From 136c5a0981ca9a708149f761fa9c15490a241b4a Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 6 Nov 2025 13:48:58 -0800 Subject: [PATCH 1/2] testing --- .../endpoint/windows_svchost_exe_parent_process_anomaly.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml b/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml index 4dd0285a47..f3417c13fe 100644 --- a/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml +++ b/detections/endpoint/windows_svchost_exe_parent_process_anomaly.yml @@ -5,7 +5,7 @@ date: '2025-05-02' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: The following analytic detects an anomaly where an svchost.exe process is spawned by a parent process other than the standard services.exe. In a typical Windows environment, svchost.exe is a system process that hosts Windows service DLLs, and is expected to be a child of services.exe. A process deviation from this hierarchy may indicate suspicious behavior, such as malicious code attempting to masquerade as a legitimate system process or evade detection. It is essential to investigate the parent process and associated behavior for further signs of compromise or unauthorized activity. +description: The following analytic detects an anomaly where an svchost.exe process is spawned by a parent process other than the standard services.exe. In a typical Windows environment, svchost.exe is a system process that hosts Windows service DLLs, and is expected to be a child of services.exe. A process deviation from this hierarchy may indicate suspicious behavior, such as malicious code attempting to masquerade as a legitimate system process or evade detection. It is essential to investigate the parent process and associated behavior for further signs of compromise or unauthorized activity. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 
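Review bot: the removed and added `description:` lines in this hunk read identically, so the only difference is something not visible in the text (trailing whitespace or a line-ending change); a whitespace-only edit to a production detection's description should either be dropped from the series or, if it is intentional, called out in the commit message, and "testing" as a subject does not explain why a production analytic is being touched. Note also that the hunk changes no `search`, `data_source` or `date` field, so the detection's behaviour is unchanged and nothing here needs re-testing beyond YAML validity.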
From 9663e97c7352c3125466935b0da26d5994cd1fd7 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 6 Nov 2025 15:21:37 -0800 Subject: [PATCH 2/2] updating app to 9.1.0 --- contentctl.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/contentctl.yml b/contentctl.yml index 78902fbffb..00689f7b0f 100644 --- a/contentctl.yml +++ b/contentctl.yml @@ -65,9 +65,9 @@ apps: - uid: 742 title: Splunk Add-on for Microsoft Windows appid: SPLUNK_ADD_ON_FOR_MICROSOFT_WINDOWS - version: 9.0.1 + version: 9.1.0 description: description of app - hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Splunk_TA_windows-9.0.1.spl + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-microsoft-windows_910.tgz - uid: 5709 title: Splunk Add-on for Sysmon appid: Splunk_TA_microsoft_sysmon
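Review bot: the `hardcoded_path` change switches both the artifact naming scheme and the file extension, from `Splunk_TA_windows-9.0.1.spl` to `splunk-add-on-for-microsoft-windows_910.tgz`, while `version:` is written as `9.1.0`; please confirm the object actually exists at that S3 key, that the tooling consuming `contentctl.yml` accepts a `.tgz` where the previous entry was a `.spl`, and that the `910` in the filename really corresponds to 9.1.0 rather than a different build. Since the app is fetched from a hardcoded URL with no integrity value in this entry, recording the expected hash of the new archive (in the entry if the schema allows it, otherwise in the PR description) would let reviewers verify what was pinned. The `description: description of app` placeholder in the same block is also still unfilled and could be corrected in this commit.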