Splunk Security Content Analytic Story

All the Analytic Stories shipped to different Splunk products. Below is a breakdown by Category.

Abuse

Brand monitoring

Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into interacting with malicious infrastructure. Monitor DNS, email, and web traffic for permutations of your brand name.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Email, Web
Last Updated: 2017-12-19
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Monitor Email For Brand Abuse				TTP
Monitor Web Traffic For Brand Abuse				TTP

Kill Chain Phase

Delivery

Reference

https://www.zerofox.com/blog/what-is-digital-risk-monitoring/

https://securingtomorrow.mcafee.com/consumer/family-safety/what-is-typosquatting/

https://blog.malwarebytes.com/cybercrime/2016/06/explained-typosquatting/

version: 1

Dns amplification attacks

DNS poses a serious threat as a Denial of Service (DOS) amplifier, if it responds to `ANY` queries. This Analytic Story can help you detect attackers who may be abusing your company's DNS infrastructure to launch amplification attacks, causing Denial of Service to other victims.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Network_Resolution
Last Updated: 2016-09-13
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
Large Volume of DNS ANY Queries	T1498.002	Reflection Amplification	Impact	Anomaly

Kill Chain Phase

Actions on Objectives

Reference

https://www.us-cert.gov/ncas/alerts/TA13-088A

https://www.imperva.com/learn/application-security/dns-amplification/

version: 1

Data protection

Fortify your data-protection arsenal--while continuing to ensure data confidentiality and integrity--with searches that monitor for and help you investigate possible signs of data exfiltration.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Network_Resolution
Last Updated: 2017-09-14
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
Detect hosts connecting to dynamic domain providers	T1189	Drive-by Compromise	Initial Access	TTP

Kill Chain Phase

Actions on Objectives

Command and Control

Reference

https://www.cisecurity.org/controls/data-protection/

https://www.sans.org/reading-room/whitepapers/dns/splunk-detect-dns-tunneling-37022

https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/

version: 1

Netsh abuse

Detect activities and various techniques associated with the abuse of `netsh.exe`, which can disable local firewall settings or set up a remote connection to a host from an infected system.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2017-01-05
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Processes launching netsh	T1562.004	Disable or Modify System Firewall	Defense Evasion	TTP

Kill Chain Phase

Actions on Objectives

Reference

https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb490939(v=technet.10)

https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html

http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html

version: 1

Adversary Tactics

Active directory discovery

Monitor for activities and techniques associated with Discovery and Reconnaissance within with Active Directory environments.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-08-20
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
AdsiSearcher Account Discovery	T1087.002, T1482, T1018, T1069.002, T1201, T1069.001, T1033, T1087.001, T1049	Domain Account, Domain Trust Discovery, Remote System Discovery, Domain Groups, Password Policy Discovery, Local Groups, System Owner/User Discovery, Local Account, System Network Connections Discovery	Discovery, Discovery, Discovery, Discovery, Discovery, Discovery, Discovery, Discovery, Discovery	TTP
DSQuery Domain Discovery	T1482, T1018	Domain Trust Discovery, Remote System Discovery	Discovery, Discovery	TTP
Domain Account Discovery With Net App	T1087.002	Domain Account	Discovery	TTP
Domain Account Discovery with Dsquery	T1087.002	Domain Account	Discovery	Hunting
Domain Account Discovery with Wmic	T1087.002	Domain Account	Discovery	TTP
Domain Controller Discovery with Nltest	T1018	Remote System Discovery	Discovery	TTP
Domain Controller Discovery with Wmic	T1018	Remote System Discovery	Discovery	Hunting
Domain Group Discovery With Dsquery	T1069.002	Domain Groups	Discovery	Hunting
Domain Group Discovery With Net	T1069.002	Domain Groups	Discovery	Hunting
Domain Group Discovery With Wmic	T1069.002	Domain Groups	Discovery	Hunting
Domain Group Discovery with Adsisearcher	T1069.002	Domain Groups	Discovery	TTP
Elevated Group Discovery With Net	T1069.002	Domain Groups	Discovery	TTP
Elevated Group Discovery With Wmic	T1069.002	Domain Groups	Discovery	TTP
Elevated Group Discovery with PowerView	T1069.002	Domain Groups	Discovery	Hunting
Get ADDefaultDomainPasswordPolicy with Powershell	T1201	Password Policy Discovery	Discovery	Hunting
Get ADDefaultDomainPasswordPolicy with Powershell Script Block	T1201	Password Policy Discovery	Discovery	Hunting
Get ADUser with PowerShell	T1087.002	Domain Account	Discovery	Hunting
Get ADUser with PowerShell Script Block	T1087.002	Domain Account	Discovery	Hunting
Get ADUserResultantPasswordPolicy with Powershell	T1201	Password Policy Discovery	Discovery	TTP
Get ADUserResultantPasswordPolicy with Powershell Script Block	T1201	Password Policy Discovery	Discovery	TTP
Get DomainPolicy with Powershell	T1201	Password Policy Discovery	Discovery	TTP
Get DomainPolicy with Powershell Script Block	T1201	Password Policy Discovery	Discovery	TTP
Get DomainUser with PowerShell	T1087.002	Domain Account	Discovery	TTP
Get DomainUser with PowerShell Script Block	T1087.002	Domain Account	Discovery	TTP
Get WMIObject Group Discovery	T1069.001	Local Groups	Discovery	Hunting
Get WMIObject Group Discovery with Script Block Logging	T1069.001	Local Groups	Discovery	Hunting
Get-DomainTrust with PowerShell	T1482	Domain Trust Discovery	Discovery	TTP
Get-DomainTrust with PowerShell Script Block	T1482	Domain Trust Discovery	Discovery	TTP
Get-ForestTrust with PowerShell	T1482	Domain Trust Discovery	Discovery	TTP
Get-ForestTrust with PowerShell Script Block	T1482	Domain Trust Discovery	Discovery	TTP
GetAdComputer with PowerShell	T1018	Remote System Discovery	Discovery	Hunting
GetAdComputer with PowerShell Script Block	T1018	Remote System Discovery	Discovery	Hunting
GetAdGroup with PowerShell	T1069.002	Domain Groups	Discovery	Hunting
GetAdGroup with PowerShell Script Block	T1069.002	Domain Groups	Discovery	Hunting
GetCurrent User with PowerShell	T1033	System Owner/User Discovery	Discovery	Hunting
GetCurrent User with PowerShell Script Block	T1033	System Owner/User Discovery	Discovery	Hunting
GetDomainComputer with PowerShell	T1018	Remote System Discovery	Discovery	TTP
GetDomainComputer with PowerShell Script Block	T1018	Remote System Discovery	Discovery	TTP
GetDomainController with PowerShell	T1018	Remote System Discovery	Discovery	Hunting
GetDomainController with PowerShell Script Block	T1018	Remote System Discovery	Discovery	TTP
GetDomainGroup with PowerShell	T1069.002	Domain Groups	Discovery	TTP
GetDomainGroup with PowerShell Script Block	T1069.002	Domain Groups	Discovery	TTP
GetLocalUser with PowerShell	T1087.001	Local Account	Discovery	Hunting
GetLocalUser with PowerShell Script Block	T1087.001	Local Account	Discovery	Hunting
GetNetTcpconnection with PowerShell	T1049	System Network Connections Discovery	Discovery	Hunting
GetNetTcpconnection with PowerShell Script Block	T1049	System Network Connections Discovery	Discovery	Hunting
GetWmiObject DS User with PowerShell	T1087.002	Domain Account	Discovery	TTP
GetWmiObject DS User with PowerShell Script Block	T1087.002	Domain Account	Discovery	TTP
GetWmiObject Ds Computer with PowerShell	T1018	Remote System Discovery	Discovery	TTP
GetWmiObject Ds Computer with PowerShell Script Block	T1018	Remote System Discovery	Discovery	TTP
GetWmiObject Ds Group with PowerShell	T1069.002	Domain Groups	Discovery	TTP
GetWmiObject Ds Group with PowerShell Script Block	T1069.002	Domain Groups	Discovery	TTP
GetWmiObject User Account with PowerShell	T1087.001	Local Account	Discovery	Hunting
GetWmiObject User Account with PowerShell Script Block	T1087.001	Local Account	Discovery	Hunting
Local Account Discovery With Wmic	T1087.001	Local Account	Discovery	Hunting
Local Account Discovery with Net	T1087.001	Local Account	Discovery	Hunting
NLTest Domain Trust Discovery	T1482	Domain Trust Discovery	Discovery	TTP
Net Localgroup Discovery	T1069.001	Local Groups	Discovery	Hunting
Network Connection Discovery With Arp	T1049	System Network Connections Discovery	Discovery	Hunting
Network Connection Discovery With Net	T1049	System Network Connections Discovery	Discovery	Hunting
Network Connection Discovery With Netstat	T1049	System Network Connections Discovery	Discovery	Hunting
Password Policy Discovery with Net	T1201	Password Policy Discovery	Discovery	Hunting
PowerShell Get LocalGroup Discovery	T1069.001	Local Groups	Discovery	Hunting
Powershell Get LocalGroup Discovery with Script Block Logging	T1069.001	Local Groups	Discovery	Hunting
Remote System Discovery with Adsisearcher	T1018	Remote System Discovery	Discovery	TTP
Remote System Discovery with Dsquery	T1018	Remote System Discovery	Discovery	Hunting
Remote System Discovery with Net	T1018	Remote System Discovery	Discovery	Hunting
Remote System Discovery with Wmic	T1018	Remote System Discovery	Discovery	TTP
System User Discovery With Query	T1033	System Owner/User Discovery	Discovery	Hunting
System User Discovery With Whoami	T1033	System Owner/User Discovery	Discovery	Hunting
User Discovery With Env Vars PowerShell	T1033	System Owner/User Discovery	Discovery	Hunting
User Discovery With Env Vars PowerShell Script Block	T1033	System Owner/User Discovery	Discovery	Hunting
Wmic Group Discovery	T1069.001	Local Groups	Discovery	Hunting

Kill Chain Phase

Exploitation

Reconnaissance

Reference

https://attack.mitre.org/tactics/TA0007/

https://adsecurity.org/?p=2535

https://attack.mitre.org/techniques/T1087/001/

https://attack.mitre.org/techniques/T1087/002/

https://attack.mitre.org/techniques/T1087/003/

https://attack.mitre.org/techniques/T1482/

https://attack.mitre.org/techniques/T1201/

https://attack.mitre.org/techniques/T1069/001/

https://attack.mitre.org/techniques/T1069/002/

https://attack.mitre.org/techniques/T1018/

https://attack.mitre.org/techniques/T1049/

https://attack.mitre.org/techniques/T1033/

version: 1

Active directory password spraying

Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-04-07
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Multiple Disabled Users Failing To Authenticate From Host Using Kerberos	T1110.003	Password Spraying	Credential Access	Anomaly
Multiple Invalid Users Failing To Authenticate From Host Using Kerberos	T1110.003	Password Spraying	Credential Access	Anomaly
Multiple Invalid Users Failing To Authenticate From Host Using NTLM	T1110.003	Password Spraying	Credential Access	Anomaly
Multiple Users Attempting To Authenticate Using Explicit Credentials	T1110.003	Password Spraying	Credential Access	Anomaly
Multiple Users Failing To Authenticate From Host Using Kerberos	T1110.003	Password Spraying	Credential Access	Anomaly
Multiple Users Failing To Authenticate From Host Using NTLM	T1110.003	Password Spraying	Credential Access	Anomaly
Multiple Users Failing To Authenticate From Process	T1110.003	Password Spraying	Credential Access	Anomaly
Multiple Users Remotely Failing To Authenticate From Host	T1110.003	Password Spraying	Credential Access	Anomaly

Kill Chain Phase

Exploitation

Reference

https://attack.mitre.org/techniques/T1110/003/

https://www.microsoft.com/security/blog/2020/04/23/protecting-organization-password-spray-attacks/

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn452415(v=ws.11)

version: 1

Bits jobs

Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-03-26
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
BITS Job Persistence	T1197, T1105	BITS Jobs, Ingress Tool Transfer	Defense Evasion, Persistence, Command And Control	TTP
BITSAdmin Download File	T1197, T1105	BITS Jobs, Ingress Tool Transfer	Defense Evasion, Persistence, Command And Control	TTP
PowerShell Start-BitsTransfer	T1197	BITS Jobs	Defense Evasion, Persistence	TTP

Kill Chain Phase

Exploitation

Reference

https://attack.mitre.org/techniques/T1197/

https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool

version: 1

Baron samedit cve-2021-3156

Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability has been found to affect sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and prior). As this vulnerability was committed to code in July 2011, there will be many distributions affected. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2021-01-27
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Detect Baron Samedit CVE-2021-3156	T1068	Exploitation for Privilege Escalation	Privilege Escalation	TTP
Detect Baron Samedit CVE-2021-3156 Segfault	T1068	Exploitation for Privilege Escalation	Privilege Escalation	TTP
Detect Baron Samedit CVE-2021-3156 via OSQuery	T1068	Exploitation for Privilege Escalation	Privilege Escalation	TTP

Kill Chain Phase

Exploitation

Reference

https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit

version: 1

Cobalt strike

Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Most recently, Cobalt Strike has become the choice tool by threat groups due to its ease of use and extensibility.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-02-16
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Anomalous usage of 7zip	T1560.001, T1059.003, T1543.003, T1055, T1071.002, T1218.010, T1218.005, T1569.002, T1027, T1218.011, T1053.005, T1548, T1203, T1505.003, T1127.001, T1036.003, T1127, T1071.001, T1018	Archive via Utility, Windows Command Shell, Windows Service, Process Injection, File Transfer Protocols, Regsvr32, Mshta, Service Execution, Obfuscated Files or Information, Rundll32, Scheduled Task, Abuse Elevation Control Mechanism, Exploitation for Client Execution, Web Shell, MSBuild, Rename System Utilities, Trusted Developer Utilities Proxy Execution, Web Protocols, Remote System Discovery	Collection, Execution, Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Command And Control, Defense Evasion, Defense Evasion, Execution, Defense Evasion, Defense Evasion, Execution, Persistence, Privilege Escalation, Privilege Escalation, Defense Evasion, Execution, Persistence, Defense Evasion, Defense Evasion, Defense Evasion, Command And Control, Discovery	Anomaly
CMD Echo Pipe - Escalation	T1059.003, T1543.003	Windows Command Shell, Windows Service	Execution, Persistence, Privilege Escalation	TTP
Cobalt Strike Named Pipes	T1055	Process Injection	Defense Evasion, Privilege Escalation	TTP
DLLHost with no Command Line Arguments with Network	T1055	Process Injection	Defense Evasion, Privilege Escalation	TTP
Detect Regsvr32 Application Control Bypass	T1218.010	Regsvr32	Defense Evasion	TTP
GPUpdate with no Command Line Arguments with Network	T1055	Process Injection	Defense Evasion, Privilege Escalation	TTP
Rundll32 with no Command Line Arguments with Network	T1218.011	Rundll32	Defense Evasion	TTP
SearchProtocolHost with no Command Line with Network	T1055	Process Injection	Defense Evasion, Privilege Escalation	TTP
Services Escalate Exe	T1548	Abuse Elevation Control Mechanism	Privilege Escalation, Defense Evasion	TTP
Suspicious DLLHost no Command Line Arguments	T1055	Process Injection	Defense Evasion, Privilege Escalation	TTP
Suspicious GPUpdate no Command Line Arguments	T1055	Process Injection	Defense Evasion, Privilege Escalation	TTP
Suspicious MSBuild Rename	T1127.001, T1036.003	MSBuild, Rename System Utilities	Defense Evasion, Defense Evasion	TTP
Suspicious Rundll32 StartW	T1218.011	Rundll32	Defense Evasion	TTP
Suspicious Rundll32 no Command Line Arguments	T1218.011	Rundll32	Defense Evasion	TTP
Suspicious SearchProtocolHost no Command Line Arguments	T1055	Process Injection	Defense Evasion, Privilege Escalation	TTP
Suspicious microsoft workflow compiler rename	T1127, T1036.003	Trusted Developer Utilities Proxy Execution, Rename System Utilities	Defense Evasion, Defense Evasion	Hunting
Suspicious msbuild path	T1127.001, T1036.003	MSBuild, Rename System Utilities	Defense Evasion, Defense Evasion	TTP

Kill Chain Phase

Actions on Objective

Actions on Objectives

Exploitation

Privilege Escalation

Reference

https://www.cobaltstrike.com/

https://www.infocyte.com/blog/2020/09/02/cobalt-strike-the-new-favorite-among-thieves/

https://bluescreenofjeff.com/2017-01-24-how-to-write-malleable-c2-profiles-for-cobalt-strike/

https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html

https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html

https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence

https://github.com/zer0yu/Awesome-CobaltStrike

version: 1

Collection and staging

Monitor for and investigate activities--such as suspicious writes to the Windows Recycling Bin or email servers sending high amounts of traffic to specific hosts, for example--that may indicate that an adversary is harvesting and exfiltrating sensitive data.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint, Network_Traffic
Last Updated: 2020-02-03
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
Detect Renamed 7-Zip	T1560.001, T1114.001, T1114.002, T1036	Archive via Utility, Local Email Collection, Remote Email Collection, Masquerading	Collection, Collection, Collection, Defense Evasion	Hunting
Detect Renamed WinRAR	T1560.001	Archive via Utility	Collection	Hunting
Email files written outside of the Outlook directory	T1114.001	Local Email Collection	Collection	TTP
Email servers sending high volume traffic to hosts	T1114.002	Remote Email Collection	Collection	Anomaly
Hosts receiving high volume of network traffic from email server	T1114.002	Remote Email Collection	Collection	Anomaly
Suspicious writes to windows Recycle Bin	T1036	Masquerading	Defense Evasion	TTP

Kill Chain Phase

Actions on Objectives

Exfiltration

Exploitation

Reference

https://attack.mitre.org/wiki/Collection

https://attack.mitre.org/wiki/Technique/T1074

version: 1

Command and control

Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate command and control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint, Network_Resolution, Network_Traffic
Last Updated: 2018-06-01
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
DNS Exfiltration Using Nslookup App	T1048, T1071.004, T1048.003, T1095, T1041, T1189, T1537, T1114.001, T1114, T1114.003, T1071.001	Exfiltration Over Alternative Protocol, DNS, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Non-Application Layer Protocol, Exfiltration Over C2 Channel, Drive-by Compromise, Transfer Data to Cloud Account, Local Email Collection, Email Collection, Email Forwarding Rule, Web Protocols	Exfiltration, Command And Control, Exfiltration, Command And Control, Exfiltration, Initial Access, Exfiltration, Collection, Collection, Collection, Command And Control	TTP
DNS Query Length Outliers - MLTK	T1071.004	DNS	Command And Control	Anomaly
DNS Query Length With High Standard Deviation	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	Exfiltration	Anomaly
Detect Large Outbound ICMP Packets	T1095	Non-Application Layer Protocol	Command And Control	TTP
Detect Spike in blocked Outbound Traffic from your AWS				Anomaly
Detect hosts connecting to dynamic domain providers	T1189	Drive-by Compromise	Initial Access	TTP
Excessive DNS Failures	T1071.004	DNS	Command And Control	Anomaly
Excessive Usage of NSLOOKUP App	T1048	Exfiltration Over Alternative Protocol	Exfiltration	Anomaly
Multiple Archive Files Http Post Traffic	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	Exfiltration	TTP
Plain HTTP POST Exfiltrated Data	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	Exfiltration	TTP
Prohibited Network Traffic Allowed	T1048	Exfiltration Over Alternative Protocol	Exfiltration	TTP
Protocol or Port Mismatch	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	Exfiltration	Anomaly
TOR Traffic	T1071.001	Web Protocols	Command And Control	TTP

Kill Chain Phase

Actions on Objectives

Command and Control

Delivery

Exfiltration

Exploitation

Reference

https://attack.mitre.org/wiki/Command_and_Control

https://searchsecurity.techtarget.com/feature/Command-and-control-servers-The-puppet-masters-that-govern-malware

version: 1

Credential dumping

Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The included searches in this Analytic Story are designed to identify attempts to credential dumping.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2020-02-04
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Access LSASS Memory for Dump Creation	T1003.001, T1055, T1068, T1078, T1098, T1134, T1543, T1547, T1548, T1554, T1556, T1558, T1555, T1087, T1201, T1552, T1003, T1003.002, T1003.003, T1558.003, T1059.001	LSASS Memory, Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, Boot or Logon Autostart Execution, Abuse Elevation Control Mechanism, Compromise Client Software Binary, Modify Authentication Process, Steal or Forge Kerberos Tickets, Credentials from Password Stores, Account Discovery, Password Policy Discovery, Unsecured Credentials, OS Credential Dumping, Security Account Manager, NTDS, Kerberoasting, PowerShell	Credential Access, Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Defense Evasion, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Credential Access, Defense Evasion, Persistence, Credential Access, Credential Access, Discovery, Discovery, Credential Access, Credential Access, Credential Access, Credential Access, Credential Access, Execution	TTP
Applying Stolen Credentials via Mimikatz modules	T1055, T1068, T1078, T1098, T1134, T1543, T1547, T1548, T1554, T1556, T1558	Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, Boot or Logon Autostart Execution, Abuse Elevation Control Mechanism, Compromise Client Software Binary, Modify Authentication Process, Steal or Forge Kerberos Tickets	Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Defense Evasion, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Credential Access, Defense Evasion, Persistence, Credential Access	TTP
Applying Stolen Credentials via PowerSploit modules	T1055, T1068, T1078, T1098, T1134, T1543, T1547, T1548, T1554, T1555, T1558	Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, Boot or Logon Autostart Execution, Abuse Elevation Control Mechanism, Compromise Client Software Binary, Credentials from Password Stores, Steal or Forge Kerberos Tickets	Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Defense Evasion, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Credential Access, Credential Access	TTP
Assessment of Credential Strength via DSInternals modules	T1078, T1098, T1087, T1201, T1552, T1555	Valid Accounts, Account Manipulation, Account Discovery, Password Policy Discovery, Unsecured Credentials, Credentials from Password Stores	Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Discovery, Discovery, Credential Access, Credential Access	TTP
Attempted Credential Dump From Registry via Reg exe	T1003	OS Credential Dumping	Credential Access	TTP
Attempted Credential Dump From Registry via Reg exe	T1003.002, T1197, T1105, T1218.003, T1055, T1490, T1003.001, T1021.002, T1020, T1569.002, T1486, T1548.002	Security Account Manager, BITS Jobs, Ingress Tool Transfer, CMSTP, Process Injection, Inhibit System Recovery, LSASS Memory, SMB/Windows Admin Shares, Automated Exfiltration, Service Execution, Data Encrypted for Impact, Bypass User Account Control	Credential Access, Defense Evasion, Persistence, Command And Control, Defense Evasion, Defense Evasion, Privilege Escalation, Impact, Credential Access, Lateral Movement, Exfiltration, Execution, Impact, Privilege Escalation, Defense Evasion	TTP
Create Remote Thread into LSASS	T1003.001	LSASS Memory	Credential Access	TTP
Creation of Shadow Copy	T1003.003	NTDS	Credential Access	TTP
Creation of Shadow Copy with wmic and powershell	T1003.003	NTDS	Credential Access	TTP
Creation of lsass Dump with Taskmgr	T1003.001	LSASS Memory	Credential Access	TTP
Credential Dumping via Copy Command from Shadow Copy	T1003.003	NTDS	Credential Access	TTP
Credential Dumping via Symlink to Shadow Copy	T1003.003	NTDS	Credential Access	TTP
Credential Extraction indicative of FGDump and CacheDump with s option	T1003	OS Credential Dumping	Credential Access	TTP
Credential Extraction indicative of FGDump and CacheDump with v option	T1003	OS Credential Dumping	Credential Access	TTP
Credential Extraction indicative of Lazagne command line options	T1003, T1555	OS Credential Dumping, Credentials from Password Stores	Credential Access, Credential Access	TTP
Credential Extraction indicative of use of DSInternals credential conversion modules	T1003	OS Credential Dumping	Credential Access	TTP
Credential Extraction indicative of use of DSInternals modules	T1003	OS Credential Dumping	Credential Access	TTP
Credential Extraction indicative of use of Mimikatz modules	T1003	OS Credential Dumping	Credential Access	TTP
Credential Extraction indicative of use of PowerSploit modules	T1003	OS Credential Dumping	Credential Access	TTP
Credential Extraction native Microsoft debuggers peek into the kernel	T1003	OS Credential Dumping	Credential Access	TTP
Credential Extraction native Microsoft debuggers via z command line option	T1003	OS Credential Dumping	Credential Access	TTP
Credential Extraction via Get-ADDBAccount module present in PowerSploit and DSInternals	T1003	OS Credential Dumping	Credential Access	TTP
Detect Copy of ShadowCopy with Script Block Logging	T1003.002	Security Account Manager	Credential Access	TTP
Detect Credential Dumping through LSASS access	T1003.001	LSASS Memory	Credential Access	TTP
Detect Dump LSASS Memory using comsvcs	T1003.003	NTDS	Credential Access	TTP
Detect Kerberoasting	T1558.003	Kerberoasting	Credential Access	TTP
Detect Mimikatz Using Loaded Images	T1003.001	LSASS Memory	Credential Access	TTP
Dump LSASS via comsvcs DLL	T1003.001	LSASS Memory	Credential Access	TTP
Dump LSASS via procdump	T1003.001	LSASS Memory	Credential Access	TTP
Esentutl SAM Copy	T1003.002	Security Account Manager	Credential Access	Hunting
Extraction of Registry Hives	T1003.002	Security Account Manager	Credential Access	TTP
Ntdsutil Export NTDS	T1003.003	NTDS	Credential Access	TTP
SAM Database File Access Attempt	T1003.002	Security Account Manager	Credential Access	Hunting
SecretDumps Offline NTDS Dumping Tool	T1003.003	NTDS	Credential Access	TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass	T1059.001	PowerShell	Execution	TTP

Kill Chain Phase

Actions on Objectives

Exploitation

Installation

Lateral Movement

Privilege Escalation

Reference

https://attack.mitre.org/wiki/Technique/T1003

https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for.html

version: 3

Dns hijacking

Secure your environment against DNS hijacks with searches that help you detect and investigate unauthorized changes to DNS records.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Network_Resolution
Last Updated: 2020-02-04
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Detect hosts connecting to dynamic domain providers	T1189	Drive-by Compromise	Initial Access	TTP

Kill Chain Phase

Actions on Objectives

Command and Control

Reference

https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/

http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/

https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html

version: 1

Data exfiltration

The stealing of data by an adversary.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint, Network_Traffic
Last Updated: 2020-10-21
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
DNS Exfiltration Using Nslookup App	T1048, T1071.004, T1048.003, T1095, T1041, T1189, T1537, T1114.001, T1114, T1114.003, T1071.001	Exfiltration Over Alternative Protocol, DNS, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Non-Application Layer Protocol, Exfiltration Over C2 Channel, Drive-by Compromise, Transfer Data to Cloud Account, Local Email Collection, Email Collection, Email Forwarding Rule, Web Protocols	Exfiltration, Command And Control, Exfiltration, Command And Control, Exfiltration, Initial Access, Exfiltration, Collection, Collection, Collection, Command And Control	TTP
Detect SNICat SNI Exfiltration	T1041	Exfiltration Over C2 Channel	Exfiltration	TTP
Detect shared ec2 snapshot	T1537	Transfer Data to Cloud Account	Exfiltration	TTP
Excessive Usage of NSLOOKUP App	T1048	Exfiltration Over Alternative Protocol	Exfiltration	Anomaly
Mailsniper Invoke functions	T1114.001	Local Email Collection	Collection	TTP
Multiple Archive Files Http Post Traffic	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	Exfiltration	TTP
O365 PST export alert	T1114	Email Collection	Collection	TTP
O365 Suspicious Admin Email Forwarding	T1114.003	Email Forwarding Rule	Collection	Anomaly
O365 Suspicious User Email Forwarding	T1114.003	Email Forwarding Rule	Collection	Anomaly
Plain HTTP POST Exfiltrated Data	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	Exfiltration	TTP

Kill Chain Phase

Actions on Objective

Actions on Objectives

Exfiltration

Exploitation

Reference

https://attack.mitre.org/tactics/TA0010/

version: 1

Deobfuscate-decode files or information

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-03-24
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
CertUtil With Decode Argument	T1140	Deobfuscate/Decode Files or Information	Defense Evasion	TTP

Kill Chain Phase

Exploitation

Reference

https://attack.mitre.org/techniques/T1140/

version: 1

Detect zerologon attack

Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein attackers target a Microsoft Windows Domain Controller to reset its computer account password. The result from this attack is attackers can now provide themselves high privileges and take over Domain Controller. The included searches in this Analytic Story are designed to identify attempts to reset Domain Controller Computer Account via exploit code remotely or via the use of tool Mimikatz as payload carrier.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2020-09-18
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Detect Computer Changed with Anonymous Account	T1210, T1003.001, T1190	Exploitation of Remote Services, LSASS Memory, Exploit Public-Facing Application	Lateral Movement, Credential Access, Initial Access	Hunting
Detect Credential Dumping through LSASS access	T1003.001	LSASS Memory	Credential Access	TTP
Detect Mimikatz Using Loaded Images	T1003.001	LSASS Memory	Credential Access	TTP
Detect Zerologon via Zeek	T1190	Exploit Public-Facing Application	Initial Access	TTP

Kill Chain Phase

Actions on Objectives

Exploitation

Reference

https://attack.mitre.org/wiki/Technique/T1003

https://github.com/SecuraBV/CVE-2020-1472

https://www.secura.com/blog/zero-logon

https://nvd.nist.gov/vuln/detail/CVE-2020-1472

version: 1

Disabling security tools

Looks for activities and techniques associated with the disabling of security tools on a Windows system, such as suspicious `reg.exe` processes, processes launching netsh, and many others.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2020-02-04
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
Attempt To Add Certificate To Untrusted Store	T1553.004, T1562.001, T1562.004, T1543.003, T1112	Install Root Certificate, Disable or Modify Tools, Disable or Modify System Firewall, Windows Service, Modify Registry	Defense Evasion, Defense Evasion, Defense Evasion, Persistence, Privilege Escalation, Defense Evasion	TTP
Attempt To Stop Security Service	T1562.001	Disable or Modify Tools	Defense Evasion	TTP
Processes launching netsh	T1562.004	Disable or Modify System Firewall	Defense Evasion	TTP
Sc exe Manipulating Windows Services	T1543.003	Windows Service	Persistence, Privilege Escalation	TTP
Suspicious Reg exe Process	T1112	Modify Registry	Defense Evasion	TTP
Unload Sysmon Filter Driver	T1562.001	Disable or Modify Tools	Defense Evasion	TTP

Kill Chain Phase

Actions on Objectives

Installation

Reference

https://attack.mitre.org/wiki/Technique/T1089

https://blog.malwarebytes.com/cybercrime/2015/11/vonteera-adware-uses-certificates-to-disable-anti-malware/

https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf

version: 2

Domain trust discovery

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-03-25
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
DSQuery Domain Discovery	T1482, T1018	Domain Trust Discovery, Remote System Discovery	Discovery, Discovery	TTP
NLTest Domain Trust Discovery	T1482	Domain Trust Discovery	Discovery	TTP
Windows AdFind Exe	T1018	Remote System Discovery	Discovery	TTP

Kill Chain Phase

Exploitation

Reference

https://attack.mitre.org/techniques/T1482/

version: 1

F5 tmui rce cve-2020-5902

Uncover activity consistent with CVE-2020-5902. Discovered by Positive Technologies researchers, this vulnerability affects F5 BIG-IP, BIG-IQ. and Traffix SDC devices (vulnerable versions in F5 support link below). This vulnerability allows unauthenticated users, along with authenticated users, who have access to the configuration utility to execute system commands, create/delete files, disable services, and/or execute Java code. This vulnerability can result in full system compromise.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2020-08-02
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Detect F5 TMUI RCE CVE-2020-5902	T1190	Exploit Public-Facing Application	Initial Access	TTP

Kill Chain Phase

Exploitation

Reference

https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/

https://support.f5.com/csp/article/K52145254

https://blog.cloudflare.com/cve-2020-5902-helping-to-protect-against-the-f5-tmui-rce-vulnerability/

version: 1

Hafnium group

HAFNIUM group was identified by Microsoft as exploiting 4 Microsoft Exchange CVEs in the wild - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint, Network_Traffic
Last Updated: 2021-03-03
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Any Powershell DownloadString	T1059.001, T1505.003, T1136.001, T1021.002, T1569.002, T1003.001, T1114.002, T1003.003, T1190	PowerShell, Web Shell, Local Account, SMB/Windows Admin Shares, Service Execution, LSASS Memory, Remote Email Collection, NTDS, Exploit Public-Facing Application	Execution, Persistence, Persistence, Lateral Movement, Execution, Credential Access, Collection, Credential Access, Initial Access	TTP
Detect Exchange Web Shell	T1505.003, T1190, T1059.001	Web Shell, Exploit Public-Facing Application, PowerShell	Persistence, Initial Access, Execution	TTP
Detect New Local Admin account	T1136.001	Local Account	Persistence	TTP
Detect PsExec With accepteula Flag	T1021.002	SMB/Windows Admin Shares	Lateral Movement	TTP
Detect Renamed PSExec	T1569.002	Service Execution	Execution	Hunting
Dump LSASS via comsvcs DLL	T1003.001	LSASS Memory	Credential Access	TTP
Dump LSASS via procdump	T1003.001	LSASS Memory	Credential Access	TTP
Email servers sending high volume traffic to hosts	T1114.002	Remote Email Collection	Collection	Anomaly
Malicious PowerShell Process - Connect To Internet With Hidden Window	T1059.001, T1547.001	PowerShell, Registry Run Keys / Startup Folder	Execution, Persistence, Privilege Escalation	TTP
Malicious PowerShell Process - Execution Policy Bypass	T1059.001	PowerShell	Execution	TTP
Nishang PowershellTCPOneLine	T1059.001	PowerShell	Execution	TTP
Ntdsutil Export NTDS	T1003.003	NTDS	Credential Access	TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass	T1059.001	PowerShell	Execution	TTP
Unified Messaging Service Spawning a Process	T1190	Exploit Public-Facing Application	Initial Access	TTP
W3WP Spawning Shell	T1505.003	Web Shell	Persistence	TTP

Kill Chain Phase

Actions on Objectives

Command and Control

Execution

Exploitation

Installation

Lateral Movement

Reference

https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html

https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/

version: 1

Ingress tool transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-03-24
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Any Powershell DownloadFile	T1059.001, T1197, T1105, T1003, T1021, T1113, T1123, T1563, T1053, T1134, T1548, T1055, T1106, T1569, T1027, T1027.005, T1546.015, T1140, T1592, T1562	PowerShell, BITS Jobs, Ingress Tool Transfer, OS Credential Dumping, Remote Services, Screen Capture, Audio Capture, Remote Service Session Hijacking, Scheduled Task/Job, Access Token Manipulation, Abuse Elevation Control Mechanism, Process Injection, Native API, System Services, Obfuscated Files or Information, Indicator Removal from Tools, Component Object Model Hijacking, Deobfuscate/Decode Files or Information, Gather Victim Host Information, Impair Defenses	Execution, Defense Evasion, Persistence, Command And Control, Credential Access, Lateral Movement, Collection, Collection, Lateral Movement, Execution, Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion, Defense Evasion, Privilege Escalation, Execution, Execution, Defense Evasion, Defense Evasion, Privilege Escalation, Persistence, Defense Evasion, Reconnaissance, Defense Evasion	TTP
Any Powershell DownloadString	T1059.001, T1505.003, T1136.001, T1021.002, T1569.002, T1003.001, T1114.002, T1003.003, T1190	PowerShell, Web Shell, Local Account, SMB/Windows Admin Shares, Service Execution, LSASS Memory, Remote Email Collection, NTDS, Exploit Public-Facing Application	Execution, Persistence, Persistence, Lateral Movement, Execution, Credential Access, Collection, Credential Access, Initial Access	TTP
BITSAdmin Download File	T1197, T1105	BITS Jobs, Ingress Tool Transfer	Defense Evasion, Persistence, Command And Control	TTP
CertUtil Download With URLCache and Split Arguments	T1105	Ingress Tool Transfer	Command And Control	TTP
CertUtil Download With VerifyCtl and Split Arguments	T1105	Ingress Tool Transfer	Command And Control	TTP
Suspicious Curl Network Connection	T1105, T1543.001, T1074	Ingress Tool Transfer, Launch Agent, Data Staged	Command And Control, Persistence, Privilege Escalation, Collection	TTP

Kill Chain Phase

Actions on Objectives

Exploitation

Reference

https://attack.mitre.org/techniques/T1105/

version: 1

Lateral movement

Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint, Network_Traffic
Last Updated: 2020-02-04
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Detect Activity Related to Pass the Hash Attacks	T1550.002, T1021.002, T1569.002, T1558.003, T1021.001, T1053.005	Pass the Hash, SMB/Windows Admin Shares, Service Execution, Kerberoasting, Remote Desktop Protocol, Scheduled Task	Defense Evasion, Lateral Movement, Lateral Movement, Execution, Credential Access, Lateral Movement, Execution, Persistence, Privilege Escalation	TTP
Detect Pass the Hash	T1550.002	Pass the Hash	Defense Evasion, Lateral Movement	TTP
Detect PsExec With accepteula Flag	T1021.002	SMB/Windows Admin Shares	Lateral Movement	TTP
Detect Renamed PSExec	T1569.002	Service Execution	Execution	Hunting
Kerberoasting spn request with RC4 encryption	T1558.003	Kerberoasting	Credential Access	TTP
Potential Pass the Token or Hash Observed at the Destination Device	T1550.002	Pass the Hash	Defense Evasion, Lateral Movement	TTP
Potential Pass the Token or Hash Observed by an Event Collecting Device	T1550.002	Pass the Hash	Defense Evasion, Lateral Movement	TTP
Remote Desktop Network Traffic	T1021.001	Remote Desktop Protocol	Lateral Movement	Anomaly
Remote Desktop Process Running On System	T1021.001	Remote Desktop Protocol	Lateral Movement	Hunting
Schtasks scheduling job on remote system	T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation	TTP

Kill Chain Phase

Actions on Objectives

Execution

Exploitation

Lateral Movement

Reference

https://www.fireeye.com/blog/executive-perspective/2015/08/malware_lateral_move.html

version: 2

Malicious powershell

Attackers are finding stealthy ways "live off the land," leveraging utilities and tools that come standard on the endpoint--such as PowerShell--to achieve their goals without downloading binary files. These searches can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2017-08-23
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Any Powershell DownloadFile	T1059.001, T1197, T1105, T1003, T1021, T1113, T1123, T1563, T1053, T1134, T1548, T1055, T1106, T1569, T1027, T1027.005, T1546.015, T1140, T1592, T1562	PowerShell, BITS Jobs, Ingress Tool Transfer, OS Credential Dumping, Remote Services, Screen Capture, Audio Capture, Remote Service Session Hijacking, Scheduled Task/Job, Access Token Manipulation, Abuse Elevation Control Mechanism, Process Injection, Native API, System Services, Obfuscated Files or Information, Indicator Removal from Tools, Component Object Model Hijacking, Deobfuscate/Decode Files or Information, Gather Victim Host Information, Impair Defenses	Execution, Defense Evasion, Persistence, Command And Control, Credential Access, Lateral Movement, Collection, Collection, Lateral Movement, Execution, Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion, Defense Evasion, Privilege Escalation, Execution, Execution, Defense Evasion, Defense Evasion, Privilege Escalation, Persistence, Defense Evasion, Reconnaissance, Defense Evasion	TTP
Any Powershell DownloadString	T1059.001, T1505.003, T1136.001, T1021.002, T1569.002, T1003.001, T1114.002, T1003.003, T1190	PowerShell, Web Shell, Local Account, SMB/Windows Admin Shares, Service Execution, LSASS Memory, Remote Email Collection, NTDS, Exploit Public-Facing Application	Execution, Persistence, Persistence, Lateral Movement, Execution, Credential Access, Collection, Credential Access, Initial Access	TTP
Credential Extraction indicative of use of DSInternals credential conversion modules	T1003	OS Credential Dumping	Credential Access	TTP
Credential Extraction indicative of use of DSInternals modules	T1003	OS Credential Dumping	Credential Access	TTP
Credential Extraction indicative of use of PowerSploit modules	T1003	OS Credential Dumping	Credential Access	TTP
Credential Extraction via Get-ADDBAccount module present in PowerSploit and DSInternals	T1003	OS Credential Dumping	Credential Access	TTP
Detect Empire with PowerShell Script Block Logging	T1059.001	PowerShell	Execution	TTP
Detect Mimikatz With PowerShell Script Block Logging	T1003	OS Credential Dumping	Credential Access	TTP
Illegal Access To User Content via PowerSploit modules	T1021, T1113, T1123, T1563	Remote Services, Screen Capture, Audio Capture, Remote Service Session Hijacking	Lateral Movement, Collection, Collection, Lateral Movement	TTP
Illegal Privilege Elevation and Persistence via PowerSploit modules	T1053, T1134, T1548	Scheduled Task/Job, Access Token Manipulation, Abuse Elevation Control Mechanism	Execution, Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion	TTP
Illegal Service and Process Control via PowerSploit modules	T1055, T1106, T1569	Process Injection, Native API, System Services	Defense Evasion, Privilege Escalation, Execution, Execution	TTP
Malicious PowerShell Process - Connect To Internet With Hidden Window	T1059.001, T1547.001	PowerShell, Registry Run Keys / Startup Folder	Execution, Persistence, Privilege Escalation	TTP
Malicious PowerShell Process - Encoded Command	T1027	Obfuscated Files or Information	Defense Evasion	Hunting
Malicious PowerShell Process With Obfuscation Techniques	T1059.001	PowerShell	Execution	TTP
PowerShell 4104 Hunting	T1059.001	PowerShell	Execution	Hunting
PowerShell Domain Enumeration	T1059.001	PowerShell	Execution	TTP
PowerShell Loading DotNET into Memory via System Reflection Assembly	T1059.001	PowerShell	Execution	TTP
Powershell Creating Thread Mutex	T1027.005	Indicator Removal from Tools	Defense Evasion	TTP
Powershell Enable SMB1Protocol Feature	T1027.005	Indicator Removal from Tools	Defense Evasion	TTP
Powershell Execute COM Object	T1546.015	Component Object Model Hijacking	Privilege Escalation, Persistence	TTP
Powershell Fileless Process Injection via GetProcAddress	T1055, T1059.001	Process Injection, PowerShell	Defense Evasion, Privilege Escalation, Execution	TTP
Powershell Fileless Script Contains Base64 Encoded Content	T1027, T1059.001	Obfuscated Files or Information, PowerShell	Defense Evasion, Execution	TTP
Powershell Processing Stream Of Data	T1059.001	PowerShell	Execution	TTP
Powershell Using memory As Backing Store	T1140	Deobfuscate/Decode Files or Information	Defense Evasion	TTP
Recon AVProduct Through Pwh or WMI	T1592	Gather Victim Host Information	Reconnaissance	TTP
Recon Using WMI Class	T1592	Gather Victim Host Information	Reconnaissance	TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass	T1059.001	PowerShell	Execution	TTP
Unloading AMSI via Reflection	T1562	Impair Defenses	Defense Evasion	TTP
WMI Recon Running Process Or Services	T1592	Gather Victim Host Information	Reconnaissance	TTP

Kill Chain Phase

Actions on Objectives

Command and Control

Exploitation

Installation

Privilege Escalation

Reconnaissance

Reference

https://blogs.mcafee.com/mcafee-labs/malware-employs-powershell-to-infect-systems/

https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

version: 5

Masquerading - rename system utilities

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-04-26
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Execution of File with Multiple Extensions	T1036.003, T1127.001, T1218.011, T1127, T1036	Rename System Utilities, MSBuild, Rundll32, Trusted Developer Utilities Proxy Execution, Masquerading	Defense Evasion, Defense Evasion, Defense Evasion, Defense Evasion, Defense Evasion	TTP
Suspicious MSBuild Rename	T1127.001, T1036.003	MSBuild, Rename System Utilities	Defense Evasion, Defense Evasion	TTP
Suspicious Rundll32 Rename	T1218.011, T1036.003	Rundll32, Rename System Utilities	Defense Evasion, Defense Evasion	Hunting
Suspicious microsoft workflow compiler rename	T1127, T1036.003	Trusted Developer Utilities Proxy Execution, Rename System Utilities	Defense Evasion, Defense Evasion	Hunting
Suspicious msbuild path	T1127.001, T1036.003	MSBuild, Rename System Utilities	Defense Evasion, Defense Evasion	TTP
System Process Running from Unexpected Location	T1036	Masquerading	Defense Evasion	Anomaly
System Processes Run From Unexpected Locations	T1036.003	Rename System Utilities	Defense Evasion	TTP

Kill Chain Phase

Actions on Objectives

Exploitation

Reference

https://attack.mitre.org/techniques/T1036/003/

version: 1

Meterpreter

Meterpreter provides red teams, pen testers and threat actors interactive access to a compromised host to run commands, upload payloads, download files, and other actions.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-06-08
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Excessive number of taskhost processes	T1033	System Owner/User Discovery	Discovery	Anomaly

Kill Chain Phase

Exploitation

Reference

https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/

https://doubleoctopus.com/security-wiki/threats-and-tools/meterpreter/

https://www.rapid7.com/products/metasploit/

version: 1

Microsoft mshtml remote code execution cve-2021-40444

CVE-2021-40444 is a remote code execution vulnerability in MSHTML, recently used to delivery targeted spearphishing documents.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-09-08
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Control Loading from World Writable Directory	T1218.002, T1566.001, T1218.011	Control Panel, Spearphishing Attachment, Rundll32	Defense Evasion, Initial Access, Defense Evasion	TTP
MSHTML Module Load in Office Product	T1566.001	Spearphishing Attachment	Initial Access	TTP
Office Product Writing cab or inf	T1566.001	Spearphishing Attachment	Initial Access	TTP
Office Spawning Control	T1566.001	Spearphishing Attachment	Initial Access	TTP
Rundll32 Control RunDLL Hunt	T1218.011	Rundll32	Defense Evasion	Hunting
Rundll32 Control RunDLL World Writable Directory	T1218.011	Rundll32	Defense Evasion	TTP

Kill Chain Phase

Exploitation

Reference

https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/09/windows-mshtml-zero-day-actively-exploited-mitigations-required/

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

https://www.echotrail.io/insights/search/control.exe

version: 1

Nobelium group

Sunburst is a trojanized updates to SolarWinds Orion IT monitoring and management software. It was discovered by FireEye in December 2020. The actors behind this campaign gained access to numerous public and private organizations around the world.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint, Network_Traffic, Web
Last Updated: 2020-12-14
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Anomalous usage of 7zip	T1560.001, T1059.003, T1543.003, T1055, T1071.002, T1218.010, T1218.005, T1569.002, T1027, T1218.011, T1053.005, T1548, T1203, T1505.003, T1127.001, T1036.003, T1127, T1071.001, T1018	Archive via Utility, Windows Command Shell, Windows Service, Process Injection, File Transfer Protocols, Regsvr32, Mshta, Service Execution, Obfuscated Files or Information, Rundll32, Scheduled Task, Abuse Elevation Control Mechanism, Exploitation for Client Execution, Web Shell, MSBuild, Rename System Utilities, Trusted Developer Utilities Proxy Execution, Web Protocols, Remote System Discovery	Collection, Execution, Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Command And Control, Defense Evasion, Defense Evasion, Execution, Defense Evasion, Defense Evasion, Execution, Persistence, Privilege Escalation, Privilege Escalation, Defense Evasion, Execution, Persistence, Defense Evasion, Defense Evasion, Defense Evasion, Command And Control, Discovery	Anomaly
Detect Outbound SMB Traffic	T1071.002	File Transfer Protocols	Command And Control	TTP
Detect Prohibited Applications Spawning cmd exe	T1059.003, T1059, T1068, T1036.003	Windows Command Shell, Command and Scripting Interpreter, Exploitation for Privilege Escalation, Rename System Utilities	Execution, Execution, Privilege Escalation, Defense Evasion	Hunting
Detect Rundll32 Inline HTA Execution	T1218.005	Mshta	Defense Evasion	TTP
First Time Seen Running Windows Service	T1569.002, T1055, T1106, T1569, T1574.011, T1543.003	Service Execution, Process Injection, Native API, System Services, Services Registry Permissions Weakness, Windows Service	Execution, Defense Evasion, Privilege Escalation, Execution, Execution, Persistence, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation	Anomaly
Malicious PowerShell Process - Encoded Command	T1027	Obfuscated Files or Information	Defense Evasion	Hunting
Sc exe Manipulating Windows Services	T1543.003	Windows Service	Persistence, Privilege Escalation	TTP
Scheduled Task Deleted Or Created via CMD	T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation	TTP
Schtasks scheduling job on remote system	T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation	TTP
Sunburst Correlation DLL and Network Event	T1203	Exploitation for Client Execution	Execution	TTP
Supernova Webshell	T1505.003	Web Shell	Persistence	TTP
TOR Traffic	T1071.001	Web Protocols	Command And Control	TTP
Windows AdFind Exe	T1018	Remote System Discovery	Discovery	TTP

Kill Chain Phase

Actions on Objective

Actions on Objectives

Command and Control

Exfiltration

Exploitation

Installation

Reference

https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

version: 2

Petitpotam ntlm relay on active directory certificate services

PetitPotam (CVE-2021-36942,) is a vulnerablity identified in Microsofts EFSRPC Protocol that can allow an unauthenticated account to escalate privileges to domain administrator given the right circumstances.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2021-08-31
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
PetitPotam Network Share Access Request	T1187, T1003	Forced Authentication, OS Credential Dumping	Credential Access, Credential Access	TTP
PetitPotam Suspicious Kerberos TGT Request	T1003	OS Credential Dumping	Credential Access	TTP

Kill Chain Phase

Exploitation

Lateral Movement

Reference

https://us-cert.cisa.gov/ncas/current-activity/2021/07/27/microsoft-releases-guidance-mitigating-petitpotam-ntlm-relay

https://support.microsoft.com/en-us/topic/kb5005413-mitigating-ntlm-relay-attacks-on-active-directory-certificate-services-ad-cs-3612b773-4043-4aa9-b23d-b87910cd3429

https://www.specterops.io/assets/resources/Certified_Pre-Owned.pdf

https://github.com/topotam/PetitPotam/

https://github.com/gentilkiwi/mimikatz/releases/tag/2.2.0-20210723

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942

https://attack.mitre.org/techniques/T1187/

version: 1

Possible backdoor activity associated with mudcarp espionage campaigns

Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2020-01-22
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Malicious PowerShell Process - Connect To Internet With Hidden Window	T1059.001, T1547.001	PowerShell, Registry Run Keys / Startup Folder	Execution, Persistence, Privilege Escalation	TTP
Registry Keys Used For Persistence	T1547.001	Registry Run Keys / Startup Folder	Persistence, Privilege Escalation	TTP
Unusually Long Command Line				Anomaly
Unusually Long Command Line - MLTK				Anomaly

Kill Chain Phase

Actions on Objectives

Command and Control

Reference

https://www.infosecurity-magazine.com/news/scope-of-mudcarp-attacks-highlight-1/

http://blog.amossys.fr/badflick-is-not-so-bad.html

version: 1

Proxyshell

ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-08-24
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Detect Exchange Web Shell	T1505.003, T1190, T1059.001	Web Shell, Exploit Public-Facing Application, PowerShell	Persistence, Initial Access, Execution	TTP
Exchange PowerShell Abuse via SSRF	T1190	Exploit Public-Facing Application	Initial Access	TTP
Exchange PowerShell Module Usage	T1059.001	PowerShell	Execution	TTP
W3WP Spawning Shell	T1505.003	Web Shell	Persistence	TTP

Kill Chain Phase

Exploitation

Reconnaissance

Reference

https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/

https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell

https://www.youtube.com/watch?v=FC6iHw258RI

https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do

https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf

version: 1

Sql injection

Use the searches in this Analytic Story to help you detect structured query language (SQL) injection attempts characterized by long URLs that contain malicious parameters.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Web
Last Updated: 2017-09-19
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
SQL Injection with Long URLs	T1190	Exploit Public-Facing Application	Initial Access	TTP

Kill Chain Phase

Delivery

Reference

https://capec.mitre.org/data/definitions/66.html

https://www.incapsula.com/web-application-security/sql-injection.html

version: 1

Silver sparrow

Silver Sparrow, identified by Red Canary Intelligence, is a new forward looking MacOS (Intel and M1) malicious software downloader utilizing JavaScript for execution and a launchAgent to establish persistence.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-02-24
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Suspicious Curl Network Connection	T1105, T1543.001, T1074	Ingress Tool Transfer, Launch Agent, Data Staged	Command And Control, Persistence, Privilege Escalation, Collection	TTP
Suspicious PlistBuddy Usage	T1543.001	Launch Agent	Persistence, Privilege Escalation	TTP
Suspicious PlistBuddy Usage via OSquery	T1543.001	Launch Agent	Persistence, Privilege Escalation	TTP
Suspicious SQLite3 LSQuarantine Behavior	T1074	Data Staged	Collection	TTP

Kill Chain Phase

Actions on Objectives

Reference

https://redcanary.com/blog/clipping-silver-sparrows-wings/

https://www.sentinelone.com/blog/5-things-you-need-to-know-about-silver-sparrow/

version: 1

Spearphishing attachments

Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2019-04-29
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Detect Outlook exe writing a zip file	T1566.001, T1003.002, T1566.002	Spearphishing Attachment, Security Account Manager, Spearphishing Link	Initial Access, Credential Access, Initial Access	TTP
Excel Spawning PowerShell	T1003.002	Security Account Manager	Credential Access	TTP
Excel Spawning Windows Script Host	T1003.002	Security Account Manager	Credential Access	TTP
MSHTML Module Load in Office Product	T1566.001	Spearphishing Attachment	Initial Access	TTP
Office Application Spawn rundll32 process	T1566.001	Spearphishing Attachment	Initial Access	TTP
Office Document Creating Schedule Task	T1566.001	Spearphishing Attachment	Initial Access	TTP
Office Document Executing Macro Code	T1566.001	Spearphishing Attachment	Initial Access	TTP
Office Document Spawned Child Process To Download	T1566.001	Spearphishing Attachment	Initial Access	TTP
Office Product Spawning BITSAdmin	T1566.001	Spearphishing Attachment	Initial Access	TTP
Office Product Spawning CertUtil	T1566.001	Spearphishing Attachment	Initial Access	TTP
Office Product Spawning MSHTA	T1566.001	Spearphishing Attachment	Initial Access	TTP
Office Product Spawning Rundll32 with no DLL	T1566.001	Spearphishing Attachment	Initial Access	TTP
Office Product Spawning Wmic	T1566.001	Spearphishing Attachment	Initial Access	TTP
Office Product Writing cab or inf	T1566.001	Spearphishing Attachment	Initial Access	TTP
Office Spawning Control	T1566.001	Spearphishing Attachment	Initial Access	TTP
Process Creating LNK file in Suspicious Location	T1566.002	Spearphishing Link	Initial Access	TTP
Winword Spawning Cmd	T1566.001	Spearphishing Attachment	Initial Access	TTP
Winword Spawning PowerShell	T1566.001	Spearphishing Attachment	Initial Access	TTP

Kill Chain Phase

Actions on Objectives

Exploitation

Installation

Reference

https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html

version: 1

Suspicious command-line executions

Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques--one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2020-02-03
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Detect Prohibited Applications Spawning cmd exe	T1059.003, T1059, T1068, T1036.003	Windows Command Shell, Command and Scripting Interpreter, Exploitation for Privilege Escalation, Rename System Utilities	Execution, Execution, Privilege Escalation, Defense Evasion	Hunting
Detect Prohibited Applications Spawning cmd exe	T1059	Command and Scripting Interpreter	Execution	TTP
Detect Use of cmd exe to Launch Script Interpreters	T1059.003, T1072, T1547.001, T1021.002, T1566.001	Windows Command Shell, Software Deployment Tools, Registry Run Keys / Startup Folder, SMB/Windows Admin Shares, Spearphishing Attachment	Execution, Execution, Lateral Movement, Persistence, Privilege Escalation, Lateral Movement, Initial Access	TTP
System Processes Run From Unexpected Locations	T1036.003	Rename System Utilities	Defense Evasion	TTP
Unusually Long Command Line				Anomaly
Unusually Long Command Line - MLTK				Anomaly

Kill Chain Phase

Actions on Objectives

Exploitation

Reference

https://attack.mitre.org/wiki/Technique/T1059

https://www.microsoft.com/en-us/wdsi/threats/macro-malware

https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

version: 2

Suspicious compiled html activity

Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-02-11
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Detect HTML Help Renamed	T1218.001	Compiled HTML File	Defense Evasion	Hunting
Detect HTML Help Spawn Child Process	T1218.001	Compiled HTML File	Defense Evasion	TTP
Detect HTML Help URL in Command Line	T1218.001	Compiled HTML File	Defense Evasion	TTP
Detect HTML Help Using InfoTech Storage Handlers	T1218.001	Compiled HTML File	Defense Evasion	TTP

Kill Chain Phase

Actions on Objectives

Reference

https://redcanary.com/blog/introducing-atomictestharnesses/

https://attack.mitre.org/techniques/T1218/001/

https://docs.microsoft.com/en-us/windows/win32/api/htmlhelp/nf-htmlhelp-htmlhelpa

version: 1

Suspicious dns traffic

Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). You can thwart attempts to manipulate this omnipresent protocol by monitoring for these types of abuses.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint, Network_Resolution
Last Updated: 2017-09-18
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
DNS Exfiltration Using Nslookup App	T1048, T1071.004, T1048.003, T1095, T1041, T1189, T1537, T1114.001, T1114, T1114.003, T1071.001	Exfiltration Over Alternative Protocol, DNS, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Non-Application Layer Protocol, Exfiltration Over C2 Channel, Drive-by Compromise, Transfer Data to Cloud Account, Local Email Collection, Email Collection, Email Forwarding Rule, Web Protocols	Exfiltration, Command And Control, Exfiltration, Command And Control, Exfiltration, Initial Access, Exfiltration, Collection, Collection, Collection, Command And Control	TTP
DNS Query Length Outliers - MLTK	T1071.004	DNS	Command And Control	Anomaly
DNS Query Length With High Standard Deviation	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	Exfiltration	Anomaly
Detect hosts connecting to dynamic domain providers	T1189	Drive-by Compromise	Initial Access	TTP
Excessive DNS Failures	T1071.004	DNS	Command And Control	Anomaly
Excessive Usage of NSLOOKUP App	T1048	Exfiltration Over Alternative Protocol	Exfiltration	Anomaly

Kill Chain Phase

Actions on Objectives

Command and Control

Exploitation

Reference

http://blogs.splunk.com/2015/10/01/random-words-on-entropy-and-dns/

http://www.darkreading.com/analytics/security-monitoring/got-malware-three-signs-revealed-in-dns-traffic/d/d-id/1139680

https://live.paloaltonetworks.com/t5/Threat-Vulnerability-Articles/What-are-suspicious-DNS-queries/ta-p/71454

version: 1

Suspicious emails

Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Email
Last Updated: 2020-01-27
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Email Attachments With Lots Of Spaces				Anomaly
Monitor Email For Brand Abuse				TTP
Suspicious Email Attachment Extensions	T1566.001	Spearphishing Attachment	Initial Access	Anomaly

Kill Chain Phase

Delivery

Reference

https://www.splunk.com/blog/2015/06/26/phishing-hits-a-new-level-of-quality/

version: 1

Suspicious mshta activity

Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-01-20
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Detect MSHTA Url in Command Line	T1218.005, T1059.003, T1059, T1547.001	Mshta, Windows Command Shell, Command and Scripting Interpreter, Registry Run Keys / Startup Folder	Defense Evasion, Execution, Execution, Persistence, Privilege Escalation	TTP
Detect Prohibited Applications Spawning cmd exe	T1059.003, T1059, T1068, T1036.003	Windows Command Shell, Command and Scripting Interpreter, Exploitation for Privilege Escalation, Rename System Utilities	Execution, Execution, Privilege Escalation, Defense Evasion	Hunting
Detect Prohibited Applications Spawning cmd exe	T1059	Command and Scripting Interpreter	Execution	TTP
Detect Rundll32 Inline HTA Execution	T1218.005	Mshta	Defense Evasion	TTP
Detect mshta inline hta execution	T1218.005	Mshta	Defense Evasion	TTP
Detect mshta renamed	T1218.005	Mshta	Defense Evasion	Hunting
Registry Keys Used For Persistence	T1547.001	Registry Run Keys / Startup Folder	Persistence, Privilege Escalation	TTP
Suspicious mshta child process	T1218.005	Mshta	Defense Evasion	TTP
Suspicious mshta spawn	T1218.005	Mshta	Defense Evasion	TTP

Kill Chain Phase

Actions on Objectives

Exploitation

Reference

https://redcanary.com/blog/introducing-atomictestharnesses/

https://redcanary.com/blog/windows-registry-attacks-threat-detection/

https://attack.mitre.org/techniques/T1218/005/

https://medium.com/@mbromileyDFIR/malware-monday-aebb456356c5

version: 2

Suspicious okta activity

Monitor your Okta environment for suspicious activities. Due to the Covid outbreak, many users are migrating over to leverage cloud services more and more. Okta is a popular tool to manage multiple users and the web-based applications they need to stay productive. The searches in this story will help monitor your Okta environment for suspicious activities and associated user behaviors.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2020-04-02
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
Multiple Okta Users With Invalid Credentials From The Same IP	T1078.001	Default Accounts	Defense Evasion, Persistence, Privilege Escalation, Initial Access	TTP
Okta Account Lockout Events	T1078.001	Default Accounts	Defense Evasion, Persistence, Privilege Escalation, Initial Access	Anomaly
Okta Failed SSO Attempts	T1078.001	Default Accounts	Defense Evasion, Persistence, Privilege Escalation, Initial Access	Anomaly
Okta User Logins From Multiple Cities	T1078.001	Default Accounts	Defense Evasion, Persistence, Privilege Escalation, Initial Access	Anomaly

Kill Chain Phase

Reference

https://attack.mitre.org/wiki/Technique/T1078

https://owasp.org/www-community/attacks/Credential_stuffing

https://searchsecurity.techtarget.com/answer/What-is-a-password-spraying-attack-and-how-does-it-work

version: 1

Suspicious regsvcs regasm activity

Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-02-11
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Detect Regasm Spawning a Process	T1218.009	Regsvcs/Regasm	Defense Evasion	TTP
Detect Regasm with Network Connection	T1218.009	Regsvcs/Regasm	Defense Evasion	TTP
Detect Regasm with no Command Line Arguments	T1218.009	Regsvcs/Regasm	Defense Evasion	TTP
Detect Regsvcs Spawning a Process	T1218.009	Regsvcs/Regasm	Defense Evasion	TTP
Detect Regsvcs with Network Connection	T1218.009	Regsvcs/Regasm	Defense Evasion	TTP
Detect Regsvcs with No Command Line Arguments	T1218.009	Regsvcs/Regasm	Defense Evasion	TTP

Kill Chain Phase

Actions on Objectives

Reference

https://attack.mitre.org/techniques/T1218/009/

https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/evasion/windows/applocker_evasion_regasm_regsvcs.md

https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/

version: 1

Suspicious regsvr32 activity

Monitor and detect techniques used by attackers who leverage the regsvr32.exe process to execute malicious code.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-01-29
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Detect Regsvr32 Application Control Bypass	T1218.010	Regsvr32	Defense Evasion	TTP
Suspicious Regsvr32 Register Suspicious Path	T1218.010	Regsvr32	Defense Evasion	TTP

Kill Chain Phase

Actions on Objectives

Reference

https://attack.mitre.org/techniques/T1218/010/

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md

https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/

version: 1

Suspicious rundll32 activity

Monitor and detect techniques used by attackers who leverage rundll32.exe to execute arbitrary malicious code.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-02-03
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Detect Rundll32 Application Control Bypass - advpack	T1218.011, T1003.001, T1036.003	Rundll32, LSASS Memory, Rename System Utilities	Defense Evasion, Credential Access, Defense Evasion	TTP
Detect Rundll32 Application Control Bypass - setupapi	T1218.011	Rundll32	Defense Evasion	TTP
Detect Rundll32 Application Control Bypass - syssetup	T1218.011	Rundll32	Defense Evasion	TTP
Dump LSASS via comsvcs DLL	T1003.001	LSASS Memory	Credential Access	TTP
Rundll32 Control RunDLL Hunt	T1218.011	Rundll32	Defense Evasion	Hunting
Rundll32 Control RunDLL World Writable Directory	T1218.011	Rundll32	Defense Evasion	TTP
Rundll32 with no Command Line Arguments with Network	T1218.011	Rundll32	Defense Evasion	TTP
Suspicious Rundll32 Rename	T1218.011, T1036.003	Rundll32, Rename System Utilities	Defense Evasion, Defense Evasion	Hunting
Suspicious Rundll32 StartW	T1218.011	Rundll32	Defense Evasion	TTP
Suspicious Rundll32 dllregisterserver	T1218.011	Rundll32	Defense Evasion	TTP
Suspicious Rundll32 no Command Line Arguments	T1218.011	Rundll32	Defense Evasion	TTP

Kill Chain Phase

Actions on Objectives

Exploitation

Reference

https://attack.mitre.org/techniques/T1218/011/

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md

https://lolbas-project.github.io/lolbas/Binaries/Rundll32

version: 1

Suspicious wmi use

Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2018-10-23
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Detect WMI Event Subscription Persistence	T1546.003, T1047	Windows Management Instrumentation Event Subscription, Windows Management Instrumentation	Privilege Escalation, Persistence, Execution	TTP
Process Execution via WMI	T1047	Windows Management Instrumentation	Execution	TTP
Remote Process Instantiation via WMI	T1047	Windows Management Instrumentation	Execution	TTP
Remote WMI Command Attempt	T1047	Windows Management Instrumentation	Execution	TTP
Script Execution via WMI	T1047	Windows Management Instrumentation	Execution	TTP
WMI Permanent Event Subscription	T1047	Windows Management Instrumentation	Execution	TTP
WMI Permanent Event Subscription - Sysmon	T1546.003	Windows Management Instrumentation Event Subscription	Privilege Escalation, Persistence	TTP
WMI Temporary Event Subscription	T1047	Windows Management Instrumentation	Execution	TTP

Kill Chain Phase

Actions on Objectives

Exploitation

Reference

https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf

https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html

version: 2

Suspicious windows registry activities

Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2018-05-31
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Disabling Remote User Account Control	T1548.002, T1036, T1547.010, T1070, T1547.001, T1546.012, T1546.011, T1113, T1543	Bypass User Account Control, Masquerading, Port Monitors, Indicator Removal on Host, Registry Run Keys / Startup Folder, Image File Execution Options Injection, Application Shimming, Screen Capture, Create or Modify System Process	Privilege Escalation, Defense Evasion, Defense Evasion, Persistence, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Collection, Persistence, Privilege Escalation	TTP
Monitor Registry Keys for Print Monitors	T1547.010	Port Monitors	Persistence, Privilege Escalation	TTP
Registry Keys Used For Persistence	T1547.001	Registry Run Keys / Startup Folder	Persistence, Privilege Escalation	TTP
Registry Keys Used For Privilege Escalation	T1546.012	Image File Execution Options Injection	Privilege Escalation, Persistence	TTP
Registry Keys for Creating SHIM Databases	T1546.011	Application Shimming	Privilege Escalation, Persistence	TTP

Kill Chain Phase

Actions on Objectives

Reference

https://redcanary.com/blog/windows-registry-attacks-threat-detection/

https://attack.mitre.org/wiki/Technique/T1112

version: 1

Suspicious zoom child processes

Attackers are using Zoom as an vector to increase privileges on a sytems. This story detects new child processes of zoom and provides investigative actions for this detection.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2020-04-13
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Detect Prohibited Applications Spawning cmd exe	T1059.003, T1059, T1068, T1036.003	Windows Command Shell, Command and Scripting Interpreter, Exploitation for Privilege Escalation, Rename System Utilities	Execution, Execution, Privilege Escalation, Defense Evasion	Hunting
Detect Prohibited Applications Spawning cmd exe	T1059	Command and Scripting Interpreter	Execution	TTP
First Time Seen Child Process of Zoom	T1068	Exploitation for Privilege Escalation	Privilege Escalation	Anomaly

Kill Chain Phase

Actions on Objectives

Exploitation

Reference

https://blog.rapid7.com/2020/04/02/dispelling-zoom-bugbears-what-you-need-to-know-about-the-latest-zoom-vulnerabilities/

https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/

version: 1

Trusted developer utilities proxy execution

Monitor and detect behaviors used by attackers who leverage trusted developer utilities to execute malicious code.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-01-12
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Suspicious microsoft workflow compiler rename	T1127, T1036.003	Trusted Developer Utilities Proxy Execution, Rename System Utilities	Defense Evasion, Defense Evasion	Hunting
Suspicious microsoft workflow compiler usage	T1127	Trusted Developer Utilities Proxy Execution	Defense Evasion	TTP

Kill Chain Phase

Exploitation

Reference

https://attack.mitre.org/techniques/T1127/

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md

https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/

version: 1

Trusted developer utilities proxy execution msbuild

Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious code.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-01-21
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Suspicious MSBuild Rename	T1127.001, T1036.003	MSBuild, Rename System Utilities	Defense Evasion, Defense Evasion	TTP
Suspicious MSBuild Spawn	T1127.001	MSBuild	Defense Evasion	TTP
Suspicious msbuild path	T1127.001, T1036.003	MSBuild, Rename System Utilities	Defense Evasion, Defense Evasion	TTP

Kill Chain Phase

Exploitation

Reference

https://attack.mitre.org/techniques/T1127/001/

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md

https://github.com/infosecn1nja/MaliciousMacroMSBuild

https://github.com/xorrior/RandomPS-Scripts/blob/master/Invoke-ExecuteMSBuild.ps1

https://lolbas-project.github.io/lolbas/Binaries/Msbuild/

https://github.com/MHaggis/CBR-Queries/blob/master/msbuild.md

version: 1

Windows dns sigred cve-2020-1350

Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Checkpoint researchers, this vulnerability affects Windows 2003 to 2019, and is triggered by a malicious DNS response (only affects DNS over TCP). An attacker can use the malicious payload to cause a buffer overflow on the vulnerable system, leading to compromise. The included searches in this Analytic Story are designed to identify the large response payload for SIG and KEY DNS records which can be used for the exploit.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Network_Resolution
Last Updated: 2020-07-28
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Detect Windows DNS SIGRed via Splunk Stream	T1203	Exploitation for Client Execution	Execution	TTP
Detect Windows DNS SIGRed via Zeek	T1203	Exploitation for Client Execution	Execution	TTP

Kill Chain Phase

Exploitation

Reference

https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/

https://support.microsoft.com/en-au/help/4569509/windows-dns-server-remote-code-execution-vulnerability

version: 1

Windows defense evasion tactics

Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg.exe` processes, files hidden with `attrib.exe` and disabling user-account control, among many others

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2018-05-31
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Disable Registry Tool	T1562.001, T1564.001, T1548.002, T1112, T1222.001, T1036	Disable or Modify Tools, Hidden Files and Directories, Bypass User Account Control, Modify Registry, Windows File and Directory Permissions Modification, Masquerading	Defense Evasion, Defense Evasion, Privilege Escalation, Defense Evasion, Defense Evasion, Defense Evasion, Defense Evasion	TTP
Disable Show Hidden Files	T1564.001, T1562.001	Hidden Files and Directories, Disable or Modify Tools	Defense Evasion, Defense Evasion	TTP
Disable Windows Behavior Monitoring	T1562.001	Disable or Modify Tools	Defense Evasion	TTP
Disable Windows SmartScreen Protection	T1562.001	Disable or Modify Tools	Defense Evasion	TTP
Disabling CMD Application	T1562.001	Disable or Modify Tools	Defense Evasion	TTP
Disabling ControlPanel	T1562.001	Disable or Modify Tools	Defense Evasion	TTP
Disabling Firewall with Netsh	T1562.001	Disable or Modify Tools	Defense Evasion	TTP
Disabling FolderOptions Windows Feature	T1562.001	Disable or Modify Tools	Defense Evasion	TTP
Disabling NoRun Windows App	T1562.001	Disable or Modify Tools	Defense Evasion	TTP
Disabling Remote User Account Control	T1548.002, T1036, T1547.010, T1070, T1547.001, T1546.012, T1546.011, T1113, T1543	Bypass User Account Control, Masquerading, Port Monitors, Indicator Removal on Host, Registry Run Keys / Startup Folder, Image File Execution Options Injection, Application Shimming, Screen Capture, Create or Modify System Process	Privilege Escalation, Defense Evasion, Defense Evasion, Persistence, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Collection, Persistence, Privilege Escalation	TTP
Disabling SystemRestore In Registry	T1562.001	Disable or Modify Tools	Defense Evasion	TTP
Disabling Task Manager	T1562.001	Disable or Modify Tools	Defense Evasion	TTP
Eventvwr UAC Bypass	T1548.002	Bypass User Account Control	Privilege Escalation, Defense Evasion	TTP
Excessive number of service control start as disabled	T1562.001	Disable or Modify Tools	Defense Evasion	Anomaly
FodHelper UAC Bypass	T1112, T1548.002	Modify Registry, Bypass User Account Control	Defense Evasion, Privilege Escalation, Defense Evasion	TTP
Hiding Files And Directories With Attrib exe	T1222.001	Windows File and Directory Permissions Modification	Defense Evasion	TTP
NET Profiler UAC bypass	T1548.002	Bypass User Account Control	Privilege Escalation, Defense Evasion	TTP
SLUI RunAs Elevated	T1548.002	Bypass User Account Control	Privilege Escalation, Defense Evasion	TTP
SLUI Spawning a Process	T1548.002	Bypass User Account Control	Privilege Escalation, Defense Evasion	TTP
Sdclt UAC Bypass	T1548.002	Bypass User Account Control	Privilege Escalation, Defense Evasion	TTP
SilentCleanup UAC Bypass	T1548.002	Bypass User Account Control	Privilege Escalation, Defense Evasion	TTP
Suspicious Reg exe Process	T1112	Modify Registry	Defense Evasion	TTP
System Process Running from Unexpected Location	T1036	Masquerading	Defense Evasion	Anomaly
UAC Bypass MMC Load Unsigned Dll	T1548.002	Bypass User Account Control	Privilege Escalation, Defense Evasion	TTP
WSReset UAC Bypass	T1548.002	Bypass User Account Control	Privilege Escalation, Defense Evasion	TTP
Windows DisableAntiSpyware Registry	T1562.001	Disable or Modify Tools	Defense Evasion	TTP

Kill Chain Phase

Actions on Objectives

Delivery

Exploitation

Privilege Escalation

Reference

https://attack.mitre.org/wiki/Defense_Evasion

version: 1

Windows discovery techniques

Monitors for behaviors associated with adversaries discovering objects in the environment that can be leveraged in the progression of the attack.

Product: Splunk Behavioral Analytics, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2021-03-04
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Reconnaissance and Access to Accounts Groups and Policies via PowerSploit modules	T1078, T1087, T1484, T1199, T1482, T1590, T1591, T1595, T1592, T1007, T1012, T1046, T1047, T1057, T1083, T1518, T1592.002, T1021.002, T1135, T1039, T1053, T1068, T1543, T1547, T1574, T1589.001, T1590.001, T1590.003, T1098, T1595.002, T1055	Valid Accounts, Account Discovery, Domain Policy Modification, Trusted Relationship, Domain Trust Discovery, Gather Victim Network Information, Gather Victim Org Information, Active Scanning, Gather Victim Host Information, System Service Discovery, Query Registry, Network Service Scanning, Windows Management Instrumentation, Process Discovery, File and Directory Discovery, Software Discovery, Software, SMB/Windows Admin Shares, Network Share Discovery, Data from Network Shared Drive, Scheduled Task/Job, Exploitation for Privilege Escalation, Create or Modify System Process, Boot or Logon Autostart Execution, Hijack Execution Flow, Credentials, Domain Properties, Network Trust Dependencies, Account Manipulation, Vulnerability Scanning, Process Injection	Defense Evasion, Persistence, Privilege Escalation, Initial Access, Discovery, Defense Evasion, Privilege Escalation, Initial Access, Discovery, Reconnaissance, Reconnaissance, Reconnaissance, Reconnaissance, Discovery, Discovery, Discovery, Execution, Discovery, Discovery, Discovery, Reconnaissance, Lateral Movement, Discovery, Collection, Execution, Persistence, Privilege Escalation, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Defense Evasion, Reconnaissance, Reconnaissance, Reconnaissance, Persistence, Reconnaissance, Defense Evasion, Privilege Escalation	TTP
Reconnaissance and Access to Accounts and Groups via Mimikatz modules	T1078, T1087, T1484	Valid Accounts, Account Discovery, Domain Policy Modification	Defense Evasion, Persistence, Privilege Escalation, Initial Access, Discovery, Defense Evasion, Privilege Escalation	TTP
Reconnaissance and Access to Active Directoty Infrastructure via PowerSploit modules	T1199, T1482, T1590, T1591, T1595	Trusted Relationship, Domain Trust Discovery, Gather Victim Network Information, Gather Victim Org Information, Active Scanning	Initial Access, Discovery, Reconnaissance, Reconnaissance, Reconnaissance	TTP
Reconnaissance and Access to Computers and Domains via PowerSploit modules	T1592, T1590, T1087	Gather Victim Host Information, Gather Victim Network Information, Account Discovery	Reconnaissance, Reconnaissance, Discovery	TTP
Reconnaissance and Access to Computers via Mimikatz modules	T1592	Gather Victim Host Information	Reconnaissance	TTP
Reconnaissance and Access to Operating System Elements via PowerSploit modules	T1007, T1012, T1046, T1047, T1057, T1083, T1518, T1592.002	System Service Discovery, Query Registry, Network Service Scanning, Windows Management Instrumentation, Process Discovery, File and Directory Discovery, Software Discovery, Software	Discovery, Discovery, Discovery, Execution, Discovery, Discovery, Discovery, Reconnaissance	TTP
Reconnaissance and Access to Processes and Services via Mimikatz modules	T1007, T1046, T1057	System Service Discovery, Network Service Scanning, Process Discovery	Discovery, Discovery, Discovery	TTP
Reconnaissance and Access to Shared Resources via Mimikatz modules	T1021.002, T1135, T1039	SMB/Windows Admin Shares, Network Share Discovery, Data from Network Shared Drive	Lateral Movement, Discovery, Collection	TTP
Reconnaissance and Access to Shared Resources via PowerSploit modules	T1021.002, T1135, T1039	SMB/Windows Admin Shares, Network Share Discovery, Data from Network Shared Drive	Lateral Movement, Discovery, Collection	TTP
Reconnaissance of Access and Persistence Opportunities via PowerSploit modules	T1053, T1068, T1078, T1543, T1547, T1574	Scheduled Task/Job, Exploitation for Privilege Escalation, Valid Accounts, Create or Modify System Process, Boot or Logon Autostart Execution, Hijack Execution Flow	Execution, Persistence, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Defense Evasion	TTP
Reconnaissance of Connectivity via PowerSploit modules	T1021.002, T1135, T1039	SMB/Windows Admin Shares, Network Share Discovery, Data from Network Shared Drive	Lateral Movement, Discovery, Collection	TTP
Reconnaissance of Credential Stores and Services via Mimikatz modules	T1589.001, T1590.001, T1590.003, T1068, T1078, T1098	Credentials, Domain Properties, Network Trust Dependencies, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation	Reconnaissance, Reconnaissance, Reconnaissance, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence	TTP
Reconnaissance of Defensive Tools via PowerSploit modules	T1595.002, T1592.002	Vulnerability Scanning, Software	Reconnaissance, Reconnaissance	TTP
Reconnaissance of Privilege Escalation Opportunities via PowerSploit modules	T1068, T1078, T1098	Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation	Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence	TTP
Reconnaissance of Process or Service Hijacking Opportunities via Mimikatz modules	T1543, T1055, T1574	Create or Modify System Process, Process Injection, Hijack Execution Flow	Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Persistence, Privilege Escalation, Defense Evasion	TTP

Kill Chain Phase

Actions on Objectives

Reference

https://attack.mitre.org/tactics/TA0007/

https://cyberd.us/penetration-testing

https://attack.mitre.org/software/S0521/

version: 1

Windows log manipulation

Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monitor for suspicious activity surrounding log files--an essential component of an effective defense.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2017-09-12
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
Deleting Shadow Copies	T1490, T1070, T1070.001	Inhibit System Recovery, Indicator Removal on Host, Clear Windows Event Logs	Impact, Defense Evasion, Defense Evasion	TTP
Illegal Deletion of Logs via Mimikatz modules	T1070	Indicator Removal on Host	Defense Evasion	TTP
Suspicious Event Log Service Behavior	T1070.001	Clear Windows Event Logs	Defense Evasion	TTP
Suspicious wevtutil Usage	T1070.001	Clear Windows Event Logs	Defense Evasion	TTP
USN Journal Deletion	T1070	Indicator Removal on Host	Defense Evasion	TTP
WevtUtil Usage To Clear Logs	T1070.001	Clear Windows Event Logs	Defense Evasion	TTP
Wevtutil Usage To Disable Logs	T1070.001	Clear Windows Event Logs	Defense Evasion	TTP
Windows Event Log Cleared	T1070.001	Clear Windows Event Logs	Defense Evasion	TTP

Kill Chain Phase

Actions on Objectives

Exploitation

Reference

https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

https://zeltser.com/security-incident-log-review-checklist/

http://journeyintoir.blogspot.com/2013/01/re-introducing-usnjrnl.html

version: 2

Windows persistence techniques

Monitor for activities and techniques associated with maintaining persistence on a Windows system--a sign that an adversary may have compromised your environment.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2018-05-31
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Certutil exe certificate extraction				TTP
Detect Path Interception By Creation Of program exe	T1574.009, T1222.001, T1585, T1078, T1098, T1207, T1484, T1053, T1134, T1548, T1547.010, T1574.011, T1547.001, T1546.011, T1543.003, T1053.005, T1068	Path Interception by Unquoted Path, Windows File and Directory Permissions Modification, Establish Accounts, Valid Accounts, Account Manipulation, Rogue Domain Controller, Domain Policy Modification, Scheduled Task/Job, Access Token Manipulation, Abuse Elevation Control Mechanism, Port Monitors, Services Registry Permissions Weakness, Registry Run Keys / Startup Folder, Application Shimming, Windows Service, Scheduled Task, Exploitation for Privilege Escalation	Persistence, Privilege Escalation, Defense Evasion, Defense Evasion, Resource Development, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Defense Evasion, Defense Evasion, Privilege Escalation, Execution, Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Privilege Escalation, Persistence, Persistence, Privilege Escalation, Execution, Persistence, Privilege Escalation, Privilege Escalation	TTP
Hiding Files And Directories With Attrib exe	T1222.001	Windows File and Directory Permissions Modification	Defense Evasion	TTP
Illegal Account Creation via PowerSploit modules	T1585	Establish Accounts	Resource Development	TTP
Illegal Enabling or Disabling of Accounts via DSInternals modules	T1078, T1098	Valid Accounts, Account Manipulation	Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence	TTP
Illegal Management of Active Directory Elements and Policies via DSInternals modules	T1098, T1207, T1484	Account Manipulation, Rogue Domain Controller, Domain Policy Modification	Persistence, Defense Evasion, Defense Evasion, Privilege Escalation	TTP
Illegal Management of Computers and Active Directory Elements via PowerSploit modules	T1098, T1207, T1484	Account Manipulation, Rogue Domain Controller, Domain Policy Modification	Persistence, Defense Evasion, Defense Evasion, Privilege Escalation	TTP
Illegal Privilege Elevation and Persistence via PowerSploit modules	T1053, T1134, T1548	Scheduled Task/Job, Access Token Manipulation, Abuse Elevation Control Mechanism	Execution, Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion	TTP
Monitor Registry Keys for Print Monitors	T1547.010	Port Monitors	Persistence, Privilege Escalation	TTP
Reg exe Manipulating Windows Services Registry Keys	T1574.011	Services Registry Permissions Weakness	Persistence, Privilege Escalation, Defense Evasion	TTP
Registry Keys Used For Persistence	T1547.001	Registry Run Keys / Startup Folder	Persistence, Privilege Escalation	TTP
Registry Keys for Creating SHIM Databases	T1546.011	Application Shimming	Privilege Escalation, Persistence	TTP
Sc exe Manipulating Windows Services	T1543.003	Windows Service	Persistence, Privilege Escalation	TTP
Schedule Task with HTTP Command Arguments	T1053	Scheduled Task/Job	Execution, Persistence, Privilege Escalation	TTP
Schedule Task with Rundll32 Command Trigger	T1053	Scheduled Task/Job	Execution, Persistence, Privilege Escalation	TTP
Schtasks used for forcing a reboot	T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation	TTP
Setting Credentials via DSInternals modules	T1068, T1078, T1098	Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation	Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence	TTP
Setting Credentials via Mimikatz modules	T1068, T1078, T1098	Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation	Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence	TTP
Setting Credentials via PowerSploit modules	T1068, T1078, T1098	Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation	Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence	TTP
Shim Database File Creation	T1546.011	Application Shimming	Privilege Escalation, Persistence	TTP
Shim Database Installation With Suspicious Parameters	T1546.011	Application Shimming	Privilege Escalation, Persistence	TTP
Suspicious Scheduled Task from Public Directory	T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation	Anomaly
WinEvent Scheduled Task Created Within Public Path	T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation	TTP
WinEvent Scheduled Task Created to Spawn Shell	T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation	TTP

Kill Chain Phase

Actions on Objectives

Exploitation

Installation

Privilege Escalation

Reference

http://www.fuzzysecurity.com/tutorials/19.html

https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html

http://resources.infosecinstitute.com/common-malware-persistence-mechanisms/

https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html

https://www.youtube.com/watch?v=dq2Hv7J9fvk

version: 2

Windows privilege escalation

Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2020-02-04
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Child Processes of Spoolsv exe	T1068, T1134, T1548, T1546.008, T1078, T1098, T1546.012	Exploitation for Privilege Escalation, Access Token Manipulation, Abuse Elevation Control Mechanism, Accessibility Features, Valid Accounts, Account Manipulation, Image File Execution Options Injection	Privilege Escalation, Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion, Privilege Escalation, Persistence, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Privilege Escalation, Persistence	TTP
Illegal Privilege Elevation via Mimikatz modules	T1134, T1548	Access Token Manipulation, Abuse Elevation Control Mechanism	Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion	TTP
Overwriting Accessibility Binaries	T1546.008	Accessibility Features	Privilege Escalation, Persistence	TTP
Probing Access with Stolen Credentials via PowerSploit modules	T1078, T1098	Valid Accounts, Account Manipulation	Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence	TTP
Registry Keys Used For Privilege Escalation	T1546.012	Image File Execution Options Injection	Privilege Escalation, Persistence	TTP

Kill Chain Phase

Actions on Objectives

Exploitation

Reference

https://attack.mitre.org/tactics/TA0004/

version: 2

Best Practices

Asset tracking

Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/unmanaged devices could be an indication of malicious behavior that should be investigated further.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Network_Sessions
Last Updated: 2017-09-13
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
Detect Unauthorized Assets by MAC address				TTP

Kill Chain Phase

Actions on Objectives

Delivery

Reconnaissance

Reference

https://www.cisecurity.org/controls/inventory-of-authorized-and-unauthorized-devices/

version: 1

Monitor for updates

Monitor your enterprise to ensure that your endpoints are being patched and updated. Adversaries notoriously exploit known vulnerabilities that could be mitigated by applying routine security patches.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Updates
Last Updated: 2017-09-15
Use Case: Compliance

Detection Profile

name	ID	Technique	Tactic	Type
No Windows Updates in a time frame				Hunting

Kill Chain Phase

Reference

https://learn.cisecurity.org/20-controls-download

version: 1

Prohibited traffic allowed or protocol mismatch

Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint, Network_Resolution, Network_Traffic
Last Updated: 2017-09-11
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
Allow Inbound Traffic By Firewall Rule Registry	T1021.001, T1189, T1021, T1048, T1048.003, T1071.001	Remote Desktop Protocol, Drive-by Compromise, Remote Services, Exfiltration Over Alternative Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Web Protocols	Lateral Movement, Initial Access, Lateral Movement, Exfiltration, Exfiltration, Command And Control	TTP
Allow Inbound Traffic In Firewall Rule	T1021.001	Remote Desktop Protocol	Lateral Movement	TTP
Detect hosts connecting to dynamic domain providers	T1189	Drive-by Compromise	Initial Access	TTP
Enable RDP In Other Port Number	T1021	Remote Services	Lateral Movement	TTP
Prohibited Network Traffic Allowed	T1048	Exfiltration Over Alternative Protocol	Exfiltration	TTP
Protocol or Port Mismatch	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	Exfiltration	Anomaly
TOR Traffic	T1071.001	Web Protocols	Command And Control	TTP

Kill Chain Phase

Actions on Objectives

Command and Control

Delivery

Exploitation

Reference

http://www.novetta.com/2015/02/advanced-methods-to-detect-advanced-cyber-attacks-protocol-abuse/

version: 1

Router and infrastructure security

Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. Core routing and switching infrastructure are common strategic targets for attackers.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Authentication, Network_Traffic
Last Updated: 2017-09-12
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
Detect ARP Poisoning	T1200, T1498, T1557.002, T1557, T1542.005, T1020.001	Hardware Additions, Network Denial of Service, ARP Cache Poisoning, Man-in-the-Middle, TFTP Boot, Traffic Duplication	Initial Access, Impact, Credential Access, Collection, Credential Access, Collection, Defense Evasion, Persistence, Exfiltration	TTP
Detect IPv6 Network Infrastructure Threats	T1200, T1498, T1557.002	Hardware Additions, Network Denial of Service, ARP Cache Poisoning	Initial Access, Impact, Credential Access, Collection	TTP
Detect New Login Attempts to Routers				TTP
Detect Port Security Violation	T1200, T1498, T1557.002	Hardware Additions, Network Denial of Service, ARP Cache Poisoning	Initial Access, Impact, Credential Access, Collection	TTP
Detect Rogue DHCP Server	T1200, T1498, T1557	Hardware Additions, Network Denial of Service, Man-in-the-Middle	Initial Access, Impact, Credential Access, Collection	TTP
Detect Software Download To Network Device	T1542.005	TFTP Boot	Defense Evasion, Persistence	TTP
Detect Traffic Mirroring	T1200, T1498, T1020.001	Hardware Additions, Network Denial of Service, Traffic Duplication	Initial Access, Impact, Exfiltration	TTP

Kill Chain Phase

Actions on Objectives

Delivery

Exploitation

Reconnaissance

Reference

https://www.fireeye.com/blog/executive-perspective/2015/09/the_new_route_toper.html

https://www.cisco.com/c/en/us/about/security-center/event-response/synful-knock.html

version: 1

Use of cleartext protocols

Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Network_Traffic
Last Updated: 2017-09-15
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
Protocols passing authentication in cleartext				TTP

Kill Chain Phase

Actions on Objectives

Reconnaissance

Reference

https://www.monkey.org/~dugsong/dsniff/

version: 1

Cloud Security

Aws cross account activity

Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2018-06-04
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
aws detect attach to role policy	T1078, T1550	Valid Accounts, Use Alternate Authentication Material	Defense Evasion, Persistence, Privilege Escalation, Initial Access, Defense Evasion, Lateral Movement	Hunting
aws detect permanent key creation	T1078	Valid Accounts	Defense Evasion, Persistence, Privilege Escalation, Initial Access	Hunting
aws detect role creation	T1078	Valid Accounts	Defense Evasion, Persistence, Privilege Escalation, Initial Access	Hunting
aws detect sts assume role abuse	T1078	Valid Accounts	Defense Evasion, Persistence, Privilege Escalation, Initial Access	Hunting
aws detect sts get session token abuse	T1550	Use Alternate Authentication Material	Defense Evasion, Lateral Movement	Hunting

Kill Chain Phase

Lateral Movement

Reference

https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/

version: 1

Aws iam privilege escalation

This analytic story contains detections that query your AWS Cloudtrail for activities related to privilege escalation.

Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2021-03-08
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
AWS Create Policy Version to allow all resources	T1078.004, T1136.003, T1580, T1110, T1098, T1069.003	Cloud Accounts, Cloud Account, Cloud Infrastructure Discovery, Brute Force, Account Manipulation, Cloud Groups	Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Discovery, Credential Access, Persistence, Discovery	TTP
AWS CreateAccessKey	T1136.003	Cloud Account	Persistence	Hunting
AWS CreateLoginProfile	T1136.003	Cloud Account	Persistence	TTP
AWS IAM Assume Role Policy Brute Force	T1580, T1110	Cloud Infrastructure Discovery, Brute Force	Discovery, Credential Access	TTP
AWS IAM Delete Policy	T1098	Account Manipulation	Persistence	Hunting
AWS IAM Failure Group Deletion	T1098	Account Manipulation	Persistence	Anomaly
AWS IAM Successful Group Deletion	T1069.003, T1098	Cloud Groups, Account Manipulation	Discovery, Persistence	Hunting
AWS SetDefaultPolicyVersion	T1078.004	Cloud Accounts	Defense Evasion, Persistence, Privilege Escalation, Initial Access	TTP
AWS UpdateLoginProfile	T1136.003	Cloud Account	Persistence	TTP

Kill Chain Phase

Actions on Objectives

Reconnaissance

Reference

https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/

https://www.cyberark.com/resources/threat-research-blog/the-cloud-shadow-admin-threat-10-permissions-to-protect

https://labs.bishopfox.com/tech-blog/privilege-escalation-in-aws

version: 1

Aws network acl activity

Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches help you probe deeper, when the facts warrant it.

Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2018-05-21
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
AWS Network Access Control List Created with All Open Ports	T1562.007	Disable or Modify Cloud Firewall	Defense Evasion	TTP
AWS Network Access Control List Deleted	T1562.007	Disable or Modify Cloud Firewall	Defense Evasion	Anomaly
Detect Spike in blocked Outbound Traffic from your AWS				Anomaly

Kill Chain Phase

Actions on Objectives

Command and Control

Reference

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html

https://aws.amazon.com/blogs/security/how-to-help-prepare-for-ddos-attacks-by-reducing-your-attack-surface/

version: 2

Aws security hub alerts

This story is focused around detecting Security Hub alerts generated from AWS

Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2020-08-04
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
Detect Spike in AWS Security Hub Alerts for EC2 Instance				Anomaly
Detect Spike in AWS Security Hub Alerts for User				Anomaly

Kill Chain Phase

Reference

https://aws.amazon.com/security-hub/features/

version: 1

Aws user monitoring

Detect and investigate dormant user accounts for your AWS environment that have become active again. Because inactive and ad-hoc accounts are common attack targets, it's critical to enable governance within your environment.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2018-03-12
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
AWS Excessive Security Scanning	T1526	Cloud Service Discovery	Discovery	TTP

Kill Chain Phase

Actions on Objectives

Reference

https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf

https://redlock.io/blog/cryptojacking-tesla

version: 1

Cloud cryptomining

Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users are just a few examples of potentially malicious behavior.

Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Change
Last Updated: 2019-10-02
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
Abnormally High Number Of Cloud Instances Launched	T1078.004, T1535	Cloud Accounts, Unused/Unsupported Cloud Regions	Defense Evasion, Persistence, Privilege Escalation, Initial Access, Defense Evasion	Anomaly
Cloud Compute Instance Created By Previously Unseen User	T1078.004	Cloud Accounts	Defense Evasion, Persistence, Privilege Escalation, Initial Access	Anomaly
Cloud Compute Instance Created In Previously Unused Region	T1535	Unused/Unsupported Cloud Regions	Defense Evasion	Anomaly
Cloud Compute Instance Created With Previously Unseen Image				Anomaly
Cloud Compute Instance Created With Previously Unseen Instance Type				Anomaly

Kill Chain Phase

Actions on Objectives

Reference

https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf

version: 1

Cloud federated credential abuse

This analytical story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktop or servers specially those servers that provide federation services such as Windows Active Directory Federation Services. Identity Federation relies on objects such as Oauth2 tokens, cookies or SAML assertions in order to provide seamless access between cloud and perimeter environments. If these objects are either hijacked or forged then attackers will be able to pivot into victim's cloud environements.

Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-01-26
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
AWS SAML Access by Provider User and Principal	T1078, T1003.001, T1136.003, T1556, T1546.012	Valid Accounts, LSASS Memory, Cloud Account, Modify Authentication Process, Image File Execution Options Injection	Defense Evasion, Persistence, Privilege Escalation, Initial Access, Credential Access, Persistence, Credential Access, Defense Evasion, Persistence, Privilege Escalation, Persistence	Anomaly
AWS SAML Update identity provider	T1078	Valid Accounts	Defense Evasion, Persistence, Privilege Escalation, Initial Access	TTP
Certutil exe certificate extraction				TTP
Detect Mimikatz Using Loaded Images	T1003.001	LSASS Memory	Credential Access	TTP
Detect Rare Executables				Anomaly
O365 Add App Role Assignment Grant User	T1136.003	Cloud Account	Persistence	TTP
O365 Added Service Principal	T1136.003	Cloud Account	Persistence	TTP
O365 Excessive SSO logon errors	T1556	Modify Authentication Process	Credential Access, Defense Evasion, Persistence	Anomaly
O365 New Federated Domain Added	T1136.003	Cloud Account	Persistence	TTP
Registry Keys Used For Privilege Escalation	T1546.012	Image File Execution Options Injection	Privilege Escalation, Persistence	TTP

Kill Chain Phase

Actions on Objective

Actions on Objectives

Command and Control

Installation

Reference

https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps

https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf

https://us-cert.cisa.gov/ncas/alerts/aa21-008a

version: 1

Container implantation monitoring and investigation

Use the searches in this story to monitor your Kubernetes registry repositories for upload, and deployment of potentially vulnerable, backdoor, or implanted containers. These searches provide information on source users, destination path, container names and repository names. The searches provide context to address Mitre T1525 which refers to container implantation upload to a company's repository either in Amazon Elastic Container Registry, Google Container Registry and Azure Container Registry.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2020-02-20
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
New container uploaded to AWS ECR	T1525	Implant Internal Image	Persistence	Hunting

Kill Chain Phase

Reference

https://github.com/splunk/cloud-datamodel-security-research

version: 1

Dev sec ops

This story is focused around detecting attacks on a DevSecOps lifeccycle which consists of the phases plan, code, build, test, release, deploy, operate and monitor.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Dev Sec Ops Analytics
Datamodel:
Last Updated: 2021-08-18
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
AWS ECR Container Scanning Findings High	T1204.003, T1554, T1195.001, T1212, T1526	Malicious Image, Compromise Client Software Binary, Compromise Software Dependencies and Development Tools, Exploitation for Credential Access, Cloud Service Discovery	Execution, Persistence, Initial Access, Credential Access, Discovery	TTP
AWS ECR Container Scanning Findings Low Informational Unknown	T1204.003	Malicious Image	Execution	Hunting
AWS ECR Container Scanning Findings Medium	T1204.003	Malicious Image	Execution	Anomaly
AWS ECR Container Upload Outside Business Hours	T1204.003	Malicious Image	Execution	Anomaly
AWS ECR Container Upload Unknown User	T1204.003	Malicious Image	Execution	Anomaly
Circle CI Disable Security Job	T1554	Compromise Client Software Binary	Persistence	Anomaly
Circle CI Disable Security Step	T1554	Compromise Client Software Binary	Persistence	Anomaly
Correlation by Repository and Risk	T1204.003	Malicious Image	Execution	Correlation
Correlation by User and Risk	T1204.003	Malicious Image	Execution	Correlation
GitHub Dependabot Alert	T1195.001	Compromise Software Dependencies and Development Tools	Initial Access	Anomaly
GitHub Pull Request from Unknown User	T1195.001	Compromise Software Dependencies and Development Tools	Initial Access	Anomaly
Kubernetes Nginx Ingress LFI	T1212	Exploitation for Credential Access	Credential Access	TTP
Kubernetes Nginx Ingress RFI	T1212	Exploitation for Credential Access	Credential Access	TTP
Kubernetes Scanner Image Pulling	T1526	Cloud Service Discovery	Discovery	TTP

Kill Chain Phase

Actions on Objectives

Reference

https://www.redhat.com/en/topics/devops/what-is-devsecops

version: 1

Gcp cross account activity

Track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2020-09-01
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
GCP Detect gcploit framework	T1078	Valid Accounts	Defense Evasion, Persistence, Privilege Escalation, Initial Access	TTP

Kill Chain Phase

Lateral Movement

Reference

https://cloud.google.com/iam/docs/understanding-service-accounts

version: 1

Kubernetes scanning activity

This story addresses detection against Kubernetes cluster fingerprint scan and attack by providing information on items such as source ip, user agent, cluster names.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2020-04-15
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
Amazon EKS Kubernetes Pod scan detection	T1526	Cloud Service Discovery	Discovery	Hunting
Amazon EKS Kubernetes cluster scan detection	T1526	Cloud Service Discovery	Discovery	Hunting
GCP Kubernetes cluster pod scan detection	T1526	Cloud Service Discovery	Discovery	Hunting

Kill Chain Phase

Reconnaissance

Reference

https://github.com/splunk/cloud-datamodel-security-research

version: 1

Kubernetes sensitive object access activity

This story addresses detection and response of accounts acccesing Kubernetes cluster sensitive objects such as configmaps or secrets providing information on items such as user user, group. object, namespace and authorization reason.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2020-05-20
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
Kubernetes AWS detect suspicious kubectl calls				Hunting

Kill Chain Phase

Lateral Movement

Reference

https://www.splunk.com/en_us/blog/security/approaching-kubernetes-security-detecting-kubernetes-scan-with-splunk.html

version: 1

Office 365 detections

This story is focused around detecting Office 365 Attacks.

Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2020-12-16
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
High Number of Login Failures from a single source	T1110.001, T1136.003, T1562.007, T1556, T1110, T1114, T1114.003, T1114.002	Password Guessing, Cloud Account, Disable or Modify Cloud Firewall, Modify Authentication Process, Brute Force, Email Collection, Email Forwarding Rule, Remote Email Collection	Credential Access, Persistence, Defense Evasion, Credential Access, Defense Evasion, Persistence, Credential Access, Collection, Collection, Collection	Anomaly
O365 Add App Role Assignment Grant User	T1136.003	Cloud Account	Persistence	TTP
O365 Added Service Principal	T1136.003	Cloud Account	Persistence	TTP
O365 Bypass MFA via Trusted IP	T1562.007	Disable or Modify Cloud Firewall	Defense Evasion	TTP
O365 Disable MFA	T1556	Modify Authentication Process	Credential Access, Defense Evasion, Persistence	TTP
O365 Excessive Authentication Failures Alert	T1110	Brute Force	Credential Access	Anomaly
O365 Excessive SSO logon errors	T1556	Modify Authentication Process	Credential Access, Defense Evasion, Persistence	Anomaly
O365 New Federated Domain Added	T1136.003	Cloud Account	Persistence	TTP
O365 PST export alert	T1114	Email Collection	Collection	TTP
O365 Suspicious Admin Email Forwarding	T1114.003	Email Forwarding Rule	Collection	Anomaly
O365 Suspicious Rights Delegation	T1114.002	Remote Email Collection	Collection	TTP
O365 Suspicious User Email Forwarding	T1114.003	Email Forwarding Rule	Collection	Anomaly

Kill Chain Phase

Actions on Objective

Actions on Objectives

Not Applicable

Reference

https://i.blackhat.com/USA-20/Thursday/us-20-Bienstock-My-Cloud-Is-APTs-Cloud-Investigating-And-Defending-Office-365.pdf

version: 1

Suspicious aws login activities

Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins.

Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Authentication
Last Updated: 2019-05-01
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
Detect AWS Console Login by User from New City	T1535	Unused/Unsupported Cloud Regions	Defense Evasion	Hunting
Detect AWS Console Login by User from New Country	T1535	Unused/Unsupported Cloud Regions	Defense Evasion	Hunting
Detect AWS Console Login by User from New Region	T1535	Unused/Unsupported Cloud Regions	Defense Evasion	Hunting

Kill Chain Phase

Actions on Objectives

Reference

https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html

version: 1

Suspicious aws s3 activities

Use the searches in this Analytic Story to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.

Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2018-07-24
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
Detect New Open S3 Buckets over AWS CLI	T1530	Data from Cloud Storage Object	Collection	TTP
Detect New Open S3 buckets	T1530	Data from Cloud Storage Object	Collection	TTP
Detect S3 access from a new IP	T1530	Data from Cloud Storage Object	Collection	Anomaly
Detect Spike in S3 Bucket deletion	T1530	Data from Cloud Storage Object	Collection	Anomaly

Kill Chain Phase

Actions on Objectives

Reference

https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf

https://www.tripwire.com/state-of-security/security-data-protection/cloud/public-aws-s3-buckets-writable/

version: 2

Suspicious aws traffic

Leverage these searches to monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors, such as a spike in blocked outbound traffic in your virtual private cloud (VPC).

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2018-05-07
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
Detect Spike in blocked Outbound Traffic from your AWS				Anomaly

Kill Chain Phase

Actions on Objectives

Command and Control

Reference

https://rhinosecuritylabs.com/aws/hiding-cloudcobalt-strike-beacon-c2-using-amazon-apis/

version: 1

Suspicious cloud authentication activities

Monitor your cloud authentication events. Searches within this Analytic Story leverage the recent cloud updates to the Authentication data model to help you stay aware of and investigate suspicious login activity.

Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Authentication
Last Updated: 2020-06-04
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
AWS Cross Account Activity From Previously Unseen Account				Anomaly
Detect AWS Console Login by New User				Hunting
Detect AWS Console Login by User from New City	T1535	Unused/Unsupported Cloud Regions	Defense Evasion	Hunting
Detect AWS Console Login by User from New Country	T1535	Unused/Unsupported Cloud Regions	Defense Evasion	Hunting
Detect AWS Console Login by User from New Region	T1535	Unused/Unsupported Cloud Regions	Defense Evasion	Hunting

Kill Chain Phase

Actions on Objectives

Reference

https://aws.amazon.com/blogs/security/aws-cloudtrail-now-tracks-cross-account-activity-to-its-origin/

https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html

version: 1

Suspicious cloud instance activities

Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.

Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Change
Last Updated: 2020-08-25
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
Abnormally High Number Of Cloud Instances Destroyed	T1078.004, T1537	Cloud Accounts, Transfer Data to Cloud Account	Defense Evasion, Persistence, Privilege Escalation, Initial Access, Exfiltration	Anomaly
Abnormally High Number Of Cloud Instances Launched	T1078.004, T1535	Cloud Accounts, Unused/Unsupported Cloud Regions	Defense Evasion, Persistence, Privilege Escalation, Initial Access, Defense Evasion	Anomaly
Cloud Instance Modified By Previously Unseen User	T1078.004	Cloud Accounts	Defense Evasion, Persistence, Privilege Escalation, Initial Access	Anomaly
Detect shared ec2 snapshot	T1537	Transfer Data to Cloud Account	Exfiltration	TTP

Kill Chain Phase

Actions on Objectives

Reference

https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf

version: 1

Suspicious cloud provisioning activities

Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.

Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Change
Last Updated: 2018-08-20
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
Cloud Provisioning Activity From Previously Unseen City	T1078	Valid Accounts	Defense Evasion, Persistence, Privilege Escalation, Initial Access	Anomaly
Cloud Provisioning Activity From Previously Unseen Country	T1078	Valid Accounts	Defense Evasion, Persistence, Privilege Escalation, Initial Access	Anomaly
Cloud Provisioning Activity From Previously Unseen IP Address	T1078	Valid Accounts	Defense Evasion, Persistence, Privilege Escalation, Initial Access	Anomaly
Cloud Provisioning Activity From Previously Unseen Region	T1078	Valid Accounts	Defense Evasion, Persistence, Privilege Escalation, Initial Access	Anomaly

Kill Chain Phase

Reference

https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf

version: 1

Suspicious cloud user activities

Detect and investigate suspicious activities by users and roles in your cloud environments.

Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Change
Last Updated: 2020-09-04
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
AWS IAM AccessDenied Discovery Events	T1580, T1078.004, T1078	Cloud Infrastructure Discovery, Cloud Accounts, Valid Accounts	Discovery, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Defense Evasion, Persistence, Privilege Escalation, Initial Access	Anomaly
Abnormally High Number Of Cloud Infrastructure API Calls	T1078.004	Cloud Accounts	Defense Evasion, Persistence, Privilege Escalation, Initial Access	Anomaly
Abnormally High Number Of Cloud Security Group API Calls	T1078.004	Cloud Accounts	Defense Evasion, Persistence, Privilege Escalation, Initial Access	Anomaly
Cloud API Calls From Previously Unseen User Roles	T1078	Valid Accounts	Defense Evasion, Persistence, Privilege Escalation, Initial Access	Anomaly

Kill Chain Phase

Actions on Objectives

Reconnaissance

Reference

https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf

https://redlock.io/blog/cryptojacking-tesla

version: 1

Suspicious gcp storage activities

Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open storage buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2020-08-05
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
Detect GCP Storage access from a new IP	T1530	Data from Cloud Storage Object	Collection	Anomaly
Detect New Open GCP Storage Buckets	T1530	Data from Cloud Storage Object	Collection	TTP

Kill Chain Phase

Actions on Objectives

Reference

https://cloud.google.com/blog/product/gcp/4-steps-for-hardening-your-cloud-storage-buckets-taking-charge-of-your-security

https://rhinosecuritylabs.com/gcp/google-cloud-platform-gcp-bucket-enumeration/

version: 1

Lateral Movement

Printnightmare cve-2021-34527

The following analytic story identifies behaviors related PrintNightmare, or CVE-2021-34527 previously known as (CVE-2021-1675), to gain privilege escalation on the vulnerable machine.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-07-01
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Print Spooler Adding A Printer Driver	T1547.012, T1218.011, T1068	Print Processors, Rundll32, Exploitation for Privilege Escalation	Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation	TTP
Print Spooler Failed to Load a Plug-in	T1547.012	Print Processors	Persistence, Privilege Escalation	TTP
Rundll32 with no Command Line Arguments with Network	T1218.011	Rundll32	Defense Evasion	TTP
Spoolsv Spawning Rundll32	T1547.012	Print Processors	Persistence, Privilege Escalation	TTP
Spoolsv Suspicious Loaded Modules	T1547.012	Print Processors	Persistence, Privilege Escalation	TTP
Spoolsv Suspicious Process Access	T1068	Exploitation for Privilege Escalation	Privilege Escalation	TTP
Spoolsv Writing a DLL	T1547.012	Print Processors	Persistence, Privilege Escalation	TTP
Spoolsv Writing a DLL - Sysmon	T1547.012	Print Processors	Persistence, Privilege Escalation	TTP
Suspicious Rundll32 no Command Line Arguments	T1218.011	Rundll32	Defense Evasion	TTP

Kill Chain Phase

Actions on Objectives

Exploitation

Reference

https://github.com/cube0x0/CVE-2021-1675/

https://blog.truesec.com/2021/06/30/fix-for-printnightmare-cve-2021-1675-exploit-to-keep-your-print-servers-running-while-a-patch-is-not-available/

https://blog.truesec.com/2021/06/30/exploitable-critical-rce-vulnerability-allows-regular-users-to-fully-compromise-active-directory-printnightmare-cve-2021-1675/

https://www.reddit.com/r/msp/comments/ob6y02/critical_vulnerability_printnightmare_exposes

version: 1

Malware

Blackmatter ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackMatter ransomware, including looking for file writes associated with BlackMatter, force safe mode boot, autadminlogon account registry modification and more.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-09-06
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Add DefaultUser And Password In Registry	T1552.002, T1490, T1491, T1486	Credentials in Registry, Inhibit System Recovery, Defacement, Data Encrypted for Impact	Credential Access, Impact, Impact, Impact	Anomaly
Auto Admin Logon Registry Entry	T1552.002	Credentials in Registry	Credential Access	TTP
Bcdedit Command Back To Normal Mode Boot	T1490	Inhibit System Recovery	Impact	TTP
Change To Safe Mode With Network Config	T1490	Inhibit System Recovery	Impact	TTP
Known Services Killed by Ransomware	T1490	Inhibit System Recovery	Impact	TTP
Modification Of Wallpaper	T1491	Defacement	Impact	TTP
Ransomware Notes bulk creation	T1486	Data Encrypted for Impact	Impact	Anomaly

Kill Chain Phase

Exploitation

Obfuscation

Reference

https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/

https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/

https://blog.malwarebytes.com/ransomware/2021/07/blackmatter-a-new-ransomware-group-claims-link-to-darkside-revil/

version: 1

Clop ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clope, encrypting network shares, deleting and resizing shadow volume storage, registry key modification, deleting of security logs, and more.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-03-17
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Clop Common Exec Parameter	T1204, T1543, T1485, T1569.002, T1490, T1486, T1070, T1489, T1070.001	User Execution, Create or Modify System Process, Data Destruction, Service Execution, Inhibit System Recovery, Data Encrypted for Impact, Indicator Removal on Host, Service Stop, Clear Windows Event Logs	Execution, Persistence, Privilege Escalation, Impact, Execution, Impact, Impact, Defense Evasion, Impact, Defense Evasion	TTP
Clop Ransomware Known Service Name	T1543	Create or Modify System Process	Persistence, Privilege Escalation	TTP
Common Ransomware Extensions	T1485	Data Destruction	Impact	Hunting
Common Ransomware Notes	T1485	Data Destruction	Impact	Hunting
Create Service In Suspicious File Path	T1569.002	Service Execution	Execution	TTP
Deleting Shadow Copies	T1490, T1070, T1070.001	Inhibit System Recovery, Indicator Removal on Host, Clear Windows Event Logs	Impact, Defense Evasion, Defense Evasion	TTP
High File Deletion Frequency	T1485	Data Destruction	Impact	Anomaly
High Process Termination Frequency	T1486	Data Encrypted for Impact	Impact	Anomaly
Process Deleting Its Process File Path	T1070	Indicator Removal on Host	Defense Evasion	TTP
Ransomware Notes bulk creation	T1486	Data Encrypted for Impact	Impact	Anomaly
Resize ShadowStorage volume	T1490	Inhibit System Recovery	Impact	TTP
Resize Shadowstorage Volume	T1489	Service Stop	Impact	TTP
Suspicious Event Log Service Behavior	T1070.001	Clear Windows Event Logs	Defense Evasion	TTP
Suspicious wevtutil Usage	T1070.001	Clear Windows Event Logs	Defense Evasion	TTP
WevtUtil Usage To Clear Logs	T1070.001	Clear Windows Event Logs	Defense Evasion	TTP
Windows Event Log Cleared	T1070.001	Clear Windows Event Logs	Defense Evasion	TTP

Kill Chain Phase

Actions on Objectives

Exploitation

Obfuscation

Privilege Escalation

Reference

https://www.hhs.gov/sites/default/files/analyst-note-cl0p-tlp-white.pdf

https://securityaffairs.co/wordpress/115250/data-breach/qualys-clop-ransomware.html

https://www.darkreading.com/attacks-breaches/qualys-is-the-latest-victim-of-accellion-data-breach/d/d-id/1340323

version: 1

Coldroot macos rat

Leverage searches that allow you to detect and investigate unusual activities that relate to the ColdRoot Remote Access Trojan that affects MacOS. An example of some of these activities are changing sensative binaries in the MacOS sub-system, detecting process names and executables associated with the RAT, detecting when a keyboard tab is installed on a MacOS machine and more.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2019-01-09
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Processes Tapping Keyboard Events				TTP

Kill Chain Phase

Command and Control

Reference

https://www.intego.com/mac-security-blog/osxcoldroot-and-the-rat-invasion/

https://objective-see.com/blog/blog_0x2A.html

https://www.bleepingcomputer.com/news/security/coldroot-rat-still-undetectable-despite-being-uploaded-on-github-two-years-ago/

version: 1

Dhs report ta18-074a

Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearfishing attacks, malware, watering-hole domains, many and more.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint, Network_Traffic
Last Updated: 2020-01-22
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Create local admin accounts using net exe	T1136.001, T1071.002, T1021.002, T1569.002, T1059.001, T1562.004, T1547.001, T1543.003, T1053.005, T1204.002, T1112	Local Account, File Transfer Protocols, SMB/Windows Admin Shares, Service Execution, PowerShell, Disable or Modify System Firewall, Registry Run Keys / Startup Folder, Windows Service, Scheduled Task, Malicious File, Modify Registry	Persistence, Command And Control, Lateral Movement, Execution, Execution, Defense Evasion, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Execution, Persistence, Privilege Escalation, Execution, Defense Evasion	TTP
Detect New Local Admin account	T1136.001	Local Account	Persistence	TTP
Detect Outbound SMB Traffic	T1071.002	File Transfer Protocols	Command And Control	TTP
Detect PsExec With accepteula Flag	T1021.002	SMB/Windows Admin Shares	Lateral Movement	TTP
Detect Renamed PSExec	T1569.002	Service Execution	Execution	Hunting
Malicious PowerShell Process - Execution Policy Bypass	T1059.001	PowerShell	Execution	TTP
Processes launching netsh	T1562.004	Disable or Modify System Firewall	Defense Evasion	TTP
Registry Keys Used For Persistence	T1547.001	Registry Run Keys / Startup Folder	Persistence, Privilege Escalation	TTP
SMB Traffic Spike	T1021.002	SMB/Windows Admin Shares	Lateral Movement	Anomaly
SMB Traffic Spike - MLTK	T1021.002	SMB/Windows Admin Shares	Lateral Movement	Anomaly
Sc exe Manipulating Windows Services	T1543.003	Windows Service	Persistence, Privilege Escalation	TTP
Scheduled Task Deleted Or Created via CMD	T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation	TTP
Single Letter Process On Endpoint	T1204.002	Malicious File	Execution	TTP
Suspicious Reg exe Process	T1112	Modify Registry	Defense Evasion	TTP

Kill Chain Phase

Actions on Objectives

Command and Control

Execution

Exploitation

Installation

Lateral Movement

Reference

https://www.us-cert.gov/ncas/alerts/TA18-074A

version: 2

Darkside ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the DarkSide Ransomware

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-05-12
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Attempted Credential Dump From Registry via Reg exe	T1003.002, T1197, T1105, T1218.003, T1055, T1490, T1003.001, T1021.002, T1020, T1569.002, T1486, T1548.002	Security Account Manager, BITS Jobs, Ingress Tool Transfer, CMSTP, Process Injection, Inhibit System Recovery, LSASS Memory, SMB/Windows Admin Shares, Automated Exfiltration, Service Execution, Data Encrypted for Impact, Bypass User Account Control	Credential Access, Defense Evasion, Persistence, Command And Control, Defense Evasion, Defense Evasion, Privilege Escalation, Impact, Credential Access, Lateral Movement, Exfiltration, Execution, Impact, Privilege Escalation, Defense Evasion	TTP
BITSAdmin Download File	T1197, T1105	BITS Jobs, Ingress Tool Transfer	Defense Evasion, Persistence, Command And Control	TTP
CMLUA Or CMSTPLUA UAC Bypass	T1218.003	CMSTP	Defense Evasion	TTP
CertUtil Download With URLCache and Split Arguments	T1105	Ingress Tool Transfer	Command And Control	TTP
CertUtil Download With VerifyCtl and Split Arguments	T1105	Ingress Tool Transfer	Command And Control	TTP
Cobalt Strike Named Pipes	T1055	Process Injection	Defense Evasion, Privilege Escalation	TTP
Delete ShadowCopy With PowerShell	T1490	Inhibit System Recovery	Impact	TTP
Detect Mimikatz Using Loaded Images	T1003.001	LSASS Memory	Credential Access	TTP
Detect PsExec With accepteula Flag	T1021.002	SMB/Windows Admin Shares	Lateral Movement	TTP
Detect RClone Command-Line Usage	T1020	Automated Exfiltration	Exfiltration	TTP
Detect Renamed PSExec	T1569.002	Service Execution	Execution	Hunting
Detect Renamed RClone	T1020	Automated Exfiltration	Exfiltration	Hunting
Extraction of Registry Hives	T1003.002	Security Account Manager	Credential Access	TTP
Ransomware Notes bulk creation	T1486	Data Encrypted for Impact	Impact	Anomaly
SLUI RunAs Elevated	T1548.002	Bypass User Account Control	Privilege Escalation, Defense Evasion	TTP
SLUI Spawning a Process	T1548.002	Bypass User Account Control	Privilege Escalation, Defense Evasion	TTP

Kill Chain Phase

Actions on Objectives

Execution

Exfiltration

Exploitation

Lateral Movement

Obfuscation

Reference

https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.htmlbig-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html

version: 1

Dynamic dns

Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and deny lists.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint, Network_Resolution
Last Updated: 2018-09-06
Use Case: Security Monitoring

Detection Profile

name	ID	Technique	Tactic	Type
DNS Exfiltration Using Nslookup App	T1048, T1071.004, T1048.003, T1095, T1041, T1189, T1537, T1114.001, T1114, T1114.003, T1071.001	Exfiltration Over Alternative Protocol, DNS, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Non-Application Layer Protocol, Exfiltration Over C2 Channel, Drive-by Compromise, Transfer Data to Cloud Account, Local Email Collection, Email Collection, Email Forwarding Rule, Web Protocols	Exfiltration, Command And Control, Exfiltration, Command And Control, Exfiltration, Initial Access, Exfiltration, Collection, Collection, Collection, Command And Control	TTP
Detect hosts connecting to dynamic domain providers	T1189	Drive-by Compromise	Initial Access	TTP
Excessive Usage of NSLOOKUP App	T1048	Exfiltration Over Alternative Protocol	Exfiltration	Anomaly

Kill Chain Phase

Actions on Objectives

Command and Control

Exploitation

Reference

https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

https://umbrella.cisco.com/blog/2013/04/15/on-the-trail-of-malicious-dynamic-dns-domains/

http://www.noip.com/blog/2014/07/11/dynamic-dns-can-use-2/

https://www.splunk.com/blog/2015/08/04/detecting-dynamic-dns-domains-in-splunk.html

version: 2

Emotet malware dhs report ta18-201a

Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has compromised your environment.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Email, Endpoint, Network_Traffic
Last Updated: 2020-01-27
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Detect Rare Executables				Anomaly
Detect Use of cmd exe to Launch Script Interpreters	T1059.003, T1072, T1547.001, T1021.002, T1566.001	Windows Command Shell, Software Deployment Tools, Registry Run Keys / Startup Folder, SMB/Windows Admin Shares, Spearphishing Attachment	Execution, Execution, Lateral Movement, Persistence, Privilege Escalation, Lateral Movement, Initial Access	TTP
Detection of tools built by NirSoft	T1072	Software Deployment Tools	Execution, Lateral Movement	TTP
Email Attachments With Lots Of Spaces				Anomaly
Registry Keys Used For Persistence	T1547.001	Registry Run Keys / Startup Folder	Persistence, Privilege Escalation	TTP
SMB Traffic Spike	T1021.002	SMB/Windows Admin Shares	Lateral Movement	Anomaly
SMB Traffic Spike - MLTK	T1021.002	SMB/Windows Admin Shares	Lateral Movement	Anomaly
Suspicious Email Attachment Extensions	T1566.001	Spearphishing Attachment	Initial Access	Anomaly

Kill Chain Phase

Actions on Objectives

Command and Control

Delivery

Exploitation

Installation

Reference

https://www.us-cert.gov/ncas/alerts/TA18-201A

https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf

https://www.vkremez.com/2017/05/emotet-banking-trojan-malware-analysis.html

version: 1

Fin7

Leverage searches that allow you to detect and investigate unusual activities that might relate to the FIN7 JS Implant and JSSLoader, including looking for Image Loading of ldap and wmi modules, associated with its payload, data collection and script execution.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-09-14
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Check Elevated CMD using whoami	T1033, T1059.007, T1555.003, T1566.001, T1220	System Owner/User Discovery, JavaScript, Credentials from Web Browsers, Spearphishing Attachment, XSL Script Processing	Discovery, Execution, Credential Access, Initial Access, Defense Evasion	TTP
Cmdline Tool Not Executed In CMD Shell	T1059.007	JavaScript	Execution	TTP
Jscript Execution Using Cscript App	T1059.007	JavaScript	Execution	TTP
MS Scripting Process Loading Ldap Module	T1059.007	JavaScript	Execution	Anomaly
MS Scripting Process Loading WMI Module	T1059.007	JavaScript	Execution	Anomaly
Non Chrome Process Accessing Chrome Default Dir	T1555.003	Credentials from Web Browsers	Credential Access	Anomaly
Non Firefox Process Access Firefox Profile Dir	T1555.003	Credentials from Web Browsers	Credential Access	Anomaly
Office Application Drop Executable	T1566.001	Spearphishing Attachment	Initial Access	TTP
Office Product Spawning Wmic	T1566.001	Spearphishing Attachment	Initial Access	TTP
XSL Script Execution With WMIC	T1220	XSL Script Processing	Defense Evasion	TTP

Kill Chain Phase

Exploitation

Reference

https://en.wikipedia.org/wiki/FIN7

https://threatpost.com/fin7-windows-11-release/169206/

https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded

version: 1

Hidden cobra malware

Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored cybercriminals. Details of this activity were reported in DHS Report TA-18-149A.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint, Network_Resolution, Network_Traffic
Last Updated: 2020-01-22
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Create or delete windows shares using net exe	T1070.005, T1071.004, T1048.003, T1071.002, T1021.001, T1021.002	Network Share Connection Removal, DNS, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, File Transfer Protocols, Remote Desktop Protocol, SMB/Windows Admin Shares	Defense Evasion, Command And Control, Exfiltration, Command And Control, Lateral Movement, Lateral Movement	TTP
DNS Query Length Outliers - MLTK	T1071.004	DNS	Command And Control	Anomaly
DNS Query Length With High Standard Deviation	T1048.003	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	Exfiltration	Anomaly
Detect Outbound SMB Traffic	T1071.002	File Transfer Protocols	Command And Control	TTP
Remote Desktop Network Traffic	T1021.001	Remote Desktop Protocol	Lateral Movement	Anomaly
Remote Desktop Process Running On System	T1021.001	Remote Desktop Protocol	Lateral Movement	Hunting
SMB Traffic Spike	T1021.002	SMB/Windows Admin Shares	Lateral Movement	Anomaly
SMB Traffic Spike - MLTK	T1021.002	SMB/Windows Admin Shares	Lateral Movement	Anomaly

Kill Chain Phase

Actions on Objectives

Command and Control

Reference

https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity

https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf

version: 2

Icedid

Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-07-29
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Account Discovery With Net App	T1087.002, T1562.001, T1059, T1055, T1204.002, T1548.002, T1112, T1560.001, T1218.005, T1482, T1566.001, T1547.001, T1218.011, T1053, T1005, T1218.010, T1590.005, T1027, T1053.005, T1021.002	Domain Account, Disable or Modify Tools, Command and Scripting Interpreter, Process Injection, Malicious File, Bypass User Account Control, Modify Registry, Archive via Utility, Mshta, Domain Trust Discovery, Spearphishing Attachment, Registry Run Keys / Startup Folder, Rundll32, Scheduled Task/Job, Data from Local System, Regsvr32, IP Addresses, Obfuscated Files or Information, Scheduled Task, SMB/Windows Admin Shares	Discovery, Defense Evasion, Execution, Defense Evasion, Privilege Escalation, Execution, Privilege Escalation, Defense Evasion, Defense Evasion, Collection, Defense Evasion, Discovery, Initial Access, Persistence, Privilege Escalation, Defense Evasion, Execution, Persistence, Privilege Escalation, Collection, Defense Evasion, Reconnaissance, Defense Evasion, Execution, Persistence, Privilege Escalation, Lateral Movement	TTP
CHCP Command Execution	T1059	Command and Scripting Interpreter	Execution	TTP
Create Remote Thread In Shell Application	T1055	Process Injection	Defense Evasion, Privilege Escalation	TTP
Drop IcedID License dat	T1204.002	Malicious File	Execution	Hunting
Eventvwr UAC Bypass	T1548.002	Bypass User Account Control	Privilege Escalation, Defense Evasion	TTP
FodHelper UAC Bypass	T1112, T1548.002	Modify Registry, Bypass User Account Control	Defense Evasion, Privilege Escalation, Defense Evasion	TTP
IcedID Exfiltrated Archived File Creation	T1560.001	Archive via Utility	Collection	Hunting
Mshta spawning Rundll32 OR Regsvr32 Process	T1218.005	Mshta	Defense Evasion	TTP
NLTest Domain Trust Discovery	T1482	Domain Trust Discovery	Discovery	TTP
Office Application Spawn Regsvr32 process	T1566.001	Spearphishing Attachment	Initial Access	TTP
Office Application Spawn rundll32 process	T1566.001	Spearphishing Attachment	Initial Access	TTP
Office Document Executing Macro Code	T1566.001	Spearphishing Attachment	Initial Access	TTP
Office Product Spawning MSHTA	T1566.001	Spearphishing Attachment	Initial Access	TTP
Registry Keys Used For Persistence	T1547.001	Registry Run Keys / Startup Folder	Persistence, Privilege Escalation	TTP
Rundll32 Create Remote Thread To A Process	T1055	Process Injection	Defense Evasion, Privilege Escalation	TTP
Rundll32 CreateRemoteThread In Browser	T1055	Process Injection	Defense Evasion, Privilege Escalation	TTP
Rundll32 DNSQuery	T1218.011	Rundll32	Defense Evasion	TTP
Rundll32 Process Creating Exe Dll Files	T1218.011	Rundll32	Defense Evasion	TTP
Schedule Task with Rundll32 Command Trigger	T1053	Scheduled Task/Job	Execution, Persistence, Privilege Escalation	TTP
Sqlite Module In Temp Folder	T1005	Data from Local System	Collection	TTP
Suspicious IcedID Regsvr32 Cmdline	T1218.010	Regsvr32	Defense Evasion	TTP
Suspicious IcedID Rundll32 Cmdline	T1218.011	Rundll32	Defense Evasion	TTP
Suspicious Rundll32 PluginInit	T1218.011	Rundll32	Defense Evasion	TTP
WinEvent Scheduled Task Created Within Public Path	T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation	TTP

Kill Chain Phase

Actions on Objectives

Exploitation

Privilege Escalation

Reconnaissance

Reference

https://threatpost.com/icedid-banking-trojan-surges-emotet/165314/

https://app.any.run/tasks/48414a33-3d66-4a46-afe5-c2003bb55ccf/

version: 1

Orangeworm attack group

Detect activities and various techniques associated with the Orangeworm Attack Group, a group that frequently targets the healthcare industry.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2020-01-22
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
First Time Seen Running Windows Service	T1569.002, T1055, T1106, T1569, T1574.011, T1543.003	Service Execution, Process Injection, Native API, System Services, Services Registry Permissions Weakness, Windows Service	Execution, Defense Evasion, Privilege Escalation, Execution, Execution, Persistence, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation	Anomaly
Sc exe Manipulating Windows Services	T1543.003	Windows Service	Persistence, Privilege Escalation	TTP

Kill Chain Phase

Actions on Objectives

Installation

Reference

https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia

https://www.infosecurity-magazine.com/news/healthcare-targeted-by-hacker/

version: 2

Ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware--spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, and system processes run from unexpected locations, and many others.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint, Network_Traffic
Last Updated: 2020-02-04
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
7zip CommandLine To SMB Share Path	T1560.001, T1562.007, T1548, T1489, T1490, T1218.003, T1070.004, T1485, T1204, T1020, T1087.002, T1087.001, T1482, T1069.002, T1069.001, T1562.001, T1070.001, T1531, T1569.002, T1059.005, T1070, T1222, T1491, T1574.002, T1027.005, T1546.015, T1048, T1592, T1547.001, T1047, T1112, T1021.002, T1053.005, T1036.003, T1071.001, T1218.007	Archive via Utility, Disable or Modify Cloud Firewall, Abuse Elevation Control Mechanism, Service Stop, Inhibit System Recovery, CMSTP, File Deletion, Data Destruction, User Execution, Automated Exfiltration, Domain Account, Local Account, Domain Trust Discovery, Domain Groups, Local Groups, Disable or Modify Tools, Clear Windows Event Logs, Account Access Removal, Service Execution, Visual Basic, Indicator Removal on Host, File and Directory Permissions Modification, Defacement, DLL Side-Loading, Indicator Removal from Tools, Component Object Model Hijacking, Exfiltration Over Alternative Protocol, Gather Victim Host Information, Registry Run Keys / Startup Folder, Windows Management Instrumentation, Modify Registry, SMB/Windows Admin Shares, Scheduled Task, Rename System Utilities, Web Protocols, Msiexec	Collection, Defense Evasion, Privilege Escalation, Defense Evasion, Impact, Impact, Defense Evasion, Defense Evasion, Impact, Execution, Exfiltration, Discovery, Discovery, Discovery, Discovery, Discovery, Defense Evasion, Defense Evasion, Impact, Execution, Execution, Defense Evasion, Defense Evasion, Impact, Persistence, Privilege Escalation, Defense Evasion, Defense Evasion, Privilege Escalation, Persistence, Exfiltration, Reconnaissance, Persistence, Privilege Escalation, Execution, Defense Evasion, Lateral Movement, Execution, Persistence, Privilege Escalation, Defense Evasion, Command And Control, Defense Evasion	Hunting
Allow File And Printing Sharing In Firewall	T1562.007	Disable or Modify Cloud Firewall	Defense Evasion	TTP
Allow Network Discovery In Firewall	T1562.007, T1490, T1562.001, T1491, T1574.002, T1204, T1112, T1218.003	Disable or Modify Cloud Firewall, Inhibit System Recovery, Disable or Modify Tools, Defacement, DLL Side-Loading, User Execution, Modify Registry, CMSTP	Defense Evasion, Impact, Defense Evasion, Impact, Persistence, Privilege Escalation, Defense Evasion, Execution, Defense Evasion, Defense Evasion	TTP
Allow Operation with Consent Admin	T1548	Abuse Elevation Control Mechanism	Privilege Escalation, Defense Evasion	TTP
Attempt To Disable Services	T1489	Service Stop	Impact	TTP
Attempt To delete Services	T1489	Service Stop	Impact	TTP
BCDEdit Failure Recovery Modification	T1490, T1485, T1482, T1021.001, T1486, T1059.003, T1053.005, T1562.001, T1489	Inhibit System Recovery, Data Destruction, Domain Trust Discovery, Remote Desktop Protocol, Data Encrypted for Impact, Windows Command Shell, Scheduled Task, Disable or Modify Tools, Service Stop	Impact, Impact, Discovery, Lateral Movement, Impact, Execution, Execution, Persistence, Privilege Escalation, Defense Evasion, Impact	TTP
CMLUA Or CMSTPLUA UAC Bypass	T1218.003	CMSTP	Defense Evasion	TTP
Clear Unallocated Sector Using Cipher App	T1070.004	File Deletion	Defense Evasion	TTP
Common Ransomware Extensions	T1485	Data Destruction	Impact	Hunting
Common Ransomware Notes	T1485	Data Destruction	Impact	Hunting
Conti Common Exec parameter	T1204	User Execution	Execution	TTP
Delete A Net User	T1489	Service Stop	Impact	Anomaly
Delete ShadowCopy With PowerShell	T1490	Inhibit System Recovery	Impact	TTP
Deleting Shadow Copies	T1490, T1070, T1070.001	Inhibit System Recovery, Indicator Removal on Host, Clear Windows Event Logs	Impact, Defense Evasion, Defense Evasion	TTP
Detect RClone Command-Line Usage	T1020	Automated Exfiltration	Exfiltration	TTP
Detect Renamed RClone	T1020	Automated Exfiltration	Exfiltration	Hunting
Detect SharpHound Command-Line Arguments	T1087.002, T1087.001, T1482, T1069.002, T1069.001	Domain Account, Local Account, Domain Trust Discovery, Domain Groups, Local Groups	Discovery, Discovery, Discovery, Discovery, Discovery	TTP
Detect SharpHound File Modifications	T1087.002, T1087.001, T1482, T1069.002, T1069.001	Domain Account, Local Account, Domain Trust Discovery, Domain Groups, Local Groups	Discovery, Discovery, Discovery, Discovery, Discovery	TTP
Detect SharpHound Usage	T1087.002, T1087.001, T1482, T1069.002, T1069.001	Domain Account, Local Account, Domain Trust Discovery, Domain Groups, Local Groups	Discovery, Discovery, Discovery, Discovery, Discovery	TTP
Disable AMSI Through Registry	T1562.001	Disable or Modify Tools	Defense Evasion	TTP
Disable ETW Through Registry	T1562.001	Disable or Modify Tools	Defense Evasion	TTP
Disable Logs Using WevtUtil	T1070.001	Clear Windows Event Logs	Defense Evasion	TTP
Disable Net User Account	T1489	Service Stop	Impact	TTP
Disable Windows Behavior Monitoring	T1562.001	Disable or Modify Tools	Defense Evasion	TTP
Excessive Service Stop Attempt	T1489	Service Stop	Impact	Anomaly
Excessive Usage Of Net App	T1531	Account Access Removal	Impact	Anomaly
Excessive Usage Of SC Service Utility	T1569.002	Service Execution	Execution	Anomaly
Execute Javascript With Jscript COM CLSID	T1059.005	Visual Basic	Execution	TTP
Fsutil Zeroing File	T1070	Indicator Removal on Host	Defense Evasion	TTP
ICACLS Grant Command	T1222	File and Directory Permissions Modification	Defense Evasion	TTP
Known Services Killed by Ransomware	T1490	Inhibit System Recovery	Impact	TTP
Modification Of Wallpaper	T1491	Defacement	Impact	TTP
Msmpeng Application DLL Side Loading	T1574.002	DLL Side-Loading	Persistence, Privilege Escalation, Defense Evasion	TTP
Permission Modification using Takeown App	T1222	File and Directory Permissions Modification	Defense Evasion	TTP
Powershell Disable Security Monitoring	T1562.001	Disable or Modify Tools	Defense Evasion	TTP
Powershell Enable SMB1Protocol Feature	T1027.005	Indicator Removal from Tools	Defense Evasion	TTP
Powershell Execute COM Object	T1546.015	Component Object Model Hijacking	Privilege Escalation, Persistence	TTP
Prevent Automatic Repair Mode using Bcdedit	T1490	Inhibit System Recovery	Impact	TTP
Prohibited Network Traffic Allowed	T1048	Exfiltration Over Alternative Protocol	Exfiltration	TTP
Recon AVProduct Through Pwh or WMI	T1592	Gather Victim Host Information	Reconnaissance	TTP
Recursive Delete of Directory In Batch CMD	T1070.004	File Deletion	Defense Evasion	TTP
Registry Keys Used For Persistence	T1547.001	Registry Run Keys / Startup Folder	Persistence, Privilege Escalation	TTP
Remote Process Instantiation via WMI	T1047	Windows Management Instrumentation	Execution	TTP
Resize Shadowstorage Volume	T1489	Service Stop	Impact	TTP
Revil Common Exec Parameter	T1204	User Execution	Execution	TTP
Revil Registry Entry	T1112	Modify Registry	Defense Evasion	TTP
SMB Traffic Spike	T1021.002	SMB/Windows Admin Shares	Lateral Movement	Anomaly
SMB Traffic Spike - MLTK	T1021.002	SMB/Windows Admin Shares	Lateral Movement	Anomaly
Schtasks used for forcing a reboot	T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation	TTP
Spike in File Writes				Anomaly
Start Up During Safe Mode Boot	T1547.001	Registry Run Keys / Startup Folder	Persistence, Privilege Escalation	TTP
Suspicious Event Log Service Behavior	T1070.001	Clear Windows Event Logs	Defense Evasion	TTP
Suspicious Scheduled Task from Public Directory	T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation	Anomaly
Suspicious wevtutil Usage	T1070.001	Clear Windows Event Logs	Defense Evasion	TTP
System Processes Run From Unexpected Locations	T1036.003	Rename System Utilities	Defense Evasion	TTP
TOR Traffic	T1071.001	Web Protocols	Command And Control	TTP
UAC Bypass With Colorui COM Object	T1218.003	CMSTP	Defense Evasion	TTP
USN Journal Deletion	T1070	Indicator Removal on Host	Defense Evasion	TTP
Uninstall App Using MsiExec	T1218.007	Msiexec	Defense Evasion	TTP
Unusually Long Command Line				Anomaly
Unusually Long Command Line - MLTK				Anomaly
WBAdmin Delete System Backups	T1490	Inhibit System Recovery	Impact	TTP
Wbemprox COM Object Execution	T1218.003	CMSTP	Defense Evasion	TTP
WevtUtil Usage To Clear Logs	T1070.001	Clear Windows Event Logs	Defense Evasion	TTP
Wevtutil Usage To Disable Logs	T1070.001	Clear Windows Event Logs	Defense Evasion	TTP
WinEvent Scheduled Task Created Within Public Path	T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation	TTP
WinEvent Scheduled Task Created to Spawn Shell	T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation	TTP
Windows Event Log Cleared	T1070.001	Clear Windows Event Logs	Defense Evasion	TTP

Kill Chain Phase

Actions on Objectives

Command and Control

Delivery

Exfiltration

Exploitation

Privilege Escalation

Reconnaissance

Reference

https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/

https://www.splunk.com/blog/2017/06/27/closing-the-detection-to-mitigation-gap-or-to-petya-or-notpetya-whocares-.html

version: 1

Ransomware cloud

Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches include cloud related objects that may be targeted by malicious actors via cloud providers own encryption features.

Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:
Last Updated: 2020-10-27
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
AWS Detect Users creating keys with encrypt policy without MFA	T1486	Data Encrypted for Impact	Impact	TTP
AWS Detect Users with KMS keys performing encryption S3	T1486	Data Encrypted for Impact	Impact	Anomaly

Kill Chain Phase

Reference

https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/

https://github.com/d1vious/git-wild-hunt

https://www.youtube.com/watch?v=PgzNib37g0M

version: 1

Remcos

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT trojan, including looking for file writes associated with its payload, screencapture, registry modification, UAC bypassed, persistence and data collection..

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-09-23
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Disabling Remote User Account Control	T1548.002, T1036, T1547.010, T1070, T1547.001, T1546.012, T1546.011, T1113, T1543	Bypass User Account Control, Masquerading, Port Monitors, Indicator Removal on Host, Registry Run Keys / Startup Folder, Image File Execution Options Injection, Application Shimming, Screen Capture, Create or Modify System Process	Privilege Escalation, Defense Evasion, Defense Evasion, Persistence, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Collection, Persistence, Privilege Escalation	TTP
Executables Or Script Creation In Suspicious Path	T1036	Masquerading	Defense Evasion	TTP
Process Deleting Its Process File Path	T1070	Indicator Removal on Host	Defense Evasion	TTP
Registry Keys Used For Persistence	T1547.001	Registry Run Keys / Startup Folder	Persistence, Privilege Escalation	TTP
Remcos RAT File Creation in Remcos Folder	T1113	Screen Capture	Collection	TTP
Suspicious Image Creation In Appdata Folder	T1113	Screen Capture	Collection	TTP
Suspicious Process File Path	T1543	Create or Modify System Process	Persistence, Privilege Escalation	TTP
Suspicious WAV file in Appdata Folder	T1113	Screen Capture	Collection	TTP

Kill Chain Phase

Actions on Objectives

Exploitation

Reference

https://success.trendmicro.com/solution/1123281-remcos-malware-information

https://attack.mitre.org/software/S0332/

https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos#:~:text=Remcos%20(acronym%20of%20Remote%20Control,used%20to%20remotely%20control%20computers.&text=Remcos%20can%20be%20used%20for,been%20used%20in%20hacking%20campaigns.

version: 1

Revil ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Revil ransomware, including looking for file writes associated with Revil, encrypting network shares, deleting shadow volume storage, registry key modification, deleting of security logs, and more.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-06-04
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Allow Network Discovery In Firewall	T1562.007, T1490, T1562.001, T1491, T1574.002, T1204, T1112, T1218.003	Disable or Modify Cloud Firewall, Inhibit System Recovery, Disable or Modify Tools, Defacement, DLL Side-Loading, User Execution, Modify Registry, CMSTP	Defense Evasion, Impact, Defense Evasion, Impact, Persistence, Privilege Escalation, Defense Evasion, Execution, Defense Evasion, Defense Evasion	TTP
Delete ShadowCopy With PowerShell	T1490	Inhibit System Recovery	Impact	TTP
Disable Windows Behavior Monitoring	T1562.001	Disable or Modify Tools	Defense Evasion	TTP
Modification Of Wallpaper	T1491	Defacement	Impact	TTP
Msmpeng Application DLL Side Loading	T1574.002	DLL Side-Loading	Persistence, Privilege Escalation, Defense Evasion	TTP
Powershell Disable Security Monitoring	T1562.001	Disable or Modify Tools	Defense Evasion	TTP
Revil Common Exec Parameter	T1204	User Execution	Execution	TTP
Revil Registry Entry	T1112	Modify Registry	Defense Evasion	TTP
Wbemprox COM Object Execution	T1218.003	CMSTP	Defense Evasion	TTP

Kill Chain Phase

Exploitation

Reference

https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/

version: 1

Ryuk ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, Stopping Security Access Manager, DisableAntiSpyware registry key modification, suspicious psexec use, and more.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint, Network_Traffic
Last Updated: 2020-11-06
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
BCDEdit Failure Recovery Modification	T1490, T1485, T1482, T1021.001, T1486, T1059.003, T1053.005, T1562.001, T1489	Inhibit System Recovery, Data Destruction, Domain Trust Discovery, Remote Desktop Protocol, Data Encrypted for Impact, Windows Command Shell, Scheduled Task, Disable or Modify Tools, Service Stop	Impact, Impact, Discovery, Lateral Movement, Impact, Execution, Execution, Persistence, Privilege Escalation, Defense Evasion, Impact	TTP
Common Ransomware Extensions	T1485	Data Destruction	Impact	Hunting
Common Ransomware Notes	T1485	Data Destruction	Impact	Hunting
NLTest Domain Trust Discovery	T1482	Domain Trust Discovery	Discovery	TTP
Remote Desktop Network Bruteforce	T1021.001	Remote Desktop Protocol	Lateral Movement	TTP
Remote Desktop Network Traffic	T1021.001	Remote Desktop Protocol	Lateral Movement	Anomaly
Ryuk Test Files Detected	T1486	Data Encrypted for Impact	Impact	TTP
Ryuk Wake on LAN Command	T1059.003	Windows Command Shell	Execution	TTP
Spike in File Writes				Anomaly
Suspicious Scheduled Task from Public Directory	T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation	Anomaly
WBAdmin Delete System Backups	T1490	Inhibit System Recovery	Impact	TTP
WinEvent Scheduled Task Created Within Public Path	T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation	TTP
WinEvent Scheduled Task Created to Spawn Shell	T1053.005	Scheduled Task	Execution, Persistence, Privilege Escalation	TTP
Windows DisableAntiSpyware Registry	T1562.001	Disable or Modify Tools	Defense Evasion	TTP
Windows Security Account Manager Stopped	T1489	Service Stop	Impact	TTP

Kill Chain Phase

Actions on Objectives

Delivery

Exploitation

Lateral Movement

Privilege Escalation

Reconnaissance

Reference

https://www.splunk.com/en_us/blog/security/detecting-ryuk-using-splunk-attack-range.html

https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

https://us-cert.cisa.gov/ncas/alerts/aa20-302a

version: 1

Samsam ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ransomware, including looking for file writes associated with SamSam, RDP brute force attacks, the presence of files with SamSam ransomware extensions, suspicious psexec use, and more.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint, Network_Traffic, Web
Last Updated: 2018-12-13
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Attacker Tools On Endpoint	T1036.005, T1595, T1003, T1489, T1204.002, T1485, T1531, T1490, T1222, T1021.002, T1569.002, T1082, T1016, T1562.001, T1105, T1087, T1036, T1059, T1117, T1202, T1053, T1203, T1072, T1021.001, T1218.011, T1486, T1543.003, T1543, T1036.003, T1190	Match Legitimate Name or Location, Active Scanning, OS Credential Dumping, Service Stop, Malicious File, Data Destruction, Account Access Removal, Inhibit System Recovery, File and Directory Permissions Modification, SMB/Windows Admin Shares, Service Execution, System Information Discovery, System Network Configuration Discovery, Disable or Modify Tools, Ingress Tool Transfer, Account Discovery, Masquerading, Command and Scripting Interpreter, Regsvr32, Indirect Command Execution, Scheduled Task/Job, Exploitation for Client Execution, Software Deployment Tools, Remote Desktop Protocol, Rundll32, Data Encrypted for Impact, Windows Service, Create or Modify System Process, Rename System Utilities, Exploit Public-Facing Application	Defense Evasion, Reconnaissance, Credential Access, Impact, Execution, Impact, Impact, Impact, Defense Evasion, Lateral Movement, Execution, Discovery, Discovery, Defense Evasion, Command And Control, Discovery, Defense Evasion, Execution, , Defense Evasion, Execution, Persistence, Privilege Escalation, Execution, Execution, Lateral Movement, Lateral Movement, Defense Evasion, Impact, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Defense Evasion, Initial Access	TTP
Batch File Write to System32	T1204.002	Malicious File	Execution	TTP
Common Ransomware Extensions	T1485	Data Destruction	Impact	Hunting
Common Ransomware Notes	T1485	Data Destruction	Impact	Hunting
Deleting Shadow Copies	T1490, T1070, T1070.001	Inhibit System Recovery, Indicator Removal on Host, Clear Windows Event Logs	Impact, Defense Evasion, Defense Evasion	TTP
Detect PsExec With accepteula Flag	T1021.002	SMB/Windows Admin Shares	Lateral Movement	TTP
Detect Renamed PSExec	T1569.002	Service Execution	Execution	Hunting
Detect attackers scanning for vulnerable JBoss servers	T1082	System Information Discovery	Discovery	TTP
Detect malicious requests to exploit JBoss servers				TTP
File with Samsam Extension				TTP
Remote Desktop Network Bruteforce	T1021.001	Remote Desktop Protocol	Lateral Movement	TTP
Remote Desktop Network Traffic	T1021.001	Remote Desktop Protocol	Lateral Movement	Anomaly
Samsam Test File Write	T1486	Data Encrypted for Impact	Impact	TTP
Spike in File Writes				Anomaly

Kill Chain Phase

Actions on Objectives

Command and Control

Delivery

Execution

Exploitation

Installation

Lateral Movement

Reconnaissance

Reference

https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/

https://nakedsecurity.sophos.com/2018/07/31/samsam-the-almost-6-million-ransomware/

https://thehackernews.com/2018/07/samsam-ransomware-attacks.html

version: 1

Trickbot

Leverage searches that allow you to detect and investigate unusual activities that might relate to the trickbot banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection even in LDAP environment.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-04-20
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Account Discovery With Net App	T1087.002, T1562.001, T1059, T1055, T1204.002, T1548.002, T1112, T1560.001, T1218.005, T1482, T1566.001, T1547.001, T1218.011, T1053, T1005, T1218.010, T1590.005, T1027, T1053.005, T1021.002	Domain Account, Disable or Modify Tools, Command and Scripting Interpreter, Process Injection, Malicious File, Bypass User Account Control, Modify Registry, Archive via Utility, Mshta, Domain Trust Discovery, Spearphishing Attachment, Registry Run Keys / Startup Folder, Rundll32, Scheduled Task/Job, Data from Local System, Regsvr32, IP Addresses, Obfuscated Files or Information, Scheduled Task, SMB/Windows Admin Shares	Discovery, Defense Evasion, Execution, Defense Evasion, Privilege Escalation, Execution, Privilege Escalation, Defense Evasion, Defense Evasion, Collection, Defense Evasion, Discovery, Initial Access, Persistence, Privilege Escalation, Defense Evasion, Execution, Persistence, Privilege Escalation, Collection, Defense Evasion, Reconnaissance, Defense Evasion, Execution, Persistence, Privilege Escalation, Lateral Movement	TTP
Attempt To Stop Security Service	T1562.001	Disable or Modify Tools	Defense Evasion	TTP
Cobalt Strike Named Pipes	T1055	Process Injection	Defense Evasion, Privilege Escalation	TTP
Mshta spawning Rundll32 OR Regsvr32 Process	T1218.005	Mshta	Defense Evasion	TTP
Office Application Spawn rundll32 process	T1566.001	Spearphishing Attachment	Initial Access	TTP
Office Document Executing Macro Code	T1566.001	Spearphishing Attachment	Initial Access	TTP
Office Product Spawn CMD Process	T1218.005	Mshta	Defense Evasion	TTP
Powershell Remote Thread To Known Windows Process	T1055	Process Injection	Defense Evasion, Privilege Escalation	TTP
Schedule Task with Rundll32 Command Trigger	T1053	Scheduled Task/Job	Execution, Persistence, Privilege Escalation	TTP
Suspicious Rundll32 StartW	T1218.011	Rundll32	Defense Evasion	TTP
Trickbot Named Pipe	T1055	Process Injection	Defense Evasion, Privilege Escalation	TTP
Wermgr Process Connecting To IP Check Web Services	T1590.005	IP Addresses	Reconnaissance	TTP
Wermgr Process Create Executable File	T1027	Obfuscated Files or Information	Defense Evasion	TTP
Wermgr Process Spawned CMD Or Powershell Process	T1059	Command and Scripting Interpreter	Execution	TTP
Write Executable in SMB Share	T1021.002	SMB/Windows Admin Shares	Lateral Movement	TTP

Kill Chain Phase

Actions on Objectives

Exploitation

Installation

Lateral Movement

Reconnaissance

Reference

https://en.wikipedia.org/wiki/Trickbot

https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/

version: 1

Unusual processes

Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2020-02-04
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Attacker Tools On Endpoint	T1036.005, T1595, T1003, T1489, T1204.002, T1485, T1531, T1490, T1222, T1021.002, T1569.002, T1082, T1016, T1562.001, T1105, T1087, T1036, T1059, T1117, T1202, T1053, T1203, T1072, T1021.001, T1218.011, T1486, T1543.003, T1543, T1036.003, T1190	Match Legitimate Name or Location, Active Scanning, OS Credential Dumping, Service Stop, Malicious File, Data Destruction, Account Access Removal, Inhibit System Recovery, File and Directory Permissions Modification, SMB/Windows Admin Shares, Service Execution, System Information Discovery, System Network Configuration Discovery, Disable or Modify Tools, Ingress Tool Transfer, Account Discovery, Masquerading, Command and Scripting Interpreter, Regsvr32, Indirect Command Execution, Scheduled Task/Job, Exploitation for Client Execution, Software Deployment Tools, Remote Desktop Protocol, Rundll32, Data Encrypted for Impact, Windows Service, Create or Modify System Process, Rename System Utilities, Exploit Public-Facing Application	Defense Evasion, Reconnaissance, Credential Access, Impact, Execution, Impact, Impact, Impact, Defense Evasion, Lateral Movement, Execution, Discovery, Discovery, Defense Evasion, Command And Control, Discovery, Defense Evasion, Execution, , Defense Evasion, Execution, Persistence, Privilege Escalation, Execution, Execution, Lateral Movement, Lateral Movement, Defense Evasion, Impact, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Defense Evasion, Initial Access	TTP
Credential Extraction indicative of FGDump and CacheDump with s option	T1003	OS Credential Dumping	Credential Access	TTP
Credential Extraction indicative of FGDump and CacheDump with v option	T1003	OS Credential Dumping	Credential Access	TTP
Credential Extraction indicative of use of Mimikatz modules	T1003	OS Credential Dumping	Credential Access	TTP
Credential Extraction native Microsoft debuggers peek into the kernel	T1003	OS Credential Dumping	Credential Access	TTP
Credential Extraction native Microsoft debuggers via z command line option	T1003	OS Credential Dumping	Credential Access	TTP
Detect Rare Executables				Anomaly
Detect processes used for System Network Configuration Discovery	T1016	System Network Configuration Discovery	Discovery	TTP
First time seen command line argument	T1059, T1117, T1202	Command and Scripting Interpreter, Regsvr32, Indirect Command Execution	Execution, , Defense Evasion	Anomaly
More than usual number of LOLBAS applications in short time period	T1059, T1053	Command and Scripting Interpreter, Scheduled Task/Job	Execution, Execution, Persistence, Privilege Escalation	Anomaly
Rare Parent-Child Process Relationship	T1203, T1059, T1053, T1072	Exploitation for Client Execution, Command and Scripting Interpreter, Scheduled Task/Job, Software Deployment Tools	Execution, Execution, Execution, Persistence, Privilege Escalation, Execution, Lateral Movement	Anomaly
RunDLL Loading DLL By Ordinal	T1218.011	Rundll32	Defense Evasion	TTP
System Processes Run From Unexpected Locations	T1036.003	Rename System Utilities	Defense Evasion	TTP
Unusually Long Command Line				Anomaly
Unusually Long Command Line				Anomaly
Unusually Long Command Line - MLTK				Anomaly
WinRM Spawning a Process	T1190	Exploit Public-Facing Application	Initial Access	TTP

Kill Chain Phase

Actions on Objectives

Command and Control

Denial of Service

Exploitation

Installation

Privilege Escalation

Reference

https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-two.html

https://www.splunk.com/pdfs/technical-briefs/advanced-threat-detection-and-response-tech-brief.pdf

https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262

version: 2

Windows file extension and association abuse

Detect and investigate suspected abuse of file extensions and Windows file associations. Some of the malicious behaviors involved may include inserting spaces before file extensions or prepending the file extension with a different one, among other techniques.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2018-01-26
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Execution of File with Multiple Extensions	T1036.003, T1127.001, T1218.011, T1127, T1036	Rename System Utilities, MSBuild, Rundll32, Trusted Developer Utilities Proxy Execution, Masquerading	Defense Evasion, Defense Evasion, Defense Evasion, Defense Evasion, Defense Evasion	TTP

Kill Chain Phase

Actions on Objectives

Reference

https://blog.malwarebytes.com/cybercrime/2013/12/file-extensions-2/

https://attack.mitre.org/wiki/Technique/T1042

version: 1

Windows service abuse

Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2017-11-02
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
First Time Seen Running Windows Service	T1569.002, T1055, T1106, T1569, T1574.011, T1543.003	Service Execution, Process Injection, Native API, System Services, Services Registry Permissions Weakness, Windows Service	Execution, Defense Evasion, Privilege Escalation, Execution, Execution, Persistence, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation	Anomaly
Illegal Service and Process Control via Mimikatz modules	T1055, T1106, T1569	Process Injection, Native API, System Services	Defense Evasion, Privilege Escalation, Execution, Execution	TTP
Illegal Service and Process Control via PowerSploit modules	T1055, T1106, T1569	Process Injection, Native API, System Services	Defense Evasion, Privilege Escalation, Execution, Execution	TTP
Reg exe Manipulating Windows Services Registry Keys	T1574.011	Services Registry Permissions Weakness	Persistence, Privilege Escalation, Defense Evasion	TTP
Sc exe Manipulating Windows Services	T1543.003	Windows Service	Persistence, Privilege Escalation	TTP

Kill Chain Phase

Actions on Objectives

Installation

Reference

https://attack.mitre.org/wiki/Technique/T1050

https://attack.mitre.org/wiki/Technique/T1031

version: 3

Xmrig

Leverage searches that allow you to detect and investigate unusual activities that might relate to the xmrig monero, including looking for file writes associated with its payload, process command-line, defense evasion (killing services, deleting users, modifying files or folder permission, killing other malware or other coin miner) and hacking tools including Telegram as mean of command and control (C2) to download other files. Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. (1) Servers and cloud-based (2) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2021-05-07
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Attacker Tools On Endpoint	T1036.005, T1595, T1003, T1489, T1204.002, T1485, T1531, T1490, T1222, T1021.002, T1569.002, T1082, T1016, T1562.001, T1105, T1087, T1036, T1059, T1117, T1202, T1053, T1203, T1072, T1021.001, T1218.011, T1486, T1543.003, T1543, T1036.003, T1190	Match Legitimate Name or Location, Active Scanning, OS Credential Dumping, Service Stop, Malicious File, Data Destruction, Account Access Removal, Inhibit System Recovery, File and Directory Permissions Modification, SMB/Windows Admin Shares, Service Execution, System Information Discovery, System Network Configuration Discovery, Disable or Modify Tools, Ingress Tool Transfer, Account Discovery, Masquerading, Command and Scripting Interpreter, Regsvr32, Indirect Command Execution, Scheduled Task/Job, Exploitation for Client Execution, Software Deployment Tools, Remote Desktop Protocol, Rundll32, Data Encrypted for Impact, Windows Service, Create or Modify System Process, Rename System Utilities, Exploit Public-Facing Application	Defense Evasion, Reconnaissance, Credential Access, Impact, Execution, Impact, Impact, Impact, Defense Evasion, Lateral Movement, Execution, Discovery, Discovery, Defense Evasion, Command And Control, Discovery, Defense Evasion, Execution, , Defense Evasion, Execution, Persistence, Privilege Escalation, Execution, Execution, Lateral Movement, Lateral Movement, Defense Evasion, Impact, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Defense Evasion, Initial Access	TTP
Attempt To Disable Services	T1489	Service Stop	Impact	TTP
Attempt To delete Services	T1489	Service Stop	Impact	TTP
Delete A Net User	T1489	Service Stop	Impact	Anomaly
Deleting Of Net Users	T1531	Account Access Removal	Impact	TTP
Deny Permission using Cacls Utility	T1222	File and Directory Permissions Modification	Defense Evasion	TTP
Disable Net User Account	T1489	Service Stop	Impact	TTP
Disable Windows App Hotkeys	T1562.001	Disable or Modify Tools	Defense Evasion	TTP
Disabling Net User Account	T1531	Account Access Removal	Impact	TTP
Download Files Using Telegram	T1105	Ingress Tool Transfer	Command And Control	TTP
Enumerate Users Local Group Using Telegram	T1087	Account Discovery	Discovery	TTP
Excessive Attempt To Disable Services	T1489	Service Stop	Impact	Anomaly
Excessive Service Stop Attempt	T1489	Service Stop	Impact	Anomaly
Excessive Usage Of Cacls App	T1222	File and Directory Permissions Modification	Defense Evasion	Anomaly
Excessive Usage Of Net App	T1531	Account Access Removal	Impact	Anomaly
Excessive Usage Of Taskkill	T1562.001	Disable or Modify Tools	Defense Evasion	Anomaly
Executables Or Script Creation In Suspicious Path	T1036	Masquerading	Defense Evasion	TTP
Grant Permission Using Cacls Utility	T1222	File and Directory Permissions Modification	Defense Evasion	TTP
Hide User Account From Sign-In Screen	T1562.001	Disable or Modify Tools	Defense Evasion	TTP
ICACLS Grant Command	T1222	File and Directory Permissions Modification	Defense Evasion	TTP
Icacls Deny Command	T1222	File and Directory Permissions Modification	Defense Evasion	TTP
Modify ACL permission To Files Or Folder	T1222	File and Directory Permissions Modification	Defense Evasion	TTP
Modify ACLs Permission Of Files Or Folders	T1222	File and Directory Permissions Modification	Defense Evasion	Anomaly
Process Kill Base On File Path	T1562.001	Disable or Modify Tools	Defense Evasion	TTP
Schtasks Run Task On Demand	T1053	Scheduled Task/Job	Execution, Persistence, Privilege Escalation	TTP
Suspicious Driver Loaded Path	T1543.003	Windows Service	Persistence, Privilege Escalation	TTP
Suspicious Process File Path	T1543	Create or Modify System Process	Persistence, Privilege Escalation	TTP
XMRIG Driver Loaded	T1543.003	Windows Service	Persistence, Privilege Escalation	TTP

Kill Chain Phase

Actions on Objectives

Command and Control

Exploitation

Installation

Reference

https://github.com/xmrig/xmrig

https://www.getmonero.org/resources/user-guides/mine-to-pool.html

https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/

https://blog.checkpoint.com/2021/03/11/february-2021s-most-wanted-malware-trickbot-takes-over-following-emotet-shutdown/

version: 1

Vulnerability

Apache struts vulnerability

Detect and investigate activities--such as unusually long `Content-Type` length, suspicious java classes and web servers executing suspicious processes--consistent with attempts to exploit Apache Struts vulnerabilities.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Endpoint
Last Updated: 2018-12-06
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Suspicious Java Classes				Anomaly
Unusually Long Content-Type Length				Anomaly
Web Servers Executing Suspicious Processes	T1082	System Information Discovery	Discovery	TTP

Kill Chain Phase

Actions on Objectives

Delivery

Exploitation

Reference

https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/v3.2/dev/rules/REQUEST-944-APPLICATION-ATTACK-JAVA.conf

version: 1

Jboss vulnerability

In March of 2016, adversaries were seen using JexBoss--an open-source utility used for testing and exploiting JBoss application servers. These searches help detect evidence of these attacks, such as network connections to external resources or web services spawning atypical child processes, among others.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel:Web
Last Updated: 2017-09-14
Use Case: Advanced Threat Detection

Detection Profile

name	ID	Technique	Tactic	Type
Detect attackers scanning for vulnerable JBoss servers	T1082	System Information Discovery	Discovery	TTP
Detect malicious requests to exploit JBoss servers				TTP

Kill Chain Phase

Delivery

Reconnaissance

Reference

http://www.deependresearch.org/2016/04/jboss-exploits-view-from-victim.html

version: 1

#############
# Automatically generated by doc_gen.py in https://github.com/splunk/security_content
# On Date: 2021-09-27 18:37:39.621200 UTC
# Author: Splunk Security Research
# Contact: research@splunk.com
#############

View analytic stories on the Splunk Security Content website

Related Answers

Splunk Security Content Analytic Story

Abuse

Brand monitoring

Detection Profile

Kill Chain Phase

Reference

Dns amplification attacks

Detection Profile

Kill Chain Phase

Reference

Data protection

Detection Profile

Kill Chain Phase

Reference

Netsh abuse

Detection Profile

Kill Chain Phase

Reference

Adversary Tactics

Active directory discovery

Detection Profile

Kill Chain Phase

Reference

Active directory password spraying

Detection Profile

Kill Chain Phase

Reference

Bits jobs

Detection Profile

Kill Chain Phase

Reference

Baron samedit cve-2021-3156

Detection Profile

Kill Chain Phase

Reference

Cobalt strike

Detection Profile

Kill Chain Phase

Reference

Collection and staging

Detection Profile

Kill Chain Phase

Reference

Command and control

Detection Profile

Kill Chain Phase

Reference

Credential dumping

Detection Profile

Kill Chain Phase

Reference

Dns hijacking

Detection Profile

Kill Chain Phase

Reference

Data exfiltration

Detection Profile

Kill Chain Phase

Reference

Deobfuscate-decode files or information

Detection Profile

Kill Chain Phase

Reference

Detect zerologon attack

Detection Profile

Kill Chain Phase

Reference

Disabling security tools

Detection Profile

Kill Chain Phase

Reference

Domain trust discovery

Detection Profile

Kill Chain Phase

Reference

F5 tmui rce cve-2020-5902

Detection Profile

Kill Chain Phase