Splunk® Security Content

Analytic Stories

This documentation does not apply to the most recent version of ESSOC.

Splunk Security Content Analytic Story


This page lists all the Analytic Stories shipped with the Splunk products named in each entry. Below is a breakdown by category.

Abuse

Brand monitoring

Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into interacting with malicious infrastructure. Monitor DNS, email, and web traffic for permutations of your brand name.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Email, Network_Resolution, Web
  • ATT&CK:
  • Last Updated: 2017-12-19

Dns amplification attacks

DNS poses a serious threat as a Denial of Service (DoS) amplifier if it responds to `ANY` queries. This Analytic Story can help you detect attackers who may be abusing your company's DNS infrastructure to launch amplification attacks, causing Denial of Service for other victims.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution
  • ATT&CK: T1498.002
  • Last Updated: 2016-09-13

Detection Profile


ATT&CK

ID | Technique | Tactic
T1498.002 | Reflection Amplification | Impact


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Data protection

Fortify your data-protection arsenal, while continuing to ensure data confidentiality and integrity, with searches that monitor for and help you investigate possible signs of data exfiltration.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change_Analysis, Network_Resolution
  • ATT&CK: T1189, T1071.001, T1048.003, T1048
  • Last Updated: 2017-09-14

Detection Profile


ATT&CK

ID | Technique | Tactic
T1189 | Drive-by Compromise | Initial Access
T1071.001 | Web Protocols | Command and Control
T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration
T1048 | Exfiltration Over Alternative Protocol | Exfiltration


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Installation


Reference


version: 1


Host redirection

Detect evidence of tactics used to redirect traffic from a host to a destination other than the one intended, potentially one that is part of an adversary's attack infrastructure. Examples include redirecting communications regarding patches and updates, or misleading users into visiting a malicious website.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration
T1071.004 | DNS | Command and Control
T1095 | Non-Application Layer Protocol | Command and Control
T1189 | Drive-by Compromise | Initial Access
T1048 | Exfiltration Over Alternative Protocol | Exfiltration
T1071.001 | Web Protocols | Command and Control


Kill Chain Phase

  • Command and Control


Reference


version: 1


Netsh abuse

Detect activities and various techniques associated with the abuse of `netsh.exe`, which can disable local firewall settings or set up a remote connection to a host from an infected system.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1562.004
  • Last Updated: 2017-01-05

Web fraud detection

Monitor your environment for activity consistent with common attack techniques bad actors use when attempting to compromise web servers or other web-related assets.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1136, T1078
  • Last Updated: 2018-10-08

Detection Profile


ATT&CK

ID | Technique | Tactic
T1136 | Create Account | Persistence
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1



Adversary Tactics

Baron samedit cve-2021-3156

Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability affects sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and prior). Because the vulnerable code was committed in July 2011, many distributions are affected. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1068
  • Last Updated: 2021-01-27

Detection Profile


ATT&CK

ID | Technique | Tactic
T1068 | Exploitation for Privilege Escalation | Privilege Escalation


Kill Chain Phase

  • Exploitation


Reference


version: 1


Cobalt strike

Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. More recently, Cobalt Strike has become the tool of choice for threat groups due to its ease of use and extensibility.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.011
  • Last Updated: 2021-02-16

Collection and staging

Monitor for and investigate activities, such as suspicious writes to the Windows Recycle Bin or email servers sending high amounts of traffic to specific hosts, that may indicate an adversary is harvesting and exfiltrating sensitive data.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic
  • ATT&CK: T1114.001, T1114.002, T1036
  • Last Updated: 2020-02-03

Detection Profile


ATT&CK

ID | Technique | Tactic
T1114.001 | Local Email Collection | Collection
T1114.002 | Remote Email Collection | Collection
T1036 | Masquerading | Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Command and control

Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate command and control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration
T1071.004 | DNS | Command and Control
T1095 | Non-Application Layer Protocol | Command and Control
T1189 | Drive-by Compromise | Initial Access
T1048 | Exfiltration Over Alternative Protocol | Exfiltration
T1071.001 | Web Protocols | Command and Control


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Delivery


Reference


version: 1


Common phishing frameworks

Detect DNS and web requests to fake websites generated by the EvilGinx2 toolkit. These websites are designed to fool unwitting users who have clicked on a malicious link in a phishing email.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution
  • ATT&CK: T1566.003
  • Last Updated: 2019-04-29

Detection Profile


ATT&CK

ID | Technique | Tactic
T1566.003 | Spearphishing via Service | Initial Access


Kill Chain Phase

  • Command and Control
  • Delivery


Reference


version: 1


Credential dumping

Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. Threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The searches included in this Analytic Story are designed to identify credential dumping attempts.


Dns hijacking

Secure your environment against DNS hijacks with searches that help you detect and investigate unauthorized changes to DNS records.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration
T1071.004 | DNS | Command and Control
T1095 | Non-Application Layer Protocol | Command and Control
T1189 | Drive-by Compromise | Initial Access
T1048 | Exfiltration Over Alternative Protocol | Exfiltration
T1071.001 | Web Protocols | Command and Control


Kill Chain Phase

  • Actions on Objectives
  • Command and Control


Reference


version: 1


Data exfiltration

The stealing of data by an adversary.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1041
  • Last Updated: 2020-10-21

Detection Profile


ATT&CK

ID | Technique | Tactic
T1041 | Exfiltration Over C2 Channel | Exfiltration


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Detect zerologon attack

Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein attackers target a Microsoft Windows Domain Controller to reset its computer account password. As a result of this attack, attackers can grant themselves high privileges and take over the Domain Controller. The searches included in this Analytic Story are designed to identify attempts to reset the Domain Controller computer account, either remotely via exploit code or via the use of the Mimikatz tool as a payload carrier.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1210, T1003.001, T1190
  • Last Updated: 2020-09-18

Detection Profile


ATT&CK

ID | Technique | Tactic
T1210 | Exploitation of Remote Services | Lateral Movement
T1003.001 | LSASS Memory | Credential Access
T1190 | Exploit Public-Facing Application | Initial Access


Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 1


Disabling security tools

Looks for activities and techniques associated with the disabling of security tools on a Windows system, such as suspicious `reg.exe` processes, processes launching netsh, and many others.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1553.004 | Install Root Certificate | Defense Evasion
T1562.001 | Disable or Modify Tools | Defense Evasion
T1562.004 | Disable or Modify System Firewall | Defense Evasion
T1543.003 | Windows Service | Persistence, Privilege Escalation
T1112 | Modify Registry | Defense Evasion


Kill Chain Phase

  • Actions on Objectives
  • Installation


Reference


version: 2


F5 tmui rce cve-2020-5902

Uncover activity consistent with CVE-2020-5902. Discovered by Positive Technologies researchers, this vulnerability affects F5 BIG-IP, BIG-IQ, and Traffix SDC devices (vulnerable versions are listed in the F5 support link below). It allows unauthenticated users, as well as authenticated users who have access to the configuration utility, to execute system commands, create or delete files, disable services, and/or execute Java code, and can result in full system compromise.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1190
  • Last Updated: 2020-08-02

Lateral movement

Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic
  • ATT&CK: T1550.002, T1558.003, T1021.001, T1053.005
  • Last Updated: 2020-02-04

Detection Profile


ATT&CK

ID | Technique | Tactic
T1550.002 | Pass the Hash | Defense Evasion, Lateral Movement
T1558.003 | Kerberoasting | Credential Access
T1021.001 | Remote Desktop Protocol | Lateral Movement
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Reference


version: 2


Malicious powershell

Attackers are finding stealthy ways to "live off the land," leveraging utilities and tools that come standard on the endpoint, such as PowerShell, to achieve their goals without downloading binary files. These searches can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1059.001, T1027
  • Last Updated: 2017-08-23

Phishing payloads

Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1566.001, T1566.002
  • Last Updated: 2019-04-29

Detection Profile


ATT&CK

ID | Technique | Tactic
T1566.001 | Spearphishing Attachment | Initial Access
T1566.002 | Spearphishing Link | Initial Access


Kill Chain Phase

  • Actions on Objectives
  • Installation


Reference


version: 1


Possible backdoor activity associated with mudcarp espionage campaigns

Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1059.001, T1059.003, T1547.001
  • Last Updated: 2020-01-22

Detection Profile


ATT&CK

ID | Technique | Tactic
T1059.001 | PowerShell | Execution
T1059.003 | Windows Command Shell | Execution
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives
  • Command and Control


Reference


version: 1


Sql injection

Use the searches in this Analytic Story to help you detect structured query language (SQL) injection attempts characterized by long URLs that contain malicious parameters.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Web
  • ATT&CK: T1190
  • Last Updated: 2017-09-19

Detection Profile


ATT&CK

ID | Technique | Tactic
T1190 | Exploit Public-Facing Application | Initial Access


Kill Chain Phase

  • Delivery


Reference


version: 1


Sunburst malware

Sunburst is a trojanized update to the SolarWinds Orion IT monitoring and management software. It was discovered by FireEye in December 2020. The actors behind this campaign gained access to numerous public and private organizations around the world.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1071.002 | File Transfer Protocols | Command and Control
T1059.003 | Windows Command Shell | Execution
T1569.002 | Service Execution | Execution
T1027 | Obfuscated Files or Information | Defense Evasion
T1543.003 | Windows Service | Persistence, Privilege Escalation
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation
T1203 | Exploitation for Client Execution | Execution
T1505.003 | Web Shell | Persistence
T1071.001 | Web Protocols | Command and Control
T1018 | Remote System Discovery | Discovery


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Exfiltration
  • Exploitation
  • Installation


Reference


version: 1


Suspicious command-line executions

Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques, and one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1059.003, T1068, T1059.001, T1036.003
  • Last Updated: 2020-02-03

Detection Profile


ATT&CK

ID | Technique | Tactic
T1059.003 | Windows Command Shell | Execution
T1068 | Exploitation for Privilege Escalation | Privilege Escalation
T1059.001 | PowerShell | Execution
T1036.003 | Rename System Utilities | Defense Evasion


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Exploitation


Reference


version: 2


Suspicious compiled html activity

Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.001
  • Last Updated: 2021-02-11

Suspicious dns traffic

Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). You can thwart attempts to manipulate this omnipresent protocol by monitoring for these types of abuses.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration
T1071.004 | DNS | Command and Control
T1095 | Non-Application Layer Protocol | Command and Control
T1189 | Drive-by Compromise | Initial Access
T1048 | Exfiltration Over Alternative Protocol | Exfiltration
T1071.001 | Web Protocols | Command and Control


Kill Chain Phase

  • Actions on Objectives
  • Command and Control


Reference


version: 1


Suspicious emails

Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Email, UEBA
  • ATT&CK: T1566, T1566.001
  • Last Updated: 2020-01-27

Detection Profile


ATT&CK

ID | Technique | Tactic
T1566 | Phishing | Initial Access
T1566.001 | Spearphishing Attachment | Initial Access


Kill Chain Phase

  • Delivery


Reference


version: 1


Suspicious mshta activity

Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.005, T1059.003, T1547.001
  • Last Updated: 2021-01-20

Suspicious okta activity

Monitor your Okta environment for suspicious activities. Due to the Covid outbreak, many users are migrating over to leverage cloud services more and more. Okta is a popular tool to manage multiple users and the web-based applications they need to stay productive. The searches in this story will help monitor your Okta environment for suspicious activities and associated user behaviors.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.001
  • Last Updated: 2020-04-02

Suspicious regsvcs regasm activity

Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.009
  • Last Updated: 2021-02-11

Suspicious regsvr32 activity

Monitor and detect techniques used by attackers who leverage the regsvr32.exe process to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.010
  • Last Updated: 2021-01-29

Suspicious rundll32 activity

Monitor and detect techniques used by attackers who leverage rundll32.exe to execute arbitrary malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.011, T1003.001, T1036.003
  • Last Updated: 2021-02-03

Suspicious wmi use

Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1047, T1546.003
  • Last Updated: 2018-10-23

Suspicious windows registry activities

Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1548.002 | Bypass User Account Control | Defense Evasion, Privilege Escalation
T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion
T1547.010 | Port Monitors | Persistence, Privilege Escalation
T1564.001 | Hidden Files and Directories | Defense Evasion
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation
T1546.012 | Image File Execution Options Injection | Persistence, Privilege Escalation
T1546.011 | Application Shimming | Persistence, Privilege Escalation
T1546.001 | Change Default File Association | Persistence, Privilege Escalation
T1112 | Modify Registry | Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Suspicious zoom child processes

Attackers are using Zoom as a vector to escalate privileges on a system. This story detects new child processes of Zoom and provides investigative actions for this detection.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1059.003, T1068, T1059.001, T1036.003
  • Last Updated: 2020-04-13

Detection Profile


ATT&CK

ID | Technique | Tactic
T1059.003 | Windows Command Shell | Execution
T1068 | Exploitation for Privilege Escalation | Privilege Escalation
T1059.001 | PowerShell | Execution
T1036.003 | Rename System Utilities | Defense Evasion


Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 1


Trusted developer utilities proxy execution

Monitor and detect behaviors used by attackers who leverage trusted developer utilities to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1127, T1036.003
  • Last Updated: 2021-01-12

Detection Profile


ATT&CK

ID | Technique | Tactic
T1127 | Trusted Developer Utilities Proxy Execution | Defense Evasion
T1036.003 | Rename System Utilities | Defense Evasion


Kill Chain Phase

  • Exploitation


Reference


version: 1


Trusted developer utilities proxy execution msbuild

Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1127.001, T1036.003
  • Last Updated: 2021-01-21

Windows dns sigred cve-2020-1350

Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Check Point researchers, this vulnerability affects Windows 2003 to 2019 and is triggered by a malicious DNS response (it only affects DNS over TCP). An attacker can use the malicious payload to cause a buffer overflow on the vulnerable system, leading to compromise. The searches included in this Analytic Story are designed to identify the large response payloads for SIG and KEY DNS records that can be used for the exploit.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution
  • ATT&CK: T1203
  • Last Updated: 2020-07-28

Windows defense evasion tactics

Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg.exe` processes, files hidden with `attrib.exe`, and disabling User Account Control, among many others.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1548.002 | Bypass User Account Control | Defense Evasion, Privilege Escalation
T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion
T1547.010 | Port Monitors | Persistence, Privilege Escalation
T1564.001 | Hidden Files and Directories | Defense Evasion
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation
T1546.012 | Image File Execution Options Injection | Persistence, Privilege Escalation
T1546.011 | Application Shimming | Persistence, Privilege Escalation
T1546.001 | Change Default File Association | Persistence, Privilege Escalation
T1112 | Modify Registry | Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Windows log manipulation

Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monitor for suspicious activity surrounding log files, an essential component of an effective defense.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1490, T1070.001, T1070
  • Last Updated: 2017-09-12

Detection Profile


ATT&CK

ID | Technique | Tactic
T1490 | Inhibit System Recovery | Impact
T1070.001 | Clear Windows Event Logs | Defense Evasion
T1070 | Indicator Removal on Host | Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Reference


version: 2


Windows persistence techniques

Monitor for activities and techniques associated with maintaining persistence on a Windows system, a sign that an adversary may have compromised your environment.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1574.009 | Path Interception by Unquoted Path | Defense Evasion, Persistence, Privilege Escalation
T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion
T1547.010 | Port Monitors | Persistence, Privilege Escalation
T1574.011 | Services Registry Permissions Weakness | Defense Evasion, Persistence, Privilege Escalation
T1564.001 | Hidden Files and Directories | Defense Evasion
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation
T1546.011 | Application Shimming | Persistence, Privilege Escalation
T1543.003 | Windows Service | Persistence, Privilege Escalation
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives
  • Installation


Reference


version: 2


Windows privilege escalation

Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1068, T1546.008, T1546.012, T1204.002
  • Last Updated: 2020-02-04

Detection Profile


ATT&CK

ID | Technique | Tactic
T1068 | Exploitation for Privilege Escalation | Privilege Escalation
T1546.008 | Accessibility Features | Persistence, Privilege Escalation
T1546.012 | Image File Execution Options Injection | Persistence, Privilege Escalation
T1204.002 | Malicious File | Execution


Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 2



Best Practices

Asset tracking

Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/unmanaged devices could be an indication of malicious behavior that should be investigated further.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Sessions
  • ATT&CK:
  • Last Updated: 2017-09-13

Detection Profile



Kill Chain Phase

  • Actions on Objectives
  • Delivery
  • Reconnaissance


Reference


version: 1


Monitor backup solution

Address common concerns when monitoring your backup processes. These searches can help you reduce risks from ransomware, device theft, or denial of physical access to a host by backing up data on endpoints.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2017-09-12

Monitor for unauthorized software

Identify and investigate prohibited/unauthorized software or processes that may be concealing malicious behavior within your environment.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK:
  • Last Updated: 2017-09-15

Detection Profile



Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Installation


Reference


version: 1


Monitor for updates

Monitor your enterprise to ensure that your endpoints are being patched and updated. Adversaries notoriously exploit known vulnerabilities that could be mitigated by applying routine security patches.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Updates
  • ATT&CK:
  • Last Updated: 2017-09-15

Detection Profile



Kill Chain Phase

Reference


version: 1


Prohibited traffic allowed or protocol mismatch

Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution, Network_Traffic
  • ATT&CK: T1189, T1071.001, T1048.003, T1048
  • Last Updated: 2017-09-11

Detection Profile


ATT&CK

ID | Technique | Tactic
T1189 | Drive-by Compromise | Initial Access
T1071.001 | Web Protocols | Command and Control
T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration
T1048 | Exfiltration Over Alternative Protocol | Exfiltration


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Delivery


Reference


version: 1


Router and infrastructure security

Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. Core routing and switching infrastructure are common strategic targets for attackers.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1200 | Hardware Additions | Initial Access
T1498 | Network Denial of Service | Impact
T1557.002 | ARP Cache Poisoning | Collection, Credential Access
T1557 | Man-in-the-Middle | Collection, Credential Access
T1542.005 | TFTP Boot | Defense Evasion, Persistence
T1020.001 | Traffic Duplication | Exfiltration


Kill Chain Phase

  • Actions on Objectives
  • Delivery
  • Exploitation
  • Reconnaissance


Reference


version: 1


Use of cleartext protocols

Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Traffic
  • ATT&CK:
  • Last Updated: 2017-09-15

Detection Profile



Kill Chain Phase

  • Actions on Objectives
  • Reconnaissance


Reference


version: 1



Cloud Security

Aws cross account activity

Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078, T1550
  • Last Updated: 2018-06-04

Detection Profile


ATT&CK

ID | Technique | Tactic
T1078 | Valid Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1550 | Use Alternate Authentication Material | Defense Evasion, Lateral Movement


Kill Chain Phase

  • Lateral Movement


Reference


version: 1


Aws cryptomining

Monitor your AWS EC2 instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or EC2 instances started by previously unseen users are just a few examples of potentially malicious behavior.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.004, T1535
  • Last Updated: 2018-03-08

Detection Profile


ATT&CK

ID | Technique | Tactic
T1078.004 | Cloud Accounts | Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1535 | Unused/Unsupported Cloud Regions | Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Aws network acl activity

Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches help you probe deeper, when the facts warrant it.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1562.007
  • Last Updated: 2018-05-21

Aws security hub alerts

This story focuses on detecting Security Hub alerts generated by AWS.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-08-04

Aws suspicious provisioning activities

Monitor your AWS provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your network.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1535
  • Last Updated: 2018-03-16

Aws user monitoring

Detect and investigate dormant user accounts for your AWS environment that have become active again. Because inactive and ad-hoc accounts are common attack targets, it's critical to enable governance within your environment.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.004
  • Last Updated: 2018-03-12

Cloud cryptomining

Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users are just a few examples of potentially malicious behavior.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078.004, T1535
  • Last Updated: 2019-10-02

Detection Profile


ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1535 Unused/Unsupported Cloud Regions Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Cloud federated credential abuse

This Analytic Story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktops or servers, especially servers that provide federation services such as Windows Active Directory Federation Services (AD FS). Identity federation relies on objects such as OAuth2 tokens, cookies or SAML assertions to provide seamless access between cloud and on-premises environments. If these objects are hijacked or forged, attackers can pivot into the victim's cloud environment.

Detection Profile


ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1003.001 LSASS Memory Credential Access
T1136.003 Cloud Account Persistence
T1556 Modify Authentication Process Credential Access, Defense Evasion
T1546.012 Image File Execution Options Injection Persistence, Privilege Escalation
T1204.002 Malicious File Execution


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Installation


Reference


version: 1


Container implantation monitoring and investigation

Use the searches in this story to monitor your Kubernetes registry repositories for the upload and deployment of potentially vulnerable, backdoored, or implanted containers. These searches provide information on source users, destination paths, container names and repository names, and give context for MITRE ATT&CK T1525, which covers the implantation of a container image into a company's repository, for example Amazon Elastic Container Registry, Google Container Registry or Azure Container Registry.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1525
  • Last Updated: 2020-02-20

Detection Profile


ATT&CK

ID Technique Tactic
T1525 Implant Container Image Persistence


Kill Chain Phase

Reference


version: 1


Gcp cross account activity

Track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078
  • Last Updated: 2020-09-01

Detection Profile


ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Lateral Movement


Reference


version: 1


Kubernetes scanning activity

This story addresses detection of fingerprinting scans and attacks against Kubernetes clusters, providing information on items such as source IP, user agent and cluster name.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1526
  • Last Updated: 2020-04-15

Kubernetes sensitive object access activity

This story addresses detection and response for accounts accessing sensitive Kubernetes cluster objects such as ConfigMaps or Secrets, providing information on items such as user, group, object, namespace and authorization reason.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-05-20
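
The fields this story surfaces (user, group, object, namespace, authorization reason) all live in the kube-apiserver audit log. The following is an added example, not a Splunk search and not part of Splunk Security Content: it reads audit events written in the audit.k8s.io/v1 format, keeps reads of Secrets and ConfigMaps by anything other than a hypothetical allow-list of control-plane identities, and carries the RBAC decision and reason annotations through so an analyst can see why the request was allowed or denied. The audit records are constructed for the example.

```python
"""Flag reads of sensitive Kubernetes objects (Secrets, ConfigMaps) in the
kube-apiserver audit log and surface who did it, from where, and why RBAC
allowed or denied it.

Added illustration, not part of Splunk Security Content. The audit records
are constructed in the shape of audit.k8s.io/v1 Event objects (one JSON
document per line, as kube-apiserver writes them); the trusted-identity list
is a made-up allow-list for a hypothetical cluster.
"""
import json
from typing import Dict, Iterable, List

SENSITIVE_RESOURCES = {"secrets", "configmaps"}
READ_VERBS = {"get", "list", "watch"}

# Hypothetical allow-list: control-plane identities expected to read these objects.
TRUSTED_USERS = {
    "system:kube-controller-manager",
    "system:serviceaccount:kube-system:generic-garbage-collector",
}

# Constructed sample: a developer reading a production Secret, a control-plane
# controller listing Secrets, an unrelated Pod read, and a workload service
# account that was denied when it tried to list ConfigMaps.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","requestReceivedTimestamp":"2020-05-20T08:01:12.000000Z","verb":"get","user":{"username":"alice","groups":["developers","system:authenticated"]},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-credentials"},"sourceIPs":["10.0.4.12"],"userAgent":"kubectl/v1.18.2","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \\"dev-admin\\" of ClusterRole \\"cluster-admin\\" to Group \\"developers\\""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","requestReceivedTimestamp":"2020-05-20T08:01:15.000000Z","verb":"list","user":{"username":"system:serviceaccount:kube-system:generic-garbage-collector","groups":["system:serviceaccounts","system:authenticated"]},"objectRef":{"resource":"secrets","namespace":"kube-system"},"sourceIPs":["10.0.0.1"],"userAgent":"kube-controller-manager/v1.18.2","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \\"system:controller:generic-garbage-collector\\" of ClusterRole \\"system:controller:generic-garbage-collector\\" to ServiceAccount \\"generic-garbage-collector/kube-system\\""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","requestReceivedTimestamp":"2020-05-20T08:02:40.000000Z","verb":"get","user":{"username":"bob","groups":["system:authenticated"]},"objectRef":{"resource":"pods","namespace":"prod","name":"web-1"},"sourceIPs":["10.0.4.20"],"userAgent":"kubectl/v1.18.2","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \\"pod-reader\\" of Role \\"pod-reader\\" to User \\"bob\\""}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","requestReceivedTimestamp":"2020-05-20T08:03:05.000000Z","verb":"list","user":{"username":"system:serviceaccount:prod:web","groups":["system:serviceaccounts","system:authenticated"]},"objectRef":{"resource":"configmaps","namespace":"prod"},"sourceIPs":["10.0.4.33"],"userAgent":"Go-http-client/2.0","annotations":{"authorization.k8s.io/decision":"forbid","authorization.k8s.io/reason":""}}
"""


def sensitive_object_access(lines: Iterable[str]) -> List[Dict]:
    """Return one finding per read of a sensitive object by a non-trusted identity.

    Denied requests are kept on purpose: a workload probing for Secrets it
    cannot read is exactly the kind of event the story wants surfaced.
    """
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        ref = event.get("objectRef") or {}
        verb = event.get("verb", "")
        if ref.get("resource") not in SENSITIVE_RESOURCES or verb not in READ_VERBS:
            continue
        user = event.get("user", {})
        if user.get("username") in TRUSTED_USERS:
            continue
        annotations = event.get("annotations", {})
        findings.append({
            "time": event.get("requestReceivedTimestamp"),
            "user": user.get("username", ""),
            "groups": user.get("groups", []),
            "verb": verb,
            "resource": ref.get("resource"),
            "namespace": ref.get("namespace", ""),
            "object": ref.get("name", ""),  # empty for list/watch on a whole collection
            "src_ip": (event.get("sourceIPs") or [""])[0],
            "user_agent": event.get("userAgent", ""),
            "decision": annotations.get("authorization.k8s.io/decision", ""),
            "reason": annotations.get("authorization.k8s.io/reason", ""),
        })
    return findings


if __name__ == "__main__":
    for f in sensitive_object_access(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"{f['decision']:6} {f['user']} {f['verb']} {f['resource']}/{f['object'] or '*'} "
              f"in {f['namespace']} from {f['src_ip']}  ({f['reason'] or 'no reason recorded'})")
```

On the constructed input this yields two findings: the developer's allowed read of the production Secret (with the ClusterRoleBinding that granted it in the reason field) and the workload's denied attempt to list ConfigMaps. The controller's read is suppressed by the allow-list, and the Pod read is out of scope. In production the allow-list should be derived from the cluster's own RBAC bindings rather than typed by hand.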

Kubernetes sensitive role activity

This story addresses detection and response around sensitive role usage within a Kubernetes cluster against cluster resources and namespaces.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-05-20

Office 365 detections

This story is focused on detecting attacks against Office 365.

Detection Profile


ATT&CK

ID Technique Tactic
T1110.001 Password Guessing Credential Access
T1136.003 Cloud Account Persistence
T1562.007 Disable or Modify Cloud Firewall Defense Evasion
T1556 Modify Authentication Process Credential Access, Defense Evasion
T1110 Brute Force Credential Access
T1114 Email Collection Collection
T1114.003 Email Forwarding Rule Collection
T1114.002 Remote Email Collection Collection


Kill Chain Phase

  • Actions on Objectives
  • Not Applicable


Reference


version: 1
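
The Email Forwarding Rule technique (T1114.003) in the table above is detected from Exchange admin-audit entries in the Office 365 Unified Audit Log. The following is an added example, not a Splunk search and not part of Splunk Security Content: it inspects New-InboxRule, Set-InboxRule and Set-Mailbox records, extracts every forwarding destination from the parameters that can carry one, and reports the changes whose destination falls outside a hypothetical set of tenant-owned domains. The records and the domain list are constructed for the example.

```python
"""Flag Exchange Online changes that forward a mailbox's mail outside the
tenant (ATT&CK T1114.003), the email-forwarding signal in the Office 365 story.

Added illustration, not part of Splunk Security Content. The records are
constructed in the shape of Exchange admin-audit entries from the Office 365
Unified Audit Log (Operation, UserId, ClientIP and a Parameters list of
Name/Value pairs); the tenant domain list is a made-up assumption.
"""
import re
from typing import Dict, Iterable, List

# Hypothetical: SMTP domains the tenant owns. Anything else is external.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# Cmdlets that can make mail leave a mailbox automatically, and the parameters
# that carry the destination (inbox-rule level and mailbox level).
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

# Exchange logs recipients as "Display Name [SMTP:addr]" or "smtp:addr"; this
# pulls the bare address out of either form, and out of ';'-separated lists.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.I)

SAMPLE_AUDIT_RECORDS = [  # constructed
    {"Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "alice@example.com",
     "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "."},   # one-character rule names are a classic tell
                    {"Name": "ForwardTo", "Value": "Attacker [SMTP:attacker@mail.invalid]"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "Workload": "Exchange", "UserId": "bob@example.com",
     "ClientIP": "10.1.2.3",
     "Parameters": [{"Name": "Name", "Value": "to team"},
                    {"Name": "ForwardTo",
                     "Value": "Team [SMTP:team@corp.example.com];Lead [SMTP:lead@example.com]"}]},
    {"Operation": "Set-Mailbox", "Workload": "Exchange", "UserId": "admin@example.com",
     "ClientIP": "10.1.2.9",
     "Parameters": [{"Name": "Identity", "Value": "carol"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.personal@mail.invalid"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "MailItemsAccessed", "Workload": "Exchange", "UserId": "bob@example.com",
     "ClientIP": "10.1.2.3", "Parameters": []},
]


def recipients(value: str) -> List[str]:
    """Bare, lower-cased SMTP addresses found in a parameter value."""
    return [addr.lower() for addr in EMAIL_RE.findall(value)]


def external_forwarding(records: Iterable[Dict]) -> List[Dict]:
    """One finding per forwarding change whose destination is not a tenant domain."""
    findings = []
    for rec in records:
        if rec.get("Workload") != "Exchange" or rec.get("Operation") not in FORWARDING_OPERATIONS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
        external = sorted({addr for name, value in params.items() if name in FORWARDING_PARAMS
                           for addr in recipients(value)
                           if addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS})
        if not external:
            continue
        findings.append({
            "user": rec.get("UserId"),
            "operation": rec["Operation"],
            "client_ip": rec.get("ClientIP"),
            # inbox rules carry Name; Set-Mailbox identifies the target mailbox instead
            "target": params.get("Name") or params.get("Identity", ""),
            "external_recipients": external,
            # forwarding plus deletion hides the copies from the mailbox owner
            "deletes_original": params.get("DeleteMessage", "").lower() == "true",
        })
    return findings


if __name__ == "__main__":
    for f in external_forwarding(SAMPLE_AUDIT_RECORDS):
        print(f"{f['user']} {f['operation']} target={f['target']!r} -> "
              f"{', '.join(f['external_recipients'])} from {f['client_ip']}"
              f"{' (deletes original)' if f['deletes_original'] else ''}")
```

Two of the four constructed records are reported: the user-created rule that forwards to an external address and deletes the original, and the admin-level Set-Mailbox forwarding change. Bob's rule forwards only to tenant domains and the MailItemsAccessed event is not a forwarding operation, so neither appears. Admin-initiated forwarding is worth keeping in scope: a compromised admin account sets it once and no per-user rule ever shows up.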


Suspicious aws ec2 activities

Use the searches in this Analytic Story to monitor your AWS EC2 instances for evidence of anomalous activity and suspicious behaviors, such as EC2 instances that originate from unusual locations or those launched by previously unseen users (among others). Included investigative searches will help you probe more deeply, when the information warrants it.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.004, T1535
  • Last Updated: 2018-02-09

Detection Profile


ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1535 Unused/Unsupported Cloud Regions Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1
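
The AWS cryptomining, Cloud cryptomining and Suspicious AWS EC2 stories all describe the same three signals over CloudTrail RunInstances events: a region never used before, a caller never seen before, and a caller launching an abnormal number of instances. The following is an added example, not a Splunk search and not part of Splunk Security Content: it learns a baseline from historical RunInstances events and scores newer ones against it. The events are constructed in the shape of CloudTrail records, and the baseline split and spike thresholds are assumptions.

```python
"""Learn what "normal" EC2 provisioning looks like from CloudTrail and flag the
anomalies the cryptomining and suspicious-EC2 stories describe.

Added illustration, not part of Splunk Security Content. The events are
constructed in the shape of CloudTrail RunInstances records; the baseline
split and the spike thresholds are made-up assumptions.
"""
from collections import Counter, defaultdict
from datetime import date, datetime
from typing import Dict, Iterable, List, Optional

SPIKE_FACTOR = 3          # hypothetical: a day is a spike if > 3x the caller's historic daily max
MIN_SPIKE_INSTANCES = 10  # ...and at least this many instances were launched that day


def caller_of(event: Dict) -> str:
    """Stable identity for the principal: IAM user name, else the (role session) ARN."""
    identity = event["userIdentity"]
    return identity.get("userName") or identity.get("arn", "unknown")


def instances_in(event: Dict) -> int:
    """RunInstances returns one instancesSet item per instance it started."""
    items = (event.get("responseElements") or {}).get("instancesSet", {}).get("items", [])
    return len(items)


def event_day(event: Dict) -> date:
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").date()


def run_instances_anomalies(events: Iterable[Dict], baseline_end: date) -> List[Dict]:
    """Events before baseline_end teach the baseline; events on/after it are scored."""
    launches = [e for e in events
                if e.get("eventName") == "RunInstances" and not e.get("errorCode")]
    baseline = [e for e in launches if event_day(e) < baseline_end]
    recent = [e for e in launches if event_day(e) >= baseline_end]

    known_regions = {e["awsRegion"] for e in baseline}
    known_callers = {caller_of(e) for e in baseline}
    per_day = defaultdict(Counter)               # caller -> day -> instances launched
    for e in baseline:
        per_day[caller_of(e)][event_day(e)] += instances_in(e)
    usual_max = {c: max(days.values()) for c, days in per_day.items()}

    recent_per_day = defaultdict(Counter)
    for e in recent:
        recent_per_day[caller_of(e)][event_day(e)] += instances_in(e)

    findings = []
    for e in recent:
        caller, region = caller_of(e), e["awsRegion"]
        reasons = []
        if region not in known_regions:
            reasons.append(f"first launch in region {region}")
        if caller not in known_callers:
            reasons.append("previously unseen caller")
        today, ceiling = recent_per_day[caller][event_day(e)], usual_max.get(caller, 0)
        if today >= MIN_SPIKE_INSTANCES and today > SPIKE_FACTOR * ceiling:
            reasons.append(f"{today} instances in one day (baseline max {ceiling})")
        if reasons:
            findings.append({"time": e["eventTime"], "caller": caller, "region": region,
                             "src_ip": e.get("sourceIPAddress"), "reasons": reasons})
    return findings


def make_event(time: str, caller: str, region: str, src_ip: str, count: int,
               error: Optional[str] = None) -> Dict:
    """Build a constructed CloudTrail RunInstances record (only the fields used here)."""
    identity = ({"type": "AssumedRole", "arn": caller} if caller.startswith("arn:")
                else {"type": "IAMUser", "userName": caller})
    event = {"eventTime": time, "eventName": "RunInstances", "eventSource": "ec2.amazonaws.com",
             "awsRegion": region, "sourceIPAddress": src_ip, "userIdentity": identity}
    if error:
        event["errorCode"] = error   # a failed call launches nothing
    else:
        event["responseElements"] = {"instancesSet": {"items": [
            {"instanceId": f"i-{n:017x}"} for n in range(count)]}}
    return event


DEPLOY_ROLE = "arn:aws:sts::123456789012:assumed-role/deploy/ci"   # constructed
SAMPLE_EVENTS = [  # February teaches the baseline, March is scored
    make_event("2021-02-03T14:22:10Z", "alice", "us-east-1", "203.0.113.10", 1),
    make_event("2021-02-10T09:05:41Z", "alice", "us-east-1", "203.0.113.10", 2),
    make_event("2021-02-15T11:30:00Z", DEPLOY_ROLE, "us-west-2", "198.51.100.7", 3),
    make_event("2021-02-20T16:47:19Z", "bob", "us-east-1", "203.0.113.44", 1,
               error="Client.UnauthorizedOperation"),
    make_event("2021-03-01T09:00:02Z", "alice", "us-east-1", "203.0.113.10", 1),
    make_event("2021-03-02T03:12:55Z", "mallory", "ap-southeast-1", "192.0.2.77", 12),
    make_event("2021-03-02T10:00:00Z", DEPLOY_ROLE, "us-west-2", "198.51.100.7", 2),
    make_event("2021-03-03T02:41:08Z", "alice", "us-east-1", "203.0.113.10", 11),
]


def detect_sample() -> List[Dict]:
    return run_instances_anomalies(SAMPLE_EVENTS, date(2021, 3, 1))


if __name__ == "__main__":
    for f in detect_sample():
        print(f"{f['time']} {f['caller']} {f['region']} {f['src_ip']}: {'; '.join(f['reasons'])}")
```

On the constructed data the new user in a never-used region trips all three signals at once, which is the cryptojacking pattern the stories describe, and the known user's 11-instance day is flagged purely as a volume spike against her own history. Failed RunInstances calls are excluded from both the baseline and the scoring, so a denied attempt neither teaches the model nor counts as a launch; a separate search over errorCode values would cover that case.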


Suspicious aws login activities

Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • ATT&CK: T1535, T1078.004
  • Last Updated: 2019-05-01

Detection Profile


ATT&CK

ID Technique Tactic
T1535 Unused/Unsupported Cloud Regions Defense Evasion
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Suspicious aws s3 activities

Use the searches in this Analytic Story to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1530
  • Last Updated: 2018-07-24

Suspicious aws traffic

Leverage these searches to monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors, such as a spike in blocked outbound traffic in your virtual private cloud (VPC).

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2018-05-07

Detection Profile



Kill Chain Phase

  • Actions on Objectives
  • Command and Control


Reference


version: 1


Suspicious cloud authentication activities

Monitor your cloud authentication events. Searches within this Analytic Story leverage the recent cloud updates to the Authentication data model to help you stay aware of and investigate suspicious login activity.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • ATT&CK: T1535, T1078.004
  • Last Updated: 2020-06-04

Suspicious cloud instance activities

Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078.004
  • Last Updated: 2020-08-25

Detection Profile


ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Suspicious cloud provisioning activities

Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078
  • Last Updated: 2018-08-20

Suspicious cloud user activities

Detect and investigate suspicious activities by users and roles in your cloud environments.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078.004, T1078
  • Last Updated: 2020-09-04

Detection Profile


ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation
T1078 Valid Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Suspicious gcp storage activities

Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open storage buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1530
  • Last Updated: 2020-08-05

Unusual aws ec2 modifications

Identify unusual changes to your AWS EC2 instances that may indicate malicious activity. Modifications to your EC2 instances by previously unseen users are an example of an activity that may warrant further investigation.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.004
  • Last Updated: 2018-04-09

Detection Profile


ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Initial Access, Persistence, Privilege Escalation


Kill Chain Phase

Reference


version: 1



Malware

Coldroot macos rat

Leverage searches that allow you to detect and investigate unusual activities that relate to the ColdRoot Remote Access Trojan, which affects macOS. Examples of these activities include changing sensitive binaries in the macOS subsystem, detecting process names and executables associated with the RAT, detecting when a keyboard tap is installed on a macOS machine, and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2019-01-09

Dhs report ta18-074a

Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearphishing attacks, malware, watering-hole domains, and more.

Detection Profile


ATT&CK

ID Technique Tactic
T1136.001 Local Account Persistence
T1071.002 File Transfer Protocols Command and Control
T1021.002 SMB/Windows Admin Shares Lateral Movement
T1059.001 PowerShell Execution
T1059.003 Windows Command Shell Execution
T1562.004 Disable or Modify System Firewall Defense Evasion
T1547.001 Registry Run Keys / Startup Folder Persistence, Privilege Escalation
T1543.003 Windows Service Persistence, Privilege Escalation
T1053.005 Scheduled Task Execution, Persistence, Privilege Escalation
T1204.002 Malicious File Execution
T1112 Modify Registry Defense Evasion


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Installation


Reference


version: 2


Dynamic dns

Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and deny lists.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution, Web
  • ATT&CK: T1189, T1071.001, T1048.003, T1048
  • Last Updated: 2018-09-06

Detection Profile


ATT&CK

ID Technique Tactic
T1189 Drive-by Compromise Initial Access
T1071.001 Web Protocols Command and Control
T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Exfiltration
T1048 Exfiltration Over Alternative Protocol Exfiltration


Kill Chain Phase

  • Actions on Objectives
  • Command and Control


Reference


version: 2


Emotet malware dhs report ta18-201a

Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has compromised your environment.

Detection Profile


ATT&CK

ID Technique Tactic
T1059.003 Windows Command Shell Execution
T1072 Software Deployment Tools Execution, Lateral Movement
T1547.001 Registry Run Keys / Startup Folder Persistence, Privilege Escalation
T1021.002 SMB/Windows Admin Shares Lateral Movement
T1566.001 Spearphishing Attachment Initial Access


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Delivery
  • Exploitation
  • Installation


Reference


version: 1


Hidden cobra malware

Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored actors. Details of this activity were reported in DHS Report TA18-149A.

Detection Profile


ATT&CK

ID Technique Tactic
T1070.005 Network Share Connection Removal Defense Evasion
T1071.004 DNS Command and Control
T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Exfiltration
T1071.002 File Transfer Protocols Command and Control
T1059.001 PowerShell Execution
T1059.003 Windows Command Shell Execution
T1021.001 Remote Desktop Protocol Lateral Movement
T1021.002 SMB/Windows Admin Shares Lateral Movement


Kill Chain Phase

  • Actions on Objectives
  • Command and Control


Reference


version: 2


Orangeworm attack group

Detect activities and various techniques associated with the Orangeworm Attack Group, a group that frequently targets the healthcare industry.

Detection Profile


ATT&CK

ID Technique Tactic
T1569.002 Service Execution Execution
T1059.001 PowerShell Execution
T1059.003 Windows Command Shell Execution
T1574.011 Services Registry Permissions Weakness Defense Evasion, Persistence, Privilege Escalation
T1543.003 Windows Service Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Installation


Reference


version: 2


Ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware--spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, system processes run from unexpected locations, and many others.

Detection Profile


ATT&CK

ID Technique Tactic
T1490 Inhibit System Recovery Impact
T1485 Data Destruction Impact
T1482 Domain Trust Discovery Discovery
T1048 Exfiltration Over Alternative Protocol Exfiltration
T1547.001 Registry Run Keys / Startup Folder Persistence, Privilege Escalation
T1021.001 Remote Desktop Protocol Lateral Movement
T1047 Windows Management Instrumentation Execution
T1486 Data Encrypted for Impact Impact
T1021.002 SMB/Windows Admin Shares Lateral Movement
T1053.005 Scheduled Task Execution, Persistence, Privilege Escalation
T1070.001 Clear Windows Event Logs Defense Evasion
T1036.003 Rename System Utilities Defense Evasion
T1071.001 Web Protocols Command and Control
T1070 Indicator Removal on Host Defense Evasion
T1562.001 Disable or Modify Tools Defense Evasion
T1489 Service Stop Impact
T1059.003 Windows Command Shell Execution


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Delivery


Reference


version: 1


Ransomware cloud

Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches include cloud-related objects that may be targeted by malicious actors via the cloud providers' own encryption features.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1486
  • Last Updated: 2020-10-27

Ryuk ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including file writes associated with Ryuk, stopping of the Security Account Manager (SAM) service, modification of the DisableAntiSpyware registry key, suspicious psexec use, and more.

Detection Profile


ATT&CK

ID Technique Tactic
T1490 Inhibit System Recovery Impact
T1485 Data Destruction Impact
T1482 Domain Trust Discovery Discovery
T1048 Exfiltration Over Alternative Protocol Exfiltration
T1547.001 Registry Run Keys / Startup Folder Persistence, Privilege Escalation
T1021.001 Remote Desktop Protocol Lateral Movement
T1047 Windows Management Instrumentation Execution
T1486 Data Encrypted for Impact Impact
T1021.002 SMB/Windows Admin Shares Lateral Movement
T1053.005 Scheduled Task Execution, Persistence, Privilege Escalation
T1070.001 Clear Windows Event Logs Defense Evasion
T1036.003 Rename System Utilities Defense Evasion
T1071.001 Web Protocols Command and Control
T1070 Indicator Removal on Host Defense Evasion
T1562.001 Disable or Modify Tools Defense Evasion
T1489 Service Stop Impact
T1059.003 Windows Command Shell Execution


Kill Chain Phase

  • Actions on Objectives
  • Delivery
  • Exploitation
  • Reconnaissance


Reference


version: 1


Samsam ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ransomware, including file writes associated with SamSam, RDP brute-force attacks, the presence of files with SamSam ransomware extensions, suspicious psexec use, and more.

Detection Profile


ATT&CK

ID Technique Tactic
T1204.002 Malicious File Execution
T1485 Data Destruction Impact
T1490 Inhibit System Recovery Impact
T1021.002 SMB/Windows Admin Shares Lateral Movement
T1082 System Information Discovery Discovery
T1021.001 Remote Desktop Protocol Lateral Movement
T1486 Data Encrypted for Impact Impact


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Delivery
  • Installation
  • Reconnaissance


Reference


version: 1


Unusual processes

Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1016, T1218.011, T1036.003, T1204.002
  • Last Updated: 2020-02-04

Windows file extension and association abuse

Detect and investigate suspected abuse of file extensions and Windows file associations. Some of the malicious behaviors involved may include inserting spaces before file extensions or prepending the file extension with a different one, among other techniques.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1036.003, T1546.001
  • Last Updated: 2018-01-26

Detection Profile


ATT&CK

ID Technique Tactic
T1036.003 Rename System Utilities Defense Evasion
T1546.001 Change Default File Association Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1
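
The two disguises named in this story (spaces inserted before the real extension, and a document extension placed before an executable one) are simple to express as checks over file-creation events. The following is an added example, not a Splunk search and not part of Splunk Security Content: it applies both checks to file paths from constructed endpoint events and, going slightly beyond the story text, also catches the Unicode right-to-left override character, which reverses how the tail of a file name renders. The extension lists, the space threshold and the sample events are assumptions.

```python
"""Flag file names crafted so an executable reads as a document, the abuse the
Windows file-extension story describes: a document extension followed by an
executable one, and a run of spaces that pushes the real extension out of view.
It also covers the right-to-left override character, a related trick the story
text does not list.

Added illustration, not part of Splunk Security Content. The file events and
paths are constructed; the extension lists and the space threshold are
assumptions.
"""
import os
import re
from typing import Dict, List, Optional

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs",
                   ".wsf", ".hta", ".lnk", ".ps1", ".msi"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".rtf",
                 ".txt", ".jpg", ".jpeg", ".png", ".gif", ".zip"}
RLO = "\u202e"                                         # Unicode RIGHT-TO-LEFT OVERRIDE
SPACE_RUN = re.compile(r"( {3,})(\.[a-z0-9]{1,4})$")   # hypothetical: 3+ spaces before the final extension


def extension_abuse(path: str) -> Optional[str]:
    """Return a reason string if the file name looks disguised, else None."""
    name = os.path.basename(path.replace("\\", "/"))
    lower = name.lower()
    if RLO in name:
        # "photo" + RLO + "gpj.scr" is displayed as "photorcs.jpg"
        return "right-to-left override character in name"
    m = SPACE_RUN.search(lower)
    if m:
        return f"{len(m.group(1))} spaces hide real extension {m.group(2)}"
    root, ext = os.path.splitext(lower)
    if ext in EXECUTABLE_EXTS:
        inner = os.path.splitext(root.rstrip())[1]   # "invoice.pdf .exe" -> ".pdf"
        if inner in DOCUMENT_EXTS:
            return f"document extension {inner} masks executable {ext}"
    return None


# Constructed file-creation events (host, user, path); the last two are
# benign controls that must not be flagged.
SAMPLE_FILE_EVENTS = [
    {"host": "ws01", "user": "jdoe", "path": r"C:\Users\jdoe\Downloads\invoice.pdf.exe"},
    {"host": "ws01", "user": "jdoe",
     "path": r"C:\Users\jdoe\Downloads\Q3 report.docx" + " " * 20 + ".exe"},
    {"host": "ws02", "user": "asmith", "path": "C:\\Temp\\photo" + RLO + "gpj.scr"},
    {"host": "ws02", "user": "asmith", "path": r"C:\Program Files\Vendor\setup.exe"},
    {"host": "ws03", "user": "svc_backup", "path": r"D:\share\archive.tar.gz"},
]


def suspicious_files(events: List[Dict]) -> List[Dict]:
    """Attach a reason to every event whose file name looks disguised."""
    findings = []
    for ev in events:
        reason = extension_abuse(ev["path"])
        if reason:
            findings.append({**ev, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in suspicious_files(SAMPLE_FILE_EVENTS):
        print(f"{f['host']} {f['user']} {f['path']!r}: {f['reason']}")
```

The double-extension check deliberately looks at the extension before the executable one rather than just counting dots, so "archive.tar.gz" and "my.report.2021.pdf" pass while "invoice.pdf.exe" and "photo.jpg.scr" do not. Run this over the Endpoint data model's file name field, or against process image paths, since the same names show up when the disguised file is executed.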


Windows service abuse

Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner.

Detection Profile


ATT&CK

ID Technique Tactic
T1569.002 Service Execution Execution
T1059.001 PowerShell Execution
T1059.003 Windows Command Shell Execution
T1574.011 Services Registry Permissions Weakness Defense Evasion, Persistence, Privilege Escalation
T1543.003 Windows Service Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives
  • Installation


Reference


version: 3



Vulnerability

Apache struts vulnerability

Detect and investigate activities--such as unusually long `Content-Type` headers, suspicious Java classes and web servers executing suspicious processes--consistent with attempts to exploit Apache Struts vulnerabilities.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1082
  • Last Updated: 2018-12-06

Detection Profile


ATT&CK

ID Technique Tactic
T1082 System Information Discovery Discovery


Kill Chain Phase

  • Actions on Objectives
  • Delivery
  • Exploitation


Reference


version: 1
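
The "unusually long Content-Type" signal only works if the web server logs that request header, which the default Apache combined format does not. The following is an added example, not a Splunk search and not part of Splunk Security Content: it parses access-log lines from a LogFormat that appends `%{Content-Type}i` as the last quoted field, then flags requests whose Content-Type is longer than a threshold or contains an OGNL expression delimiter. The log lines, the long placeholder header value and the length threshold are constructed for the example; the placeholder is not an exploit payload.

```python
"""Flag HTTP requests whose Content-Type header is abnormally long or carries an
OGNL expression marker, the signal the Apache Struts story describes.

Added illustration, not part of Splunk Security Content. The access-log lines
are constructed for an Apache LogFormat that appends the request's
Content-Type header ("%{Content-Type}i") as the last quoted field; the length
threshold and the long header value are made-up assumptions.
"""
import re
from typing import Dict, Iterable, List, Optional

MAX_CONTENT_TYPE_LEN = 200   # hypothetical: a multipart boundary header stays well under this
OGNL_MARKERS = ("%{", "${")  # OGNL expressions are delimited this way in Struts

# LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Content-Type}i\""
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
                     r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<content_type>.*)"$')

# Constructed: a normal multipart upload, a GET with no Content-Type, and a POST
# whose Content-Type is a long OGNL-looking blob (placeholder, not a real payload).
SUSPECT_CT = "%{(#demo='multipart/form-data')" + ".(#p=1)" * 40 + "}"
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [06/Dec/2018:10:15:02 +0000] "POST /showcase/upload.action HTTP/1.1" 200 512 '
    '"multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"',
    '10.0.0.8 - - [06/Dec/2018:10:15:05 +0000] "GET /showcase/index.action HTTP/1.1" 200 2048 "-"',
    '203.0.113.9 - - [06/Dec/2018:10:15:07 +0000] "POST /showcase/upload.action HTTP/1.1" 200 1337 '
    f'"{SUSPECT_CT}"',
]


def parse_access_line(line: str) -> Optional[Dict]:
    """Split one access-log line into named fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def struts_content_type_hits(lines: Iterable[str],
                             max_len: int = MAX_CONTENT_TYPE_LEN) -> List[Dict]:
    """Requests whose Content-Type is over-long or carries an OGNL delimiter."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        ct = rec["content_type"]
        if ct == "-":            # Apache logs a missing header as "-"
            continue
        reasons = []
        if len(ct) > max_len:
            reasons.append(f"Content-Type length {len(ct)} exceeds {max_len}")
        markers = [m for m in OGNL_MARKERS if m in ct]
        if markers:
            reasons.append(f"OGNL marker {markers[0]!r} in Content-Type")
        if reasons:
            hits.append({"src": rec["src"], "time": rec["time"], "request": rec["request"],
                         "status": rec["status"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for h in struts_content_type_hits(SAMPLE_ACCESS_LOG):
        print(f"{h['src']} {h['time']} {h['request']} -> {'; '.join(h['reasons'])}")
```

Only the third line is reported, on both counts. Keep the length check even when the marker check exists: a length threshold is cheap and survives encoding tricks that hide the delimiter, while the marker check gives a much lower false-positive rate on the hits the length check produces.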


Jboss vulnerability

In March of 2016, adversaries were seen using JexBoss--an open-source utility used for testing and exploiting JBoss application servers. These searches help detect evidence of these attacks, such as network connections to external resources or web services spawning atypical child processes, among others.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Web
  • ATT&CK: T1082
  • Last Updated: 2017-09-14

Detection Profile


ATT&CK

ID Technique Tactic
T1082 System Information Discovery Discovery


Kill Chain Phase

  • Delivery
  • Reconnaissance


Reference


version: 1


Spectre and meltdown vulnerabilities

Assess and mitigate your systems' vulnerability to Spectre and Meltdown exploitation with the searches in this Analytic Story.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Vulnerabilities
  • ATT&CK:
  • Last Updated: 2018-01-08

Detection Profile



Kill Chain Phase

Reference


version: 1


Splunk enterprise vulnerability

Keeping your Splunk deployment up to date is critical and may help you reduce the risk of CVE-2016-4859, an open-redirect vulnerability in some older versions of Splunk Enterprise. The detection search helps ensure that users are being properly authenticated and not redirected to malicious domains.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2017-09-19

Splunk enterprise vulnerability cve-2018-11409

Reduce the risk of CVE-2018-11409, an information disclosure vulnerability within some older versions of Splunk Enterprise, with searches designed to help ensure that your Splunk system does not leak information to authenticated users.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2018-06-14



#############
# Automatically generated by doc_gen.py in https://github.com/splunk/security_content
# On Date: UTC
# Author: Splunk Security Research
# Contact: research@splunk.com
#############

Last modified on 25 March, 2021

This documentation applies to the following versions of Splunk® Security Content: 3.17.0

