Splunk Security Content Analytic Story
This page lists all the Analytic Stories shipped to the different Splunk products. Below is a breakdown by category.
Abuse
Brand monitoring
Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into interacting with malicious infrastructure. Monitor DNS, email, and web traffic for permutations of your brand name.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Email, Web
- Last Updated: 2017-12-19
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type
---|---|---|---|---
Monitor Email For Brand Abuse | | | | TTP
Monitor Web Traffic For Brand Abuse | | | | TTP
Kill Chain Phase
- Delivery
Reference
version: 1
DNS amplification attacks
DNS poses a serious threat as a Denial of Service (DoS) amplifier if it responds to `ANY` queries. This Analytic Story can help you detect attackers who may be abusing your company's DNS infrastructure to launch amplification attacks, causing denial of service to other victims.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Network_Resolution
- Last Updated: 2016-09-13
- Use Case: Security Monitoring
Detection Profile
name | ID | Technique | Tactic | Type
---|---|---|---|---
Large Volume of DNS ANY Queries | | Reflection Amplification | Impact | Anomaly
Kill Chain Phase
- Actions on Objectives
Reference
version: 1
Data protection
Fortify your data-protection arsenal, while continuing to ensure data confidentiality and integrity, with searches that monitor for and help you investigate possible signs of data exfiltration.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Network_Resolution
- Last Updated: 2017-09-14
- Use Case: Security Monitoring
Detection Profile
name | ID | Technique | Tactic | Type
---|---|---|---|---
Detect hosts connecting to dynamic domain providers | | Drive-by Compromise | Initial Access | TTP
Kill Chain Phase
- Actions on Objectives
- Command and Control
Reference
version: 1
Netsh abuse
Detect activities and various techniques associated with the abuse of `netsh.exe`, which can disable local firewall settings or set up a remote connection to a host from an infected system.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2017-01-05
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type
---|---|---|---|---
Processes launching netsh | | Disable or Modify System Firewall | Defense Evasion | TTP
Kill Chain Phase
- Actions on Objectives
Reference
version: 1
Adversary Tactics
Active Directory discovery
Monitor for activities and techniques associated with Discovery and Reconnaissance within Active Directory environments.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2021-08-20
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type
---|---|---|---|---
AdsiSearcher Account Discovery | T1087.002, T1482, T1018, T1069.002, T1201, T1069.001, T1033, T1087.001, T1049 | Domain Account, Domain Trust Discovery, Remote System Discovery, Domain Groups, Password Policy Discovery, Local Groups, System Owner/User Discovery, Local Account, System Network Connections Discovery | Discovery, Discovery, Discovery, Discovery, Discovery, Discovery, Discovery, Discovery, Discovery | TTP
DSQuery Domain Discovery | | Domain Trust Discovery, Remote System Discovery | Discovery, Discovery | TTP
Domain Account Discovery With Net App | | Domain Account | Discovery | TTP
Domain Account Discovery with Dsquery | | Domain Account | Discovery | Hunting
Domain Account Discovery with Wmic | | Domain Account | Discovery | TTP
Domain Controller Discovery with Nltest | | Remote System Discovery | Discovery | TTP
Domain Controller Discovery with Wmic | | Remote System Discovery | Discovery | Hunting
Domain Group Discovery With Dsquery | | Domain Groups | Discovery | Hunting
Domain Group Discovery With Net | | Domain Groups | Discovery | Hunting
Domain Group Discovery With Wmic | | Domain Groups | Discovery | Hunting
Domain Group Discovery with Adsisearcher | | Domain Groups | Discovery | TTP
Elevated Group Discovery With Net | | Domain Groups | Discovery | TTP
Elevated Group Discovery With Wmic | | Domain Groups | Discovery | TTP
Elevated Group Discovery with PowerView | | Domain Groups | Discovery | Hunting
Get ADDefaultDomainPasswordPolicy with Powershell | | Password Policy Discovery | Discovery | Hunting
Get ADDefaultDomainPasswordPolicy with Powershell Script Block | | Password Policy Discovery | Discovery | Hunting
Get ADUser with PowerShell | | Domain Account | Discovery | Hunting
Get ADUser with PowerShell Script Block | | Domain Account | Discovery | Hunting
Get ADUserResultantPasswordPolicy with Powershell | | Password Policy Discovery | Discovery | TTP
Get ADUserResultantPasswordPolicy with Powershell Script Block | | Password Policy Discovery | Discovery | TTP
Get DomainPolicy with Powershell | | Password Policy Discovery | Discovery | TTP
Get DomainPolicy with Powershell Script Block | | Password Policy Discovery | Discovery | TTP
Get DomainUser with PowerShell | | Domain Account | Discovery | TTP
Get DomainUser with PowerShell Script Block | | Domain Account | Discovery | TTP
Get WMIObject Group Discovery | | Local Groups | Discovery | Hunting
Get WMIObject Group Discovery with Script Block Logging | | Local Groups | Discovery | Hunting
Get-DomainTrust with PowerShell | | Domain Trust Discovery | Discovery | TTP
Get-DomainTrust with PowerShell Script Block | | Domain Trust Discovery | Discovery | TTP
Get-ForestTrust with PowerShell | | Domain Trust Discovery | Discovery | TTP
Get-ForestTrust with PowerShell Script Block | | Domain Trust Discovery | Discovery | TTP
GetAdComputer with PowerShell | | Remote System Discovery | Discovery | Hunting
GetAdComputer with PowerShell Script Block | | Remote System Discovery | Discovery | Hunting
GetAdGroup with PowerShell | | Domain Groups | Discovery | Hunting
GetAdGroup with PowerShell Script Block | | Domain Groups | Discovery | Hunting
GetCurrent User with PowerShell | | System Owner/User Discovery | Discovery | Hunting
GetCurrent User with PowerShell Script Block | | System Owner/User Discovery | Discovery | Hunting
GetDomainComputer with PowerShell | | Remote System Discovery | Discovery | TTP
GetDomainComputer with PowerShell Script Block | | Remote System Discovery | Discovery | TTP
GetDomainController with PowerShell | | Remote System Discovery | Discovery | Hunting
GetDomainController with PowerShell Script Block | | Remote System Discovery | Discovery | TTP
GetDomainGroup with PowerShell | | Domain Groups | Discovery | TTP
GetDomainGroup with PowerShell Script Block | | Domain Groups | Discovery | TTP
GetLocalUser with PowerShell | | Local Account | Discovery | Hunting
GetLocalUser with PowerShell Script Block | | Local Account | Discovery | Hunting
GetNetTcpconnection with PowerShell | | System Network Connections Discovery | Discovery | Hunting
GetNetTcpconnection with PowerShell Script Block | | System Network Connections Discovery | Discovery | Hunting
GetWmiObject DS User with PowerShell | | Domain Account | Discovery | TTP
GetWmiObject DS User with PowerShell Script Block | | Domain Account | Discovery | TTP
GetWmiObject Ds Computer with PowerShell | | Remote System Discovery | Discovery | TTP
GetWmiObject Ds Computer with PowerShell Script Block | | Remote System Discovery | Discovery | TTP
GetWmiObject Ds Group with PowerShell | | Domain Groups | Discovery | TTP
GetWmiObject Ds Group with PowerShell Script Block | | Domain Groups | Discovery | TTP
GetWmiObject User Account with PowerShell | | Local Account | Discovery | Hunting
GetWmiObject User Account with PowerShell Script Block | | Local Account | Discovery | Hunting
Local Account Discovery With Wmic | | Local Account | Discovery | Hunting
Local Account Discovery with Net | | Local Account | Discovery | Hunting
NLTest Domain Trust Discovery | | Domain Trust Discovery | Discovery | TTP
Net Localgroup Discovery | | Local Groups | Discovery | Hunting
Network Connection Discovery With Arp | | System Network Connections Discovery | Discovery | Hunting
Network Connection Discovery With Net | | System Network Connections Discovery | Discovery | Hunting
Network Connection Discovery With Netstat | | System Network Connections Discovery | Discovery | Hunting
Password Policy Discovery with Net | | Password Policy Discovery | Discovery | Hunting
PowerShell Get LocalGroup Discovery | | Local Groups | Discovery | Hunting
Powershell Get LocalGroup Discovery with Script Block Logging | | Local Groups | Discovery | Hunting
Remote System Discovery with Adsisearcher | | Remote System Discovery | Discovery | TTP
Remote System Discovery with Dsquery | | Remote System Discovery | Discovery | Hunting
Remote System Discovery with Net | | Remote System Discovery | Discovery | Hunting
Remote System Discovery with Wmic | | Remote System Discovery | Discovery | TTP
System User Discovery With Query | | System Owner/User Discovery | Discovery | Hunting
System User Discovery With Whoami | | System Owner/User Discovery | Discovery | Hunting
User Discovery With Env Vars PowerShell | | System Owner/User Discovery | Discovery | Hunting
User Discovery With Env Vars PowerShell Script Block | | System Owner/User Discovery | Discovery | Hunting
Wmic Group Discovery | | Local Groups | Discovery | Hunting
Kill Chain Phase
- Exploitation
- Reconnaissance
Reference
version: 1
Active Directory password spraying
Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2021-04-07
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type
---|---|---|---|---
Multiple Disabled Users Failing To Authenticate From Host Using Kerberos | | Password Spraying | Credential Access | Anomaly
Multiple Invalid Users Failing To Authenticate From Host Using Kerberos | | Password Spraying | Credential Access | Anomaly
Multiple Invalid Users Failing To Authenticate From Host Using NTLM | | Password Spraying | Credential Access | Anomaly
Multiple Users Attempting To Authenticate Using Explicit Credentials | | Password Spraying | Credential Access | Anomaly
Multiple Users Failing To Authenticate From Host Using Kerberos | | Password Spraying | Credential Access | Anomaly
Multiple Users Failing To Authenticate From Host Using NTLM | | Password Spraying | Credential Access | Anomaly
Multiple Users Failing To Authenticate From Process | | Password Spraying | Credential Access | Anomaly
Multiple Users Remotely Failing To Authenticate From Host | | Password Spraying | Credential Access | Anomaly
Kill Chain Phase
- Exploitation
Reference
version: 1
BITS jobs
Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2021-03-26
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type
---|---|---|---|---
BITS Job Persistence | | BITS Jobs, Ingress Tool Transfer | Defense Evasion, Persistence, Command And Control | TTP
BITSAdmin Download File | | BITS Jobs, Ingress Tool Transfer | Defense Evasion, Persistence, Command And Control | TTP
PowerShell Start-BitsTransfer | | BITS Jobs | Defense Evasion, Persistence | TTP
Kill Chain Phase
- Exploitation
Reference
version: 1
Baron Samedit CVE-2021-3156
Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability affects sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and prior). Because the vulnerable code was committed in July 2011, many distributions are affected. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2021-01-27
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type
---|---|---|---|---
Detect Baron Samedit CVE-2021-3156 | | Exploitation for Privilege Escalation | Privilege Escalation | TTP
Detect Baron Samedit CVE-2021-3156 Segfault | | Exploitation for Privilege Escalation | Privilege Escalation | TTP
Detect Baron Samedit CVE-2021-3156 via OSQuery | | Exploitation for Privilege Escalation | Privilege Escalation | TTP
Kill Chain Phase
- Exploitation
Reference
version: 1
Cobalt Strike
Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. More recently, Cobalt Strike has become the tool of choice for threat groups due to its ease of use and extensibility.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2021-02-16
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type
---|---|---|---|---
Anomalous usage of 7zip | T1560.001, T1059.003, T1543.003, T1055, T1071.002, T1218.010, T1218.005, T1569.002, T1027, T1218.011, T1053.005, T1548, T1203, T1505.003, T1127.001, T1036.003, T1127, T1071.001, T1018 | Archive via Utility, Windows Command Shell, Windows Service, Process Injection, File Transfer Protocols, Regsvr32, Mshta, Service Execution, Obfuscated Files or Information, Rundll32, Scheduled Task, Abuse Elevation Control Mechanism, Exploitation for Client Execution, Web Shell, MSBuild, Rename System Utilities, Trusted Developer Utilities Proxy Execution, Web Protocols, Remote System Discovery | Collection, Execution, Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Command And Control, Defense Evasion, Defense Evasion, Execution, Defense Evasion, Defense Evasion, Execution, Persistence, Privilege Escalation, Privilege Escalation, Defense Evasion, Execution, Persistence, Defense Evasion, Defense Evasion, Defense Evasion, Command And Control, Discovery | Anomaly
CMD Echo Pipe - Escalation | | Windows Command Shell, Windows Service | Execution, Persistence, Privilege Escalation | TTP
Cobalt Strike Named Pipes | | Process Injection | Defense Evasion, Privilege Escalation | TTP
DLLHost with no Command Line Arguments with Network | | Process Injection | Defense Evasion, Privilege Escalation | TTP
Detect Regsvr32 Application Control Bypass | | Regsvr32 | Defense Evasion | TTP
GPUpdate with no Command Line Arguments with Network | | Process Injection | Defense Evasion, Privilege Escalation | TTP
Rundll32 with no Command Line Arguments with Network | | Rundll32 | Defense Evasion | TTP
SearchProtocolHost with no Command Line with Network | | Process Injection | Defense Evasion, Privilege Escalation | TTP
Services Escalate Exe | | Abuse Elevation Control Mechanism | Privilege Escalation, Defense Evasion | TTP
Suspicious DLLHost no Command Line Arguments | | Process Injection | Defense Evasion, Privilege Escalation | TTP
Suspicious GPUpdate no Command Line Arguments | | Process Injection | Defense Evasion, Privilege Escalation | TTP
Suspicious MSBuild Rename | | MSBuild, Rename System Utilities | Defense Evasion, Defense Evasion | TTP
Suspicious Rundll32 StartW | | Rundll32 | Defense Evasion | TTP
Suspicious Rundll32 no Command Line Arguments | | Rundll32 | Defense Evasion | TTP
Suspicious SearchProtocolHost no Command Line Arguments | | Process Injection | Defense Evasion, Privilege Escalation | TTP
Suspicious microsoft workflow compiler rename | | Trusted Developer Utilities Proxy Execution, Rename System Utilities | Defense Evasion, Defense Evasion | Hunting
Suspicious msbuild path | | MSBuild, Rename System Utilities | Defense Evasion, Defense Evasion | TTP
Kill Chain Phase
- Actions on Objectives
- Exploitation
- Privilege Escalation
Reference
version: 1
Collection and staging
Monitor for and investigate activities, such as suspicious writes to the Windows Recycle Bin or email servers sending high volumes of traffic to specific hosts, that may indicate that an adversary is harvesting and exfiltrating sensitive data.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Network_Traffic
- Last Updated: 2020-02-03
- Use Case: Security Monitoring
Detection Profile
name | ID | Technique | Tactic | Type
---|---|---|---|---
Detect Renamed 7-Zip | | Archive via Utility, Local Email Collection, Remote Email Collection, Masquerading | Collection, Collection, Collection, Defense Evasion | Hunting
Detect Renamed WinRAR | | Archive via Utility | Collection | Hunting
Email files written outside of the Outlook directory | | Local Email Collection | Collection | TTP
Email servers sending high volume traffic to hosts | | Remote Email Collection | Collection | Anomaly
Hosts receiving high volume of network traffic from email server | | Remote Email Collection | Collection | Anomaly
Suspicious writes to windows Recycle Bin | | Masquerading | Defense Evasion | TTP
Kill Chain Phase
- Actions on Objectives
- Exfiltration
- Exploitation
Reference
version: 1
Command and control
Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate command and control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Network_Resolution, Network_Traffic
- Last Updated: 2018-06-01
- Use Case: Security Monitoring
Detection Profile
name | ID | Technique | Tactic | Type
---|---|---|---|---
DNS Exfiltration Using Nslookup App | T1048, T1071.004, T1048.003, T1095, T1041, T1189, T1537, T1114.001, T1114, T1114.003, T1071.001 | Exfiltration Over Alternative Protocol, DNS, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Non-Application Layer Protocol, Exfiltration Over C2 Channel, Drive-by Compromise, Transfer Data to Cloud Account, Local Email Collection, Email Collection, Email Forwarding Rule, Web Protocols | Exfiltration, Command And Control, Exfiltration, Command And Control, Exfiltration, Initial Access, Exfiltration, Collection, Collection, Collection, Command And Control | TTP
DNS Query Length Outliers - MLTK | | DNS | Command And Control | Anomaly
DNS Query Length With High Standard Deviation | | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration | Anomaly
Detect Large Outbound ICMP Packets | | Non-Application Layer Protocol | Command And Control | TTP
Detect Spike in blocked Outbound Traffic from your AWS | | | | Anomaly
Detect hosts connecting to dynamic domain providers | | Drive-by Compromise | Initial Access | TTP
Excessive DNS Failures | | DNS | Command And Control | Anomaly
Excessive Usage of NSLOOKUP App | | Exfiltration Over Alternative Protocol | Exfiltration | Anomaly
Multiple Archive Files Http Post Traffic | | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration | TTP
Plain HTTP POST Exfiltrated Data | | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration | TTP
Prohibited Network Traffic Allowed | | Exfiltration Over Alternative Protocol | Exfiltration | TTP
Protocol or Port Mismatch | | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration | Anomaly
TOR Traffic | | Web Protocols | Command And Control | TTP
Kill Chain Phase
- Actions on Objectives
- Command and Control
- Delivery
- Exfiltration
- Exploitation
Reference
version: 1
Credential dumping
Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The searches included in this Analytic Story are designed to identify attempts at credential dumping.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2020-02-04
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type
---|---|---|---|---
Access LSASS Memory for Dump Creation | T1003.001, T1055, T1068, T1078, T1098, T1134, T1543, T1547, T1548, T1554, T1556, T1558, T1555, T1087, T1201, T1552, T1003, T1003.002, T1003.003, T1558.003, T1059.001 | LSASS Memory, Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, Boot or Logon Autostart Execution, Abuse Elevation Control Mechanism, Compromise Client Software Binary, Modify Authentication Process, Steal or Forge Kerberos Tickets, Credentials from Password Stores, Account Discovery, Password Policy Discovery, Unsecured Credentials, OS Credential Dumping, Security Account Manager, NTDS, Kerberoasting, PowerShell | Credential Access, Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Defense Evasion, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Credential Access, Defense Evasion, Persistence, Credential Access, Credential Access, Discovery, Discovery, Credential Access, Credential Access, Credential Access, Credential Access, Credential Access, Execution | TTP
Applying Stolen Credentials via Mimikatz modules | T1055, T1068, T1078, T1098, T1134, T1543, T1547, T1548, T1554, T1556, T1558 | Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, Boot or Logon Autostart Execution, Abuse Elevation Control Mechanism, Compromise Client Software Binary, Modify Authentication Process, Steal or Forge Kerberos Tickets | Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Defense Evasion, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Credential Access, Defense Evasion, Persistence, Credential Access | TTP
Applying Stolen Credentials via PowerSploit modules | T1055, T1068, T1078, T1098, T1134, T1543, T1547, T1548, T1554, T1555, T1558 | Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, Boot or Logon Autostart Execution, Abuse Elevation Control Mechanism, Compromise Client Software Binary, Credentials from Password Stores, Steal or Forge Kerberos Tickets | Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Defense Evasion, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Credential Access, Credential Access | TTP
Assessment of Credential Strength via DSInternals modules | | Valid Accounts, Account Manipulation, Account Discovery, Password Policy Discovery, Unsecured Credentials, Credentials from Password Stores | Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Discovery, Discovery, Credential Access, Credential Access | TTP
Attempted Credential Dump From Registry via Reg exe | | OS Credential Dumping | Credential Access | TTP
Attempted Credential Dump From Registry via Reg exe | T1003.002, T1197, T1105, T1218.003, T1055, T1490, T1003.001, T1021.002, T1020, T1569.002, T1486, T1548.002 | Security Account Manager, BITS Jobs, Ingress Tool Transfer, CMSTP, Process Injection, Inhibit System Recovery, LSASS Memory, SMB/Windows Admin Shares, Automated Exfiltration, Service Execution, Data Encrypted for Impact, Bypass User Account Control | Credential Access, Defense Evasion, Persistence, Command And Control, Defense Evasion, Defense Evasion, Privilege Escalation, Impact, Credential Access, Lateral Movement, Exfiltration, Execution, Impact, Privilege Escalation, Defense Evasion | TTP
Create Remote Thread into LSASS | | LSASS Memory | Credential Access | TTP
Creation of Shadow Copy | | NTDS | Credential Access | TTP
Creation of Shadow Copy with wmic and powershell | | NTDS | Credential Access | TTP
Creation of lsass Dump with Taskmgr | | LSASS Memory | Credential Access | TTP
Credential Dumping via Copy Command from Shadow Copy | | NTDS | Credential Access | TTP
Credential Dumping via Symlink to Shadow Copy | | NTDS | Credential Access | TTP
Credential Extraction indicative of FGDump and CacheDump with s option | | OS Credential Dumping | Credential Access | TTP
Credential Extraction indicative of FGDump and CacheDump with v option | | OS Credential Dumping | Credential Access | TTP
Credential Extraction indicative of Lazagne command line options | | OS Credential Dumping, Credentials from Password Stores | Credential Access, Credential Access | TTP
Credential Extraction indicative of use of DSInternals credential conversion modules | | OS Credential Dumping | Credential Access | TTP
Credential Extraction indicative of use of DSInternals modules | | OS Credential Dumping | Credential Access | TTP
Credential Extraction indicative of use of Mimikatz modules | | OS Credential Dumping | Credential Access | TTP
Credential Extraction indicative of use of PowerSploit modules | | OS Credential Dumping | Credential Access | TTP
Credential Extraction native Microsoft debuggers peek into the kernel | | OS Credential Dumping | Credential Access | TTP
Credential Extraction native Microsoft debuggers via z command line option | | OS Credential Dumping | Credential Access | TTP
Credential Extraction via Get-ADDBAccount module present in PowerSploit and DSInternals | | OS Credential Dumping | Credential Access | TTP
Detect Copy of ShadowCopy with Script Block Logging | | Security Account Manager | Credential Access | TTP
Detect Credential Dumping through LSASS access | | LSASS Memory | Credential Access | TTP
Detect Dump LSASS Memory using comsvcs | | NTDS | Credential Access | TTP
Detect Kerberoasting | | Kerberoasting | Credential Access | TTP
Detect Mimikatz Using Loaded Images | | LSASS Memory | Credential Access | TTP
Dump LSASS via comsvcs DLL | | LSASS Memory | Credential Access | TTP
Dump LSASS via procdump | | LSASS Memory | Credential Access | TTP
Esentutl SAM Copy | | Security Account Manager | Credential Access | Hunting
Extraction of Registry Hives | | Security Account Manager | Credential Access | TTP
Ntdsutil Export NTDS | | NTDS | Credential Access | TTP
SAM Database File Access Attempt | | Security Account Manager | Credential Access | Hunting
SecretDumps Offline NTDS Dumping Tool | | NTDS | Credential Access | TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass | | PowerShell | Execution | TTP
Kill Chain Phase
- Actions on Objectives
- Exploitation
- Installation
- Lateral Movement
- Privilege Escalation
Reference
version: 3
DNS hijacking
Secure your environment against DNS hijacks with searches that help you detect and investigate unauthorized changes to DNS records.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Network_Resolution
- Last Updated: 2020-02-04
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type
---|---|---|---|---
Detect hosts connecting to dynamic domain providers | | Drive-by Compromise | Initial Access | TTP
Kill Chain Phase
- Actions on Objectives
- Command and Control
Reference
version: 1
Data exfiltration
The stealing of data by an adversary.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Network_Traffic
- Last Updated: 2020-10-21
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type
---|---|---|---|---
DNS Exfiltration Using Nslookup App | T1048, T1071.004, T1048.003, T1095, T1041, T1189, T1537, T1114.001, T1114, T1114.003, T1071.001 | Exfiltration Over Alternative Protocol, DNS, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Non-Application Layer Protocol, Exfiltration Over C2 Channel, Drive-by Compromise, Transfer Data to Cloud Account, Local Email Collection, Email Collection, Email Forwarding Rule, Web Protocols | Exfiltration, Command And Control, Exfiltration, Command And Control, Exfiltration, Initial Access, Exfiltration, Collection, Collection, Collection, Command And Control | TTP
Detect SNICat SNI Exfiltration | | Exfiltration Over C2 Channel | Exfiltration | TTP
Detect shared ec2 snapshot | | Transfer Data to Cloud Account | Exfiltration | TTP
Excessive Usage of NSLOOKUP App | | Exfiltration Over Alternative Protocol | Exfiltration | Anomaly
Mailsniper Invoke functions | | Local Email Collection | Collection | TTP
Multiple Archive Files Http Post Traffic | | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration | TTP
O365 PST export alert | | Email Collection | Collection | TTP
O365 Suspicious Admin Email Forwarding | | Email Forwarding Rule | Collection | Anomaly
O365 Suspicious User Email Forwarding | | Email Forwarding Rule | Collection | Anomaly
Plain HTTP POST Exfiltrated Data | | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration | TTP
Kill Chain Phase
- Actions on Objectives
- Exfiltration
- Exploitation
Reference
version: 1
Deobfuscate-decode files or information
Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2021-03-24
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type
---|---|---|---|---
CertUtil With Decode Argument | | Deobfuscate/Decode Files or Information | Defense Evasion | TTP
Kill Chain Phase
- Exploitation
Reference
version: 1
Detect Zerologon attack
Uncover activity related to the execution of Zerologon (CVE-2020-1472), a technique wherein attackers target a Microsoft Windows Domain Controller to reset its computer account password. As a result, attackers can grant themselves high privileges and take over the Domain Controller. The searches included in this Analytic Story are designed to identify attempts to reset the Domain Controller computer account remotely via exploit code or via the Mimikatz tool used as the payload carrier.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2020-09-18
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type
---|---|---|---|---
Detect Computer Changed with Anonymous Account | | Exploitation of Remote Services, LSASS Memory, Exploit Public-Facing Application | Lateral Movement, Credential Access, Initial Access | Hunting
Detect Credential Dumping through LSASS access | | LSASS Memory | Credential Access | TTP
Detect Mimikatz Using Loaded Images | | LSASS Memory | Credential Access | TTP
Detect Zerologon via Zeek | | Exploit Public-Facing Application | Initial Access | TTP
Kill Chain Phase
- Actions on Objectives
- Exploitation
Reference
version: 1
Disabling security tools
Looks for activities and techniques associated with the disabling of security tools on a Windows system, such as suspicious `reg.exe` processes, processes launching `netsh`, and many others.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2020-02-04
- Use Case: Security Monitoring
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Attempt To Add Certificate To Untrusted Store | | Install Root Certificate, Disable or Modify Tools, Disable or Modify System Firewall, Windows Service, Modify Registry | Defense Evasion, Defense Evasion, Defense Evasion, Persistence, Privilege Escalation, Defense Evasion | TTP |
Attempt To Stop Security Service | | Disable or Modify Tools | Defense Evasion | TTP |
Processes launching netsh | | Disable or Modify System Firewall | Defense Evasion | TTP |
Sc exe Manipulating Windows Services | | Windows Service | Persistence, Privilege Escalation | TTP |
Suspicious Reg exe Process | | Modify Registry | Defense Evasion | TTP |
Unload Sysmon Filter Driver | | Disable or Modify Tools | Defense Evasion | TTP |
Kill Chain Phase
- Actions on Objectives
- Installation
Reference
version: 2
Domain trust discovery
Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-03-25
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
DSQuery Domain Discovery | | Domain Trust Discovery, Remote System Discovery | Discovery, Discovery | TTP |
NLTest Domain Trust Discovery | | Domain Trust Discovery | Discovery | TTP |
Windows AdFind Exe | | Remote System Discovery | Discovery | TTP |
Kill Chain Phase
- Exploitation
Reference
version: 1
F5 tmui rce cve-2020-5902
Uncover activity consistent with CVE-2020-5902. Discovered by Positive Technologies researchers, this vulnerability affects F5 BIG-IP, BIG-IQ, and Traffix SDC devices (vulnerable versions are listed in the F5 support link below). It allows unauthenticated users, as well as authenticated users who have access to the configuration utility, to execute system commands, create or delete files, disable services, and/or execute Java code. Exploitation can result in full system compromise.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2020-08-02
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect F5 TMUI RCE CVE-2020-5902 | | Exploit Public-Facing Application | Initial Access | TTP |
Kill Chain Phase
- Exploitation
Reference
version: 1
Hafnium group
HAFNIUM group was identified by Microsoft as exploiting 4 Microsoft Exchange CVEs in the wild - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint, Network_Traffic
- Last Updated: 2021-03-03
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Any Powershell DownloadString | T1059.001, T1505.003, T1136.001, T1021.002, T1569.002, T1003.001, T1114.002, T1003.003, T1190 | PowerShell, Web Shell, Local Account, SMB/Windows Admin Shares, Service Execution, LSASS Memory, Remote Email Collection, NTDS, Exploit Public-Facing Application | Execution, Persistence, Persistence, Lateral Movement, Execution, Credential Access, Collection, Credential Access, Initial Access | TTP |
Detect Exchange Web Shell | | Web Shell, Exploit Public-Facing Application, PowerShell | Persistence, Initial Access, Execution | TTP |
Detect New Local Admin account | | Local Account | Persistence | TTP |
Detect PsExec With accepteula Flag | | SMB/Windows Admin Shares | Lateral Movement | TTP |
Detect Renamed PSExec | | Service Execution | Execution | Hunting |
Dump LSASS via comsvcs DLL | | LSASS Memory | Credential Access | TTP |
Dump LSASS via procdump | | LSASS Memory | Credential Access | TTP |
Email servers sending high volume traffic to hosts | | Remote Email Collection | Collection | Anomaly |
Malicious PowerShell Process - Connect To Internet With Hidden Window | | PowerShell, Registry Run Keys / Startup Folder | Execution, Persistence, Privilege Escalation | TTP |
Malicious PowerShell Process - Execution Policy Bypass | | PowerShell | Execution | TTP |
Nishang PowershellTCPOneLine | | PowerShell | Execution | TTP |
Ntdsutil Export NTDS | | NTDS | Credential Access | TTP |
Set Default PowerShell Execution Policy To Unrestricted or Bypass | | PowerShell | Execution | TTP |
Unified Messaging Service Spawning a Process | | Exploit Public-Facing Application | Initial Access | TTP |
W3WP Spawning Shell | | Web Shell | Persistence | TTP |
Kill Chain Phase
- Actions on Objectives
- Command and Control
- Execution
- Exploitation
- Installation
- Lateral Movement
Reference
version: 1
Ingress tool transfer
Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external, adversary-controlled system through the command and control channel to bring tools into the victim network, or through alternate protocols with another tool such as FTP.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-03-24
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Any Powershell DownloadFile | T1059.001, T1197, T1105, T1003, T1021, T1113, T1123, T1563, T1053, T1134, T1548, T1055, T1106, T1569, T1027, T1027.005, T1546.015, T1140, T1592, T1562 | PowerShell, BITS Jobs, Ingress Tool Transfer, OS Credential Dumping, Remote Services, Screen Capture, Audio Capture, Remote Service Session Hijacking, Scheduled Task/Job, Access Token Manipulation, Abuse Elevation Control Mechanism, Process Injection, Native API, System Services, Obfuscated Files or Information, Indicator Removal from Tools, Component Object Model Hijacking, Deobfuscate/Decode Files or Information, Gather Victim Host Information, Impair Defenses | Execution, Defense Evasion, Persistence, Command And Control, Credential Access, Lateral Movement, Collection, Collection, Lateral Movement, Execution, Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion, Defense Evasion, Privilege Escalation, Execution, Execution, Defense Evasion, Defense Evasion, Privilege Escalation, Persistence, Defense Evasion, Reconnaissance, Defense Evasion | TTP |
Any Powershell DownloadString | T1059.001, T1505.003, T1136.001, T1021.002, T1569.002, T1003.001, T1114.002, T1003.003, T1190 | PowerShell, Web Shell, Local Account, SMB/Windows Admin Shares, Service Execution, LSASS Memory, Remote Email Collection, NTDS, Exploit Public-Facing Application | Execution, Persistence, Persistence, Lateral Movement, Execution, Credential Access, Collection, Credential Access, Initial Access | TTP |
BITSAdmin Download File | | BITS Jobs, Ingress Tool Transfer | Defense Evasion, Persistence, Command And Control | TTP |
CertUtil Download With URLCache and Split Arguments | | Ingress Tool Transfer | Command And Control | TTP |
CertUtil Download With VerifyCtl and Split Arguments | | Ingress Tool Transfer | Command And Control | TTP |
Suspicious Curl Network Connection | | Ingress Tool Transfer, Launch Agent, Data Staged | Command And Control, Persistence, Privilege Escalation, Collection | TTP |
Kill Chain Phase
- Actions on Objectives
- Exploitation
Reference
version: 1
Lateral movement
Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint, Network_Traffic
- Last Updated: 2020-02-04
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect Activity Related to Pass the Hash Attacks | T1550.002, T1021.002, T1569.002, T1558.003, T1021.001, T1053.005 | Pass the Hash, SMB/Windows Admin Shares, Service Execution, Kerberoasting, Remote Desktop Protocol, Scheduled Task | Defense Evasion, Lateral Movement, Lateral Movement, Execution, Credential Access, Lateral Movement, Execution, Persistence, Privilege Escalation | TTP |
Detect Pass the Hash | | Pass the Hash | Defense Evasion, Lateral Movement | TTP |
Detect PsExec With accepteula Flag | | SMB/Windows Admin Shares | Lateral Movement | TTP |
Detect Renamed PSExec | | Service Execution | Execution | Hunting |
Kerberoasting spn request with RC4 encryption | | Kerberoasting | Credential Access | TTP |
Potential Pass the Token or Hash Observed at the Destination Device | | Pass the Hash | Defense Evasion, Lateral Movement | TTP |
Potential Pass the Token or Hash Observed by an Event Collecting Device | | Pass the Hash | Defense Evasion, Lateral Movement | TTP |
Remote Desktop Network Traffic | | Remote Desktop Protocol | Lateral Movement | Anomaly |
Remote Desktop Process Running On System | | Remote Desktop Protocol | Lateral Movement | Hunting |
Schtasks scheduling job on remote system | | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP |
Kill Chain Phase
- Actions on Objectives
- Execution
- Exploitation
- Lateral Movement
Reference
version: 2
Malicious powershell
Attackers are finding stealthy ways to "live off the land," leveraging utilities and tools that come standard on the endpoint--such as PowerShell--to achieve their goals without downloading binary files. These searches can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2017-08-23
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Any Powershell DownloadFile | T1059.001, T1197, T1105, T1003, T1021, T1113, T1123, T1563, T1053, T1134, T1548, T1055, T1106, T1569, T1027, T1027.005, T1546.015, T1140, T1592, T1562 | PowerShell, BITS Jobs, Ingress Tool Transfer, OS Credential Dumping, Remote Services, Screen Capture, Audio Capture, Remote Service Session Hijacking, Scheduled Task/Job, Access Token Manipulation, Abuse Elevation Control Mechanism, Process Injection, Native API, System Services, Obfuscated Files or Information, Indicator Removal from Tools, Component Object Model Hijacking, Deobfuscate/Decode Files or Information, Gather Victim Host Information, Impair Defenses | Execution, Defense Evasion, Persistence, Command And Control, Credential Access, Lateral Movement, Collection, Collection, Lateral Movement, Execution, Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion, Defense Evasion, Privilege Escalation, Execution, Execution, Defense Evasion, Defense Evasion, Privilege Escalation, Persistence, Defense Evasion, Reconnaissance, Defense Evasion | TTP |
Any Powershell DownloadString | T1059.001, T1505.003, T1136.001, T1021.002, T1569.002, T1003.001, T1114.002, T1003.003, T1190 | PowerShell, Web Shell, Local Account, SMB/Windows Admin Shares, Service Execution, LSASS Memory, Remote Email Collection, NTDS, Exploit Public-Facing Application | Execution, Persistence, Persistence, Lateral Movement, Execution, Credential Access, Collection, Credential Access, Initial Access | TTP |
Credential Extraction indicative of use of DSInternals credential conversion modules | | OS Credential Dumping | Credential Access | TTP |
Credential Extraction indicative of use of DSInternals modules | | OS Credential Dumping | Credential Access | TTP |
Credential Extraction indicative of use of PowerSploit modules | | OS Credential Dumping | Credential Access | TTP |
Credential Extraction via Get-ADDBAccount module present in PowerSploit and DSInternals | | OS Credential Dumping | Credential Access | TTP |
Detect Empire with PowerShell Script Block Logging | | PowerShell | Execution | TTP |
Detect Mimikatz With PowerShell Script Block Logging | | OS Credential Dumping | Credential Access | TTP |
Illegal Access To User Content via PowerSploit modules | | Remote Services, Screen Capture, Audio Capture, Remote Service Session Hijacking | Lateral Movement, Collection, Collection, Lateral Movement | TTP |
Illegal Privilege Elevation and Persistence via PowerSploit modules | | Scheduled Task/Job, Access Token Manipulation, Abuse Elevation Control Mechanism | Execution, Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion | TTP |
Illegal Service and Process Control via PowerSploit modules | | Process Injection, Native API, System Services | Defense Evasion, Privilege Escalation, Execution, Execution | TTP |
Malicious PowerShell Process - Connect To Internet With Hidden Window | | PowerShell, Registry Run Keys / Startup Folder | Execution, Persistence, Privilege Escalation | TTP |
Malicious PowerShell Process - Encoded Command | | Obfuscated Files or Information | Defense Evasion | Hunting |
Malicious PowerShell Process With Obfuscation Techniques | | PowerShell | Execution | TTP |
PowerShell 4104 Hunting | | PowerShell | Execution | Hunting |
PowerShell Domain Enumeration | | PowerShell | Execution | TTP |
PowerShell Loading DotNET into Memory via System Reflection Assembly | | PowerShell | Execution | TTP |
Powershell Creating Thread Mutex | | Indicator Removal from Tools | Defense Evasion | TTP |
Powershell Enable SMB1Protocol Feature | | Indicator Removal from Tools | Defense Evasion | TTP |
Powershell Execute COM Object | | Component Object Model Hijacking | Privilege Escalation, Persistence | TTP |
Powershell Fileless Process Injection via GetProcAddress | | Process Injection, PowerShell | Defense Evasion, Privilege Escalation, Execution | TTP |
Powershell Fileless Script Contains Base64 Encoded Content | | Obfuscated Files or Information, PowerShell | Defense Evasion, Execution | TTP |
Powershell Processing Stream Of Data | | PowerShell | Execution | TTP |
Powershell Using memory As Backing Store | | Deobfuscate/Decode Files or Information | Defense Evasion | TTP |
Recon AVProduct Through Pwh or WMI | | Gather Victim Host Information | Reconnaissance | TTP |
Recon Using WMI Class | | Gather Victim Host Information | Reconnaissance | TTP |
Set Default PowerShell Execution Policy To Unrestricted or Bypass | | PowerShell | Execution | TTP |
Unloading AMSI via Reflection | | Impair Defenses | Defense Evasion | TTP |
WMI Recon Running Process Or Services | | Gather Victim Host Information | Reconnaissance | TTP |
Kill Chain Phase
- Actions on Objectives
- Command and Control
- Exploitation
- Installation
- Privilege Escalation
- Reconnaissance
Reference
version: 5
Masquerading - rename system utilities
Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-04-26
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Execution of File with Multiple Extensions | | Rename System Utilities, MSBuild, Rundll32, Trusted Developer Utilities Proxy Execution, Masquerading | Defense Evasion, Defense Evasion, Defense Evasion, Defense Evasion, Defense Evasion | TTP |
Suspicious MSBuild Rename | | MSBuild, Rename System Utilities | Defense Evasion, Defense Evasion | TTP |
Suspicious Rundll32 Rename | | Rundll32, Rename System Utilities | Defense Evasion, Defense Evasion | Hunting |
Suspicious microsoft workflow compiler rename | | Trusted Developer Utilities Proxy Execution, Rename System Utilities | Defense Evasion, Defense Evasion | Hunting |
Suspicious msbuild path | | MSBuild, Rename System Utilities | Defense Evasion, Defense Evasion | TTP |
System Process Running from Unexpected Location | | Masquerading | Defense Evasion | Anomaly |
System Processes Run From Unexpected Locations | | Rename System Utilities | Defense Evasion | TTP |
Kill Chain Phase
- Actions on Objectives
- Exploitation
Reference
version: 1
Meterpreter
Meterpreter provides red teams, pen testers and threat actors interactive access to a compromised host to run commands, upload payloads, download files, and other actions.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-06-08
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Excessive number of taskhost processes | | System Owner/User Discovery | Discovery | Anomaly |
Kill Chain Phase
- Exploitation
Reference
version: 1
Microsoft mshtml remote code execution cve-2021-40444
CVE-2021-40444 is a remote code execution vulnerability in MSHTML, recently used to deliver targeted spearphishing documents.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-09-08
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Control Loading from World Writable Directory | | Control Panel, Spearphishing Attachment, Rundll32 | Defense Evasion, Initial Access, Defense Evasion | TTP |
MSHTML Module Load in Office Product | | Spearphishing Attachment | Initial Access | TTP |
Office Product Writing cab or inf | | Spearphishing Attachment | Initial Access | TTP |
Office Spawning Control | | Spearphishing Attachment | Initial Access | TTP |
Rundll32 Control RunDLL Hunt | | Rundll32 | Defense Evasion | Hunting |
Rundll32 Control RunDLL World Writable Directory | | Rundll32 | Defense Evasion | TTP |
Kill Chain Phase
- Exploitation
Reference
version: 1
Nobelium group
Sunburst is a trojanized update to the SolarWinds Orion IT monitoring and management software. It was discovered by FireEye in December 2020. The actors behind this campaign gained access to numerous public and private organizations around the world.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint, Network_Traffic, Web
- Last Updated: 2020-12-14
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Anomalous usage of 7zip | T1560.001, T1059.003, T1543.003, T1055, T1071.002, T1218.010, T1218.005, T1569.002, T1027, T1218.011, T1053.005, T1548, T1203, T1505.003, T1127.001, T1036.003, T1127, T1071.001, T1018 | Archive via Utility, Windows Command Shell, Windows Service, Process Injection, File Transfer Protocols, Regsvr32, Mshta, Service Execution, Obfuscated Files or Information, Rundll32, Scheduled Task, Abuse Elevation Control Mechanism, Exploitation for Client Execution, Web Shell, MSBuild, Rename System Utilities, Trusted Developer Utilities Proxy Execution, Web Protocols, Remote System Discovery | Collection, Execution, Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Command And Control, Defense Evasion, Defense Evasion, Execution, Defense Evasion, Defense Evasion, Execution, Persistence, Privilege Escalation, Privilege Escalation, Defense Evasion, Execution, Persistence, Defense Evasion, Defense Evasion, Defense Evasion, Command And Control, Discovery | Anomaly |
Detect Outbound SMB Traffic | | File Transfer Protocols | Command And Control | TTP |
Detect Prohibited Applications Spawning cmd exe | | Windows Command Shell, Command and Scripting Interpreter, Exploitation for Privilege Escalation, Rename System Utilities | Execution, Execution, Privilege Escalation, Defense Evasion | Hunting |
Detect Rundll32 Inline HTA Execution | | Mshta | Defense Evasion | TTP |
First Time Seen Running Windows Service | | Service Execution, Process Injection, Native API, System Services, Services Registry Permissions Weakness, Windows Service | Execution, Defense Evasion, Privilege Escalation, Execution, Execution, Persistence, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation | Anomaly |
Malicious PowerShell Process - Encoded Command | | Obfuscated Files or Information | Defense Evasion | Hunting |
Sc exe Manipulating Windows Services | | Windows Service | Persistence, Privilege Escalation | TTP |
Scheduled Task Deleted Or Created via CMD | | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP |
Schtasks scheduling job on remote system | | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP |
Sunburst Correlation DLL and Network Event | | Exploitation for Client Execution | Execution | TTP |
Supernova Webshell | | Web Shell | Persistence | TTP |
TOR Traffic | | Web Protocols | Command And Control | TTP |
Windows AdFind Exe | | Remote System Discovery | Discovery | TTP |
Kill Chain Phase
- Actions on Objectives
- Command and Control
- Exfiltration
- Exploitation
- Installation
Reference
version: 2
Petitpotam ntlm relay on active directory certificate services
PetitPotam (CVE-2021-36942) is a vulnerability identified in Microsoft's EFSRPC protocol that, under the right circumstances, can allow an unauthenticated account to escalate privileges to domain administrator.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2021-08-31
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
PetitPotam Network Share Access Request | | Forced Authentication, OS Credential Dumping | Credential Access, Credential Access | TTP |
PetitPotam Suspicious Kerberos TGT Request | | OS Credential Dumping | Credential Access | TTP |
Kill Chain Phase
- Exploitation
- Lateral Movement
Reference
version: 1
Possible backdoor activity associated with mudcarp espionage campaigns
Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2020-01-22
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Malicious PowerShell Process - Connect To Internet With Hidden Window | | PowerShell, Registry Run Keys / Startup Folder | Execution, Persistence, Privilege Escalation | TTP |
Registry Keys Used For Persistence | | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | TTP |
Unusually Long Command Line | | | | Anomaly |
Unusually Long Command Line - MLTK | | | | Anomaly |
Kill Chain Phase
- Actions on Objectives
- Command and Control
Reference
version: 1
Proxyshell
ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-08-24
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect Exchange Web Shell | | Web Shell, Exploit Public-Facing Application, PowerShell | Persistence, Initial Access, Execution | TTP |
Exchange PowerShell Abuse via SSRF | | Exploit Public-Facing Application | Initial Access | TTP |
Exchange PowerShell Module Usage | | PowerShell | Execution | TTP |
W3WP Spawning Shell | | Web Shell | Persistence | TTP |
Kill Chain Phase
- Exploitation
- Reconnaissance
Reference
version: 1
Sql injection
Use the searches in this Analytic Story to help you detect structured query language (SQL) injection attempts characterized by long URLs that contain malicious parameters.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Web
- Last Updated: 2017-09-19
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
SQL Injection with Long URLs | | Exploit Public-Facing Application | Initial Access | TTP |
Kill Chain Phase
- Delivery
Reference
version: 1
Silver sparrow
Silver Sparrow, identified by Red Canary Intelligence, is a new, forward-looking macOS (Intel and M1) malicious software downloader that uses JavaScript for execution and a LaunchAgent to establish persistence.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-02-24
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Suspicious Curl Network Connection | | Ingress Tool Transfer, Launch Agent, Data Staged | Command And Control, Persistence, Privilege Escalation, Collection | TTP |
Suspicious PlistBuddy Usage | | Launch Agent | Persistence, Privilege Escalation | TTP |
Suspicious PlistBuddy Usage via OSquery | | Launch Agent | Persistence, Privilege Escalation | TTP |
Suspicious SQLite3 LSQuarantine Behavior | | Data Staged | Collection | TTP |
Kill Chain Phase
- Actions on Objectives
Reference
version: 1
Spearphishing attachments
Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2019-04-29
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect Outlook exe writing a zip file | | Spearphishing Attachment, Security Account Manager, Spearphishing Link | Initial Access, Credential Access, Initial Access | TTP |
Excel Spawning PowerShell | | Security Account Manager | Credential Access | TTP |
Excel Spawning Windows Script Host | | Security Account Manager | Credential Access | TTP |
MSHTML Module Load in Office Product | | Spearphishing Attachment | Initial Access | TTP |
Office Application Spawn rundll32 process | | Spearphishing Attachment | Initial Access | TTP |
Office Document Creating Schedule Task | | Spearphishing Attachment | Initial Access | TTP |
Office Document Executing Macro Code | | Spearphishing Attachment | Initial Access | TTP |
Office Document Spawned Child Process To Download | | Spearphishing Attachment | Initial Access | TTP |
Office Product Spawning BITSAdmin | | Spearphishing Attachment | Initial Access | TTP |
Office Product Spawning CertUtil | | Spearphishing Attachment | Initial Access | TTP |
Office Product Spawning MSHTA | | Spearphishing Attachment | Initial Access | TTP |
Office Product Spawning Rundll32 with no DLL | | Spearphishing Attachment | Initial Access | TTP |
Office Product Spawning Wmic | | Spearphishing Attachment | Initial Access | TTP |
Office Product Writing cab or inf | | Spearphishing Attachment | Initial Access | TTP |
Office Spawning Control | | Spearphishing Attachment | Initial Access | TTP |
Process Creating LNK file in Suspicious Location | | Spearphishing Link | Initial Access | TTP |
Winword Spawning Cmd | | Spearphishing Attachment | Initial Access | TTP |
Winword Spawning PowerShell | | Spearphishing Attachment | Initial Access | TTP |
Kill Chain Phase
- Actions on Objectives
- Exploitation
- Installation
Reference
version: 1
Suspicious command-line executions
Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques--one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2020-02-03
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect Prohibited Applications Spawning cmd exe | | Windows Command Shell, Command and Scripting Interpreter, Exploitation for Privilege Escalation, Rename System Utilities | Execution, Execution, Privilege Escalation, Defense Evasion | Hunting |
Detect Prohibited Applications Spawning cmd exe | | Command and Scripting Interpreter | Execution | TTP |
Detect Use of cmd exe to Launch Script Interpreters | | Windows Command Shell, Software Deployment Tools, Registry Run Keys / Startup Folder, SMB/Windows Admin Shares, Spearphishing Attachment | Execution, Execution, Lateral Movement, Persistence, Privilege Escalation, Lateral Movement, Initial Access | TTP |
System Processes Run From Unexpected Locations | | Rename System Utilities | Defense Evasion | TTP |
Unusually Long Command Line | | | | Anomaly |
Unusually Long Command Line - MLTK | | | | Anomaly |
Kill Chain Phase
- Actions on Objectives
- Exploitation
Reference
version: 2
Suspicious compiled html activity
Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-02-11
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect HTML Help Renamed | | Compiled HTML File | Defense Evasion | Hunting |
Detect HTML Help Spawn Child Process | | Compiled HTML File | Defense Evasion | TTP |
Detect HTML Help URL in Command Line | | Compiled HTML File | Defense Evasion | TTP |
Detect HTML Help Using InfoTech Storage Handlers | | Compiled HTML File | Defense Evasion | TTP |
Kill Chain Phase
- Actions on Objectives
Reference
version: 1
Suspicious dns traffic
Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). You can thwart attempts to manipulate this omnipresent protocol by monitoring for these types of abuses.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint, Network_Resolution
- Last Updated: 2017-09-18
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
DNS Exfiltration Using Nslookup App | T1048, T1071.004, T1048.003, T1095, T1041, T1189, T1537, T1114.001, T1114, T1114.003, T1071.001 | Exfiltration Over Alternative Protocol, DNS, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Non-Application Layer Protocol, Exfiltration Over C2 Channel, Drive-by Compromise, Transfer Data to Cloud Account, Local Email Collection, Email Collection, Email Forwarding Rule, Web Protocols | Exfiltration, Command And Control, Exfiltration, Command And Control, Exfiltration, Initial Access, Exfiltration, Collection, Collection, Collection, Command And Control | TTP |
DNS Query Length Outliers - MLTK | | DNS | Command And Control | Anomaly |
DNS Query Length With High Standard Deviation | | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration | Anomaly |
Detect hosts connecting to dynamic domain providers | | Drive-by Compromise | Initial Access | TTP |
Excessive DNS Failures | | DNS | Command And Control | Anomaly |
Excessive Usage of NSLOOKUP App | | Exfiltration Over Alternative Protocol | Exfiltration | Anomaly |
Kill Chain Phase
- Actions on Objectives
- Command and Control
- Exploitation
Reference
version: 1
Suspicious emails
Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Email
- Last Updated: 2020-01-27
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Email Attachments With Lots Of Spaces | | | | Anomaly |
Monitor Email For Brand Abuse | | | | TTP |
Suspicious Email Attachment Extensions | | Spearphishing Attachment | Initial Access | Anomaly |
Kill Chain Phase
- Delivery
Reference
version: 1
Suspicious mshta activity
Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-01-20
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect MSHTA Url in Command Line | | Mshta, Windows Command Shell, Command and Scripting Interpreter, Registry Run Keys / Startup Folder | Defense Evasion, Execution, Execution, Persistence, Privilege Escalation | TTP |
Detect Prohibited Applications Spawning cmd exe | | Windows Command Shell, Command and Scripting Interpreter, Exploitation for Privilege Escalation, Rename System Utilities | Execution, Execution, Privilege Escalation, Defense Evasion | Hunting |
Detect Prohibited Applications Spawning cmd exe | | Command and Scripting Interpreter | Execution | TTP |
Detect Rundll32 Inline HTA Execution | | Mshta | Defense Evasion | TTP |
Detect mshta inline hta execution | | Mshta | Defense Evasion | TTP |
Detect mshta renamed | | Mshta | Defense Evasion | Hunting |
Registry Keys Used For Persistence | | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | TTP |
Suspicious mshta child process | | Mshta | Defense Evasion | TTP |
Suspicious mshta spawn | | Mshta | Defense Evasion | TTP |
Kill Chain Phase
- Actions on Objectives
- Exploitation
Reference
version: 2
Suspicious okta activity
Monitor your Okta environment for suspicious activities. Due to the Covid outbreak, many users are migrating to cloud services more and more. Okta is a popular tool for managing multiple users and the web-based applications they need to stay productive. The searches in this story help monitor your Okta environment for suspicious activities and the associated user behaviors.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2020-04-02
- Use Case: Security Monitoring
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Multiple Okta Users With Invalid Credentials From The Same IP | | Default Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | TTP |
Okta Account Lockout Events | | Default Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly |
Okta Failed SSO Attempts | | Default Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly |
Okta User Logins From Multiple Cities | | Default Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly |
Kill Chain Phase
Reference
- https://searchsecurity.techtarget.com/answer/What-is-a-password-spraying-attack-and-how-does-it-work
version: 1
Suspicious regsvcs regasm activity
Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-02-11
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect Regasm Spawning a Process | | Regsvcs/Regasm | Defense Evasion | TTP |
Detect Regasm with Network Connection | | Regsvcs/Regasm | Defense Evasion | TTP |
Detect Regasm with no Command Line Arguments | | Regsvcs/Regasm | Defense Evasion | TTP |
Detect Regsvcs Spawning a Process | | Regsvcs/Regasm | Defense Evasion | TTP |
Detect Regsvcs with Network Connection | | Regsvcs/Regasm | Defense Evasion | TTP |
Detect Regsvcs with No Command Line Arguments | | Regsvcs/Regasm | Defense Evasion | TTP |
Kill Chain Phase
- Actions on Objectives
Reference
version: 1
Suspicious regsvr32 activity
Monitor and detect techniques used by attackers who leverage the regsvr32.exe process to execute malicious code.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-01-29
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect Regsvr32 Application Control Bypass | | Regsvr32 | Defense Evasion | TTP |
Suspicious Regsvr32 Register Suspicious Path | | Regsvr32 | Defense Evasion | TTP |
Kill Chain Phase
- Actions on Objectives
Reference
version: 1
Suspicious rundll32 activity
Monitor and detect techniques used by attackers who leverage rundll32.exe to execute arbitrary malicious code.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-02-03
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect Rundll32 Application Control Bypass - advpack | | Rundll32, LSASS Memory, Rename System Utilities | Defense Evasion, Credential Access, Defense Evasion | TTP |
Detect Rundll32 Application Control Bypass - setupapi | | Rundll32 | Defense Evasion | TTP |
Detect Rundll32 Application Control Bypass - syssetup | | Rundll32 | Defense Evasion | TTP |
Dump LSASS via comsvcs DLL | | LSASS Memory | Credential Access | TTP |
Rundll32 Control RunDLL Hunt | | Rundll32 | Defense Evasion | Hunting |
Rundll32 Control RunDLL World Writable Directory | | Rundll32 | Defense Evasion | TTP |
Rundll32 with no Command Line Arguments with Network | | Rundll32 | Defense Evasion | TTP |
Suspicious Rundll32 Rename | | Rundll32, Rename System Utilities | Defense Evasion, Defense Evasion | Hunting |
Suspicious Rundll32 StartW | | Rundll32 | Defense Evasion | TTP |
Suspicious Rundll32 dllregisterserver | | Rundll32 | Defense Evasion | TTP |
Suspicious Rundll32 no Command Line Arguments | | Rundll32 | Defense Evasion | TTP |
Kill Chain Phase
- Actions on Objectives
- Exploitation
Reference
version: 1
Suspicious wmi use
Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2018-10-23
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect WMI Event Subscription Persistence | | Windows Management Instrumentation Event Subscription, Windows Management Instrumentation | Privilege Escalation, Persistence, Execution | TTP |
Process Execution via WMI | | Windows Management Instrumentation | Execution | TTP |
Remote Process Instantiation via WMI | | Windows Management Instrumentation | Execution | TTP |
Remote WMI Command Attempt | | Windows Management Instrumentation | Execution | TTP |
Script Execution via WMI | | Windows Management Instrumentation | Execution | TTP |
WMI Permanent Event Subscription | | Windows Management Instrumentation | Execution | TTP |
WMI Permanent Event Subscription - Sysmon | | Windows Management Instrumentation Event Subscription | Privilege Escalation, Persistence | TTP |
WMI Temporary Event Subscription | | Windows Management Instrumentation | Execution | TTP |
Kill Chain Phase
- Actions on Objectives
- Exploitation
Reference
version: 2
Suspicious windows registry activities
Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2018-05-31
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Disabling Remote User Account Control | T1548.002, T1036, T1547.010, T1070, T1547.001, T1546.012, T1546.011, T1113, T1543 | Bypass User Account Control, Masquerading, Port Monitors, Indicator Removal on Host, Registry Run Keys / Startup Folder, Image File Execution Options Injection, Application Shimming, Screen Capture, Create or Modify System Process | Privilege Escalation, Defense Evasion, Defense Evasion, Persistence, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Collection, Persistence, Privilege Escalation | TTP |
Monitor Registry Keys for Print Monitors | | Port Monitors | Persistence, Privilege Escalation | TTP |
Registry Keys Used For Persistence | | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | TTP |
Registry Keys Used For Privilege Escalation | | Image File Execution Options Injection | Privilege Escalation, Persistence | TTP |
Registry Keys for Creating SHIM Databases | | Application Shimming | Privilege Escalation, Persistence | TTP |
Kill Chain Phase
- Actions on Objectives
Reference
version: 1
Suspicious zoom child processes
Attackers are using Zoom as a vector to escalate privileges on a system. This story detects new child processes of Zoom and provides investigative actions for this detection.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2020-04-13
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect Prohibited Applications Spawning cmd exe | | Windows Command Shell, Command and Scripting Interpreter, Exploitation for Privilege Escalation, Rename System Utilities | Execution, Execution, Privilege Escalation, Defense Evasion | Hunting |
Detect Prohibited Applications Spawning cmd exe | | Command and Scripting Interpreter | Execution | TTP |
First Time Seen Child Process of Zoom | | Exploitation for Privilege Escalation | Privilege Escalation | Anomaly |
Kill Chain Phase
- Actions on Objectives
- Exploitation
Reference
version: 1
Trusted developer utilities proxy execution
Monitor and detect behaviors used by attackers who leverage trusted developer utilities to execute malicious code.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-01-12
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Suspicious microsoft workflow compiler rename | | Trusted Developer Utilities Proxy Execution, Rename System Utilities | Defense Evasion, Defense Evasion | Hunting |
Suspicious microsoft workflow compiler usage | | Trusted Developer Utilities Proxy Execution | Defense Evasion | TTP |
Kill Chain Phase
- Exploitation
Reference
version: 1
Trusted developer utilities proxy execution msbuild
Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious code.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-01-21
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Suspicious MSBuild Rename | | MSBuild, Rename System Utilities | Defense Evasion, Defense Evasion | TTP |
Suspicious MSBuild Spawn | | MSBuild | Defense Evasion | TTP |
Suspicious msbuild path | | MSBuild, Rename System Utilities | Defense Evasion, Defense Evasion | TTP |
Kill Chain Phase
- Exploitation
Reference
version: 1
Windows dns sigred cve-2020-1350
Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Checkpoint researchers, this vulnerability affects Windows 2003 to 2019, and is triggered by a malicious DNS response (only affects DNS over TCP). An attacker can use the malicious payload to cause a buffer overflow on the vulnerable system, leading to compromise. The included searches in this Analytic Story are designed to identify the large response payload for SIG and KEY DNS records which can be used for the exploit.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Network_Resolution
- Last Updated: 2020-07-28
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect Windows DNS SIGRed via Splunk Stream | | Exploitation for Client Execution | Execution | TTP |
Detect Windows DNS SIGRed via Zeek | | Exploitation for Client Execution | Execution | TTP |
Kill Chain Phase
- Exploitation
Reference
version: 1
Windows defense evasion tactics
Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg.exe` processes, files hidden with `attrib.exe` and disabling user-account control, among many others.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2018-05-31
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Disable Registry Tool | | Disable or Modify Tools, Hidden Files and Directories, Bypass User Account Control, Modify Registry, Windows File and Directory Permissions Modification, Masquerading | Defense Evasion, Defense Evasion, Privilege Escalation, Defense Evasion, Defense Evasion, Defense Evasion, Defense Evasion | TTP |
Disable Show Hidden Files | | Hidden Files and Directories, Disable or Modify Tools | Defense Evasion, Defense Evasion | TTP |
Disable Windows Behavior Monitoring | | Disable or Modify Tools | Defense Evasion | TTP |
Disable Windows SmartScreen Protection | | Disable or Modify Tools | Defense Evasion | TTP |
Disabling CMD Application | | Disable or Modify Tools | Defense Evasion | TTP |
Disabling ControlPanel | | Disable or Modify Tools | Defense Evasion | TTP |
Disabling Firewall with Netsh | | Disable or Modify Tools | Defense Evasion | TTP |
Disabling FolderOptions Windows Feature | | Disable or Modify Tools | Defense Evasion | TTP |
Disabling NoRun Windows App | | Disable or Modify Tools | Defense Evasion | TTP |
Disabling Remote User Account Control | T1548.002, T1036, T1547.010, T1070, T1547.001, T1546.012, T1546.011, T1113, T1543 | Bypass User Account Control, Masquerading, Port Monitors, Indicator Removal on Host, Registry Run Keys / Startup Folder, Image File Execution Options Injection, Application Shimming, Screen Capture, Create or Modify System Process | Privilege Escalation, Defense Evasion, Defense Evasion, Persistence, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Collection, Persistence, Privilege Escalation | TTP |
Disabling SystemRestore In Registry | | Disable or Modify Tools | Defense Evasion | TTP |
Disabling Task Manager | | Disable or Modify Tools | Defense Evasion | TTP |
Eventvwr UAC Bypass | | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP |
Excessive number of service control start as disabled | | Disable or Modify Tools | Defense Evasion | Anomaly |
FodHelper UAC Bypass | | Modify Registry, Bypass User Account Control | Defense Evasion, Privilege Escalation, Defense Evasion | TTP |
Hiding Files And Directories With Attrib exe | | Windows File and Directory Permissions Modification | Defense Evasion | TTP |
NET Profiler UAC bypass | | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP |
SLUI RunAs Elevated | | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP |
SLUI Spawning a Process | | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP |
Sdclt UAC Bypass | | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP |
SilentCleanup UAC Bypass | | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP |
Suspicious Reg exe Process | | Modify Registry | Defense Evasion | TTP |
System Process Running from Unexpected Location | | Masquerading | Defense Evasion | Anomaly |
UAC Bypass MMC Load Unsigned Dll | | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP |
WSReset UAC Bypass | | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP |
Windows DisableAntiSpyware Registry | | Disable or Modify Tools | Defense Evasion | TTP |
Kill Chain Phase
- Actions on Objectives
- Delivery
- Exploitation
- Privilege Escalation
Reference
version: 1
Windows discovery techniques
Monitors for behaviors associated with adversaries discovering objects in the environment that can be leveraged in the progression of the attack.
- Product: Splunk Behavioral Analytics, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2021-03-04
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Reconnaissance and Access to Accounts Groups and Policies via PowerSploit modules | T1078, T1087, T1484, T1199, T1482, T1590, T1591, T1595, T1592, T1007, T1012, T1046, T1047, T1057, T1083, T1518, T1592.002, T1021.002, T1135, T1039, T1053, T1068, T1543, T1547, T1574, T1589.001, T1590.001, T1590.003, T1098, T1595.002, T1055 | Valid Accounts, Account Discovery, Domain Policy Modification, Trusted Relationship, Domain Trust Discovery, Gather Victim Network Information, Gather Victim Org Information, Active Scanning, Gather Victim Host Information, System Service Discovery, Query Registry, Network Service Scanning, Windows Management Instrumentation, Process Discovery, File and Directory Discovery, Software Discovery, Software, SMB/Windows Admin Shares, Network Share Discovery, Data from Network Shared Drive, Scheduled Task/Job, Exploitation for Privilege Escalation, Create or Modify System Process, Boot or Logon Autostart Execution, Hijack Execution Flow, Credentials, Domain Properties, Network Trust Dependencies, Account Manipulation, Vulnerability Scanning, Process Injection | Defense Evasion, Persistence, Privilege Escalation, Initial Access, Discovery, Defense Evasion, Privilege Escalation, Initial Access, Discovery, Reconnaissance, Reconnaissance, Reconnaissance, Reconnaissance, Discovery, Discovery, Discovery, Execution, Discovery, Discovery, Discovery, Reconnaissance, Lateral Movement, Discovery, Collection, Execution, Persistence, Privilege Escalation, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Defense Evasion, Reconnaissance, Reconnaissance, Reconnaissance, Persistence, Reconnaissance, Defense Evasion, Privilege Escalation | TTP |
Reconnaissance and Access to Accounts and Groups via Mimikatz modules | | Valid Accounts, Account Discovery, Domain Policy Modification | Defense Evasion, Persistence, Privilege Escalation, Initial Access, Discovery, Defense Evasion, Privilege Escalation | TTP |
Reconnaissance and Access to Active Directory Infrastructure via PowerSploit modules | | Trusted Relationship, Domain Trust Discovery, Gather Victim Network Information, Gather Victim Org Information, Active Scanning | Initial Access, Discovery, Reconnaissance, Reconnaissance, Reconnaissance | TTP |
Reconnaissance and Access to Computers and Domains via PowerSploit modules | | Gather Victim Host Information, Gather Victim Network Information, Account Discovery | Reconnaissance, Reconnaissance, Discovery | TTP |
Reconnaissance and Access to Computers via Mimikatz modules | | Gather Victim Host Information | Reconnaissance | TTP |
Reconnaissance and Access to Operating System Elements via PowerSploit modules | | System Service Discovery, Query Registry, Network Service Scanning, Windows Management Instrumentation, Process Discovery, File and Directory Discovery, Software Discovery, Software | Discovery, Discovery, Discovery, Execution, Discovery, Discovery, Discovery, Reconnaissance | TTP |
Reconnaissance and Access to Processes and Services via Mimikatz modules | | System Service Discovery, Network Service Scanning, Process Discovery | Discovery, Discovery, Discovery | TTP |
Reconnaissance and Access to Shared Resources via Mimikatz modules | | SMB/Windows Admin Shares, Network Share Discovery, Data from Network Shared Drive | Lateral Movement, Discovery, Collection | TTP |
Reconnaissance and Access to Shared Resources via PowerSploit modules | | SMB/Windows Admin Shares, Network Share Discovery, Data from Network Shared Drive | Lateral Movement, Discovery, Collection | TTP |
Reconnaissance of Access and Persistence Opportunities via PowerSploit modules | | Scheduled Task/Job, Exploitation for Privilege Escalation, Valid Accounts, Create or Modify System Process, Boot or Logon Autostart Execution, Hijack Execution Flow | Execution, Persistence, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Defense Evasion | TTP |
Reconnaissance of Connectivity via PowerSploit modules | | SMB/Windows Admin Shares, Network Share Discovery, Data from Network Shared Drive | Lateral Movement, Discovery, Collection | TTP |
Reconnaissance of Credential Stores and Services via Mimikatz modules | | Credentials, Domain Properties, Network Trust Dependencies, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation | Reconnaissance, Reconnaissance, Reconnaissance, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence | TTP |
Reconnaissance of Defensive Tools via PowerSploit modules | | Vulnerability Scanning, Software | Reconnaissance, Reconnaissance | TTP |
Reconnaissance of Privilege Escalation Opportunities via PowerSploit modules | | Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation | Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence | TTP |
Reconnaissance of Process or Service Hijacking Opportunities via Mimikatz modules | | Create or Modify System Process, Process Injection, Hijack Execution Flow | Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Persistence, Privilege Escalation, Defense Evasion | TTP |
Kill Chain Phase
- Actions on Objectives
Reference
version: 1
Windows log manipulation
Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monitor for suspicious activity surrounding log files--an essential component of an effective defense.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2017-09-12
- Use Case: Security Monitoring
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Deleting Shadow Copies | | Inhibit System Recovery, Indicator Removal on Host, Clear Windows Event Logs | Impact, Defense Evasion, Defense Evasion | TTP |
Illegal Deletion of Logs via Mimikatz modules | | Indicator Removal on Host | Defense Evasion | TTP |
Suspicious Event Log Service Behavior | | Clear Windows Event Logs | Defense Evasion | TTP |
Suspicious wevtutil Usage | | Clear Windows Event Logs | Defense Evasion | TTP |
USN Journal Deletion | | Indicator Removal on Host | Defense Evasion | TTP |
WevtUtil Usage To Clear Logs | | Clear Windows Event Logs | Defense Evasion | TTP |
Wevtutil Usage To Disable Logs | | Clear Windows Event Logs | Defense Evasion | TTP |
Windows Event Log Cleared | | Clear Windows Event Logs | Defense Evasion | TTP |
Kill Chain Phase
- Actions on Objectives
- Exploitation
Reference
version: 2
Windows persistence techniques
Monitor for activities and techniques associated with maintaining persistence on a Windows system--a sign that an adversary may have compromised your environment.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2018-05-31
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Certutil exe certificate extraction | | | | TTP |
Detect Path Interception By Creation Of program exe | T1574.009, T1222.001, T1585, T1078, T1098, T1207, T1484, T1053, T1134, T1548, T1547.010, T1574.011, T1547.001, T1546.011, T1543.003, T1053.005, T1068 | Path Interception by Unquoted Path, Windows File and Directory Permissions Modification, Establish Accounts, Valid Accounts, Account Manipulation, Rogue Domain Controller, Domain Policy Modification, Scheduled Task/Job, Access Token Manipulation, Abuse Elevation Control Mechanism, Port Monitors, Services Registry Permissions Weakness, Registry Run Keys / Startup Folder, Application Shimming, Windows Service, Scheduled Task, Exploitation for Privilege Escalation | Persistence, Privilege Escalation, Defense Evasion, Defense Evasion, Resource Development, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Defense Evasion, Defense Evasion, Privilege Escalation, Execution, Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Privilege Escalation, Persistence, Persistence, Privilege Escalation, Execution, Persistence, Privilege Escalation, Privilege Escalation | TTP |
Hiding Files And Directories With Attrib exe | | Windows File and Directory Permissions Modification | Defense Evasion | TTP |
Illegal Account Creation via PowerSploit modules | | Establish Accounts | Resource Development | TTP |
Illegal Enabling or Disabling of Accounts via DSInternals modules | | Valid Accounts, Account Manipulation | Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence | TTP |
Illegal Management of Active Directory Elements and Policies via DSInternals modules | | Account Manipulation, Rogue Domain Controller, Domain Policy Modification | Persistence, Defense Evasion, Defense Evasion, Privilege Escalation | TTP |
Illegal Management of Computers and Active Directory Elements via PowerSploit modules | | Account Manipulation, Rogue Domain Controller, Domain Policy Modification | Persistence, Defense Evasion, Defense Evasion, Privilege Escalation | TTP |
Illegal Privilege Elevation and Persistence via PowerSploit modules | | Scheduled Task/Job, Access Token Manipulation, Abuse Elevation Control Mechanism | Execution, Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion | TTP |
Monitor Registry Keys for Print Monitors | | Port Monitors | Persistence, Privilege Escalation | TTP |
Reg exe Manipulating Windows Services Registry Keys | | Services Registry Permissions Weakness | Persistence, Privilege Escalation, Defense Evasion | TTP |
Registry Keys Used For Persistence | | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | TTP |
Registry Keys for Creating SHIM Databases | | Application Shimming | Privilege Escalation, Persistence | TTP |
Sc exe Manipulating Windows Services | | Windows Service | Persistence, Privilege Escalation | TTP |
Schedule Task with HTTP Command Arguments | | Scheduled Task/Job | Execution, Persistence, Privilege Escalation | TTP |
Schedule Task with Rundll32 Command Trigger | | Scheduled Task/Job | Execution, Persistence, Privilege Escalation | TTP |
Schtasks used for forcing a reboot | | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP |
Setting Credentials via DSInternals modules | | Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation | Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence | TTP |
Setting Credentials via Mimikatz modules | | Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation | Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence | TTP |
Setting Credentials via PowerSploit modules | | Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation | Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence | TTP |
Shim Database File Creation | | Application Shimming | Privilege Escalation, Persistence | TTP |
Shim Database Installation With Suspicious Parameters | | Application Shimming | Privilege Escalation, Persistence | TTP |
Suspicious Scheduled Task from Public Directory | | Scheduled Task | Execution, Persistence, Privilege Escalation | Anomaly |
WinEvent Scheduled Task Created Within Public Path | | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP |
WinEvent Scheduled Task Created to Spawn Shell | | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP |
Kill Chain Phase
- Actions on Objectives
- Exploitation
- Installation
- Privilege Escalation
Reference
version: 2
Windows privilege escalation
Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2020-02-04
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Child Processes of Spoolsv exe | | Exploitation for Privilege Escalation, Access Token Manipulation, Abuse Elevation Control Mechanism, Accessibility Features, Valid Accounts, Account Manipulation, Image File Execution Options Injection | Privilege Escalation, Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion, Privilege Escalation, Persistence, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Privilege Escalation, Persistence | TTP |
Illegal Privilege Elevation via Mimikatz modules | | Access Token Manipulation, Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion | TTP |
Overwriting Accessibility Binaries | | Accessibility Features | Privilege Escalation, Persistence | TTP |
Probing Access with Stolen Credentials via PowerSploit modules | | Valid Accounts, Account Manipulation | Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence | TTP |
Registry Keys Used For Privilege Escalation | | Image File Execution Options Injection | Privilege Escalation, Persistence | TTP |
Kill Chain Phase
- Actions on Objectives
- Exploitation
Reference
version: 2
Best Practices
Asset tracking
Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/unmanaged devices could be an indication of malicious behavior that should be investigated further.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Network_Sessions
- Last Updated: 2017-09-13
- Use Case: Security Monitoring
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect Unauthorized Assets by MAC address | | | | TTP |
Kill Chain Phase
- Actions on Objectives
- Delivery
- Reconnaissance
Reference
version: 1
Monitor for updates
Monitor your enterprise to ensure that your endpoints are being patched and updated. Adversaries notoriously exploit known vulnerabilities that could be mitigated by applying routine security patches.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Updates
- Last Updated: 2017-09-15
- Use Case: Compliance
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
No Windows Updates in a time frame | | | | Hunting |
Kill Chain Phase
Reference
version: 1
Prohibited traffic allowed or protocol mismatch
Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint, Network_Resolution, Network_Traffic
- Last Updated: 2017-09-11
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Allow Inbound Traffic By Firewall Rule Registry | | Remote Desktop Protocol, Drive-by Compromise, Remote Services, Exfiltration Over Alternative Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Web Protocols | Lateral Movement, Initial Access, Lateral Movement, Exfiltration, Exfiltration, Command And Control | TTP |
Allow Inbound Traffic In Firewall Rule | | Remote Desktop Protocol | Lateral Movement | TTP |
Detect hosts connecting to dynamic domain providers | | Drive-by Compromise | Initial Access | TTP |
Enable RDP In Other Port Number | | Remote Services | Lateral Movement | TTP |
Prohibited Network Traffic Allowed | | Exfiltration Over Alternative Protocol | Exfiltration | TTP |
Protocol or Port Mismatch | | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration | Anomaly |
TOR Traffic | | Web Protocols | Command And Control | TTP |
Kill Chain Phase
- Actions on Objectives
- Command and Control
- Delivery
- Exploitation
Reference
version: 1
Router and infrastructure security
Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. Core routing and switching infrastructure are common strategic targets for attackers.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Authentication, Network_Traffic
- Last Updated: 2017-09-12
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect ARP Poisoning | | Hardware Additions, Network Denial of Service, ARP Cache Poisoning, Man-in-the-Middle, TFTP Boot, Traffic Duplication | Initial Access, Impact, Credential Access, Collection, Credential Access, Collection, Defense Evasion, Persistence, Exfiltration | TTP |
Detect IPv6 Network Infrastructure Threats | | Hardware Additions, Network Denial of Service, ARP Cache Poisoning | Initial Access, Impact, Credential Access, Collection | TTP |
Detect New Login Attempts to Routers | | | | TTP |
Detect Port Security Violation | | Hardware Additions, Network Denial of Service, ARP Cache Poisoning | Initial Access, Impact, Credential Access, Collection | TTP |
Detect Rogue DHCP Server | | Hardware Additions, Network Denial of Service, Man-in-the-Middle | Initial Access, Impact, Credential Access, Collection | TTP |
Detect Software Download To Network Device | | TFTP Boot | Defense Evasion, Persistence | TTP |
Detect Traffic Mirroring | | Hardware Additions, Network Denial of Service, Traffic Duplication | Initial Access, Impact, Exfiltration | TTP |
Kill Chain Phase
- Actions on Objectives
- Delivery
- Exploitation
- Reconnaissance
Reference
version: 1
Use of cleartext protocols
Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Network_Traffic
- Last Updated: 2017-09-15
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Protocols passing authentication in cleartext | | | | TTP |
Kill Chain Phase
- Actions on Objectives
- Reconnaissance
Reference
version: 1
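The two stories above ("Prohibited traffic allowed or protocol mismatch" and "Use of cleartext protocols") both reduce to the same check over network-session records: was a session allowed whose application is forbidden, whose authentication travels in the clear, or whose protocol does not match the port it was seen on. The Python below is an added example for this page, not one of Splunk's searches (those are SPL). It runs over constructed session records embedded inline, uses the Splunk CIM Network_Traffic field names (`src`, `dest`, `dest_port`, `transport`, `app`, `action`) as an assumption about the data, and assumes `app` is assigned by content inspection (an app-id or Zeek-style service label) rather than derived from the port, since a port-derived label can never mismatch its own port. The port, prohibited-app and cleartext sets are a hypothetical policy for the example.

```python
# Constructed network-session records (not real logs). Field names follow the
# Splunk CIM Network_Traffic convention; `app` is assumed to come from content
# inspection (app-id / Zeek service), not from the destination port.
SAMPLE_TRAFFIC = [
    {"src": "10.0.1.5",  "dest": "10.0.2.8",     "dest_port": 22,   "transport": "tcp", "app": "ssh",    "action": "allowed"},
    {"src": "10.0.1.5",  "dest": "203.0.113.9",  "dest_port": 443,  "transport": "tcp", "app": "ssh",    "action": "allowed"},
    {"src": "10.0.1.7",  "dest": "10.0.2.20",    "dest_port": 3390, "transport": "tcp", "app": "rdp",    "action": "allowed"},
    {"src": "10.0.1.9",  "dest": "198.51.100.4", "dest_port": 9001, "transport": "tcp", "app": "tor",    "action": "allowed"},
    {"src": "10.0.1.11", "dest": "10.0.2.30",    "dest_port": 23,   "transport": "tcp", "app": "telnet", "action": "allowed"},
    {"src": "10.0.1.11", "dest": "198.51.100.5", "dest_port": 6667, "transport": "tcp", "app": "irc",    "action": "blocked"},
    {"src": "10.0.1.12", "dest": "10.0.2.31",    "dest_port": 21,   "transport": "tcp", "app": "ftp",    "action": "allowed"},
    {"src": "10.0.1.12", "dest": "10.0.2.1",     "dest_port": 53,   "transport": "udp", "app": "dns",    "action": "allowed"},
]

# Ports on which each protocol is expected in this (hypothetical) environment.
EXPECTED_PORTS = {
    "ssh": {22}, "rdp": {3389}, "dns": {53}, "http": {80, 8080}, "https": {443},
    "smtp": {25, 587}, "ftp": {21}, "telnet": {23}, "smb": {445},
}
# Applications that policy forbids outright (hypothetical policy).
PROHIBITED_APPS = {"tor", "irc", "telnet", "bittorrent"}
# Protocols whose authentication is sent unencrypted unless upgraded (plain FTP, telnet, POP3, IMAP).
CLEARTEXT_AUTH_APPS = {"telnet", "ftp", "pop3", "imap"}


def classify(record):
    """Return the policy violations in one session record; [] when it is clean."""
    reasons = []
    if record.get("action") != "allowed":
        return reasons                   # a blocked session already had policy enforced on it
    app = str(record.get("app", "")).lower()
    if app in PROHIBITED_APPS:
        reasons.append("prohibited_app_allowed")
    if app in CLEARTEXT_AUTH_APPS:
        reasons.append("cleartext_authentication")
    expected = EXPECTED_PORTS.get(app)
    if expected and record.get("dest_port") not in expected:
        reasons.append("port_mismatch")  # e.g. SSH tunnelled over 443, RDP moved to 3390
    return reasons


def find_policy_violations(records):
    """Annotate every record with its violations, dropping the clean ones."""
    findings = []
    for r in records:
        reasons = classify(r)
        if reasons:
            findings.append({**r, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_policy_violations(SAMPLE_TRAFFIC):
        print(f"{f['src']} -> {f['dest']}:{f['dest_port']} {f['app']}: {', '.join(f['reasons'])}")
```

Only allowed sessions are scored: a blocked IRC session is the firewall doing its job, whereas an allowed Tor or telnet session is the policy gap the story is looking for. Protocols the sensor cannot label (an unknown `app`) get no port baseline and are ignored rather than guessed at.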
Cloud Security
Aws cross account activity
Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2018-06-04
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
aws detect attach to role policy | | Valid Accounts, Use Alternate Authentication Material | Defense Evasion, Persistence, Privilege Escalation, Initial Access, Defense Evasion, Lateral Movement | Hunting |
aws detect permanent key creation | | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Hunting |
aws detect role creation | | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Hunting |
aws detect sts assume role abuse | | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Hunting |
aws detect sts get session token abuse | | Use Alternate Authentication Material | Defense Evasion, Lateral Movement | Hunting |
Kill Chain Phase
- Lateral Movement
Reference
version: 1
Aws iam privilege escalation
This analytic story contains detections that query your AWS CloudTrail logs for activity related to IAM privilege escalation.
- Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2021-03-08
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
AWS Create Policy Version to allow all resources | | Cloud Accounts, Cloud Account, Cloud Infrastructure Discovery, Brute Force, Account Manipulation, Cloud Groups | Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Discovery, Credential Access, Persistence, Discovery | TTP |
AWS CreateAccessKey | | Cloud Account | Persistence | Hunting |
AWS CreateLoginProfile | | Cloud Account | Persistence | TTP |
AWS IAM Assume Role Policy Brute Force | | Cloud Infrastructure Discovery, Brute Force | Discovery, Credential Access | TTP |
AWS IAM Delete Policy | | Account Manipulation | Persistence | Hunting |
AWS IAM Failure Group Deletion | | Account Manipulation | Persistence | Anomaly |
AWS IAM Successful Group Deletion | | Cloud Groups, Account Manipulation | Discovery, Persistence | Hunting |
AWS SetDefaultPolicyVersion | | Cloud Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | TTP |
AWS UpdateLoginProfile | | Cloud Account | Persistence | TTP |
Kill Chain Phase
- Actions on Objectives
- Reconnaissance
Reference
version: 1
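Two of the patterns in this story can be checked directly against CloudTrail JSON: a `CreatePolicyVersion` whose document allows every action on every resource, and `CreateAccessKey` / `CreateLoginProfile` / `UpdateLoginProfile` calls that issue credentials for a user other than the caller. The Python below is an added example for this page, not one of Splunk's searches (those are SPL). It runs over constructed CloudTrail records embedded inline and assumes CloudTrail's field layout (`eventName`, `userIdentity`, `requestParameters`) and, in particular, that `requestParameters.policyDocument` arrives as a JSON string nested inside the JSON record, which is how CloudTrail serialises it.

```python
import json

# Constructed CloudTrail records for illustration (not real logs). The IAM policy
# document is a JSON *string* inside the record, hence json.dumps() here and
# json.loads() in policy_allows_everything().
SAMPLE_RECORDS = [
    {   # dev user publishes a new default policy version that allows everything
        "eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::111122223333:policy/app-policy",
            "setAsDefault": True,
            "policyDocument": json.dumps({"Version": "2012-10-17",
                                          "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}),
        },
    },
    {   # benign policy change: scoped action on a scoped resource
        "eventName": "CreatePolicyVersion", "eventSource": "iam.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
        "requestParameters": {
            "policyArn": "arn:aws:iam::111122223333:policy/app-policy",
            "setAsDefault": False,
            "policyDocument": json.dumps({"Version": "2012-10-17",
                                          "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                                         "Resource": "arn:aws:s3:::app-bucket/*"}]}),
        },
    },
    {   # dev user mints an access key for a *different*, more privileged user
        "eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
        "requestParameters": {"userName": "admin-bob"},
    },
    {   # routine self-service key rotation: caller and target are the same user
        "eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
        "requestParameters": {"userName": "dev-alice"},
    },
    {   # an assumed CI role resets another user's console password
        "eventName": "UpdateLoginProfile", "eventSource": "iam.amazonaws.com",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111122223333:assumed-role/ci-role/build-42",
                         "sessionContext": {"sessionIssuer": {"type": "Role", "userName": "ci-role"}}},
        "requestParameters": {"userName": "admin-bob", "passwordResetRequired": False},
    },
]

# Events that create or reset credentials for an IAM user.
CREDENTIAL_EVENTS = {"CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def policy_allows_everything(policy_document):
    """True if any Allow statement grants Action '*' (or 'iam:*') on Resource '*'."""
    try:
        doc = json.loads(policy_document)
    except (TypeError, ValueError):
        return False
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        resources = set(_as_list(stmt.get("Resource")))
        if actions & {"*", "iam:*"} and "*" in resources:
            return True
    return False


def actor_name(record):
    """Principal that made the call: IAM user name, or the issuing role for assumed-role sessions."""
    ident = record.get("userIdentity", {})
    if ident.get("userName"):
        return ident["userName"]
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("userName") or ident.get("arn", "unknown")


def find_privilege_escalation(records):
    """One finding per record that matches either escalation pattern."""
    findings = []
    for r in records:
        if r.get("eventSource") != "iam.amazonaws.com":
            continue
        event = r.get("eventName")
        params = r.get("requestParameters") or {}
        actor = actor_name(r)
        if event == "CreatePolicyVersion" and policy_allows_everything(params.get("policyDocument")):
            findings.append({"actor": actor, "event": event, "target": params.get("policyArn"),
                             "set_as_default": bool(params.get("setAsDefault"))})
        elif event in CREDENTIAL_EVENTS and params.get("userName") and params["userName"] != actor:
            # credentials issued for someone other than the caller
            findings.append({"actor": actor, "event": event, "target": params["userName"],
                             "set_as_default": None})
    return findings


if __name__ == "__main__":
    for finding in find_privilege_escalation(SAMPLE_RECORDS):
        print(finding)
```

A `CreatePolicyVersion` with `setAsDefault` false is inert until a later `SetDefaultPolicyVersion` activates it, so the two belong together, as they do in the table above. The cross-user credential check also fires on legitimate help-desk resets; in practice it is paired with an allowlist of the principals permitted to do that.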
Aws network acl activity
Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches help you probe deeper, when the facts warrant it.
- Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2018-05-21
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
AWS Network Access Control List Created with All Open Ports | | Disable or Modify Cloud Firewall | Defense Evasion | TTP |
AWS Network Access Control List Deleted | | Disable or Modify Cloud Firewall | Defense Evasion | Anomaly |
Detect Spike in blocked Outbound Traffic from your AWS | | | | Anomaly |
Kill Chain Phase
- Actions on Objectives
- Command and Control
Reference
version: 2
Aws security hub alerts
This story is focused on detecting alerts generated by AWS Security Hub.
- Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2020-08-04
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect Spike in AWS Security Hub Alerts for EC2 Instance | | | | Anomaly |
Detect Spike in AWS Security Hub Alerts for User | | | | Anomaly |
Kill Chain Phase
Reference
version: 1
Aws user monitoring
Detect and investigate dormant user accounts for your AWS environment that have become active again. Because inactive and ad-hoc accounts are common attack targets, it's critical to enable governance within your environment.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2018-03-12
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
AWS Excessive Security Scanning | | Cloud Service Discovery | Discovery | TTP |
Kill Chain Phase
- Actions on Objectives
Reference
version: 1
Cloud cryptomining
Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users are just a few examples of potentially malicious behavior.
- Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Change
- Last Updated: 2019-10-02
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Abnormally High Number Of Cloud Instances Launched | | Cloud Accounts, Unused/Unsupported Cloud Regions | Defense Evasion, Persistence, Privilege Escalation, Initial Access, Defense Evasion | Anomaly |
Cloud Compute Instance Created By Previously Unseen User | | Cloud Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly |
Cloud Compute Instance Created In Previously Unused Region | | Unused/Unsupported Cloud Regions | Defense Evasion | Anomaly |
Cloud Compute Instance Created With Previously Unseen Image | | | | Anomaly |
Cloud Compute Instance Created With Previously Unseen Instance Type | | | | Anomaly |
Kill Chain Phase
- Actions on Objectives
Reference
version: 1
Cloud federated credential abuse
This analytic story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktops or servers, especially servers that provide federation services such as Windows Active Directory Federation Services. Identity federation relies on objects such as OAuth2 tokens, cookies or SAML assertions to provide seamless access between cloud and on-premises environments. If these objects are hijacked or forged, attackers are able to pivot into the victim's cloud environment.
- Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-01-26
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
AWS SAML Access by Provider User and Principal | | Valid Accounts, LSASS Memory, Cloud Account, Modify Authentication Process, Image File Execution Options Injection | Defense Evasion, Persistence, Privilege Escalation, Initial Access, Credential Access, Persistence, Credential Access, Defense Evasion, Persistence, Privilege Escalation, Persistence | Anomaly |
AWS SAML Update identity provider | | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | TTP |
Certutil exe certificate extraction | | | | TTP |
Detect Mimikatz Using Loaded Images | | LSASS Memory | Credential Access | TTP |
Detect Rare Executables | | | | Anomaly |
O365 Add App Role Assignment Grant User | | Cloud Account | Persistence | TTP |
O365 Added Service Principal | | Cloud Account | Persistence | TTP |
O365 Excessive SSO logon errors | | Modify Authentication Process | Credential Access, Defense Evasion, Persistence | Anomaly |
O365 New Federated Domain Added | | Cloud Account | Persistence | TTP |
Registry Keys Used For Privilege Escalation | | Image File Execution Options Injection | Privilege Escalation, Persistence | TTP |
Kill Chain Phase
- Actions on Objectives
- Command and Control
- Installation
Reference
version: 1
Container implantation monitoring and investigation
Use the searches in this story to monitor your Kubernetes registry repositories for the upload and deployment of potentially vulnerable, backdoored or implanted containers. These searches provide information on source users, destination path, container names and repository names. They provide context to address MITRE ATT&CK T1525 (Implant Internal Image), which covers the upload of an implanted container image to a company's repository in Amazon Elastic Container Registry, Google Container Registry or Azure Container Registry.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2020-02-20
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
New container uploaded to AWS ECR | | Implant Internal Image | Persistence | Hunting |
Kill Chain Phase
Reference
version: 1
Dev sec ops
This story is focused on detecting attacks on the DevSecOps lifecycle, which consists of the phases plan, code, build, test, release, deploy, operate and monitor.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Dev Sec Ops Analytics
- Datamodel:
- Last Updated: 2021-08-18
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
AWS ECR Container Scanning Findings High | | Malicious Image, Compromise Client Software Binary, Compromise Software Dependencies and Development Tools, Exploitation for Credential Access, Cloud Service Discovery | Execution, Persistence, Initial Access, Credential Access, Discovery | TTP |
AWS ECR Container Scanning Findings Low Informational Unknown | | Malicious Image | Execution | Hunting |
AWS ECR Container Scanning Findings Medium | | Malicious Image | Execution | Anomaly |
AWS ECR Container Upload Outside Business Hours | | Malicious Image | Execution | Anomaly |
AWS ECR Container Upload Unknown User | | Malicious Image | Execution | Anomaly |
Circle CI Disable Security Job | | Compromise Client Software Binary | Persistence | Anomaly |
Circle CI Disable Security Step | | Compromise Client Software Binary | Persistence | Anomaly |
Correlation by Repository and Risk | | Malicious Image | Execution | Correlation |
Correlation by User and Risk | | Malicious Image | Execution | Correlation |
GitHub Dependabot Alert | | Compromise Software Dependencies and Development Tools | Initial Access | Anomaly |
GitHub Pull Request from Unknown User | | Compromise Software Dependencies and Development Tools | Initial Access | Anomaly |
Kubernetes Nginx Ingress LFI | | Exploitation for Credential Access | Credential Access | TTP |
Kubernetes Nginx Ingress RFI | | Exploitation for Credential Access | Credential Access | TTP |
Kubernetes Scanner Image Pulling | | Cloud Service Discovery | Discovery | TTP |
Kill Chain Phase
- Actions on Objectives
Reference
version: 1
Gcp cross account activity
Track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2020-09-01
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
GCP Detect gcploit framework | | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | TTP |
Kill Chain Phase
- Lateral Movement
Reference
version: 1
Kubernetes scanning activity
This story addresses the detection of Kubernetes cluster fingerprinting scans and attacks by providing information on items such as source IP, user agent and cluster name.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2020-04-15
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Amazon EKS Kubernetes Pod scan detection | | Cloud Service Discovery | Discovery | Hunting |
Amazon EKS Kubernetes cluster scan detection | | Cloud Service Discovery | Discovery | Hunting |
GCP Kubernetes cluster pod scan detection | | Cloud Service Discovery | Discovery | Hunting |
Kill Chain Phase
- Reconnaissance
Reference
version: 1
Kubernetes sensitive object access activity
This story addresses detection and response for accounts accessing sensitive Kubernetes cluster objects such as ConfigMaps or Secrets, providing information on items such as user, group, object, namespace and authorization reason.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2020-05-20
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Kubernetes AWS detect suspicious kubectl calls | | | | Hunting |
Kill Chain Phase
- Lateral Movement
Reference
version: 1
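The fields this story reports (user, group, object, namespace, authorization reason) all live in the Kubernetes API server audit log, which EKS ships to CloudWatch Logs when the `audit` control-plane log type is enabled. The Python below is an added example for this page, not one of Splunk's searches, showing how those fields are pulled out of `audit.k8s.io/v1` events for requests against Secrets and ConfigMaps. It runs over constructed audit events embedded inline; the allowlist of control-plane identities and the severity rule are assumptions made for the example.

```python
# Constructed Kubernetes audit events in the audit.k8s.io/v1 layout (not real logs).
SAMPLE_AUDIT_EVENTS = [
    {   # kubelet reading a secret for a pod it runs: expected, excluded below
        "stage": "ResponseComplete", "verb": "get",
        "user": {"username": "system:node:ip-10-0-1-20.ec2.internal", "groups": ["system:nodes"]},
        "objectRef": {"resource": "secrets", "namespace": "kube-system", "name": "aws-node-token"},
        "sourceIPs": ["10.0.1.20"], "userAgent": "kubelet/v1.21.2", "responseStatus": {"code": 200},
        "annotations": {"authorization.k8s.io/decision": "allow", "authorization.k8s.io/reason": "node authorizer"},
    },
    {   # workload service account reading a secret in another namespace
        "stage": "ResponseComplete", "verb": "get",
        "user": {"username": "system:serviceaccount:default:web", "groups": ["system:serviceaccounts"]},
        "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-credentials"},
        "sourceIPs": ["10.0.2.15"], "userAgent": "Go-http-client/2.0", "responseStatus": {"code": 200},
        "annotations": {"authorization.k8s.io/decision": "allow",
                        "authorization.k8s.io/reason": 'RBAC: allowed by ClusterRoleBinding "web-reader" of ClusterRole "secret-reader"'},
    },
    {   # the same request at an earlier stage: must not be counted twice
        "stage": "RequestReceived", "verb": "get",
        "user": {"username": "system:serviceaccount:default:web", "groups": ["system:serviceaccounts"]},
        "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-credentials"},
        "sourceIPs": ["10.0.2.15"], "userAgent": "Go-http-client/2.0",
    },
    {   # human user enumerating every secret in the cluster (kubectl get secrets -A)
        "stage": "ResponseComplete", "verb": "list",
        "user": {"username": "alice", "groups": ["developers", "system:authenticated"]},
        "objectRef": {"resource": "secrets"},
        "sourceIPs": ["203.0.113.7"], "userAgent": "kubectl/v1.21.0 (linux/amd64)", "responseStatus": {"code": 200},
        "annotations": {"authorization.k8s.io/decision": "allow",
                        "authorization.k8s.io/reason": 'RBAC: allowed by ClusterRoleBinding "cluster-admins" of ClusterRole "cluster-admin"'},
    },
    {   # denied probe for a secret: still reported, with the decision attached
        "stage": "ResponseComplete", "verb": "get",
        "user": {"username": "mallory", "groups": ["system:authenticated"]},
        "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-credentials"},
        "sourceIPs": ["198.51.100.4"], "userAgent": "kubectl/v1.19.0 (darwin/amd64)", "responseStatus": {"code": 403},
        "annotations": {"authorization.k8s.io/decision": "forbid", "authorization.k8s.io/reason": ""},
    },
    {   # ordinary deployment read: not a sensitive object
        "stage": "ResponseComplete", "verb": "get",
        "user": {"username": "alice", "groups": ["developers"]},
        "objectRef": {"resource": "deployments", "namespace": "prod", "name": "web"},
        "sourceIPs": ["203.0.113.7"], "userAgent": "kubectl/v1.21.0 (linux/amd64)", "responseStatus": {"code": 200},
        "annotations": {"authorization.k8s.io/decision": "allow", "authorization.k8s.io/reason": "RBAC: allowed"},
    },
]

SENSITIVE_RESOURCES = {"secrets", "configmaps"}
# Control-plane identities that read secrets as part of normal operation (hypothetical allowlist).
TRUSTED_USER_PREFIXES = ("system:node:", "system:kube-controller-manager",
                         "system:kube-scheduler", "system:apiserver")


def is_trusted(username):
    return username.startswith(TRUSTED_USER_PREFIXES)


def summarize_sensitive_access(events):
    """One record per completed request against a Secret or ConfigMap by a non-control-plane identity."""
    findings = []
    for e in events:
        if e.get("stage") != "ResponseComplete":   # RequestReceived/ResponseStarted repeat the same call
            continue
        obj = e.get("objectRef") or {}
        if obj.get("resource") not in SENSITIVE_RESOURCES:
            continue
        user = e.get("user", {})
        username = user.get("username", "")
        if is_trusted(username):
            continue
        namespace = obj.get("namespace")            # absent for a cluster-wide list/watch
        ann = e.get("annotations") or {}
        findings.append({
            "user": username, "groups": user.get("groups", []), "verb": e.get("verb"),
            "resource": obj.get("resource"), "namespace": namespace, "name": obj.get("name"),
            "decision": ann.get("authorization.k8s.io/decision"),
            "reason": ann.get("authorization.k8s.io/reason"),
            "source_ip": (e.get("sourceIPs") or [None])[0], "user_agent": e.get("userAgent"),
            # cluster-wide enumeration of secrets is the loudest of these signals
            "severity": "high" if e.get("verb") in {"list", "watch"} and namespace is None else "medium",
        })
    return findings
```

Filtering on `stage == "ResponseComplete"` matters: with the default audit policy the same request appears once per stage, and counting `RequestReceived` as well doubles every number. Denied requests are kept on purpose; an identity probing for a secret it cannot read is exactly what the investigation wants to see.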
Office 365 detections
This story is focused on detecting attacks against Office 365.
- Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2020-12-16
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
High Number of Login Failures from a single source | T1110.001, T1136.003, T1562.007, T1556, T1110, T1114, T1114.003, T1114.002 | Password Guessing, Cloud Account, Disable or Modify Cloud Firewall, Modify Authentication Process, Brute Force, Email Collection, Email Forwarding Rule, Remote Email Collection | Credential Access, Persistence, Defense Evasion, Credential Access, Defense Evasion, Persistence, Credential Access, Collection, Collection, Collection | Anomaly |
O365 Add App Role Assignment Grant User | T1136.003 | Cloud Account | Persistence | TTP |
O365 Added Service Principal | T1136.003 | Cloud Account | Persistence | TTP |
O365 Bypass MFA via Trusted IP | T1562.007 | Disable or Modify Cloud Firewall | Defense Evasion | TTP |
O365 Disable MFA | T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence | TTP |
O365 Excessive Authentication Failures Alert | T1110 | Brute Force | Credential Access | Anomaly |
O365 Excessive SSO logon errors | T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence | Anomaly |
O365 New Federated Domain Added | T1136.003 | Cloud Account | Persistence | TTP |
O365 PST export alert | T1114 | Email Collection | Collection | TTP |
O365 Suspicious Admin Email Forwarding | T1114.003 | Email Forwarding Rule | Collection | Anomaly |
O365 Suspicious Rights Delegation | T1114.002 | Remote Email Collection | Collection | TTP |
O365 Suspicious User Email Forwarding | T1114.003 | Email Forwarding Rule | Collection | Anomaly |
Kill Chain Phase
- Actions on Objectives
- Not Applicable
Reference
version: 1
Suspicious aws login activities
Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins.
- Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Authentication
- Last Updated: 2019-05-01
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect AWS Console Login by User from New City | | Unused/Unsupported Cloud Regions | Defense Evasion | Hunting |
Detect AWS Console Login by User from New Country | | Unused/Unsupported Cloud Regions | Defense Evasion | Hunting |
Detect AWS Console Login by User from New Region | | Unused/Unsupported Cloud Regions | Defense Evasion | Hunting |
Kill Chain Phase
- Actions on Objectives
Reference
version: 1
Suspicious aws s3 activities
Use the searches in this Analytic Story to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.
- Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2018-07-24
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect New Open S3 Buckets over AWS CLI | | Data from Cloud Storage Object | Collection | TTP |
Detect New Open S3 buckets | | Data from Cloud Storage Object | Collection | TTP |
Detect S3 access from a new IP | | Data from Cloud Storage Object | Collection | Anomaly |
Detect Spike in S3 Bucket deletion | | Data from Cloud Storage Object | Collection | Anomaly |
Kill Chain Phase
- Actions on Objectives
Reference
version: 2
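The two "open bucket" detections above differ only in where the public grant shows up in CloudTrail: the CLI's `--acl public-read` arrives as the `x-amz-acl` canned-ACL header, while the console and SDKs send an explicit `AccessControlPolicy` whose grants name the `AllUsers` or `AuthenticatedUsers` group. The Python below is an added example for this page, not one of Splunk's searches. It runs over constructed CloudTrail S3 management events embedded inline; the placement of `x-amz-acl` and `AccessControlPolicy` under `requestParameters`, and the `Grantee.URI` key, are assumptions about CloudTrail's serialisation of the S3 API.

```python
# Constructed CloudTrail S3 management events (not real logs).
SAMPLE_RECORDS = [
    {   # console / SDK: explicit grant of READ to everyone
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userIdentity": {"type": "IAMUser", "userName": "alice"}, "sourceIPAddress": "198.51.100.10",
        "requestParameters": {
            "bucketName": "customer-exports",
            "AccessControlPolicy": {"AccessControlList": {"Grant": [
                {"Grantee": {"xsi:type": "CanonicalUser", "ID": "0a1b2c3d"}, "Permission": "FULL_CONTROL"},
                {"Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                 "Permission": "READ"},
            ]}},
        },
    },
    {   # CLI: bucket created with a public canned ACL
        "eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
        "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.7",
        "requestParameters": {"bucketName": "static-site-assets", "x-amz-acl": ["public-read"]},
    },
    {   # private canned ACL: not a finding
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userIdentity": {"type": "IAMUser", "userName": "bob"}, "sourceIPAddress": "203.0.113.7",
        "requestParameters": {"bucketName": "static-site-assets", "x-amz-acl": ["private"]},
    },
    {   # attempt to open a bucket that was denied: the ACL did not change
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl", "errorCode": "AccessDenied",
        "userIdentity": {"type": "IAMUser", "userName": "mallory"}, "sourceIPAddress": "192.0.2.44",
        "requestParameters": {"bucketName": "customer-exports", "x-amz-acl": ["public-read-write"]},
    },
]

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}
ACL_EVENTS = {"PutBucketAcl", "CreateBucket"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_grants(record):
    """What a PutBucketAcl/CreateBucket record grants to everyone; [] if nothing."""
    params = record.get("requestParameters") or {}
    grants = []
    for canned in _as_list(params.get("x-amz-acl")):          # CLI / SDK canned ACL header
        if canned in PUBLIC_CANNED_ACLS:
            grants.append(f"canned:{canned}")
    acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    for grant in _as_list(acl.get("Grant")):                   # explicit grant list
        uri = (grant.get("Grantee") or {}).get("URI")
        if uri in PUBLIC_GROUP_URIS:
            grants.append(f"{uri.rsplit('/', 1)[-1]}:{grant.get('Permission')}")
    return grants


def find_open_buckets(records):
    findings = []
    for r in records:
        if r.get("eventSource") != "s3.amazonaws.com" or r.get("eventName") not in ACL_EVENTS:
            continue
        if r.get("errorCode"):          # a failed call changed nothing
            continue
        grants = public_grants(r)
        if grants:
            findings.append({
                "bucket": r["requestParameters"]["bucketName"],
                "actor": r.get("userIdentity", {}).get("userName", "unknown"),
                "source_ip": r.get("sourceIPAddress"),
                "grants": grants,
            })
    return findings


if __name__ == "__main__":
    for finding in find_open_buckets(SAMPLE_RECORDS):
        print(finding)
```

ACLs are only one way a bucket becomes public: a `PutBucketPolicy` whose statement has `"Principal": "*"` and a disabled Block Public Access setting have the same effect and deserve the same monitoring. Dropping records with an `errorCode` keeps the alert tied to buckets that actually changed, though the denied attempts are themselves worth a separate hunt.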
Suspicious aws traffic
Leverage these searches to monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors, such as a spike in blocked outbound traffic in your virtual private cloud (VPC).
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2018-05-07
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect Spike in blocked Outbound Traffic from your AWS | | | | Anomaly |
Kill Chain Phase
- Actions on Objectives
- Command and Control
Reference
version: 1
Suspicious cloud authentication activities
Monitor your cloud authentication events. Searches within this Analytic Story leverage the recent cloud updates to the Authentication data model to help you stay aware of and investigate suspicious login activity.
- Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Authentication
- Last Updated: 2020-06-04
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
AWS Cross Account Activity From Previously Unseen Account | | | | Anomaly |
Detect AWS Console Login by New User | | | | Hunting |
Detect AWS Console Login by User from New City | | Unused/Unsupported Cloud Regions | Defense Evasion | Hunting |
Detect AWS Console Login by User from New Country | | Unused/Unsupported Cloud Regions | Defense Evasion | Hunting |
Detect AWS Console Login by User from New Region | | Unused/Unsupported Cloud Regions | Defense Evasion | Hunting |
Kill Chain Phase
- Actions on Objectives
Reference
version: 1
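This story, "Aws cross account activity" and "Suspicious aws login activities" share one mechanism: remember what each user has done before (which cross-account roles, which login countries) and alert on the first time a new value appears after the baseline period. The Python below is an added example for this page, not one of Splunk's searches, and it implements that first-seen logic over constructed CloudTrail `AssumeRole` and `ConsoleLogin` records embedded inline. The IP-to-country table stands in for a GeoIP lookup (Splunk's `iplocation` does this), the baseline cut-off date is arbitrary, and cross-account is decided by comparing the account ID in the target role ARN with the caller's `userIdentity.accountId`.

```python
from datetime import datetime, timezone

# Constructed CloudTrail records (not real logs); only the fields the detection reads.
SAMPLE_RECORDS = [
    {"eventTime": "2021-09-01T08:00:00Z", "eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333", "userName": "alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::444455556666:role/ReadOnlyAudit"},
     "sourceIPAddress": "198.51.100.10"},
    {"eventTime": "2021-09-01T08:05:00Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "sourceIPAddress": "198.51.100.10"},
    # role in the caller's own account: not cross-account, never baselined
    {"eventTime": "2021-09-02T09:00:00Z", "eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333", "userName": "alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/Deploy"},
     "sourceIPAddress": "198.51.100.10"},
    # after the baseline window: a role in a third account alice has never used
    {"eventTime": "2021-09-10T03:12:00Z", "eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333", "userName": "alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::777788889999:role/Admin"},
     "sourceIPAddress": "203.0.113.7"},
    # after the baseline window: console login from a country alice has never logged in from
    {"eventTime": "2021-09-10T03:15:00Z", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}, "sourceIPAddress": "203.0.113.7"},
    # the known cross-account role again: already in the baseline, no alert
    {"eventTime": "2021-09-11T08:00:00Z", "eventName": "AssumeRole", "eventSource": "sts.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "accountId": "111122223333", "userName": "alice"},
     "requestParameters": {"roleArn": "arn:aws:iam::444455556666:role/ReadOnlyAudit"},
     "sourceIPAddress": "198.51.100.10"},
]

# Stand-in for a GeoIP lookup; constructed mapping for the example.
GEO_COUNTRY = {"198.51.100.10": "US", "203.0.113.7": "RO"}

# Events before this instant only train the baseline; later first-seen values alert.
BASELINE_END = datetime(2021, 9, 8, tzinfo=timezone.utc)


def parse_event_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def account_from_arn(arn):
    """arn:partition:service:region:account-id:resource -> account-id."""
    return arn.split(":")[4]


class FirstSeenTracker:
    """Per (entity, attribute), the set of values already observed."""

    def __init__(self):
        self._seen = {}

    def observe(self, entity, attribute, value):
        """Record value; True only the first time it is seen for this entity/attribute."""
        values = self._seen.setdefault((entity, attribute), set())
        if value in values:
            return False
        values.add(value)
        return True


def detect_first_seen(records, baseline_end=BASELINE_END, geo=GEO_COUNTRY):
    tracker = FirstSeenTracker()
    alerts = []
    for r in sorted(records, key=lambda rec: rec["eventTime"]):
        ident = r["userIdentity"]
        user = ident.get("userName") or ident.get("arn", "unknown")
        observations = []
        if r["eventName"] == "AssumeRole":
            role_arn = r["requestParameters"]["roleArn"]
            if account_from_arn(role_arn) != ident.get("accountId"):
                observations.append(("cross_account_role", role_arn))
        elif r["eventName"] == "ConsoleLogin" and r.get("responseElements", {}).get("ConsoleLogin") == "Success":
            observations.append(("login_country", geo.get(r["sourceIPAddress"], "unknown")))
        for attribute, value in observations:
            is_new = tracker.observe(user, attribute, value)
            if is_new and parse_event_time(r["eventTime"]) >= baseline_end:
                alerts.append({"time": r["eventTime"], "user": user, "attribute": attribute, "value": value})
    return alerts


if __name__ == "__main__":
    for alert in detect_first_seen(SAMPLE_RECORDS):
        print(alert)
```

The baseline period is what keeps this from alerting on everything the first day it runs; Splunk's versions carry the same idea as a lookup of previously seen values that the search updates on each run. Per-user state is the right granularity for city or country, while "previously unseen account" in the table above is naturally keyed per source account instead.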
Suspicious cloud instance activities
Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.
- Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Change
- Last Updated: 2020-08-25
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Abnormally High Number Of Cloud Instances Destroyed | | Cloud Accounts, Transfer Data to Cloud Account | Defense Evasion, Persistence, Privilege Escalation, Initial Access, Exfiltration | Anomaly |
Abnormally High Number Of Cloud Instances Launched | | Cloud Accounts, Unused/Unsupported Cloud Regions | Defense Evasion, Persistence, Privilege Escalation, Initial Access, Defense Evasion | Anomaly |
Cloud Instance Modified By Previously Unseen User | | Cloud Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly |
Detect shared ec2 snapshot | | Transfer Data to Cloud Account | Exfiltration | TTP |
Kill Chain Phase
- Actions on Objectives
Reference
version: 1
Suspicious cloud provisioning activities
Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.
- Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Change
- Last Updated: 2018-08-20
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Cloud Provisioning Activity From Previously Unseen City | | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly |
Cloud Provisioning Activity From Previously Unseen Country | | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly |
Cloud Provisioning Activity From Previously Unseen IP Address | | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly |
Cloud Provisioning Activity From Previously Unseen Region | | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly |
Kill Chain Phase
Reference
version: 1
Suspicious cloud user activities
Detect and investigate suspicious activities by users and roles in your cloud environments.
- Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Change
- Last Updated: 2020-09-04
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
AWS IAM AccessDenied Discovery Events | | Cloud Infrastructure Discovery, Cloud Accounts, Valid Accounts | Discovery, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly |
Abnormally High Number Of Cloud Infrastructure API Calls | | Cloud Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly |
Abnormally High Number Of Cloud Security Group API Calls | | Cloud Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly |
Cloud API Calls From Previously Unseen User Roles | | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly |
Kill Chain Phase
- Actions on Objectives
- Reconnaissance
Reference
version: 1
Suspicious gcp storage activities
Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open storage buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2020-08-05
- Use Case: Security Monitoring
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect GCP Storage access from a new IP | | Data from Cloud Storage Object | Collection | Anomaly |
Detect New Open GCP Storage Buckets | | Data from Cloud Storage Object | Collection | TTP |
Kill Chain Phase
- Actions on Objectives
Reference
version: 1
Lateral Movement
Printnightmare cve-2021-34527
The following analytic story identifies behaviors related to PrintNightmare (CVE-2021-34527, previously tracked as CVE-2021-1675), which is exploited to gain privilege escalation on a vulnerable machine.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-07-01
- Use Case: Advanced Threat Detection
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Print Spooler Adding A Printer Driver | | Print Processors, Rundll32, Exploitation for Privilege Escalation | Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation | TTP |
Print Spooler Failed to Load a Plug-in | | Print Processors | Persistence, Privilege Escalation | TTP |
Rundll32 with no Command Line Arguments with Network | | Rundll32 | Defense Evasion | TTP |
Spoolsv Spawning Rundll32 | | Print Processors | Persistence, Privilege Escalation | TTP |
Spoolsv Suspicious Loaded Modules | | Print Processors | Persistence, Privilege Escalation | TTP |
Spoolsv Suspicious Process Access | | Exploitation for Privilege Escalation | Privilege Escalation | TTP |
Spoolsv Writing a DLL | | Print Processors | Persistence, Privilege Escalation | TTP |
Spoolsv Writing a DLL - Sysmon | | Print Processors | Persistence, Privilege Escalation | TTP |
Suspicious Rundll32 no Command Line Arguments | | Rundll32 | Defense Evasion | TTP |
Kill Chain Phase
- Actions on Objectives
- Exploitation
Reference
version: 1
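Three of the detections in the table above ("Spoolsv Writing a DLL - Sysmon", "Spoolsv Spawning Rundll32" and "Suspicious Rundll32 no Command Line Arguments") describe a short chain on the endpoint: the spooler writes an attacker-supplied DLL into the point-and-print driver store, then loads it through a `rundll32.exe` child that carries no arguments. The Python below is an added example for this page, not one of Splunk's searches; it evaluates those three rules over constructed Sysmon-style events (Event ID 11 file create, Event ID 1 process create) embedded inline. The field names (`Image`, `TargetFilename`, `ParentImage`, `CommandLine`) are Sysmon's; the driver-store path marker and the "no arguments" parse are assumptions made for the example.

```python
# Constructed Sysmon-style endpoint events (not real logs). Only the fields the rules read
# are present: EventID 1 = process create, EventID 11 = file create.
SAMPLE_EVENTS = [
    {   # spoolsv drops a DLL into the point-and-print driver store
        "EventID": 11, "Computer": "ws01", "Image": r"C:\Windows\System32\spoolsv.exe",
        "TargetFilename": r"C:\Windows\System32\spool\drivers\x64\3\New\nightmare.dll",
    },
    {   # ordinary spool file: not a DLL
        "EventID": 11, "Computer": "ws01", "Image": r"C:\Windows\System32\spoolsv.exe",
        "TargetFilename": r"C:\Windows\System32\spool\PRINTERS\00012.SPL",
    },
    {   # the payload is loaded: spoolsv spawns rundll32 with no arguments
        "EventID": 1, "Computer": "ws01", "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe"',
        "ParentImage": r"C:\Windows\System32\spoolsv.exe", "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # benign rundll32 from the shell, with the usual DLL,Entry arguments
        "EventID": 1, "Computer": "ws02", "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
        "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice",
    },
    {   # a driver-store write by a different process: outside these rules
        "EventID": 11, "Computer": "ws02", "Image": r"C:\Windows\System32\svchost.exe",
        "TargetFilename": r"C:\Windows\System32\spool\drivers\x64\3\hpmdp.dll",
    },
]

# Path fragment that identifies the print driver store (assumption for the example).
DRIVER_STORE_MARKER = "\\spool\\drivers\\"


def basename(path):
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_no_arguments(command_line):
    """True when the command line is just the executable, quoted or not."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        closing = cmd.find('"', 1)
        rest = cmd[closing + 1:] if closing != -1 else ""
    else:
        parts = cmd.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip() == ""


def match_rules(event):
    """Names of the PrintNightmare-related rules this single event satisfies."""
    hits = []
    image = basename(event.get("Image", ""))
    if event.get("EventID") == 11 and image == "spoolsv.exe":
        target = event.get("TargetFilename", "").lower()
        if target.endswith(".dll") and DRIVER_STORE_MARKER.lower() in target:
            hits.append("spoolsv_writing_dll")
    if event.get("EventID") == 1 and image == "rundll32.exe":
        if basename(event.get("ParentImage", "")) == "spoolsv.exe":
            hits.append("spoolsv_spawning_rundll32")
        if has_no_arguments(event.get("CommandLine", "")):
            hits.append("rundll32_no_command_line_arguments")
    return hits


def find_printnightmare_activity(events):
    findings = []
    for e in events:
        hits = match_rules(e)
        if hits:
            findings.append({"host": e.get("Computer"), "event_id": e.get("EventID"), "rules": hits})
    return findings


if __name__ == "__main__":
    for finding in find_printnightmare_activity(SAMPLE_EVENTS):
        print(finding)
```

Legitimate driver installation also makes the spooler write DLLs into that store, so the first rule is noisy on its own and gains its value from the second and third firing on the same host shortly afterwards; correlating on `Computer` within a short window is the natural next step. The "Print Spooler Adding A Printer Driver" detection in the table works from the PrintService operational log rather than Sysmon and is a useful independent confirmation.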
Malware
Blackmatter ransomware
Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackMatter ransomware, including looking for file writes associated with BlackMatter, forced safe-mode boot, AutoAdminLogon account registry modification and more.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-09-06
- Use Case: Advanced Threat Detection
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Add DefaultUser And Password In Registry | | Credentials in Registry, Inhibit System Recovery, Defacement, Data Encrypted for Impact | Credential Access, Impact, Impact, Impact | Anomaly |
Auto Admin Logon Registry Entry | | Credentials in Registry | Credential Access | TTP |
Bcdedit Command Back To Normal Mode Boot | | Inhibit System Recovery | Impact | TTP |
Change To Safe Mode With Network Config | | Inhibit System Recovery | Impact | TTP |
Known Services Killed by Ransomware | | Inhibit System Recovery | Impact | TTP |
Modification Of Wallpaper | | Defacement | Impact | TTP |
Ransomware Notes bulk creation | | Data Encrypted for Impact | Impact | Anomaly |
Kill Chain Phase
- Exploitation
- Obfuscation
Reference
- https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
version: 1
Clop ransomware
Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clop, encryption of network shares, deletion and resizing of shadow volume storage, registry key modification, deletion of security logs, and more.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-03-17
- Use Case: Advanced Threat Detection
Detection Profile
Name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Clop Common Exec Parameter | T1204, T1543, T1485, T1569.002, T1490, T1486, T1070, T1489, T1070.001 | User Execution, Create or Modify System Process, Data Destruction, Service Execution, Inhibit System Recovery, Data Encrypted for Impact, Indicator Removal on Host, Service Stop, Clear Windows Event Logs | Execution, Persistence, Privilege Escalation, Impact, Execution, Impact, Impact, Defense Evasion, Impact, Defense Evasion | TTP |
Clop Ransomware Known Service Name | T1543 | Create or Modify System Process | Persistence, Privilege Escalation | TTP |
Common Ransomware Extensions | T1485 | Data Destruction | Impact | Hunting |
Common Ransomware Notes | T1485 | Data Destruction | Impact | Hunting |
Create Service In Suspicious File Path | T1569.002 | Service Execution | Execution | TTP |
Deleting Shadow Copies | T1490, T1070, T1070.001 | Inhibit System Recovery, Indicator Removal on Host, Clear Windows Event Logs | Impact, Defense Evasion, Defense Evasion | TTP |
High File Deletion Frequency | T1485 | Data Destruction | Impact | Anomaly |
High Process Termination Frequency | T1486 | Data Encrypted for Impact | Impact | Anomaly |
Process Deleting Its Process File Path | T1070 | Indicator Removal on Host | Defense Evasion | TTP |
Ransomware Notes bulk creation | T1486 | Data Encrypted for Impact | Impact | Anomaly |
Resize ShadowStorage volume | T1490 | Inhibit System Recovery | Impact | TTP |
Resize Shadowstorage Volume | T1489 | Service Stop | Impact | TTP |
Suspicious Event Log Service Behavior | T1070.001 | Clear Windows Event Logs | Defense Evasion | TTP |
Suspicious wevtutil Usage | T1070.001 | Clear Windows Event Logs | Defense Evasion | TTP |
WevtUtil Usage To Clear Logs | T1070.001 | Clear Windows Event Logs | Defense Evasion | TTP |
Windows Event Log Cleared | T1070.001 | Clear Windows Event Logs | Defense Evasion | TTP |
Kill Chain Phase
- Actions on Objectives
- Exploitation
- Obfuscation
- Privilege Escalation
Reference
version: 1
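"Ransomware Notes bulk creation" (listed for both BlackMatter and Clop above) and "Common Ransomware Extensions" are rate and pattern checks over endpoint file events rather than signatures for one sample: a note file landing in many folders on one host within seconds, and files being written or renamed with an extension known to belong to a ransomware family. The Python below is an added example for this page, not one of Splunk's searches, and runs over constructed file events embedded inline. The note-name markers and the extension set are a small illustrative list, not the lookups Splunk ships; the sixty-second window and ten-folder threshold are arbitrary.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint file events (not real telemetry): host, timestamp, action, path.
T0 = datetime(2021, 9, 6, 14, 0, 0)
SAMPLE_FILE_EVENTS = (
    # ws01: a ransom note dropped into 15 different folders within 30 seconds
    [{"host": "ws01", "time": T0 + timedelta(seconds=2 * i), "action": "create",
      "path": f"C:\\Users\\alice\\Documents\\project{i}\\Cl0pReadMe.txt"} for i in range(15)]
    # ws01: the documents next to them are renamed with the ransomware extension
    + [{"host": "ws01", "time": T0 + timedelta(seconds=2 * i + 1), "action": "rename",
        "path": f"C:\\Users\\alice\\Documents\\project{i}\\budget.xlsx.Clop"} for i in range(15)]
    # ws02: one developer README in one folder, a normal day
    + [{"host": "ws02", "time": T0, "action": "create", "path": "C:\\src\\tool\\README.txt"}]
)

# Illustrative patterns only; a production lookup carries the full, maintained lists.
NOTE_NAME_MARKERS = ("readme", "read_me", "restore", "recover", "decrypt", "how_to")
NOTE_EXTENSIONS = {".txt", ".html", ".hta"}
RANSOMWARE_EXTENSIONS = {".clop", ".cl0p", ".c_l_o_p"}


def split_path(path):
    """(directory, file name) for a Windows path."""
    directory, _, name = path.replace("/", "\\").rpartition("\\")
    return directory, name


def looks_like_ransom_note(path):
    name = split_path(path)[1].lower()
    stem, dot, ext = name.rpartition(".")
    return (dot + ext) in NOTE_EXTENSIONS and any(m in stem for m in NOTE_NAME_MARKERS)


def has_ransomware_extension(path):
    name = split_path(path)[1].lower()
    return any(name.endswith(ext) for ext in RANSOMWARE_EXTENSIONS)


def bulk_note_creation(events, window=timedelta(seconds=60), threshold=10):
    """Hosts that wrote note-like files into >= threshold distinct folders inside one sliding window."""
    per_host = defaultdict(list)
    for e in events:
        if e["action"] == "create" and looks_like_ransom_note(e["path"]):
            per_host[e["host"]].append((e["time"], split_path(e["path"])[0]))
    alerts = []
    for host, items in per_host.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:   # slide the window forward
                start += 1
            folders = {folder for _, folder in items[start:end + 1]}
            if len(folders) >= threshold:
                alerts.append({"host": host, "rule": "ransomware_notes_bulk_creation",
                               "folders": len(folders), "at": items[end][0]})
                break                       # one alert per host is enough for the example
    return alerts


def encrypted_file_counts(events):
    """Per host, how many files were created or renamed with a known ransomware extension."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] in {"create", "rename"} and has_ransomware_extension(e["path"]):
            counts[e["host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(bulk_note_creation(SAMPLE_FILE_EVENTS))
    print(encrypted_file_counts(SAMPLE_FILE_EVENTS))
```

Counting distinct folders rather than raw file creates is what separates a ransomware note drop from a build that writes one README into the same directory a hundred times. The extension check is the cheaper, higher-confidence signal when the family is known; the note check catches families whose extension has not been added to the lookup yet.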
Coldroot macos rat
Leverage searches that allow you to detect and investigate unusual activities that relate to the ColdRoot Remote Access Trojan that affects macOS. Examples of these activities include changing sensitive binaries in the macOS subsystem, detecting process names and executables associated with the RAT, detecting when a keyboard event tap is installed on a macOS machine, and more.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2019-01-09
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Processes Tapping Keyboard Events | | | | TTP |
Kill Chain Phase
- Command and Control
Reference
version: 1
Dhs report ta18-074a
Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearphishing attacks, malware, watering-hole domains, and more.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint, Network_Traffic
- Last Updated: 2020-01-22
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Create local admin accounts using net exe | T1136.001, T1071.002, T1021.002, T1569.002, T1059.001, T1562.004, T1547.001, T1543.003, T1053.005, T1204.002, T1112 | Local Account, File Transfer Protocols, SMB/Windows Admin Shares, Service Execution, PowerShell, Disable or Modify System Firewall, Registry Run Keys / Startup Folder, Windows Service, Scheduled Task, Malicious File, Modify Registry | Persistence, Command And Control, Lateral Movement, Execution, Execution, Defense Evasion, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Execution, Persistence, Privilege Escalation, Execution, Defense Evasion | TTP |
Detect New Local Admin account | | Local Account | Persistence | TTP |
Detect Outbound SMB Traffic | | File Transfer Protocols | Command And Control | TTP |
Detect PsExec With accepteula Flag | | SMB/Windows Admin Shares | Lateral Movement | TTP |
Detect Renamed PSExec | | Service Execution | Execution | Hunting |
Malicious PowerShell Process - Execution Policy Bypass | | PowerShell | Execution | TTP |
Processes launching netsh | | Disable or Modify System Firewall | Defense Evasion | TTP |
Registry Keys Used For Persistence | | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | TTP |
SMB Traffic Spike | | SMB/Windows Admin Shares | Lateral Movement | Anomaly |
SMB Traffic Spike - MLTK | | SMB/Windows Admin Shares | Lateral Movement | Anomaly |
Sc exe Manipulating Windows Services | | Windows Service | Persistence, Privilege Escalation | TTP |
Scheduled Task Deleted Or Created via CMD | | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP |
Single Letter Process On Endpoint | | Malicious File | Execution | TTP |
Suspicious Reg exe Process | | Modify Registry | Defense Evasion | TTP |
Kill Chain Phase
- Actions on Objectives
- Command and Control
- Execution
- Exploitation
- Installation
- Lateral Movement
Reference
version: 2
Darkside ransomware
Leverage searches that allow you to detect and investigate unusual activities that might relate to the DarkSide ransomware.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-05-12
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Attempted Credential Dump From Registry via Reg exe | T1003.002, T1197, T1105, T1218.003, T1055, T1490, T1003.001, T1021.002, T1020, T1569.002, T1486, T1548.002 | Security Account Manager, BITS Jobs, Ingress Tool Transfer, CMSTP, Process Injection, Inhibit System Recovery, LSASS Memory, SMB/Windows Admin Shares, Automated Exfiltration, Service Execution, Data Encrypted for Impact, Bypass User Account Control | Credential Access, Defense Evasion, Persistence, Command And Control, Defense Evasion, Defense Evasion, Privilege Escalation, Impact, Credential Access, Lateral Movement, Exfiltration, Execution, Impact, Privilege Escalation, Defense Evasion | TTP |
BITSAdmin Download File | | BITS Jobs, Ingress Tool Transfer | Defense Evasion, Persistence, Command And Control | TTP |
CMLUA Or CMSTPLUA UAC Bypass | | CMSTP | Defense Evasion | TTP |
CertUtil Download With URLCache and Split Arguments | | Ingress Tool Transfer | Command And Control | TTP |
CertUtil Download With VerifyCtl and Split Arguments | | Ingress Tool Transfer | Command And Control | TTP |
Cobalt Strike Named Pipes | | Process Injection | Defense Evasion, Privilege Escalation | TTP |
Delete ShadowCopy With PowerShell | | Inhibit System Recovery | Impact | TTP |
Detect Mimikatz Using Loaded Images | | LSASS Memory | Credential Access | TTP |
Detect PsExec With accepteula Flag | | SMB/Windows Admin Shares | Lateral Movement | TTP |
Detect RClone Command-Line Usage | | Automated Exfiltration | Exfiltration | TTP |
Detect Renamed PSExec | | Service Execution | Execution | Hunting |
Detect Renamed RClone | | Automated Exfiltration | Exfiltration | Hunting |
Extraction of Registry Hives | | Security Account Manager | Credential Access | TTP |
Ransomware Notes bulk creation | | Data Encrypted for Impact | Impact | Anomaly |
SLUI RunAs Elevated | | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP |
SLUI Spawning a Process | | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP |
Kill Chain Phase
- Actions on Objectives
- Execution
- Exfiltration
- Exploitation
- Lateral Movement
- Obfuscation
Reference
version: 1
Dynamic dns
Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and deny lists.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint, Network_Resolution
- Last Updated: 2018-09-06
- Use Case: Security Monitoring
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
DNS Exfiltration Using Nslookup App | T1048, T1071.004, T1048.003, T1095, T1041, T1189, T1537, T1114.001, T1114, T1114.003, T1071.001 | Exfiltration Over Alternative Protocol, DNS, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Non-Application Layer Protocol, Exfiltration Over C2 Channel, Drive-by Compromise, Transfer Data to Cloud Account, Local Email Collection, Email Collection, Email Forwarding Rule, Web Protocols | Exfiltration, Command And Control, Exfiltration, Command And Control, Exfiltration, Initial Access, Exfiltration, Collection, Collection, Collection, Command And Control | TTP |
Detect hosts connecting to dynamic domain providers | | Drive-by Compromise | Initial Access | TTP |
Excessive Usage of NSLOOKUP App | | Exfiltration Over Alternative Protocol | Exfiltration | Anomaly |
Kill Chain Phase
- Actions on Objectives
- Command and Control
- Exploitation
Reference
version: 2
Emotet malware dhs report ta18-201a
Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has compromised your environment.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Email, Endpoint, Network_Traffic
- Last Updated: 2020-01-27
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect Rare Executables | | | | Anomaly |
Detect Use of cmd exe to Launch Script Interpreters | | Windows Command Shell, Software Deployment Tools, Registry Run Keys / Startup Folder, SMB/Windows Admin Shares, Spearphishing Attachment | Execution, Execution, Lateral Movement, Persistence, Privilege Escalation, Lateral Movement, Initial Access | TTP |
Detection of tools built by NirSoft | | Software Deployment Tools | Execution, Lateral Movement | TTP |
Email Attachments With Lots Of Spaces | | | | Anomaly |
Registry Keys Used For Persistence | | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | TTP |
SMB Traffic Spike | | SMB/Windows Admin Shares | Lateral Movement | Anomaly |
SMB Traffic Spike - MLTK | | SMB/Windows Admin Shares | Lateral Movement | Anomaly |
Suspicious Email Attachment Extensions | | Spearphishing Attachment | Initial Access | Anomaly |
Kill Chain Phase
- Actions on Objectives
- Command and Control
- Delivery
- Exploitation
- Installation
Reference
version: 1
Fin7
Leverage searches that allow you to detect and investigate unusual activities that might relate to the FIN7 JS Implant and JSSLoader, including image loading of LDAP and WMI modules associated with its payload, data collection, and script execution.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-09-14
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Check Elevated CMD using whoami | | System Owner/User Discovery, JavaScript, Credentials from Web Browsers, Spearphishing Attachment, XSL Script Processing | Discovery, Execution, Credential Access, Initial Access, Defense Evasion | TTP |
Cmdline Tool Not Executed In CMD Shell | | JavaScript | Execution | TTP |
Jscript Execution Using Cscript App | | JavaScript | Execution | TTP |
MS Scripting Process Loading Ldap Module | | JavaScript | Execution | Anomaly |
MS Scripting Process Loading WMI Module | | JavaScript | Execution | Anomaly |
Non Chrome Process Accessing Chrome Default Dir | | Credentials from Web Browsers | Credential Access | Anomaly |
Non Firefox Process Access Firefox Profile Dir | | Credentials from Web Browsers | Credential Access | Anomaly |
Office Application Drop Executable | | Spearphishing Attachment | Initial Access | TTP |
Office Product Spawning Wmic | | Spearphishing Attachment | Initial Access | TTP |
XSL Script Execution With WMIC | | XSL Script Processing | Defense Evasion | TTP |
Kill Chain Phase
- Exploitation
Reference
version: 1
Hidden cobra malware
Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored cybercriminals. Details of this activity were reported in DHS Report TA-18-149A.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint, Network_Resolution, Network_Traffic
- Last Updated: 2020-01-22
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Create or delete windows shares using net exe | T1070.005, T1071.004, T1048.003, T1071.002, T1021.001, T1021.002 | Network Share Connection Removal, DNS, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, File Transfer Protocols, Remote Desktop Protocol, SMB/Windows Admin Shares | Defense Evasion, Command And Control, Exfiltration, Command And Control, Lateral Movement, Lateral Movement | TTP |
DNS Query Length Outliers - MLTK | | DNS | Command And Control | Anomaly |
DNS Query Length With High Standard Deviation | | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration | Anomaly |
Detect Outbound SMB Traffic | | File Transfer Protocols | Command And Control | TTP |
Remote Desktop Network Traffic | | Remote Desktop Protocol | Lateral Movement | Anomaly |
Remote Desktop Process Running On System | | Remote Desktop Protocol | Lateral Movement | Hunting |
SMB Traffic Spike | | SMB/Windows Admin Shares | Lateral Movement | Anomaly |
SMB Traffic Spike - MLTK | | SMB/Windows Admin Shares | Lateral Movement | Anomaly |
Kill Chain Phase
- Actions on Objectives
- Command and Control
Reference
version: 2
Icedid
Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-07-29
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Account Discovery With Net App | T1087.002, T1562.001, T1059, T1055, T1204.002, T1548.002, T1112, T1560.001, T1218.005, T1482, T1566.001, T1547.001, T1218.011, T1053, T1005, T1218.010, T1590.005, T1027, T1053.005, T1021.002 | Domain Account, Disable or Modify Tools, Command and Scripting Interpreter, Process Injection, Malicious File, Bypass User Account Control, Modify Registry, Archive via Utility, Mshta, Domain Trust Discovery, Spearphishing Attachment, Registry Run Keys / Startup Folder, Rundll32, Scheduled Task/Job, Data from Local System, Regsvr32, IP Addresses, Obfuscated Files or Information, Scheduled Task, SMB/Windows Admin Shares | Discovery, Defense Evasion, Execution, Defense Evasion, Privilege Escalation, Execution, Privilege Escalation, Defense Evasion, Defense Evasion, Collection, Defense Evasion, Discovery, Initial Access, Persistence, Privilege Escalation, Defense Evasion, Execution, Persistence, Privilege Escalation, Collection, Defense Evasion, Reconnaissance, Defense Evasion, Execution, Persistence, Privilege Escalation, Lateral Movement | TTP |
CHCP Command Execution | | Command and Scripting Interpreter | Execution | TTP |
Create Remote Thread In Shell Application | | Process Injection | Defense Evasion, Privilege Escalation | TTP |
Drop IcedID License dat | | Malicious File | Execution | Hunting |
Eventvwr UAC Bypass | | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP |
FodHelper UAC Bypass | | Modify Registry, Bypass User Account Control | Defense Evasion, Privilege Escalation, Defense Evasion | TTP |
IcedID Exfiltrated Archived File Creation | | Archive via Utility | Collection | Hunting |
Mshta spawning Rundll32 OR Regsvr32 Process | | Mshta | Defense Evasion | TTP |
NLTest Domain Trust Discovery | | Domain Trust Discovery | Discovery | TTP |
Office Application Spawn Regsvr32 process | | Spearphishing Attachment | Initial Access | TTP |
Office Application Spawn rundll32 process | | Spearphishing Attachment | Initial Access | TTP |
Office Document Executing Macro Code | | Spearphishing Attachment | Initial Access | TTP |
Office Product Spawning MSHTA | | Spearphishing Attachment | Initial Access | TTP |
Registry Keys Used For Persistence | | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | TTP |
Rundll32 Create Remote Thread To A Process | | Process Injection | Defense Evasion, Privilege Escalation | TTP |
Rundll32 CreateRemoteThread In Browser | | Process Injection | Defense Evasion, Privilege Escalation | TTP |
Rundll32 DNSQuery | | Rundll32 | Defense Evasion | TTP |
Rundll32 Process Creating Exe Dll Files | | Rundll32 | Defense Evasion | TTP |
Schedule Task with Rundll32 Command Trigger | | Scheduled Task/Job | Execution, Persistence, Privilege Escalation | TTP |
Sqlite Module In Temp Folder | | Data from Local System | Collection | TTP |
Suspicious IcedID Regsvr32 Cmdline | | Regsvr32 | Defense Evasion | TTP |
Suspicious IcedID Rundll32 Cmdline | | Rundll32 | Defense Evasion | TTP |
Suspicious Rundll32 PluginInit | | Rundll32 | Defense Evasion | TTP |
WinEvent Scheduled Task Created Within Public Path | | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP |
Kill Chain Phase
- Actions on Objectives
- Exploitation
- Privilege Escalation
- Reconnaissance
Reference
version: 1
Orangeworm attack group
Detect activities and various techniques associated with the Orangeworm Attack Group, a group that frequently targets the healthcare industry.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2020-01-22
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
First Time Seen Running Windows Service | | Service Execution, Process Injection, Native API, System Services, Services Registry Permissions Weakness, Windows Service | Execution, Defense Evasion, Privilege Escalation, Execution, Execution, Persistence, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation | Anomaly |
Sc exe Manipulating Windows Services | | Windows Service | Persistence, Privilege Escalation | TTP |
Kill Chain Phase
- Actions on Objectives
- Installation
Reference
version: 2
Ransomware
Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware, such as spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, system processes run from unexpected locations, and many others.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint, Network_Traffic
- Last Updated: 2020-02-04
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
7zip CommandLine To SMB Share Path | T1560.001, T1562.007, T1548, T1489, T1490, T1218.003, T1070.004, T1485, T1204, T1020, T1087.002, T1087.001, T1482, T1069.002, T1069.001, T1562.001, T1070.001, T1531, T1569.002, T1059.005, T1070, T1222, T1491, T1574.002, T1027.005, T1546.015, T1048, T1592, T1547.001, T1047, T1112, T1021.002, T1053.005, T1036.003, T1071.001, T1218.007 | Archive via Utility, Disable or Modify Cloud Firewall, Abuse Elevation Control Mechanism, Service Stop, Inhibit System Recovery, CMSTP, File Deletion, Data Destruction, User Execution, Automated Exfiltration, Domain Account, Local Account, Domain Trust Discovery, Domain Groups, Local Groups, Disable or Modify Tools, Clear Windows Event Logs, Account Access Removal, Service Execution, Visual Basic, Indicator Removal on Host, File and Directory Permissions Modification, Defacement, DLL Side-Loading, Indicator Removal from Tools, Component Object Model Hijacking, Exfiltration Over Alternative Protocol, Gather Victim Host Information, Registry Run Keys / Startup Folder, Windows Management Instrumentation, Modify Registry, SMB/Windows Admin Shares, Scheduled Task, Rename System Utilities, Web Protocols, Msiexec | Collection, Defense Evasion, Privilege Escalation, Defense Evasion, Impact, Impact, Defense Evasion, Defense Evasion, Impact, Execution, Exfiltration, Discovery, Discovery, Discovery, Discovery, Discovery, Defense Evasion, Defense Evasion, Impact, Execution, Execution, Defense Evasion, Defense Evasion, Impact, Persistence, Privilege Escalation, Defense Evasion, Defense Evasion, Privilege Escalation, Persistence, Exfiltration, Reconnaissance, Persistence, Privilege Escalation, Execution, Defense Evasion, Lateral Movement, Execution, Persistence, Privilege Escalation, Defense Evasion, Command And Control, Defense Evasion | Hunting |
Allow File And Printing Sharing In Firewall | | Disable or Modify Cloud Firewall | Defense Evasion | TTP |
Allow Network Discovery In Firewall | T1562.007, T1490, T1562.001, T1491, T1574.002, T1204, T1112, T1218.003 | Disable or Modify Cloud Firewall, Inhibit System Recovery, Disable or Modify Tools, Defacement, DLL Side-Loading, User Execution, Modify Registry, CMSTP | Defense Evasion, Impact, Defense Evasion, Impact, Persistence, Privilege Escalation, Defense Evasion, Execution, Defense Evasion, Defense Evasion | TTP |
Allow Operation with Consent Admin | | Abuse Elevation Control Mechanism | Privilege Escalation, Defense Evasion | TTP |
Attempt To Disable Services | | Service Stop | Impact | TTP |
Attempt To delete Services | | Service Stop | Impact | TTP |
BCDEdit Failure Recovery Modification | T1490, T1485, T1482, T1021.001, T1486, T1059.003, T1053.005, T1562.001, T1489 | Inhibit System Recovery, Data Destruction, Domain Trust Discovery, Remote Desktop Protocol, Data Encrypted for Impact, Windows Command Shell, Scheduled Task, Disable or Modify Tools, Service Stop | Impact, Impact, Discovery, Lateral Movement, Impact, Execution, Execution, Persistence, Privilege Escalation, Defense Evasion, Impact | TTP |
CMLUA Or CMSTPLUA UAC Bypass | | CMSTP | Defense Evasion | TTP |
Clear Unallocated Sector Using Cipher App | | File Deletion | Defense Evasion | TTP |
Common Ransomware Extensions | | Data Destruction | Impact | Hunting |
Common Ransomware Notes | | Data Destruction | Impact | Hunting |
Conti Common Exec parameter | | User Execution | Execution | TTP |
Delete A Net User | | Service Stop | Impact | Anomaly |
Delete ShadowCopy With PowerShell | | Inhibit System Recovery | Impact | TTP |
Deleting Shadow Copies | | Inhibit System Recovery, Indicator Removal on Host, Clear Windows Event Logs | Impact, Defense Evasion, Defense Evasion | TTP |
Detect RClone Command-Line Usage | | Automated Exfiltration | Exfiltration | TTP |
Detect Renamed RClone | | Automated Exfiltration | Exfiltration | Hunting |
Detect SharpHound Command-Line Arguments | | Domain Account, Local Account, Domain Trust Discovery, Domain Groups, Local Groups | Discovery, Discovery, Discovery, Discovery, Discovery | TTP |
Detect SharpHound File Modifications | | Domain Account, Local Account, Domain Trust Discovery, Domain Groups, Local Groups | Discovery, Discovery, Discovery, Discovery, Discovery | TTP |
Detect SharpHound Usage | | Domain Account, Local Account, Domain Trust Discovery, Domain Groups, Local Groups | Discovery, Discovery, Discovery, Discovery, Discovery | TTP |
Disable AMSI Through Registry | | Disable or Modify Tools | Defense Evasion | TTP |
Disable ETW Through Registry | | Disable or Modify Tools | Defense Evasion | TTP |
Disable Logs Using WevtUtil | | Clear Windows Event Logs | Defense Evasion | TTP |
Disable Net User Account | | Service Stop | Impact | TTP |
Disable Windows Behavior Monitoring | | Disable or Modify Tools | Defense Evasion | TTP |
Excessive Service Stop Attempt | | Service Stop | Impact | Anomaly |
Excessive Usage Of Net App | | Account Access Removal | Impact | Anomaly |
Excessive Usage Of SC Service Utility | | Service Execution | Execution | Anomaly |
Execute Javascript With Jscript COM CLSID | | Visual Basic | Execution | TTP |
Fsutil Zeroing File | | Indicator Removal on Host | Defense Evasion | TTP |
ICACLS Grant Command | | File and Directory Permissions Modification | Defense Evasion | TTP |
Known Services Killed by Ransomware | | Inhibit System Recovery | Impact | TTP |
Modification Of Wallpaper | | Defacement | Impact | TTP |
Msmpeng Application DLL Side Loading | | DLL Side-Loading | Persistence, Privilege Escalation, Defense Evasion | TTP |
Permission Modification using Takeown App | | File and Directory Permissions Modification | Defense Evasion | TTP |
Powershell Disable Security Monitoring | | Disable or Modify Tools | Defense Evasion | TTP |
Powershell Enable SMB1Protocol Feature | | Indicator Removal from Tools | Defense Evasion | TTP |
Powershell Execute COM Object | | Component Object Model Hijacking | Privilege Escalation, Persistence | TTP |
Prevent Automatic Repair Mode using Bcdedit | | Inhibit System Recovery | Impact | TTP |
Prohibited Network Traffic Allowed | | Exfiltration Over Alternative Protocol | Exfiltration | TTP |
Recon AVProduct Through Pwh or WMI | | Gather Victim Host Information | Reconnaissance | TTP |
Recursive Delete of Directory In Batch CMD | | File Deletion | Defense Evasion | TTP |
Registry Keys Used For Persistence | | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | TTP |
Remote Process Instantiation via WMI | | Windows Management Instrumentation | Execution | TTP |
Resize Shadowstorage Volume | | Service Stop | Impact | TTP |
Revil Common Exec Parameter | | User Execution | Execution | TTP |
Revil Registry Entry | | Modify Registry | Defense Evasion | TTP |
SMB Traffic Spike | | SMB/Windows Admin Shares | Lateral Movement | Anomaly |
SMB Traffic Spike - MLTK | | SMB/Windows Admin Shares | Lateral Movement | Anomaly |
Schtasks used for forcing a reboot | | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP |
Spike in File Writes | | | | Anomaly |
Start Up During Safe Mode Boot | | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | TTP |
Suspicious Event Log Service Behavior | | Clear Windows Event Logs | Defense Evasion | TTP |
Suspicious Scheduled Task from Public Directory | | Scheduled Task | Execution, Persistence, Privilege Escalation | Anomaly |
Suspicious wevtutil Usage | | Clear Windows Event Logs | Defense Evasion | TTP |
System Processes Run From Unexpected Locations | | Rename System Utilities | Defense Evasion | TTP |
TOR Traffic | | Web Protocols | Command And Control | TTP |
UAC Bypass With Colorui COM Object | | CMSTP | Defense Evasion | TTP |
USN Journal Deletion | | Indicator Removal on Host | Defense Evasion | TTP |
Uninstall App Using MsiExec | | Msiexec | Defense Evasion | TTP |
Unusually Long Command Line | | | | Anomaly |
Unusually Long Command Line - MLTK | | | | Anomaly |
WBAdmin Delete System Backups | | Inhibit System Recovery | Impact | TTP |
Wbemprox COM Object Execution | | CMSTP | Defense Evasion | TTP |
WevtUtil Usage To Clear Logs | | Clear Windows Event Logs | Defense Evasion | TTP |
Wevtutil Usage To Disable Logs | | Clear Windows Event Logs | Defense Evasion | TTP |
WinEvent Scheduled Task Created Within Public Path | | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP |
WinEvent Scheduled Task Created to Spawn Shell | | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP |
Windows Event Log Cleared | | Clear Windows Event Logs | Defense Evasion | TTP |
Kill Chain Phase
- Actions on Objectives
- Command and Control
- Delivery
- Exfiltration
- Exploitation
- Privilege Escalation
- Reconnaissance
Reference
version: 1
Ransomware cloud
Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches include cloud-related objects that may be targeted by malicious actors via cloud providers' own encryption features.
- Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:
- Last Updated: 2020-10-27
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
AWS Detect Users creating keys with encrypt policy without MFA | | Data Encrypted for Impact | Impact | TTP |
AWS Detect Users with KMS keys performing encryption S3 | | Data Encrypted for Impact | Impact | Anomaly |
Kill Chain Phase
Reference
version: 1
Remcos
Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT, including looking for file writes associated with its payload, screen capture, registry modification, UAC bypass, persistence, and data collection.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-09-23
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Disabling Remote User Account Control | T1548.002, T1036, T1547.010, T1070, T1547.001, T1546.012, T1546.011, T1113, T1543 | Bypass User Account Control, Masquerading, Port Monitors, Indicator Removal on Host, Registry Run Keys / Startup Folder, Image File Execution Options Injection, Application Shimming, Screen Capture, Create or Modify System Process | Privilege Escalation, Defense Evasion, Defense Evasion, Persistence, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Collection, Persistence, Privilege Escalation | TTP |
Executables Or Script Creation In Suspicious Path | | Masquerading | Defense Evasion | TTP |
Process Deleting Its Process File Path | | Indicator Removal on Host | Defense Evasion | TTP |
Registry Keys Used For Persistence | | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | TTP |
Remcos RAT File Creation in Remcos Folder | | Screen Capture | Collection | TTP |
Suspicious Image Creation In Appdata Folder | | Screen Capture | Collection | TTP |
Suspicious Process File Path | | Create or Modify System Process | Persistence, Privilege Escalation | TTP |
Suspicious WAV file in Appdata Folder | | Screen Capture | Collection | TTP |
Kill Chain Phase
- Actions on Objectives
- Exploitation
Reference
version: 1
Revil ransomware
Leverage searches that allow you to detect and investigate unusual activities that might relate to the Revil ransomware, including looking for file writes associated with Revil, encryption of network shares, deletion of shadow volume storage, registry key modification, deletion of security logs, and more.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint
- Last Updated: 2021-06-04
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Allow Network Discovery In Firewall | T1562.007, T1490, T1562.001, T1491, T1574.002, T1204, T1112, T1218.003 | Disable or Modify Cloud Firewall, Inhibit System Recovery, Disable or Modify Tools, Defacement, DLL Side-Loading, User Execution, Modify Registry, CMSTP | Defense Evasion, Impact, Defense Evasion, Impact, Persistence, Privilege Escalation, Defense Evasion, Execution, Defense Evasion, Defense Evasion | TTP |
Delete ShadowCopy With PowerShell | | Inhibit System Recovery | Impact | TTP |
Disable Windows Behavior Monitoring | | Disable or Modify Tools | Defense Evasion | TTP |
Modification Of Wallpaper | | Defacement | Impact | TTP |
Msmpeng Application DLL Side Loading | | DLL Side-Loading | Persistence, Privilege Escalation, Defense Evasion | TTP |
Powershell Disable Security Monitoring | | Disable or Modify Tools | Defense Evasion | TTP |
Revil Common Exec Parameter | | User Execution | Execution | TTP |
Revil Registry Entry | | Modify Registry | Defense Evasion | TTP |
Wbemprox COM Object Execution | | CMSTP | Defense Evasion | TTP |
Kill Chain Phase
- Exploitation
Reference
version: 1
Ryuk ransomware
Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, stopping of the Security Account Manager, DisableAntiSpyware registry key modification, suspicious psexec use, and more.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel:Endpoint, Network_Traffic
- Last Updated: 2020-11-06
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
BCDEdit Failure Recovery Modification | T1490, T1485, T1482, T1021.001, T1486, T1059.003, T1053.005, T1562.001, T1489 | Inhibit System Recovery, Data Destruction, Domain Trust Discovery, Remote Desktop Protocol, Data Encrypted for Impact, Windows Command Shell, Scheduled Task, Disable or Modify Tools, Service Stop | Impact, Impact, Discovery, Lateral Movement, Impact, Execution, Execution, Persistence, Privilege Escalation, Defense Evasion, Impact | TTP |
Common Ransomware Extensions | | Data Destruction | Impact | Hunting |
Common Ransomware Notes | | Data Destruction | Impact | Hunting |
NLTest Domain Trust Discovery | | Domain Trust Discovery | Discovery | TTP |
Remote Desktop Network Bruteforce | | Remote Desktop Protocol | Lateral Movement | TTP |
Remote Desktop Network Traffic | | Remote Desktop Protocol | Lateral Movement | Anomaly |
Ryuk Test Files Detected | | Data Encrypted for Impact | Impact | TTP |
Ryuk Wake on LAN Command | | Windows Command Shell | Execution | TTP |
Spike in File Writes | | | | Anomaly |
Suspicious Scheduled Task from Public Directory | | Scheduled Task | Execution, Persistence, Privilege Escalation | Anomaly |
WBAdmin Delete System Backups | | Inhibit System Recovery | Impact | TTP |
WinEvent Scheduled Task Created Within Public Path | | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP |
WinEvent Scheduled Task Created to Spawn Shell | | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP |
Windows DisableAntiSpyware Registry | | Disable or Modify Tools | Defense Evasion | TTP |
Windows Security Account Manager Stopped | | Service Stop | Impact | TTP |
Kill Chain Phase
- Actions on Objectives
- Delivery
- Exploitation
- Lateral Movement
- Privilege Escalation
- Reconnaissance
Reference
version: 1
Samsam ransomware
Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ransomware, including file writes associated with SamSam, RDP brute-force attacks, the presence of files with SamSam ransomware extensions, suspicious psexec use, and more.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Network_Traffic, Web
- Last Updated: 2018-12-13
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Attacker Tools On Endpoint | T1036.005, T1595, T1003, T1489, T1204.002, T1485, T1531, T1490, T1222, T1021.002, T1569.002, T1082, T1016, T1562.001, T1105, T1087, T1036, T1059, T1117, T1202, T1053, T1203, T1072, T1021.001, T1218.011, T1486, T1543.003, T1543, T1036.003, T1190 | Match Legitimate Name or Location, Active Scanning, OS Credential Dumping, Service Stop, Malicious File, Data Destruction, Account Access Removal, Inhibit System Recovery, File and Directory Permissions Modification, SMB/Windows Admin Shares, Service Execution, System Information Discovery, System Network Configuration Discovery, Disable or Modify Tools, Ingress Tool Transfer, Account Discovery, Masquerading, Command and Scripting Interpreter, Regsvr32, Indirect Command Execution, Scheduled Task/Job, Exploitation for Client Execution, Software Deployment Tools, Remote Desktop Protocol, Rundll32, Data Encrypted for Impact, Windows Service, Create or Modify System Process, Rename System Utilities, Exploit Public-Facing Application | Defense Evasion, Reconnaissance, Credential Access, Impact, Execution, Impact, Impact, Impact, Defense Evasion, Lateral Movement, Execution, Discovery, Discovery, Defense Evasion, Command And Control, Discovery, Defense Evasion, Execution, , Defense Evasion, Execution, Persistence, Privilege Escalation, Execution, Execution, Lateral Movement, Lateral Movement, Defense Evasion, Impact, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Defense Evasion, Initial Access | TTP |
Batch File Write to System32 | | Malicious File | Execution | TTP |
Common Ransomware Extensions | | Data Destruction | Impact | Hunting |
Common Ransomware Notes | | Data Destruction | Impact | Hunting |
Deleting Shadow Copies | | Inhibit System Recovery, Indicator Removal on Host, Clear Windows Event Logs | Impact, Defense Evasion, Defense Evasion | TTP |
Detect PsExec With accepteula Flag | | SMB/Windows Admin Shares | Lateral Movement | TTP |
Detect Renamed PSExec | | Service Execution | Execution | Hunting |
Detect attackers scanning for vulnerable JBoss servers | | System Information Discovery | Discovery | TTP |
Detect malicious requests to exploit JBoss servers | | | | TTP |
File with Samsam Extension | | | | TTP |
Remote Desktop Network Bruteforce | | Remote Desktop Protocol | Lateral Movement | TTP |
Remote Desktop Network Traffic | | Remote Desktop Protocol | Lateral Movement | Anomaly |
Samsam Test File Write | | Data Encrypted for Impact | Impact | TTP |
Spike in File Writes | | | | Anomaly |
Kill Chain Phase
- Actions on Objectives
- Command and Control
- Delivery
- Execution
- Exploitation
- Installation
- Lateral Movement
- Reconnaissance
Reference
version: 1
Trickbot
Leverage searches that allow you to detect and investigate unusual activities that might relate to the TrickBot banking trojan, including file writes associated with its payload, process injection, shellcode execution, and data collection, including in LDAP environments.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2021-04-20
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Account Discovery With Net App | T1087.002, T1562.001, T1059, T1055, T1204.002, T1548.002, T1112, T1560.001, T1218.005, T1482, T1566.001, T1547.001, T1218.011, T1053, T1005, T1218.010, T1590.005, T1027, T1053.005, T1021.002 | Domain Account, Disable or Modify Tools, Command and Scripting Interpreter, Process Injection, Malicious File, Bypass User Account Control, Modify Registry, Archive via Utility, Mshta, Domain Trust Discovery, Spearphishing Attachment, Registry Run Keys / Startup Folder, Rundll32, Scheduled Task/Job, Data from Local System, Regsvr32, IP Addresses, Obfuscated Files or Information, Scheduled Task, SMB/Windows Admin Shares | Discovery, Defense Evasion, Execution, Defense Evasion, Privilege Escalation, Execution, Privilege Escalation, Defense Evasion, Defense Evasion, Collection, Defense Evasion, Discovery, Initial Access, Persistence, Privilege Escalation, Defense Evasion, Execution, Persistence, Privilege Escalation, Collection, Defense Evasion, Reconnaissance, Defense Evasion, Execution, Persistence, Privilege Escalation, Lateral Movement | TTP |
Attempt To Stop Security Service | | Disable or Modify Tools | Defense Evasion | TTP |
Cobalt Strike Named Pipes | | Process Injection | Defense Evasion, Privilege Escalation | TTP |
Mshta spawning Rundll32 OR Regsvr32 Process | | Mshta | Defense Evasion | TTP |
Office Application Spawn rundll32 process | | Spearphishing Attachment | Initial Access | TTP |
Office Document Executing Macro Code | | Spearphishing Attachment | Initial Access | TTP |
Office Product Spawn CMD Process | | Mshta | Defense Evasion | TTP |
Powershell Remote Thread To Known Windows Process | | Process Injection | Defense Evasion, Privilege Escalation | TTP |
Schedule Task with Rundll32 Command Trigger | | Scheduled Task/Job | Execution, Persistence, Privilege Escalation | TTP |
Suspicious Rundll32 StartW | | Rundll32 | Defense Evasion | TTP |
Trickbot Named Pipe | | Process Injection | Defense Evasion, Privilege Escalation | TTP |
Wermgr Process Connecting To IP Check Web Services | | IP Addresses | Reconnaissance | TTP |
Wermgr Process Create Executable File | | Obfuscated Files or Information | Defense Evasion | TTP |
Wermgr Process Spawned CMD Or Powershell Process | | Command and Scripting Interpreter | Execution | TTP |
Write Executable in SMB Share | | SMB/Windows Admin Shares | Lateral Movement | TTP |
Kill Chain Phase
- Actions on Objectives
- Exploitation
- Installation
- Lateral Movement
- Reconnaissance
Reference
version: 1
Unusual processes
Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2020-02-04
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Attacker Tools On Endpoint | T1036.005, T1595, T1003, T1489, T1204.002, T1485, T1531, T1490, T1222, T1021.002, T1569.002, T1082, T1016, T1562.001, T1105, T1087, T1036, T1059, T1117, T1202, T1053, T1203, T1072, T1021.001, T1218.011, T1486, T1543.003, T1543, T1036.003, T1190 | Match Legitimate Name or Location, Active Scanning, OS Credential Dumping, Service Stop, Malicious File, Data Destruction, Account Access Removal, Inhibit System Recovery, File and Directory Permissions Modification, SMB/Windows Admin Shares, Service Execution, System Information Discovery, System Network Configuration Discovery, Disable or Modify Tools, Ingress Tool Transfer, Account Discovery, Masquerading, Command and Scripting Interpreter, Regsvr32, Indirect Command Execution, Scheduled Task/Job, Exploitation for Client Execution, Software Deployment Tools, Remote Desktop Protocol, Rundll32, Data Encrypted for Impact, Windows Service, Create or Modify System Process, Rename System Utilities, Exploit Public-Facing Application | Defense Evasion, Reconnaissance, Credential Access, Impact, Execution, Impact, Impact, Impact, Defense Evasion, Lateral Movement, Execution, Discovery, Discovery, Defense Evasion, Command And Control, Discovery, Defense Evasion, Execution, , Defense Evasion, Execution, Persistence, Privilege Escalation, Execution, Execution, Lateral Movement, Lateral Movement, Defense Evasion, Impact, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Defense Evasion, Initial Access | TTP |
Credential Extraction indicative of FGDump and CacheDump with s option | | OS Credential Dumping | Credential Access | TTP |
Credential Extraction indicative of FGDump and CacheDump with v option | | OS Credential Dumping | Credential Access | TTP |
Credential Extraction indicative of use of Mimikatz modules | | OS Credential Dumping | Credential Access | TTP |
Credential Extraction native Microsoft debuggers peek into the kernel | | OS Credential Dumping | Credential Access | TTP |
Credential Extraction native Microsoft debuggers via z command line option | | OS Credential Dumping | Credential Access | TTP |
Detect Rare Executables | | | | Anomaly |
Detect processes used for System Network Configuration Discovery | | System Network Configuration Discovery | Discovery | TTP |
First time seen command line argument | | Command and Scripting Interpreter, Regsvr32, Indirect Command Execution | Execution, , Defense Evasion | Anomaly |
More than usual number of LOLBAS applications in short time period | | Command and Scripting Interpreter, Scheduled Task/Job | Execution, Execution, Persistence, Privilege Escalation | Anomaly |
Rare Parent-Child Process Relationship | | Exploitation for Client Execution, Command and Scripting Interpreter, Scheduled Task/Job, Software Deployment Tools | Execution, Execution, Execution, Persistence, Privilege Escalation, Execution, Lateral Movement | Anomaly |
RunDLL Loading DLL By Ordinal | | Rundll32 | Defense Evasion | TTP |
System Processes Run From Unexpected Locations | | Rename System Utilities | Defense Evasion | TTP |
Unusually Long Command Line | | | | Anomaly |
Unusually Long Command Line - MLTK | | | | Anomaly |
WinRM Spawning a Process | | Exploit Public-Facing Application | Initial Access | TTP |
Kill Chain Phase
- Actions on Objectives
- Command and Control
- Denial of Service
- Exploitation
- Installation
- Privilege Escalation
Reference
version: 2
Windows file extension and association abuse
Detect and investigate suspected abuse of file extensions and Windows file associations. Some of the malicious behaviors involved may include inserting spaces before file extensions or prepending the file extension with a different one, among other techniques.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2018-01-26
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Execution of File with Multiple Extensions | | Rename System Utilities, MSBuild, Rundll32, Trusted Developer Utilities Proxy Execution, Masquerading | Defense Evasion, Defense Evasion, Defense Evasion, Defense Evasion, Defense Evasion | TTP |
Kill Chain Phase
- Actions on Objectives
Reference
version: 1
Windows service abuse
Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2017-11-02
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
First Time Seen Running Windows Service | | Service Execution, Process Injection, Native API, System Services, Services Registry Permissions Weakness, Windows Service | Execution, Defense Evasion, Privilege Escalation, Execution, Execution, Persistence, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation | Anomaly |
Illegal Service and Process Control via Mimikatz modules | | Process Injection, Native API, System Services | Defense Evasion, Privilege Escalation, Execution, Execution | TTP |
Illegal Service and Process Control via PowerSploit modules | | Process Injection, Native API, System Services | Defense Evasion, Privilege Escalation, Execution, Execution | TTP |
Reg exe Manipulating Windows Services Registry Keys | | Services Registry Permissions Weakness | Persistence, Privilege Escalation, Defense Evasion | TTP |
Sc exe Manipulating Windows Services | | Windows Service | Persistence, Privilege Escalation | TTP |
Kill Chain Phase
- Actions on Objectives
- Installation
Reference
version: 3
Xmrig
Leverage searches that allow you to detect and investigate unusual activities that might relate to the XMRig Monero miner, including file writes associated with its payload, its process command line, defense evasion (killing services, deleting users, modifying file or folder permissions, killing other malware or other coin miners), and hacking tools, including Telegram as a means of command and control (C2) to download other files. Adversaries may leverage the resources of co-opted systems to solve resource-intensive problems, which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. Servers and cloud-based systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2021-05-07
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Attacker Tools On Endpoint | T1036.005, T1595, T1003, T1489, T1204.002, T1485, T1531, T1490, T1222, T1021.002, T1569.002, T1082, T1016, T1562.001, T1105, T1087, T1036, T1059, T1117, T1202, T1053, T1203, T1072, T1021.001, T1218.011, T1486, T1543.003, T1543, T1036.003, T1190 | Match Legitimate Name or Location, Active Scanning, OS Credential Dumping, Service Stop, Malicious File, Data Destruction, Account Access Removal, Inhibit System Recovery, File and Directory Permissions Modification, SMB/Windows Admin Shares, Service Execution, System Information Discovery, System Network Configuration Discovery, Disable or Modify Tools, Ingress Tool Transfer, Account Discovery, Masquerading, Command and Scripting Interpreter, Regsvr32, Indirect Command Execution, Scheduled Task/Job, Exploitation for Client Execution, Software Deployment Tools, Remote Desktop Protocol, Rundll32, Data Encrypted for Impact, Windows Service, Create or Modify System Process, Rename System Utilities, Exploit Public-Facing Application | Defense Evasion, Reconnaissance, Credential Access, Impact, Execution, Impact, Impact, Impact, Defense Evasion, Lateral Movement, Execution, Discovery, Discovery, Defense Evasion, Command And Control, Discovery, Defense Evasion, Execution, , Defense Evasion, Execution, Persistence, Privilege Escalation, Execution, Execution, Lateral Movement, Lateral Movement, Defense Evasion, Impact, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Defense Evasion, Initial Access | TTP |
Attempt To Disable Services | | Service Stop | Impact | TTP |
Attempt To delete Services | | Service Stop | Impact | TTP |
Delete A Net User | | Service Stop | Impact | Anomaly |
Deleting Of Net Users | | Account Access Removal | Impact | TTP |
Deny Permission using Cacls Utility | | File and Directory Permissions Modification | Defense Evasion | TTP |
Disable Net User Account | | Service Stop | Impact | TTP |
Disable Windows App Hotkeys | | Disable or Modify Tools | Defense Evasion | TTP |
Disabling Net User Account | | Account Access Removal | Impact | TTP |
Download Files Using Telegram | | Ingress Tool Transfer | Command And Control | TTP |
Enumerate Users Local Group Using Telegram | | Account Discovery | Discovery | TTP |
Excessive Attempt To Disable Services | | Service Stop | Impact | Anomaly |
Excessive Service Stop Attempt | | Service Stop | Impact | Anomaly |
Excessive Usage Of Cacls App | | File and Directory Permissions Modification | Defense Evasion | Anomaly |
Excessive Usage Of Net App | | Account Access Removal | Impact | Anomaly |
Excessive Usage Of Taskkill | | Disable or Modify Tools | Defense Evasion | Anomaly |
Executables Or Script Creation In Suspicious Path | | Masquerading | Defense Evasion | TTP |
Grant Permission Using Cacls Utility | | File and Directory Permissions Modification | Defense Evasion | TTP |
Hide User Account From Sign-In Screen | | Disable or Modify Tools | Defense Evasion | TTP |
ICACLS Grant Command | | File and Directory Permissions Modification | Defense Evasion | TTP |
Icacls Deny Command | | File and Directory Permissions Modification | Defense Evasion | TTP |
Modify ACL permission To Files Or Folder | | File and Directory Permissions Modification | Defense Evasion | TTP |
Modify ACLs Permission Of Files Or Folders | | File and Directory Permissions Modification | Defense Evasion | Anomaly |
Process Kill Base On File Path | | Disable or Modify Tools | Defense Evasion | TTP |
Schtasks Run Task On Demand | | Scheduled Task/Job | Execution, Persistence, Privilege Escalation | TTP |
Suspicious Driver Loaded Path | | Windows Service | Persistence, Privilege Escalation | TTP |
Suspicious Process File Path | | Create or Modify System Process | Persistence, Privilege Escalation | TTP |
XMRIG Driver Loaded | | Windows Service | Persistence, Privilege Escalation | TTP |
Kill Chain Phase
- Actions on Objectives
- Command and Control
- Exploitation
- Installation
Reference
version: 1
Vulnerability
Apache struts vulnerability
Detect and investigate activities, such as unusually long `Content-Type` length, suspicious Java classes, and web servers executing suspicious processes, that are consistent with attempts to exploit Apache Struts vulnerabilities.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2018-12-06
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Suspicious Java Classes | | | | Anomaly |
Unusually Long Content-Type Length | | | | Anomaly |
Web Servers Executing Suspicious Processes | | System Information Discovery | Discovery | TTP |
Kill Chain Phase
- Actions on Objectives
- Delivery
- Exploitation
Reference
version: 1
Jboss vulnerability
In March 2016, adversaries were seen using JexBoss, an open-source utility used for testing and exploiting JBoss application servers. These searches help detect evidence of such attacks, such as network connections to external resources or web services spawning atypical child processes, among others.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Web
- Last Updated: 2017-09-14
- Use Case: Advanced Threat Detection
Detection Profile
name | ID | Technique | Tactic | Type |
---|---|---|---|---|
Detect attackers scanning for vulnerable JBoss servers | | System Information Discovery | Discovery | TTP |
Detect malicious requests to exploit JBoss servers | | | | TTP |
Kill Chain Phase
- Delivery
- Reconnaissance
Reference
version: 1
#############
# Automatically generated by doc_gen.py in https://github.com/splunk/security_content
# On Date: 2021-09-27 18:37:39.621200 UTC
# Author: Splunk Security Research
# Contact: research@splunk.com
#############
This documentation applies to the following versions of Splunk® Security Content: 3.29.0