yml | 1 +
 ...cisco_nvm___webserver_download_from_file_sharing_website.yml | 1 +
 .../cisco_secure_firewall___binary_file_type_download.yml | 1 +
 ...cure_firewall___citrix_netscaler_memory_overread_attempt.yml | 1 +
 ...cisco_secure_firewall___file_download_over_uncommon_port.yml | 1 +
 .../network/cisco_secure_firewall___malware_file_downloaded.yml | 1 +
 ...co_secure_firewall___react_server_components_rce_attempt.yml | 1 +
 31 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/detections/application/cisco_asa___aaa_policy_tampering.yml b/detections/application/cisco_asa___aaa_policy_tampering.yml
index 5dc07b9f4c..3e47efad5b 100644
--- a/detections/application/cisco_asa___aaa_policy_tampering.yml
+++ b/detections/application/cisco_asa___aaa_policy_tampering.yml
@@ -74,7 +74,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
- security_domain: network
+ - Splunk Cloud
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/application/cisco_asa___device_file_copy_activity.yml b/detections/application/cisco_asa___device_file_copy_activity.yml
index c4df139edc..833bca355d 100644
--- a/detections/application/cisco_asa___device_file_copy_activity.yml
+++ b/detections/application/cisco_asa___device_file_copy_activity.yml
@@ -78,6 +78,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/application/cisco_asa___device_file_copy_to_remote_location.yml b/detections/application/cisco_asa___device_file_copy_to_remote_location.yml
index 12d9dad7a4..eb0d6e88d5 100644
--- a/detections/application/cisco_asa___device_file_copy_to_remote_location.yml
+++ b/detections/application/cisco_asa___device_file_copy_to_remote_location.yml
@@ -103,6 +103,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: network
 tests:
 - name: True Positive Test
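Review bot: In the cisco_asa___aaa_policy_tampering.yml hunk, `- Splunk Cloud` replaces the `security_domain: network` line instead of being inserted above it, so at this commit the detection has no security_domain while the other 30 files keep theirs; the header `@@ -74,7 +74,7 @@` and the diffstat entry `2 +-` confirm a one-for-one swap rather than an addition. PATCH 2/3 in this series restores the key, so the end state is correct, but squashing that fix into this commit would keep every intermediate revision valid for any per-commit validation and make the hunk read like the others: `     - Splunk Enterprise Security` / `+    - Splunk Cloud` / `     security_domain: network`. The remaining hunks of this patch are consistent with each other.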
diff --git a/detections/application/cisco_asa___logging_disabled_via_cli.yml b/detections/application/cisco_asa___logging_disabled_via_cli.yml
index 3d8ce8a2eb..bced4aecb5 100644
--- a/detections/application/cisco_asa___logging_disabled_via_cli.yml
+++ b/detections/application/cisco_asa___logging_disabled_via_cli.yml
@@ -76,6 +76,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/application/cisco_asa___logging_filters_configuration_tampering.yml b/detections/application/cisco_asa___logging_filters_configuration_tampering.yml
index 959af04c10..a94319994b 100644
--- a/detections/application/cisco_asa___logging_filters_configuration_tampering.yml
+++ b/detections/application/cisco_asa___logging_filters_configuration_tampering.yml
@@ -87,6 +87,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/application/cisco_asa___logging_message_suppression.yml b/detections/application/cisco_asa___logging_message_suppression.yml
index e8789858f8..abdd9a7ec4 100644
--- a/detections/application/cisco_asa___logging_message_suppression.yml
+++ b/detections/application/cisco_asa___logging_message_suppression.yml
@@ -74,6 +74,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/application/cisco_asa___new_local_user_account_created.yml b/detections/application/cisco_asa___new_local_user_account_created.yml
index c4d203eafa..fc9863515a 100644
--- a/detections/application/cisco_asa___new_local_user_account_created.yml
+++ b/detections/application/cisco_asa___new_local_user_account_created.yml
@@ -66,6 +66,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/application/cisco_asa___packet_capture_activity.yml b/detections/application/cisco_asa___packet_capture_activity.yml
index 06608e8a62..ec15e73fc4 100644
--- a/detections/application/cisco_asa___packet_capture_activity.yml
+++ b/detections/application/cisco_asa___packet_capture_activity.yml
@@ -74,6 +74,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/application/cisco_asa___reconnaissance_command_activity.yml b/detections/application/cisco_asa___reconnaissance_command_activity.yml
index bc70f87281..36c5da7053 100644
--- a/detections/application/cisco_asa___reconnaissance_command_activity.yml
+++ b/detections/application/cisco_asa___reconnaissance_command_activity.yml
@@ -130,6 +130,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/application/cisco_asa___user_account_deleted_from_local_database.yml b/detections/application/cisco_asa___user_account_deleted_from_local_database.yml
index 98fc7b8611..66f78aee3d 100644
--- a/detections/application/cisco_asa___user_account_deleted_from_local_database.yml
+++ b/detections/application/cisco_asa___user_account_deleted_from_local_database.yml
@@ -66,6 +66,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml b/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml
index e709b74354..e2580ab23f 100644
--- a/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml
+++ b/detections/application/cisco_asa___user_account_lockout_threshold_exceeded.yml
@@ -66,6 +66,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/application/cisco_asa___user_privilege_level_change.yml b/detections/application/cisco_asa___user_privilege_level_change.yml
index 27ebe5a70f..87f9c397ce 100644
--- a/detections/application/cisco_asa___user_privilege_level_change.yml
+++ b/detections/application/cisco_asa___user_privilege_level_change.yml
@@ -67,6 +67,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: network
 tests:
 - name: True Positive Test
diff --git a/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml b/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml
index edacc0da30..4ddb2d2918 100644
--- a/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml
+++ b/detections/endpoint/cisco_nvm___curl_execution_with_insecure_flags.yml
@@ -92,6 +92,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
 - name: True Positive Test - Cisco NVM
diff --git a/detections/endpoint/cisco_nvm___installation_of_typosquatted_python_package.yml b/detections/endpoint/cisco_nvm___installation_of_typosquatted_python_package.yml
index f478e4faaa..a4cb49b4f1 100644
--- a/detections/endpoint/cisco_nvm___installation_of_typosquatted_python_package.yml
+++ b/detections/endpoint/cisco_nvm___installation_of_typosquatted_python_package.yml
@@ -89,6 +89,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
 - name: True Positive Test - Cisco NVM
diff --git a/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml b/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml
index ca6e533e72..d920498dec 100644
--- a/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml
+++ b/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml
@@ -95,6 +95,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
 - name: True Positive Test - Cisco NVM
diff --git a/detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml b/detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml
index ff85219298..9405a8663a 100644
--- a/detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml
+++ b/detections/endpoint/cisco_nvm___non_network_binary_making_network_connection.yml
@@ -91,6 +91,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
 - name: True Positive Test - Cisco NVM
diff --git a/detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml b/detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml
index 86e61a3607..021b86e6c9 100644
--- a/detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml
+++ b/detections/endpoint/cisco_nvm___outbound_connection_to_suspicious_port.yml
@@ -88,6 +88,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
 - name: True Positive Test - Cisco NVM
diff --git a/detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml b/detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml
index babc267a82..0f35866595 100644
--- a/detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml
+++ b/detections/endpoint/cisco_nvm___rclone_execution_with_network_activity.yml
@@ -99,6 +99,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
 - name: True Positive Test - Cisco NVM
diff --git a/detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml b/detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml
index 0d9401e795..20e91b5094 100644
--- a/detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml
+++ b/detections/endpoint/cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download.yml
@@ -86,6 +86,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
 - name: True Positive Test - Cisco NVM
diff --git a/detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml b/detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml
index 280763f4c4..45fe1dff49 100644
--- a/detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml
+++ b/detections/endpoint/cisco_nvm___susp_script_from_archive_triggering_network_activity.yml
@@ -87,6 +87,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
 - name: True Positive Test - Cisco NVM
diff --git a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml
index fd1a19227c..130f343ec3 100644
--- a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml
@@ -105,6 +105,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
 - name: True Positive Test - Cisco NVM
diff --git a/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml b/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml
index 87caf2a5a9..7c725ef175 100644
--- a/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml
@@ -125,6 +125,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
 - name: True Positive Test - Cisco NVM
diff --git a/detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml b/detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml
index d0ce493ffb..c0893c79ac 100644
--- a/detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_network_connection_from_process_with_no_args.yml
@@ -95,6 +95,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
 - name: True Positive Test - Cisco NVM
diff --git a/detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml b/detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml
index 5165ef79e4..4e9623fe9e 100644
--- a/detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_network_connection_initiated_via_msxsl.yml
@@ -88,6 +88,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
 - name: True Positive Test - Cisco NVM
diff --git a/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml b/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml
index d73175d5a9..6d37c3a68d 100644
--- a/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml
@@ -101,6 +101,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
 - name: True Positive Test - Cisco NVM
diff --git a/detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml b/detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml
index b2ff76c975..efb48720e4 100644
--- a/detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml
+++ b/detections/endpoint/cisco_nvm___webserver_download_from_file_sharing_website.yml
@@ -95,6 +95,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
 - name: True Positive Test - Cisco NVM
diff --git a/detections/network/cisco_secure_firewall___binary_file_type_download.yml b/detections/network/cisco_secure_firewall___binary_file_type_download.yml
index 7ae6a6b587..8a9a6eb332 100644
--- a/detections/network/cisco_secure_firewall___binary_file_type_download.yml
+++ b/detections/network/cisco_secure_firewall___binary_file_type_download.yml
@@ -72,6 +72,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/network/cisco_secure_firewall___citrix_netscaler_memory_overread_attempt.yml b/detections/network/cisco_secure_firewall___citrix_netscaler_memory_overread_attempt.yml
index c45d80ec15..f2ce12f560 100644
--- a/detections/network/cisco_secure_firewall___citrix_netscaler_memory_overread_attempt.yml
+++ b/detections/network/cisco_secure_firewall___citrix_netscaler_memory_overread_attempt.yml
@@ -82,6 +82,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml b/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml
index 8d7806b14c..52a6ec39ee 100644
--- a/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml
+++ b/detections/network/cisco_secure_firewall___file_download_over_uncommon_port.yml
@@ -69,6 +69,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/network/cisco_secure_firewall___malware_file_downloaded.yml b/detections/network/cisco_secure_firewall___malware_file_downloaded.yml
index b9cda1571e..444a4b2dda 100644
--- a/detections/network/cisco_secure_firewall___malware_file_downloaded.yml
+++ b/detections/network/cisco_secure_firewall___malware_file_downloaded.yml
@@ -67,6 +67,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
 - name: True Positive Test
diff --git a/detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml b/detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml
index cb3c1c7c5c..c9504ef0dc 100644
--- a/detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml
+++ b/detections/network/cisco_secure_firewall___react_server_components_rce_attempt.yml
@@ -78,6 +78,7 @@ tags:
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
+ - Splunk Cloud
 security_domain: endpoint
 tests:
 - name: True Positive Test
From 9fe76df136a8e511c16d44e5cd82243ab5c0d81f Mon Sep 17 00:00:00 2001
From: Eric McGinnis
Date: Wed, 17 Dec 2025 11:48:57 -0800
Subject: [PATCH 2/3] accidentally removed security_domain from detection. removed filter macro that was part of baseline, but should not be
---
 baselines/baseline_of_open_s3_bucket_decommissioning.yml | 4 ++--
 detections/application/cisco_asa___aaa_policy_tampering.yml | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/baselines/baseline_of_open_s3_bucket_decommissioning.yml b/baselines/baseline_of_open_s3_bucket_decommissioning.yml
index 4f3ca4f8df..f775257b63 100644
--- a/baselines/baseline_of_open_s3_bucket_decommissioning.yml
+++ b/baselines/baseline_of_open_s3_bucket_decommissioning.yml
@@ -37,7 +37,7 @@ search: '`cloudtrail` eventSource="s3.amazonaws.com" (eventName=DeleteBucket OR
 | eval policy_details = if(isPublicPolicy==1, "Policy: Principal=" . mvjoin(principals, ", ") . " Effect=" . mvjoin(effects, ", ") . " Action=" . mvjoin(actions, ", "), "No Public Policy")
 | eval website_details = if(isWebsite==1, "Static Website Enabled", "No Website Hosting")
 | table bucketName, hosts, firstEvent, lastEvent, events, policy_details, website_details, accountIds, userARNs, awsRegions
-| outputlookup append=true decommissioned_buckets | `baseline_of_open_s3_bucket_decommissioning_filter`'
+| outputlookup append=true decommissioned_buckets'
 how_to_implement: To implement this baseline, you need to have AWS CloudTrail logs being ingested into Splunk with the AWS Add-on properly configured. The search looks for S3 bucket events related to bucket policies, website hosting configuration, and bucket deletion. The results are stored in a lookup KVStore named decommissioned_buckets which tracks the history of deleted buckets that were previously exposed to the public.
 known_false_positives: Some buckets may be intentionally made public for legitimate business purposes before being decommissioned. Review the policy_details and website_details fields to understand the nature of the public access that was configured.
 references:
@@ -61,4 +61,4 @@ deployment:
 cron_schedule: 0 2 * * 0
 earliest_time: -30d@d
 latest_time: -1d@d
- schedule_window: auto
\ No newline at end of file
+ schedule_window: auto
diff --git a/detections/application/cisco_asa___aaa_policy_tampering.yml b/detections/application/cisco_asa___aaa_policy_tampering.yml
index 3e47efad5b..c669895672 100644
--- a/detections/application/cisco_asa___aaa_policy_tampering.yml
+++ b/detections/application/cisco_asa___aaa_policy_tampering.yml
@@ -75,6 +75,7 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
+ security_domain: network
 tests:
 - name: True Positive Test
 attack_data:
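Review bot: The first baseline hunk drops `| `baseline_of_open_s3_bucket_decommissioning_filter`` from the end of the search, but the diffstat lists only two files, so if that macro is defined elsewhere in the repository it is now unreferenced and should be removed in the same change, or the commit message should say why it is kept. If the filter macro was the place where deployments tuned exclusions for this baseline, those exclusions stop applying silently with this commit; a sentence in the commit message stating that the baseline is no longer filterable would help reviewers and release notes. The `how_to_implement` text in the same hunk still describes the search accurately, since it never mentioned the macro.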
From 0f1862c4eb43777c3a31d125b68743e4d30ba39c Mon Sep 17 00:00:00 2001
From: Eric McGinnis
Date: Mon, 22 Dec 2025 13:21:40 -0800
Subject: [PATCH 3/3] add deprecation info to one detection
---
 detections/deprecated/cobalt_strike_named_pipes.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/detections/deprecated/cobalt_strike_named_pipes.yml b/detections/deprecated/cobalt_strike_named_pipes.yml
index 4d70e5ef5d..076645944b 100644
--- a/detections/deprecated/cobalt_strike_named_pipes.yml
+++ b/detections/deprecated/cobalt_strike_named_pipes.yml
@@ -4,6 +4,14 @@ version: 13
 date: '2025-12-04'
 author: Michael Haag, Splunk
 status: deprecated
+deprecation_info:
+ content_type: Search
+ full_stanza_name: ESCU - Cobalt Strike Named Pipes - Rule
+ reason: Detection is now part of a larger collection of suspicious named pipes
+ removed_in_version: 5.22.0
+ replacement_content: []
+ # TODO - commented out for now. This will be updated after a parsing improvement.
+ #- Windows Suspicious C2 Named Pipe
 type: TTP
 description: The following analytic detects the use of default or publicly known named pipes associated with Cobalt Strike. It leverages Sysmon EventID 17 and 18 to identify