Splunk® Security Content

Detections

This documentation does not apply to the most recent version of ESSOC.

Splunk Security Content Detections


All the detections shipped to different Splunk products. Below is a breakdown by kind.

Application

Detect new login attempts to routers

The search queries the authentication logs for assets that are categorized as routers in the ES Assets and Identity Framework, to identify user-to-router login pairs whose earliest authentication falls within the last 30 days, that is, pairs that had not been seen before.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • ATT&CK:
  • Last Updated: 2017-09-12

Search

| tstats `security_content_summariesonly` count earliest(_time) as earliest latest(_time) as latest from datamodel=Authentication where Authentication.dest_category=router by Authentication.dest Authentication.user | eval isOutlier=if(earliest >= relative_time(now(), "-30d@d"), 1, 0) | where isOutlier=1 | `security_content_ctime(earliest)` | `security_content_ctime(latest)` | `drop_dm_object_name("Authentication")` | `detect_new_login_attempts_to_routers_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must ensure the network router devices are categorized as "router" in the Assets and Identity framework. You must also populate the Authentication data model with logs related to users authenticating to routing infrastructure.

Required field

  • _time
  • Authentication.dest_category
  • Authentication.dest
  • Authentication.user



Kill Chain Phase

  • Actions on Objectives


Known False Positives

Legitimate router connections may appear as new connections

Reference

Test Dataset

version: 1


Email attachments with lots of spaces

Attackers often use spaces as a means to obfuscate an attachment's file extension. This search looks for messages with email attachments that have many spaces within the file names.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Email
  • ATT&CK:
  • Last Updated: 2017-09-19

Search

| tstats `security_content_summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` | eval space_ratio = (mvcount(split(file_name," "))-1)/len(file_name) | search space_ratio >= 0.1 | rex field=recipient_address "(?<recipient_user>.*)@" | `email_attachments_with_lots_of_spaces_filter`

Associated Analytic Story


How To Implement

You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. The threshold ratio is set to 10%, but this value can be configured to suit each environment.

**Splunk Phantom Playbook Integration**

If Splunk Phantom is also configured in your environment, a playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/` and add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.
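As an added example (not part of this page or of Splunk's own content), the space_ratio test from the search above reproduced in Python and run over constructed attachment names, so the 10% threshold can be tuned offline:

```python
# Added example (not from the Splunk Security Content page): the space_ratio test
# of "Email attachments with lots of spaces" reproduced in Python and run over
# constructed attachment names, so the 10% threshold can be tuned offline.
from typing import List, NamedTuple

SPACE_RATIO_THRESHOLD = 0.1  # the SPL's "search space_ratio >= 0.1"


def space_ratio(file_name: str) -> float:
    """Mirror of eval space_ratio = (mvcount(split(file_name," "))-1)/len(file_name).

    Splitting on a single space counts every space, runs included, exactly as the
    SPL does, so a run of 60 padding spaces contributes 60 to the numerator.
    """
    if not file_name:  # the SPL only sees file_name="*" (non-empty); guard len()==0 here
        return 0.0
    return (len(file_name.split(" ")) - 1) / len(file_name)


def is_suspicious(file_name: str, threshold: float = SPACE_RATIO_THRESHOLD) -> bool:
    return space_ratio(file_name) >= threshold


class Verdict(NamedTuple):
    file_name: str
    ratio: float
    flagged: bool


def triage(file_names: List[str], threshold: float = SPACE_RATIO_THRESHOLD) -> List[Verdict]:
    return [Verdict(n, round(space_ratio(n), 3), is_suspicious(n, threshold)) for n in file_names]


# Constructed attachment names (not real mail data).
SAMPLE_ATTACHMENTS = [
    "invoice_2024-03.pdf",                # no spaces
    "Q3 Report Final.docx",               # ordinary name: 2 spaces in 20 characters
    "Invoice.pdf" + " " * 60 + ".exe",    # extension pushed out of view by padding
]

if __name__ == "__main__":
    for v in triage(SAMPLE_ATTACHMENTS):
        print(f"{'FLAG' if v.flagged else 'ok  '} ratio={v.ratio:.3f} {v.file_name!r}")
```

The second name shows where the ratio is weak: two spaces in a short, ordinary filename land exactly on the 10% line, so short space-separated names are the main tuning problem. Adding a minimum absolute space count to the filter macro removes them without losing the padded case.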

Required field

  • _time
  • All_Email.recipient
  • All_Email.file_name
  • All_Email.src_user
  • All_Email.message_id



Kill Chain Phase

  • Delivery


Known False Positives

None at this time

Reference

Test Dataset

version: 2


Email files written outside of the outlook directory

The search looks at the Endpoint.Filesystem data model and detects Outlook data files (.pst and .ost) created outside the normal Outlook directories.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1114.001
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name=*.pst OR Filesystem.file_name=*.ost) Filesystem.file_path != "C:\\Users\\*\\My Documents\\Outlook Files\\*" Filesystem.file_path!="C:\\Users\\*\\AppData\\Local\\Microsoft\\Outlook*" by Filesystem.action Filesystem.process_id Filesystem.file_name Filesystem.dest | `drop_dm_object_name("Filesystem")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `email_files_written_outside_of_the_outlook_directory_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting data that records the file-system activity from your hosts to populate the Endpoint.Filesystem data model node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or by other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.

Required field

  • _time
  • Filesystem.file_path
  • Filesystem.file_name
  • Filesystem.action
  • Filesystem.process_id
  • Filesystem.dest


ATT&CK

ID Technique Tactic
T1114.001 Local Email Collection Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Administrators and users sometimes prefer backing up their email data by moving the email files into a different folder. These attempts will be detected by the search.

Reference

Test Dataset

version: 3


Email servers sending high volume traffic to hosts

This search looks for an increase of data transfers from your email server to your clients. This could be indicative of a malicious actor collecting data using your email server.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Traffic
  • ATT&CK: T1114.002
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` sum(All_Traffic.bytes_out) as bytes_out from datamodel=Network_Traffic where All_Traffic.src_category=email_server by All_Traffic.dest_ip _time span=1d | `drop_dm_object_name("All_Traffic")` | eventstats avg(bytes_out) as avg_bytes_out stdev(bytes_out) as stdev_bytes_out | eventstats count as num_data_samples avg(eval(if(_time < relative_time(now(), "@d"), bytes_out, null))) as per_source_avg_bytes_out stdev(eval(if(_time < relative_time(now(), "@d"), bytes_out, null))) as per_source_stdev_bytes_out by dest_ip | eval minimum_data_samples = 4, deviation_threshold = 3 | where num_data_samples >= minimum_data_samples AND bytes_out > (avg_bytes_out + (deviation_threshold * stdev_bytes_out)) AND bytes_out > (per_source_avg_bytes_out + (deviation_threshold * per_source_stdev_bytes_out)) AND _time >= relative_time(now(), "@d") | eval num_standard_deviations_away_from_server_average = round(abs(bytes_out - avg_bytes_out) / stdev_bytes_out, 2), num_standard_deviations_away_from_client_average = round(abs(bytes_out - per_source_avg_bytes_out) / per_source_stdev_bytes_out, 2) | table dest_ip, _time, bytes_out, avg_bytes_out, per_source_avg_bytes_out, num_standard_deviations_away_from_server_average, num_standard_deviations_away_from_client_average | `email_servers_sending_high_volume_traffic_to_hosts_filter`

Associated Analytic Story


How To Implement

This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. Your email servers must also be categorized as "email_server" for the search to work. You may need to adjust the deviation_threshold and minimum_data_samples values based on the network traffic in your environment. The "deviation_threshold" field is a multiplier (in standard deviations) that controls how much variation you are willing to tolerate. The "minimum_data_samples" field is the minimum number of daily data samples per destination required for the statistic to be valid.
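As an added example (not part of this page or of Splunk's own content), the eventstats and where logic of the search above reimplemented in Python over constructed daily byte counts. The data is made up; deviation_threshold and minimum_data_samples carry the search's defaults so their effect can be reasoned about offline.

```python
# Added example (not from the Splunk Security Content page): a Python mirror of the
# eventstats/where logic in "Email servers sending high volume traffic to hosts",
# run over constructed daily byte counts so deviation_threshold and
# minimum_data_samples can be tuned offline. The data is made up.
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, stdev  # statistics.stdev is the sample stdev, as SPL stdev() is
from typing import Dict, Iterable, List, Optional, Tuple

DEVIATION_THRESHOLD = 3    # SPL default: deviation_threshold = 3
MINIMUM_DATA_SAMPLES = 4   # SPL default: minimum_data_samples = 4

# One email server, four prior days plus "today", bytes_out summed per client per day
# (what tstats sum(bytes_out) ... by dest_ip _time span=1d produces).
TODAY = date(2024, 3, 5)
DAYS = [TODAY - timedelta(days=d) for d in range(4, 0, -1)] + [TODAY]
_SERIES = {
    "10.0.0.11": ([1_000_000, 1_050_000, 980_000, 1_020_000], 1_100_000),    # steady
    "10.0.0.12": ([2_000_000, 2_100_000, 1_950_000, 2_050_000], 2_000_000),  # steady
    "10.0.0.13": ([1_500_000, 1_550_000, 1_480_000, 1_520_000], 40_000_000), # mailbox pull
    "10.0.0.14": ([500_000, 500_000, 500_000, 500_000], 3_000_000),          # client-level bump only
}
DAILY_BYTES_OUT: List[Tuple[str, date, int]] = [
    (ip, day, b) for ip, (prior, today) in _SERIES.items() for day, b in zip(DAYS, prior + [today])
]


def _z(value: float, avg: float, sd: float) -> Optional[float]:
    """num_standard_deviations_away_*: SPL yields null on a zero stdev; return None."""
    return None if sd == 0 else round(abs(value - avg) / sd, 2)


def find_outliers(rows: Iterable[Tuple[str, date, int]], today: date,
                  deviation_threshold: float = DEVIATION_THRESHOLD,
                  minimum_data_samples: int = MINIMUM_DATA_SAMPLES,
                  ) -> Dict[str, Tuple[int, Optional[float], Optional[float]]]:
    """Today's rows whose bytes_out exceed BOTH the server-wide and the per-client
    avg + k*stdev. Returns {dest_ip: (bytes_out, z_vs_server, z_vs_client)}."""
    rows = list(rows)
    # eventstats with no "by": server-wide baseline over every row, today's included
    all_bytes = [b for _, _, b in rows]
    avg_all, sd_all = mean(all_bytes), stdev(all_bytes)
    # eventstats ... by dest_ip: sample count over all rows, baseline over prior days only
    samples: Dict[str, int] = defaultdict(int)
    prior: Dict[str, List[int]] = defaultdict(list)
    for ip, day, b in rows:
        samples[ip] += 1
        if day < today:
            prior[ip].append(b)
    hits = {}
    for ip, day, b in rows:
        if day < today or samples[ip] < minimum_data_samples or len(prior[ip]) < 2:
            continue  # only today's rows, with enough history (stdev needs >= 2 prior points)
        avg_c, sd_c = mean(prior[ip]), stdev(prior[ip])
        if b > avg_all + deviation_threshold * sd_all and b > avg_c + deviation_threshold * sd_c:
            hits[ip] = (b, _z(b, avg_all, sd_all), _z(b, avg_c, sd_c))
    return hits


if __name__ == "__main__":
    for ip, (b, z_server, z_client) in find_outliers(DAILY_BYTES_OUT, TODAY).items():
        print(f"{ip}: {b} bytes today, {z_server} sd above server mean, {z_client} sd above own mean")
```

Only 10.0.0.13 fires. The server-wide eventstats has no `by` clause and includes today's rows, so the 40 MB spike inflates stdev_bytes_out for everyone: 10.0.0.14's six-fold jump clears its own baseline but not the server-wide bar. Computing the server-wide baseline from prior days only, as the per-client one already is, or lowering deviation_threshold, changes that trade-off.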

Required field

  • _time
  • All_Traffic.bytes_out
  • All_Traffic.src_category
  • All_Traffic.dest_ip


ATT&CK

ID Technique Tactic
T1114.002 Remote Email Collection Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

The false-positive rate will vary based on how you set the deviation_threshold and minimum_data_samples values. Our recommendation is to adjust these values based on your network traffic to and from your email servers.

Reference

Test Dataset

version: 2


Monitor email for brand abuse

This search looks for emails claiming to be sent from a domain similar to one that you want to have monitored for abuse.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Email
  • ATT&CK:
  • Last Updated: 2018-01-05

Search

| tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email by All_Email.src_user, All_Email.message_id | `drop_dm_object_name("All_Email")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | eval temp=split(src_user, "@") | eval email_domain=mvindex(temp, 1) | lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse | search domain_abuse=true | table message_id, src_user, email_domain, recipients, firstTime, lastTime | `monitor_email_for_brand_abuse_filter`

Associated Analytic Story


How To Implement

You need to ingest email header data. Specifically the sender's address (src_user) must be populated. You also need to have run the search "ESCU - DNSTwist Domain Names", which creates the permutations of the domain that will be checked for.

Required field

  • _time
  • All_Email.recipient
  • All_Email.src_user
  • All_Email.message_id



Kill Chain Phase

  • Delivery


Known False Positives

None at this time

Reference

Test Dataset

version: 2


Multiple okta users with invalid credentials from the same ip

This search detects Okta login failures due to bad credentials for multiple users originating from the same IP address.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.001
  • Last Updated: 2020-07-21

Search

`okta` outcome.reason=INVALID_CREDENTIALS | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | stats min(_time) as firstTime max(_time) as lastTime dc(user) as distinct_users values(user) as users by src_ip, displayMessage, outcome.reason, country, state, city | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search distinct_users > 5 | `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter`

Associated Analytic Story


How To Implement

This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.

Required field

  • _time
  • outcome.reason
  • client.geographicalContext.country
  • client.geographicalContext.state
  • client.geographicalContext.city
  • user
  • src_ip
  • displayMessage


ATT&CK

ID Technique Tactic
T1078.001 Default Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

Known False Positives

A single public IP address servicing multiple legitimate users may trigger this search. In addition, the threshold of 5 distinct users may be too low for your needs. You may modify the included filter macro `multiple_okta_users_with_invalid_credentials_from_the_same_ip_filter` to raise the threshold or to exclude specific IP addresses from triggering this search.

Reference

Test Dataset

version: 2


No windows updates in a time frame

This search looks for Windows endpoints that have not generated an event indicating a successful Windows update in the last 60 days. Windows updates are typically released monthly and applied shortly thereafter. An endpoint that has not successfully applied an update in this time frame indicates the endpoint is not regularly being patched for some reason.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Updates
  • ATT&CK:
  • Last Updated: 2017-09-15

Search

| tstats `security_content_summariesonly` max(_time) as lastTime from datamodel=Updates where Updates.status=Installed Updates.vendor_product="Microsoft Windows" by Updates.dest Updates.status Updates.vendor_product | rename Updates.dest as Host | rename Updates.status as "Update Status" | rename Updates.vendor_product as Product | eval isOutlier=if(lastTime <= relative_time(now(), "-60d@d"), 1, 0) | `security_content_ctime(lastTime)` | search isOutlier=1 | rename lastTime as "Last Update Time" | table Host, "Update Status", Product, "Last Update Time" | `no_windows_updates_in_a_time_frame_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, the 'Updates' data model must be populated. This can be accomplished by ingesting Windows events or the Windows Update log via a universal forwarder on the Windows endpoints you wish to monitor. The Windows add-on should also be installed and configured to properly parse Windows events in Splunk. There may be other data sources which can populate this data model, including vulnerability management systems.

Required field

  • _time
  • Updates.status
  • Updates.vendor_product
  • Updates.dest



Kill Chain Phase

Known False Positives

None identified

Reference

Test Dataset

version: 1


Okta account lockout events

Detect Okta user lockout events

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.001
  • Last Updated: 2020-07-21

Search

`okta` displayMessage="Max sign in attempts exceeded" | rename client.geographicalContext.country as country, client.geographicalContext.state as state, client.geographicalContext.city as city | table _time, user, country, state, city, src_ip | `okta_account_lockout_events_filter`

Associated Analytic Story


How To Implement

This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.

Required field

  • _time
  • displayMessage
  • client.geographicalContext.country
  • client.geographicalContext.state
  • client.geographicalContext.city
  • user
  • src_ip


ATT&CK

ID Technique Tactic
T1078.001 Default Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

Known False Positives

None. Account lockouts should be followed up on to determine if the actual user was the one who caused the lockout, or if it was an unauthorized actor.

Reference

Test Dataset

version: 2


Okta failed sso attempts

Detect failed Okta SSO events

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.001
  • Last Updated: 2020-07-21

Search

`okta` displayMessage="User attempted unauthorized access to app" | stats min(_time) as firstTime max(_time) as lastTime values(app) as Apps count by user, result ,displayMessage, src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_failed_sso_attempts_filter`

Associated Analytic Story


How To Implement

This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.

Required field

  • _time
  • displayMessage
  • app
  • user
  • result
  • src_ip


ATT&CK

ID Technique Tactic
T1078.001 Default Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

Known False Positives

There may be a faulty configuration preventing legitimate users from accessing apps they should have access to.

Reference

Test Dataset

version: 2


Okta user logins from multiple cities

This search detects logins from the same user from different cities in a 24 hour period.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.001
  • Last Updated: 2020-07-21

Search

`okta` displayMessage="User login to Okta" client.geographicalContext.city!=null | stats min(_time) as firstTime max(_time) as lastTime dc(client.geographicalContext.city) as locations values(client.geographicalContext.city) as cities values(client.geographicalContext.state) as states by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `okta_user_logins_from_multiple_cities_filter` | search locations > 1

Associated Analytic Story


How To Implement

This search is specific to Okta and requires Okta logs are being ingested in your Splunk deployment.

Required field

  • _time
  • displayMessage
  • client.geographicalContext.city
  • client.geographicalContext.state
  • user


ATT&CK

ID Technique Tactic
T1078.001 Default Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

Known False Positives

Users in your environment may legitimately be travelling and logging in from different locations. This search is useful for those users that should *not* be travelling for some reason, such as the COVID-19 pandemic. The search also relies on the geographical information being populated in the Okta logs. It is also possible that a connection from another region may be attributed to a login from a remote VPN endpoint.
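As an added example (not part of this page or of Splunk's own content), the two Okta aggregations above, "Multiple okta users with invalid credentials from the same ip" and "Okta user logins from multiple cities", reimplemented in Python over constructed Okta System Log events. The flat field names (displayMessage, outcome.reason, client.geographicalContext.*, user, src_ip) are assumed to be what the `okta` macro and the Okta add-on expose to the SPL; the events themselves are made up.

```python
# Added example (not from the Splunk Security Content page): the per-IP distinct-user
# and per-user distinct-city aggregations of the two Okta searches, over constructed
# events. Field names assume the flattened form the Okta add-on gives the SPL.
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

DISTINCT_USER_THRESHOLD = 5    # SPL: search distinct_users > 5
WINDOW = timedelta(hours=24)   # the 24-hour search window of the multi-city search


def _t(day: int, hhmm: str) -> datetime:
    return datetime(2024, 3, day, int(hhmm[:2]), int(hhmm[3:]), tzinfo=timezone.utc)


def _event(day, hhmm, user, src_ip, city, state, result="SUCCESS", reason=None) -> dict:
    # Okta logs both successful and failed password logins as "User login to Okta";
    # outcome.result / outcome.reason tell them apart.
    return {"_time": _t(day, hhmm), "displayMessage": "User login to Okta",
            "outcome.result": result, "outcome.reason": reason, "user": user, "src_ip": src_ip,
            "client.geographicalContext.city": city, "client.geographicalContext.state": state}


# Constructed Okta System Log events (not real data).
EVENTS: List[dict] = (
    # one address cycling through six accounts with bad passwords: a spray
    [_event(5, f"09:0{i}", f"user{i}@example.com", "203.0.113.10", "Dublin", "Leinster",
            result="FAILURE", reason="INVALID_CREDENTIALS") for i in range(1, 7)]
    # two mistyped passwords behind an office NAT: below threshold
    + [_event(5, "10:15", "erin@example.com", "198.51.100.7", "Austin", "Texas", "FAILURE", "INVALID_CREDENTIALS"),
       _event(5, "10:20", "frank@example.com", "198.51.100.7", "Austin", "Texas", "FAILURE", "INVALID_CREDENTIALS")]
    # successful logins
    + [_event(5, "08:00", "alice@example.com", "198.51.100.7", "Austin", "Texas"),
       _event(5, "20:00", "alice@example.com", "203.0.113.44", "Boston", "Massachusetts"),
       _event(5, "10:00", "bob@example.com", "198.51.100.7", "Austin", "Texas"),
       _event(5, "11:00", "carol@example.com", "192.0.2.9", None, None),   # no geo enrichment
       _event(3, "22:00", "dave@example.com", "203.0.113.80", "Paris", "Ile-de-France"),
       _event(5, "10:30", "dave@example.com", "198.51.100.7", "Austin", "Texas")]
)


def invalid_credentials_by_ip(events: List[dict],
                              threshold: int = DISTINCT_USER_THRESHOLD) -> Dict[str, Set[str]]:
    """stats dc(user) by src_ip over outcome.reason=INVALID_CREDENTIALS, kept if > threshold."""
    users_by_ip: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.get("outcome.reason") == "INVALID_CREDENTIALS" and e.get("user") and e.get("src_ip"):
            users_by_ip[e["src_ip"]].add(e["user"])
    return {ip: users for ip, users in users_by_ip.items() if len(users) > threshold}


def logins_from_multiple_cities(events: List[dict], now: datetime,
                                window: timedelta = WINDOW) -> Dict[str, Set[str]]:
    """stats dc(city) by user over "User login to Okta" with a non-null city, kept if > 1.
    Like the SPL, this does not filter on outcome.result, so failed attempts count too."""
    cities_by_user: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        city: Optional[str] = e.get("client.geographicalContext.city")
        if (e.get("displayMessage") == "User login to Okta" and city
                and now - window <= e["_time"] <= now):
            cities_by_user[e["user"]].add(city)
    return {user: cities for user, cities in cities_by_user.items() if len(cities) > 1}


if __name__ == "__main__":
    print("spray sources:", invalid_credentials_by_ip(EVENTS))
    print("multi-city users:", logins_from_multiple_cities(EVENTS, _t(5, "23:00")))
```

dave's Paris login falls outside the 24-hour window and is not counted; widening the window pulls it in. In the SPL the filter macro runs before `search locations > 1`, so an allowlist of VPN egress cities or addresses in `okta_user_logins_from_multiple_cities_filter` removes the VPN case listed under Known False Positives.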

Reference

Test Dataset

version: 2


Phishing email detection by machine learning method - ssa

Malicious mails can conduct phishing that induces readers to open an attachment, click links, or trigger a third-party service. This detection uses a Natural Language Processing (NLP) approach to analyze an email message's content (sender, subject and body) and judge whether it is a phishing email. The detection adopts a deep learning (neural network) model that employs character-level embeddings plus LSTM layers to perform classification. The model is pre-trained and published in ONNX format. The current sample model is trained using the dataset published at https://github.com/splunk/attack_data/tree/master/datasets/T1566_Phishing_Email/splunk_train.json. Users are expected to re-train the model, combining it with their own training data for better accuracy, using the provided model file (SMLE notebook). The DSP pipeline then processes the email message and passes it as an event to the Apply ML Models function, which returns the probability of a phishing email. The current implementation assumes the email is fed to DSP in JSON format containing at least the email's sender, subject and message body, including reply content, if any.

  • Product: Splunk Behavioral Analytics
  • Datamodel:
  • ATT&CK: T1566
  • Last Updated: 2020-08-25

Search

| from read_ssa_enriched_events() | eval eventLine=concat(ucast(map_get(input_event, "From"), "string", " "), " ", ucast(map_get(input_event, "Subject"), "string", " "), " ", ucast(map_get(input_event, "Content"), "string", " "), " "), _time=map_get(input_event, "_time") | where eventLine IS NOT NULL | eval mapC={" ": 32, "!": 33, "\"": 34, "#": 35, "$": 36, "%": 37, "&": 38, "'": 39, "(": 40, ")": 41, "*": 42, "+": 43, ",": 44, "-": 45, ".": 46, "/": 47, "0": 48, "1": 49, "2": 50, "3": 51, "4": 52, "5": 53, "6": 54, "7": 55, "8": 56, "9": 57, ":": 58, ";": 59, "<": 60, "=": 61, ">": 62, "?": 63, "@": 64, "A": 65, "B": 66, "C": 67, "D": 68, "E": 69, "F": 70, "G": 71, "H": 72, "I": 73, "J": 74, "K": 75, "L": 76, "M": 77, "N": 78, "O": 79, "P": 80, "Q": 81, "R": 82, "S": 83, "T": 84, "U": 85, "V": 86, "W": 87, "X": 88, "Y": 89, "Z": 90, "[": 91, "\\": 92, "]": 93, "^": 94, "_": 95, "`": 96, "a": 97, "b": 98, "c": 99, "d": 100, "e": 101, "f": 102, "g": 103, "h": 104, "i": 105, "j": 106, "k": 107, "l": 108, "m": 109, "n": 110, "o": 111, "p": 112, "q": 113, "r": 114, "s": 115, "t": 116, "u": 117, "v": 118, "w": 119, "x": 120, "y": 121, "z": 122, "{": 123, "|": 124, "}": 125, "~": 126}, ml_in = for_each(iterator(mvrange(1,129), "i"), cast(map_get(mapC, substr(eventLine, i, 1)), "float") ) | apply_model connection_id="YOUR_S3_ONNX_CONNECTOR_ID" name="phishing_email_v8" path="s3://smle-experiments/models/phishing_email" | eval probability = mvindex(ml_out, 0) | where probability > 0.5 | eval start_time=_time, end_time=_time, entities="TBD", body="TBD" | select probability, body, entities, start_time, end_time | into write_ssa_detected_events();

Associated Analytic Story

How To Implement

Events fed to DSP must contain at least the email's sender, subject and message body.

Required field

ATT&CK

ID Technique Tactic
T1566 Phishing Initial Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Because of the imbalance of phishing (anomalous) samples in the training data, the model is less likely to report false positives and more prone to false negatives. The current best recall score is ~85%.

Reference

Test Dataset

version: 1


Suspicious email attachment extensions

This search looks for emails that have attachments with suspicious file extensions.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Email
  • ATT&CK: T1566.001
  • Last Updated: 2020-07-22

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name("All_Email")` | `suspicious_email_attachments` | `suspicious_email_attachment_extensions_filter`

Associated Analytic Story


How To Implement

You need to ingest data from emails. Specifically, the sender's address and the file names of any attachments must be mapped to the Email data model. \

**Splunk Phantom Playbook Integration**\

If Splunk Phantom is also configured in your environment, a Playbook called "Suspicious Email Attachment Investigate and Delete" can be configured to run when any results are found by this detection search. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, and add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search. The notable event will be sent to Phantom and the playbook will gather further information about the file attachment and its network behaviors. If Phantom finds malicious behavior and an analyst approves of the results, the email will be deleted from the user's inbox.

Required field

  • _time
  • All_Email.file_name
  • All_Email.src_user
  • All_Email.message_id


ATT&CK

ID Technique Tactic
T1566.001 Spearphishing Attachment Initial Access


Kill Chain Phase

  • Delivery


Known False Positives

None identified

Reference

Test Dataset

version: 3


Suspicious java classes

This search looks for suspicious Java classes that are often used in remote command execution exploits against common Java frameworks, such as Apache Struts.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2018-12-06

Search

`stream_http` http_method=POST http_content_length>1 | regex form_data="(?i)java\.lang\.(?:runtime|processbuilder)" | rename src_ip as src | stats count earliest(_time) as firstTime, latest(_time) as lastTime, values(url) as uri, values(status) as status, values(http_user_agent) as http_user_agent by src, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `suspicious_java_classes_filter`

Associated Analytic Story


How To Implement

In order to properly run this search, Splunk needs to ingest data from your web-traffic appliances that serve or sit in the path of your Struts application servers. This can be accomplished by indexing data from a web proxy, or by using network traffic-analysis tools, such as Splunk Stream or Bro.

Required field

  • _time
  • http_method
  • http_content_length
  • src_ip
  • url
  • status
  • http_user_agent
  • src
  • dest



Kill Chain Phase

  • Exploitation


Known False Positives

There are no known false positives.

Reference

Test Dataset

version: 1


Web servers executing suspicious processes

This search looks for suspicious processes on all systems labeled as web servers.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1082
  • Last Updated: 2019-04-01

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.dest_category="web_server" AND (Processes.process="*whoami*" OR Processes.process="*ping*" OR Processes.process="*iptables*" OR Processes.process="*wget*" OR Processes.process="*service*" OR Processes.process="*curl*") by Processes.process Processes.process_name, Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_servers_executing_suspicious_processes_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model. In addition, web servers will need to be identified in the Assets and Identity Framework of Enterprise Security.

Required field

  • _time
  • Processes.dest_category
  • Processes.process
  • Processes.process_name
  • Processes.dest
  • Processes.user


ATT&CK

ID Technique Tactic
T1082 System Information Discovery Discovery


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Some of these processes may be used legitimately on web servers during maintenance or other administrative tasks.

Reference

Test Dataset

version: 1



Cloud

Aws create policy version to allow all resources

This search looks for AWS CloudTrail events where a user created a policy version that allows them to access any resource in their account.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.004
  • Last Updated: 2021-02-22

Search

`cloudtrail` eventName=CreatePolicyVersion eventSource = iam.amazonaws.com errorCode = success | spath input=requestParameters.policyDocument output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements output=key_policy_action_1 path=Action | search key_policy_action_1 = "*" | stats count min(_time) as firstTime max(_time) as lastTime values(key_policy_statements) as policy_added by eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_create_policy_version_to_allow_all_resources_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs.

Required field

  • _time
  • eventName
  • eventSource
  • errorCode
  • userAgent
  • requestParameters.policyDocument
  • aws_account_id
  • eventID
  • awsRegion
  • userIdentity.principalId
  • user_arn


ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

While this search has no known false positives, it is possible that an AWS admin has legitimately created a policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources.

Reference


Test Dataset


version: 2


Aws createaccesskey

This search looks for AWS CloudTrail events where a user A, who already has permission to create access keys, makes an API call to create access keys for another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1136.003
  • Last Updated: 2021-03-02

Search

`cloudtrail` eventName = CreateAccessKey userAgent !=console.amazonaws.com errorCode = success | where userName!='requestParameters.userName' | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_createaccesskey_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs.

Required field

  • _time
  • eventName
  • userAgent
  • errorCode
  • requestParameters.userName


ATT&CK

ID Technique Tactic
T1136.003 Cloud Account Persistence


Kill Chain Phase

  • Actions on Objectives


Known False Positives

While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.

Reference


Test Dataset


version: 1


Aws createloginprofile

This search looks for AWS CloudTrail events where a user A (victim A) creates a login profile for user B, followed by an AWS Console login event from user B from the same src_ip as the CreateLoginProfile call. This correlated event can be indicative of privilege escalation, since both events happened from the same src_ip.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1136.003
  • Last Updated: 2021-03-02

Search

`cloudtrail` eventName = CreateLoginProfile | rename requestParameters.userName as new_login_profile | table src_ip eventName new_login_profile userName | join new_login_profile src_ip [ | search `cloudtrail` eventName = ConsoleLogin | rename userName as new_login_profile | stats count values(eventName) min(_time) as firstTime max(_time) as lastTime by eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn new_login_profile src_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`] | `aws_createloginprofile_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs.

Required field

  • _time
  • eventName
  • userAgent
  • errorCode
  • requestParameters.userName


ATT&CK

ID Technique Tactic
T1136.003 Cloud Account Persistence


Kill Chain Phase

  • Actions on Objectives


Known False Positives

While this search has no known false positives, it is possible that an AWS admin has legitimately created a login profile for another user.

Reference


Test Dataset


version: 1


Aws cross account activity from previously unseen account

This search looks for AssumeRole events where an IAM role in a different account is requested for the first time. The earlier version of this search is deprecated; this version has been translated to use the Authentication data model.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • ATT&CK:
  • Last Updated: 2020-05-28

Search

| tstats min(_time) as firstTime max(_time) as lastTime from datamodel=Authentication where Authentication.signature=AssumeRole by Authentication.vendor_account Authentication.user Authentication.src Authentication.user_role | `drop_dm_object_name(Authentication)` | rex field=user_role "arn:aws:sts:*:(?<dest_account>.*):" | where vendor_account != dest_account | rename vendor_account as requestingAccountId dest_account as requestedAccountId | lookup previously_seen_aws_cross_account_activity requestingAccountId, requestedAccountId, OUTPUTNEW firstTime | eval status = if(firstTime > relative_time(now(), "-24h@h"),"New Cross Account Activity","Previously Seen") | where status = "New Cross Account Activity" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_cross_account_activity_from_previously_unseen_account_filter`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen AWS Cross Account Activity - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen AWS Cross Account Activity - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `aws_cross_account_activity_from_previously_unseen_account_filter` macro.
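The logic of this search and its two baseline searches, as an added Python example that is not part of Splunk Security Content: the requested account is parsed out of the assumed-role ARN, same-account calls are dropped, and a dict stands in for the previously_seen_aws_cross_account_activity lookup (first and last seen time per account pair). All rows, account IDs and times are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Account ID inside an assumed-role ARN such as
# arn:aws:sts::222222222222:assumed-role/Deploy/session (the region field is empty).
ROLE_ARN_ACCOUNT = re.compile(r"^arn:aws:sts:[^:]*:(?P<dest_account>\d{12}):")


def requested_account(user_role):
    """The account whose role was assumed, or None if the ARN does not parse."""
    m = ROLE_ARN_ACCOUNT.match(user_role or "")
    return m.group("dest_account") if m else None


def observed_pairs(events):
    """(requestingAccountId, requestedAccountId) -> (firstTime, lastTime) in `events`.

    Same-account AssumeRole calls are dropped, like the search's
    `where vendor_account != dest_account`.
    """
    pairs = {}
    for ev in events:
        if ev.get("signature") != "AssumeRole":
            continue
        requesting, requested = ev.get("vendor_account"), requested_account(ev.get("user_role"))
        if requested is None or requested == requesting:
            continue
        key, ts = (requesting, requested), ev["_time"]
        first, last = pairs.get(key, (ts, ts))
        pairs[key] = (min(first, ts), max(last, ts))
    return pairs


def new_cross_account_activity(events, baseline, now, window=timedelta(hours=24)):
    """Rows the search would alert on: pairs first seen inside `window` before `now`.

    `baseline` stands in for the previously_seen_aws_cross_account_activity lookup:
    a known pair keeps its historical firstTime, an unknown pair gets the earliest
    time observed in `events`.
    """
    rows = []
    for key, (observed_first, observed_last) in observed_pairs(events).items():
        first_time = baseline[key][0] if key in baseline else observed_first
        if first_time > now - window:
            rows.append({"requestingAccountId": key[0], "requestedAccountId": key[1],
                         "firstTime": first_time, "lastTime": observed_last,
                         "status": "New Cross Account Activity"})
    return rows


def update_baseline(baseline, events, now, max_age=timedelta(days=90)):
    """What the `... - Update` baseline search is for: merge newly observed pairs
    into the lookup and age out pairs not seen for `max_age`."""
    merged = dict(baseline)
    for key, (first, last) in observed_pairs(events).items():
        old_first, old_last = merged.get(key, (first, last))
        merged[key] = (min(old_first, first), max(old_last, last))
    return {key: times for key, times in merged.items() if times[1] > now - max_age}


NOW = datetime(2021, 5, 28, 12, 0, tzinfo=timezone.utc)


def _row(hours_ago, account, role_arn, signature="AssumeRole"):
    """Constructed Authentication data model row (not real telemetry)."""
    return {"_time": NOW - timedelta(hours=hours_ago), "signature": signature,
            "vendor_account": account, "user": "deploy-bot", "src": "203.0.113.10",
            "user_role": role_arn}


SAMPLE_EVENTS = [
    _row(3, "111111111111", "arn:aws:sts::222222222222:assumed-role/Deploy/deploy-bot"),  # known pair
    _row(2, "111111111111", "arn:aws:sts::333333333333:assumed-role/Audit/deploy-bot"),   # never seen
    _row(1, "111111111111", "arn:aws:sts::111111111111:assumed-role/Local/deploy-bot"),   # same account
    _row(0.5, "111111111111", "arn:aws:sts::444444444444:assumed-role/X/y",
         signature="ConsoleLogin"),                                                      # not AssumeRole
]

# Lookup state as built by the `... - Initial` baseline search (constructed).
BASELINE = {("111111111111", "222222222222"): (NOW - timedelta(days=40), NOW - timedelta(days=1))}

if __name__ == "__main__":
    for row in new_cross_account_activity(SAMPLE_EVENTS, BASELINE, NOW):
        print(row)
```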

Required field

  • _time
  • Authentication.signature
  • Authentication.vendor_account
  • Authentication.user
  • Authentication.user_role
  • Authentication.src



Kill Chain Phase

  • Actions on Objectives


Known False Positives

Using multiple AWS accounts and roles is perfectly valid behavior. It's suspicious when an account requests privileges of an account it hasn't before. You should validate with the account owner that this is a legitimate request.

Reference

Test Dataset


version: 1


Aws detect users creating keys with encrypt policy without mfa

This search detects KMS keys whose key policy makes the kms:Encrypt action accessible to everyone, including principals outside your organization. This is an indicator that your account is compromised and that the attacker is using the encryption key to compromise another company.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1486
  • Last Updated: 2021-01-11

Search

`cloudtrail` eventName=CreateKey OR eventName=PutKeyPolicy | spath input=requestParameters.policy output=key_policy_statements path=Statement{} | mvexpand key_policy_statements | spath input=key_policy_statements output=key_policy_action_1 path=Action | spath input=key_policy_statements output=key_policy_action_2 path=Action{} | eval key_policy_action=mvappend(key_policy_action_1, key_policy_action_2) | spath input=key_policy_statements output=key_policy_principal path=Principal.AWS | search key_policy_action="kms:Encrypt" AND key_policy_principal="*" | stats count min(_time) as firstTime max(_time) as lastTime by eventName eventSource eventID awsRegion userIdentity.principalId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_detect_users_creating_keys_with_encrypt_policy_without_mfa_filter`
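The policy evaluation this search performs with `spath` and `mvexpand`, as an added Python example (not Splunk Security Content code) over constructed CloudTrail records. It goes slightly beyond the search: it also requires Effect=Allow, accepts the bare `"Principal": "*"` form, and matches IAM action wildcards such as `kms:*`, whereas the search matches the literal kms:Encrypt under Principal.AWS only.

```python
import json
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM policy grammar allows a scalar or a list for Statement, Action and Principal."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def aws_principals(principal):
    """Principal may be the bare string "*" or a map such as {"AWS": [...]}."""
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return _as_list(principal)


def action_matches(actions, wanted="kms:Encrypt"):
    """IAM Action values are case-insensitive and may contain * and ? wildcards,
    so "kms:*" and "*" also grant kms:Encrypt (the search matches the literal only)."""
    return any(fnmatchcase(wanted.lower(), str(a).lower()) for a in actions)


def statements_granting_public_encrypt(policy_doc):
    """Allow statements that let any AWS principal ("*") call kms:Encrypt."""
    hits = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        if (action_matches(_as_list(stmt.get("Action")))
                and "*" in aws_principals(stmt.get("Principal"))):
            hits.append(stmt)
    return hits


def detect_public_encrypt_keys(events):
    """One finding per CreateKey/PutKeyPolicy event whose policy is world-encryptable."""
    findings = []
    for ev in events:
        if ev.get("eventName") not in ("CreateKey", "PutKeyPolicy"):
            continue
        raw = ev.get("requestParameters", {}).get("policy")
        if not raw:
            continue                      # CreateKey without an explicit policy
        try:
            policy = json.loads(raw)
        except json.JSONDecodeError:
            continue                      # malformed policy string: nothing to evaluate
        hits = statements_granting_public_encrypt(policy)
        if hits:
            findings.append({
                "eventName": ev["eventName"], "eventSource": ev.get("eventSource"),
                "eventID": ev.get("eventID"), "awsRegion": ev.get("awsRegion"),
                "principalId": ev.get("userIdentity", {}).get("principalId"),
                "open_statements": len(hits),
            })
    return findings


def _event(event_id, name, principal_id, statement):
    """Constructed CloudTrail record; the key policy is a JSON string, as in CloudTrail."""
    return {"eventName": name, "eventSource": "kms.amazonaws.com", "eventID": event_id,
            "awsRegion": "us-east-1", "userIdentity": {"principalId": principal_id},
            "requestParameters": {"policy": json.dumps(
                {"Version": "2012-10-17", "Statement": statement})}}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    _event("evt-0001", "CreateKey", "AIDAEXAMPLEALICE",     # wildcard principal, list Action -> alert
           [{"Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": ["kms:Encrypt", "kms:GenerateDataKey"], "Resource": "*"}]),
    _event("evt-0002", "PutKeyPolicy", "AIDAEXAMPLEBOB",    # scoped to one account -> no alert
           {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "kms:Encrypt", "Resource": "*"}),
    _event("evt-0003", "PutKeyPolicy", "AIDAEXAMPLEALICE",  # bare "*" principal, kms:* action -> alert
           [{"Effect": "Allow", "Principal": "*", "Action": "kms:*", "Resource": "*"}]),
    _event("evt-0004", "PutKeyPolicy", "AIDAEXAMPLEBOB",    # Deny is not a grant -> no alert
           [{"Effect": "Deny", "Principal": "*", "Action": "kms:Encrypt", "Resource": "*"}]),
]

if __name__ == "__main__":
    for finding in detect_public_encrypt_keys(SAMPLE_EVENTS):
        print(finding)
```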

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs.

Required field

  • _time
  • eventName
  • eventSource
  • eventID
  • awsRegion
  • requestParameters.policy
  • userIdentity.principalId


ATT&CK

ID    | Technique                 | Tactic
T1486 | Data Encrypted for Impact | Impact


Kill Chain Phase

Known False Positives

unknown

Reference


Test Dataset


version: 1


Aws detect users with kms keys performing encryption s3

This search provides detection of users with KMS keys performing encryption specifically against S3 buckets.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1486
  • Last Updated: 2021-01-11

Search

`cloudtrail` eventName=CopyObject requestParameters.x-amz-server-side-encryption="aws:kms" | rename requestParameters.bucketName AS bucket_name, requestParameters.x-amz-copy-source AS src_file, requestParameters.key AS dest_file | stats count min(_time) as firstTime max(_time) as lastTime values(src_file) AS src_file values(dest_file) AS dest_file values(userAgent) AS userAgent values(region) AS region values(src) AS src by user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_detect_users_with_kms_keys_performing_encryption_s3_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs.

Required field

  • _time
  • eventName
  • requestParameters.x-amz-server-side-encryption
  • requestParameters.bucketName
  • requestParameters.x-amz-copy-source
  • requestParameters.key
  • userAgent
  • region


ATT&CK

ID    | Technique                 | Tactic
T1486 | Data Encrypted for Impact | Impact


Kill Chain Phase

Known False Positives

Buckets with S3 encryption enabled.

Reference


Test Dataset


version: 1


Aws excessive security scanning

This search looks at AWS CloudTrail events and counts the distinct eventNames beginning with Describe issued by a single user. A high count indicates that this user is scanning the configuration of your AWS cloud environment.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1526
  • Last Updated: 2021-04-13

Search

`cloudtrail` eventName=Describe* OR eventName=List* OR eventName=Get* | stats dc(eventName) as dc_events min(_time) as firstTime max(_time) as lastTime values(eventName) as eventName values(src) as src values(userAgent) as userAgent by user userIdentity.arn | where dc_events > 50 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_excessive_security_scanning_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs.

Required field

  • _time
  • eventName
  • src
  • userAgent
  • user
  • userIdentity.arn


ATT&CK

ID    | Technique               | Tactic
T1526 | Cloud Service Discovery | Discovery


Kill Chain Phase

  • Actions on Objectives


Known False Positives

This search has no known false positives.

Reference


Test Dataset


version: 1


Aws iam accessdenied discovery events

The following detection identifies excessive AccessDenied events within an hour timeframe. It is possible that an access key to AWS has been stolen and is being misused to perform discovery. In these instances the stolen key does not grant the access being attempted, so these AccessDenied events are generated.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Splunk Security Analytics for AWS
  • Datamodel:
  • ATT&CK: T1580
  • Last Updated: 2021-04-05

Search

`cloudtrail` (errorCode = "AccessDenied") user_type=IAMUser (userAgent!=*.amazonaws.com) | bucket _time span=1h | stats count as failures min(_time) as firstTime max(_time) as lastTime, dc(eventName) as methods, dc(eventSource) as sources values(userIdentity.arn) by src_ip, userIdentity.arn, _time | where failures >= 5 and methods >= 1 and sources >= 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_accessdenied_discovery_events_filter`

Associated Analytic Story


How To Implement

The Splunk Add-on for AWS and the Splunk App for AWS are required to utilize this data. The search requires AWS CloudTrail logs.

Required field

  • _time
  • eventName
  • eventSource
  • userAgent
  • errorCode
  • userIdentity.type


ATT&CK

ID    | Technique                      | Tactic
T1580 | Cloud Infrastructure Discovery | Discovery


Kill Chain Phase

  • Reconnaissance


Known False Positives

When first deployed, this detection will likely need to be tuned by source IP or user. In addition, raise the count thresholds to reduce false positives.

Reference


Test Dataset


version: 1


Aws iam assume role policy brute force

The following detection identifies malformed policy document exceptions with a status of `failure`. A malformed policy document exception occurs when roles are being assumed or brute forced. In a brute-force attempt using a tool like CloudSploit or Pacu, an attempt will look like `arn:aws:iam::111111111111:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS`; as the adversary tries to identify a valid role name, multiple failures will occur. This detection focuses on the errors of a failing remote attempt.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Splunk Security Analytics for AWS
  • Datamodel:
  • ATT&CK: T1580, T1110
  • Last Updated: 2021-04-01

Search

`cloudtrail` (errorCode=MalformedPolicyDocumentException) status=failure (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyName) as policy_name by src eventName eventSource aws_account_id errorCode requestParameters.policyDocument userAgent eventID awsRegion userIdentity.principalId user_arn | where count >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_assume_role_policy_brute_force_filter`

Associated Analytic Story


How To Implement

The Splunk Add-on for AWS and the Splunk App for AWS are required to utilize this data. The search requires AWS CloudTrail logs. Set the `where count` threshold to a value that identifies suspicious activity in your environment.
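The counting logic shared by this search and the preceding "Aws iam accessdenied discovery events" search, as an added Python example that is not Splunk Security Content code. One function covers both: with an hourly span and an IAMUser filter it reproduces the AccessDenied discovery search, and with no span it reproduces this brute-force search (simplified to group by source address and principal ARN). Raw CloudTrail field names are used where the searches rely on the add-on's aliases (sourceIPAddress for src/src_ip, userIdentity.type for user_type); all records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def is_aws_service_agent(user_agent):
    """Both searches drop AWS-internal callers with `userAgent!=*.amazonaws.com`."""
    return (user_agent or "").endswith(".amazonaws.com")


def bucket_start(ts, span):
    """Floor `ts` to the start of its `span`-sized bucket, as `bucket _time span=1h` does."""
    seconds = int(span.total_seconds())
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % seconds, tz=timezone.utc)


def failed_api_bursts(events, error_codes, min_failures, span=None, user_type=None):
    """Group failed calls by (sourceIPAddress, userIdentity.arn[, time bucket]) and
    return the groups with at least `min_failures` events.

    span=timedelta(hours=1), user_type="IAMUser" reproduces the AccessDenied
    discovery search; span=None reproduces the policy brute-force search, which
    counts over the whole search window. A present errorCode is what marks a
    CloudTrail record as a failure here (the search's status=failure).
    """
    groups = defaultdict(list)
    for ev in events:
        if ev.get("errorCode") not in error_codes:
            continue
        identity = ev.get("userIdentity", {})
        if user_type and identity.get("type") != user_type:
            continue
        if is_aws_service_agent(ev.get("userAgent")):
            continue
        bucket = bucket_start(ev["_time"], span) if span else None
        groups[(ev.get("sourceIPAddress"), identity.get("arn"), bucket)].append(ev)
    rows = []
    for (src, arn, bucket), evs in groups.items():
        if len(evs) < min_failures:
            continue
        times = [e["_time"] for e in evs]
        rows.append({"src": src, "arn": arn, "bucket": bucket, "failures": len(evs),
                     "methods": len({e.get("eventName") for e in evs}),    # dc(eventName)
                     "sources": len({e.get("eventSource") for e in evs}),  # dc(eventSource)
                     "firstTime": min(times), "lastTime": max(times)})
    return rows


def _event(hour, minute, name, source, error, src="198.51.100.7", agent="aws-cli/2.1.0",
           arn="arn:aws:iam::111111111111:user/ci-deploy"):
    """Constructed CloudTrail record (not real telemetry) on 2021-04-05."""
    return {"_time": datetime(2021, 4, 5, hour, minute, tzinfo=timezone.utc),
            "eventName": name, "eventSource": source, "errorCode": error,
            "sourceIPAddress": src, "userAgent": agent,
            "userIdentity": {"type": "IAMUser", "arn": arn}}


SAMPLE_EVENTS = [
    # six AccessDenied discovery calls from one key inside the 10:00 bucket
    _event(10, 5, "DescribeInstances", "ec2.amazonaws.com", "AccessDenied"),
    _event(10, 9, "DescribeSecurityGroups", "ec2.amazonaws.com", "AccessDenied"),
    _event(10, 14, "DescribeVpcs", "ec2.amazonaws.com", "AccessDenied"),
    _event(10, 22, "ListBuckets", "s3.amazonaws.com", "AccessDenied"),
    _event(10, 31, "ListBuckets", "s3.amazonaws.com", "AccessDenied"),
    _event(10, 50, "ListUsers", "iam.amazonaws.com", "AccessDenied"),
    # two more in the 11:00 bucket: below the threshold on their own
    _event(11, 2, "ListRoles", "iam.amazonaws.com", "AccessDenied"),
    _event(11, 10, "ListPolicies", "iam.amazonaws.com", "AccessDenied"),
    # an AWS service acting on the user's behalf is excluded by the userAgent filter
    _event(10, 20, "DescribeInstances", "ec2.amazonaws.com", "AccessDenied",
           agent="config.amazonaws.com"),
    # two malformed policy document attempts from another address (brute-force search)
    _event(10, 30, "CreatePolicy", "iam.amazonaws.com", "MalformedPolicyDocumentException",
           src="203.0.113.5", arn="arn:aws:iam::111111111111:user/contractor"),
    _event(10, 31, "CreatePolicy", "iam.amazonaws.com", "MalformedPolicyDocumentException",
           src="203.0.113.5", arn="arn:aws:iam::111111111111:user/contractor"),
]

if __name__ == "__main__":
    print(failed_api_bursts(SAMPLE_EVENTS, {"AccessDenied"}, 5, timedelta(hours=1), "IAMUser"))
    print(failed_api_bursts(SAMPLE_EVENTS, {"MalformedPolicyDocumentException"}, 2))
```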

Required field

  • _time
  • eventName
  • userAgent
  • errorCode
  • requestParameters.policyName


ATT&CK

ID    | Technique                      | Tactic
T1580 | Cloud Infrastructure Discovery | Discovery
T1110 | Brute Force                    | Credential Access


Kill Chain Phase

  • Reconnaissance


Known False Positives

This detection will require tuning to provide high-fidelity detection capabilities. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users.

Reference


Test Dataset


version: 1


Aws iam delete policy

The following detection identifies when a policy is deleted on AWS. It does not distinguish successful from failed attempts, but the error messages tell a story of suspicious attempts. There is a specific process to follow when deleting a policy. First, detach the policy from all users, groups, and roles that the policy is attached to, using DetachUserPolicy, DetachGroupPolicy, or DetachRolePolicy.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Splunk Security Analytics for AWS
  • Datamodel:
  • ATT&CK: T1098
  • Last Updated: 2021-04-01

Search

`cloudtrail` eventName=DeletePolicy (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policyArn by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId userIdentity.arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_delete_policy_filter`

Associated Analytic Story


How To Implement

The Splunk Add-on for AWS and the Splunk App for AWS are required to utilize this data. The search requires AWS CloudTrail logs.

Required field

  • _time
  • eventName
  • userAgent
  • errorCode
  • requestParameters.policyArn


ATT&CK

ID    | Technique            | Tactic
T1098 | Account Manipulation | Persistence


Kill Chain Phase

  • Actions on Objectives


Known False Positives

This detection will require tuning to provide high-fidelity detection capabilities. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete policies (least privilege). In addition, this may be saved separately and tuned for failed or successful attempts only.

Reference


Test Dataset


version: 1


Aws iam failure group deletion

This detection identifies failed attempts to delete groups. We want to identify when a group deletion is attempted but access is denied, there is a conflict, or the group does not exist. This is indicative of administrators performing an action, but could also be suspicious behavior. Review parallel IAM events - recently added users, new groups and so forth.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Splunk Security Analytics for AWS
  • Datamodel:
  • ATT&CK: T1098
  • Last Updated: 2021-04-01

Search

`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode IN (NoSuchEntityException,DeleteConflictException, AccessDenied) (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) as group_name by src eventName eventSource aws_account_id errorCode errorMessage userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_failure_group_deletion_filter`

Associated Analytic Story


How To Implement

The Splunk Add-on for AWS and the Splunk App for AWS are required to utilize this data. The search requires AWS CloudTrail logs.

Required field

  • _time
  • eventName
  • userAgent
  • errorCode
  • requestParameters.groupName


ATT&CK

ID    | Technique            | Tactic
T1098 | Account Manipulation | Persistence


Kill Chain Phase

  • Actions on Objectives


Known False Positives

This detection will require tuning to provide high-fidelity detection capabilities. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).

Reference


Test Dataset


version: 1


Aws iam successful group deletion

The following query uses IAM events to track the successful deletion of a group on AWS. This is typically not indicative of malicious behavior, but a precursor to additional events that may unfold. Review parallel IAM events - recently added users, new groups and so forth. Inversely, review failed attempts in a similar manner.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Splunk Security Analytics for AWS
  • Datamodel:
  • ATT&CK: T1069.003, T1098
  • Last Updated: 2021-03-31

Search

`cloudtrail` eventSource=iam.amazonaws.com eventName=DeleteGroup errorCode=success (userAgent!=*.amazonaws.com) | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.groupName) by src eventName eventSource errorCode user_agent awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_iam_successful_group_deletion_filter`

Associated Analytic Story


How To Implement

The Splunk Add-on for AWS and the Splunk App for AWS are required to utilize this data. The search requires AWS CloudTrail logs.

Required field

  • _time
  • eventName
  • userAgent
  • errorCode
  • requestParameters.groupName


ATT&CK

ID        | Technique            | Tactic
T1069.003 | Cloud Groups         | Discovery
T1098     | Account Manipulation | Persistence


Kill Chain Phase

  • Actions on Objectives


Known False Positives

This detection will require tuning to provide high-fidelity detection capabilities. Tune based on src addresses (corporate offices, VPN terminations) or by groups of users. Not every user with AWS access should have permission to delete groups (least privilege).

Reference


Test Dataset


version: 1


Aws network access control list created with all open ports

The search looks for AWS CloudTrail events to detect if any network ACLs were created with all the ports open to a specified CIDR.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1562.007
  • Last Updated: 2021-01-11

Search

`cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol=-1 | append [search `cloudtrail` eventName=CreateNetworkAclEntry OR eventName=ReplaceNetworkAclEntry requestParameters.ruleAction=allow requestParameters.egress=false requestParameters.aclProtocol!=-1 | eval port_range='requestParameters.portRange.to' - 'requestParameters.portRange.from' | where port_range>1024] | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userName userIdentity.principalId eventName requestParameters.ruleAction requestParameters.egress requestParameters.aclProtocol requestParameters.portRange.to requestParameters.portRange.from src userAgent requestParameters.cidrBlock | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_network_access_control_list_created_with_all_open_ports_filter`
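The two branches of this search (protocol -1, or a port range wider than 1024 ports) and its `stats ... by` grouping, as an added Python example over constructed CloudTrail records; this is not Splunk Security Content code, and userName is read from userIdentity.userName rather than the add-on's extracted field.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ACL_EVENTS = ("CreateNetworkAclEntry", "ReplaceNetworkAclEntry")


def _is_false(value):
    """CloudTrail JSON carries egress as a boolean; the search compares it as text."""
    return value is False or str(value).lower() == "false"


def is_wide_open_ingress_rule(event, max_span=1024):
    """The search's two branches: every protocol (aclProtocol=-1), or one protocol
    whose port range spans more than `max_span` ports. Egress rules are ignored."""
    if event.get("eventName") not in ACL_EVENTS:
        return False
    rp = event.get("requestParameters", {})
    if rp.get("ruleAction") != "allow" or not _is_false(rp.get("egress")):
        return False
    if str(rp.get("aclProtocol")) == "-1":
        return True
    port_range = rp.get("portRange") or {}
    try:
        span = int(port_range["to"]) - int(port_range["from"])
    except (KeyError, TypeError, ValueError):
        return False            # protocol-specific rule without a port range (e.g. ICMP)
    return span > max_span


def summarize_open_acl_rules(events):
    """Group hits as the search's `stats count min(_time) max(_time) by ...` does;
    missing fields become "" (the role of `fillnull` in the search)."""
    groups = defaultdict(list)
    for ev in events:
        if not is_wide_open_ingress_rule(ev):
            continue
        rp = ev.get("requestParameters", {})
        port_range = rp.get("portRange") or {}
        identity = ev.get("userIdentity", {})
        key = (identity.get("userName", ""), identity.get("principalId", ""),
               ev["eventName"], str(rp.get("aclProtocol", "")),
               str(port_range.get("from", "")), str(port_range.get("to", "")),
               rp.get("cidrBlock", ""))
        groups[key].append(ev["_time"])
    return [{"userName": k[0], "principalId": k[1], "eventName": k[2], "aclProtocol": k[3],
             "portFrom": k[4], "portTo": k[5], "cidrBlock": k[6],
             "count": len(ts), "firstTime": min(ts), "lastTime": max(ts)}
            for k, ts in groups.items()]


def _event(minutes_ago, name, protocol, egress=False, port_range=None, cidr="0.0.0.0/0"):
    """Constructed CloudTrail record (not real telemetry)."""
    rp = {"ruleAction": "allow", "egress": egress, "aclProtocol": protocol,
          "cidrBlock": cidr, "ruleNumber": 100}
    if port_range:
        rp["portRange"] = {"from": port_range[0], "to": port_range[1]}
    return {"_time": datetime(2021, 1, 11, 9, 0, tzinfo=timezone.utc) - timedelta(minutes=minutes_ago),
            "eventName": name, "eventSource": "ec2.amazonaws.com",
            "userIdentity": {"principalId": "AIDAEXAMPLEALICE", "userName": "alice"},
            "requestParameters": rp}


SAMPLE_EVENTS = [
    _event(30, "CreateNetworkAclEntry", "-1"),                         # all protocols, all ports -> hit
    _event(20, "ReplaceNetworkAclEntry", "6", port_range=(0, 65535)),  # TCP, 65535-port span -> hit
    _event(10, "CreateNetworkAclEntry", "6", port_range=(443, 443)),   # single port -> ignored
    _event(5, "CreateNetworkAclEntry", "-1", egress=True),             # egress rules are out of scope
]

if __name__ == "__main__":
    for row in summarize_open_acl_rules(SAMPLE_EVENTS):
        print(row)
```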

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS, version 4.4.0 or later, and configure your AWS CloudTrail inputs.

Required field

  • _time
  • eventName
  • requestParameters.ruleAction
  • requestParameters.egress
  • requestParameters.aclProtocol
  • requestParameters.portRange.to
  • requestParameters.portRange.from
  • requestParameters.cidrBlock
  • userName
  • userIdentity.principalId
  • userAgent


ATT&CK

ID        | Technique                         | Tactic
T1562.007 | Disable or Modify Cloud Firewall  | Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

It's possible that an admin has created this ACL with all ports open for some legitimate purpose; however, this should be scoped and not allowed in a production environment.

Reference

Test Dataset


version: 2


Aws network access control list deleted

Enforcing network-access controls is one of the defensive mechanisms used by cloud administrators to restrict access to a cloud instance. After the attacker has gained control of the AWS console by compromising an admin account, they can delete a network ACL and gain access to the instance from anywhere. This search will query the AWS CloudTrail logs to detect users deleting network ACLs.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1562.007
  • Last Updated: 2021-01-12

Search

`cloudtrail` eventName=DeleteNetworkAclEntry requestParameters.egress=false | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userName userIdentity.principalId eventName requestParameters.egress src userAgent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_network_access_control_list_deleted_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs.

Required field

  • _time
  • eventName
  • requestParameters.egress
  • userName
  • userIdentity.principalId
  • src
  • userAgent


ATT&CK

ID        | Technique                         | Tactic
T1562.007 | Disable or Modify Cloud Firewall  | Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

It's possible that a user has legitimately deleted a network ACL.

Reference

Test Dataset


version: 2


Aws saml access by provider user and principal

This search reports SAML access by service provider, user and targeted principal at AWS. It provides the specific information needed to detect abnormal access or potential credential hijack or forgery, especially in federated environments using the SAML protocol inside the perimeter or at the cloud provider.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078
  • Last Updated: 2021-01-26

Search

`cloudtrail` eventName=Assumerolewithsaml | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.principalArn requestParameters.roleArn requestParameters.roleSessionName recipientAccountId responseElements.issuer sourceIPAddress userAgent | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_saml_access_by_provider_user_and_principal_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs.

Required field

  • _time
  • eventName
  • requestParameters.principalArn
  • requestParameters.roleArn
  • requestParameters.roleSessionName
  • recipientAccountId
  • responseElements.issuer
  • sourceIPAddress
  • userAgent


ATT&CK

ID    | Technique      | Tactic
T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

Known False Positives

Attacks using a Golden SAML or SAML assertion hijacks or forgeries are very difficult to detect, as accessing cloud providers with these assertions looks exactly like normal access. However, the source IP (sourceIPAddress), user, and principal targeted at the receiving cloud provider, along with endpoint credential access and abuse detection searches, can provide the necessary context to detect these attacks.

Reference


Test Dataset


version: 1


Aws saml update identity provider

This search detects updates to a SAML provider in AWS. Updates to a SAML provider need to be monitored closely, as they may indicate a perimeter compromise of federated credentials or backdoor access from another cloud provider set up by an attacker.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078
  • Last Updated: 2021-01-26

Search

`cloudtrail` eventName=UpdateSAMLProvider | stats count min(_time) as firstTime max(_time) as lastTime by eventType eventName requestParameters.sAMLProviderArn userIdentity.sessionContext.sessionIssuer.arn sourceIPAddress userIdentity.accessKeyId userIdentity.principalId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_saml_update_identity_provider_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs.

Required field

  • _time
  • eventName
  • eventType
  • requestParameters.sAMLProviderArn
  • userIdentity.sessionContext.sessionIssuer.arn
  • sourceIPAddress
  • userIdentity.accessKeyId
  • userIdentity.principalId


ATT&CK

ID    | Technique      | Tactic
T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

Known False Positives

Updating a SAML provider or creating a new one may not necessarily be malicious; however, it needs to be closely monitored.

Reference


Test Dataset


version: 1


Aws setdefaultpolicyversion

This search looks for AWS CloudTrail events where a user has set a default policy version. Attackers have been known to use this technique for privilege escalation when a previous version of the policy had permissions to access more resources than the current version of the policy.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.004
  • Last Updated: 2021-03-02

Search

`cloudtrail` eventName=SetDefaultPolicyVersion eventSource = iam.amazonaws.com | stats count min(_time) as firstTime max(_time) as lastTime values(requestParameters.policyArn) as policy_arn by src requestParameters.versionId eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userIdentity.principalId user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_setdefaultpolicyversion_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs.

Required field

  • _time
  • eventName
  • userAgent
  • errorCode
  • requestParameters.userName
  • eventSource


ATT&CK

ID        | Technique      | Tactic
T1078.004 | Cloud Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

While this search has no known false positives, it is possible that an AWS admin has legitimately set a default policy to allow a user to access all resources. That said, AWS strongly advises against granting full control to all AWS resources.

Reference


Test Dataset


version: 1


Aws updateloginprofile

This search looks for AWS CloudTrail events where a user A, who already has permission to update login profiles, makes an API call to update the login profile of another user B. Attackers have been known to use this technique for privilege escalation when the new victim (user B) has more permissions than the old victim (user A).

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1136.003
  • Last Updated: 2021-03-02

Search

`cloudtrail` eventName = UpdateLoginProfile userAgent !=console.amazonaws.com errorCode = success | search userName!=requestParameters.userName | stats count min(_time) as firstTime max(_time) as lastTime by requestParameters.userName src eventName eventSource aws_account_id errorCode userAgent eventID awsRegion userName user_arn | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`aws_updateloginprofile_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs.

Required field

  • _time
  • eventName
  • userAgent
  • errorCode
  • requestParameters.userName


ATT&CK

ID        | Technique     | Tactic
T1136.003 | Cloud Account | Persistence


Kill Chain Phase

  • Actions on Objectives


Known False Positives

While this search has no known false positives, it is possible that an AWS admin has legitimately created keys for another user.

Reference


Test Dataset


version: 1


Abnormally high number of cloud infrastructure api calls

This search will detect a spike in the number of API calls made to your cloud infrastructure environment by a user.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078.004
  • Last Updated: 2020-09-07

Search

| tstats count as api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.user!=unknown All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_api_calls_v1 threshold=0.005 | rename "IsOutlier(api_calls)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | where api_calls > expected_upper_threshold | eval distance_from_threshold = api_calls - expected_upper_threshold | table _time, user, command, api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_infrastructure_api_calls_filter`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Infrastructure API Calls Per User` to create the probability density function.

Required field

  • _time
  • All_Changes.command
  • All_Changes.user
  • All_Changes.status


ATT&CK

ID        | Technique      | Tactic
T1078.004 | Cloud Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Reference

Test Dataset


version: 1


Abnormally high number of cloud instances destroyed

This search counts the number of successfully destroyed cloud instances in every 4-hour block, split between weekdays and the weekend. It then applies the probability density model previously created and alerts on any outliers.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078.004
  • Last Updated: 2020-08-21

Search

| tstats count as instances_destroyed values(All_Changes.object_id) as object_id from datamodel=Change where All_Changes.action=deleted AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_destroyed_v1] | where cardinality >=16 | apply cloud_excessive_instances_destroyed_v1 threshold=0.005 | rename "IsOutlier(instances_destroyed)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | eval distance_from_threshold = instances_destroyed - expected_upper_threshold | table _time, user, instances_destroyed, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_destroyed_filter`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Destroyed` to create the probability density function.

Required field

  • _time
  • All_Changes.object_id
  • All_Changes.action
  • All_Changes.status
  • All_Changes.object_category
  • All_Changes.user


ATT&CK

ID        | Technique      | Tactic
T1078.004 | Cloud Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Many service accounts configured within a cloud infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.

Reference

Test Dataset

version: 1


Abnormally high number of cloud instances launched

This search counts the number of successfully created cloud instances in every 4-hour block, split between weekdays and the weekend. It then applies the probability density model previously created and alerts on any outliers.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078.004
  • Last Updated: 2020-08-21

Search

| tstats count as instances_launched values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=created) AND All_Changes.status=success AND All_Changes.object_category=instance by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join HourOfDay isWeekend [summary cloud_excessive_instances_created_v1] | where cardinality >=16 | apply cloud_excessive_instances_created_v1 threshold=0.005 | rename "IsOutlier(instances_launched)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | eval distance_from_threshold = instances_launched - expected_upper_threshold | table _time, user, instances_launched, expected_upper_threshold, distance_from_threshold, object_id | `abnormally_high_number_of_cloud_instances_launched_filter`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Instances Launched` to create the probability density function.

Required field

  • _time
  • All_Changes.object_id
  • All_Changes.action
  • All_Changes.status
  • All_Changes.object_category
  • All_Changes.user


ATT&CK

ID        | Technique      | Tactic
T1078.004 | Cloud Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Many service accounts configured within an AWS infrastructure are known to exhibit this behavior. Please adjust the threshold values and filter out service accounts from the output. Always verify if this search alerted on a human user.

Reference

Test Dataset

version: 2


Abnormally high number of cloud security group api calls

This search will detect a spike in the number of API calls made to your cloud infrastructure environment about security groups by a user.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078.004
  • Last Updated: 2020-09-07

Search

| tstats count as security_group_api_calls values(All_Changes.command) as command from datamodel=Change where All_Changes.object_category=firewall AND All_Changes.status=success by All_Changes.user _time span=1h | `drop_dm_object_name("All_Changes")` | eval HourOfDay=strftime(_time, "%H") | eval HourOfDay=floor(HourOfDay/4)*4 | eval DayOfWeek=strftime(_time, "%w") | eval isWeekend=if(DayOfWeek >= 1 AND DayOfWeek <= 5, 0, 1) | join user HourOfDay isWeekend [ summary cloud_excessive_security_group_api_calls_v1] | where cardinality >=16 | apply cloud_excessive_security_group_api_calls_v1 threshold=0.005 | rename "IsOutlier(security_group_api_calls)" as isOutlier | where isOutlier=1 | eval expected_upper_threshold = mvindex(split(mvindex(BoundaryRanges, -1), ":"), 0) | where security_group_api_calls > expected_upper_threshold | eval distance_from_threshold = security_group_api_calls - expected_upper_threshold | table _time, user, command, security_group_api_calls, expected_upper_threshold, distance_from_threshold | `abnormally_high_number_of_cloud_security_group_api_calls_filter`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs. You also must run the baseline search `Baseline Of Cloud Security Group API Calls Per User` to create the probability density function model.

Required field

  • _time
  • All_Changes.command
  • All_Changes.object_category
  • All_Changes.status
  • All_Changes.user


ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Reference

Test Dataset


version: 1


Amazon eks kubernetes pod scan detection

This search provides detection information on unauthenticated requests against the Kubernetes Pods API.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1526
  • Last Updated: 2020-04-15

Search

`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" verb=list objectRef.resource=pods requestURI="/api/v1/pods" | rename source as cluster_name sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI) by src_ip cluster_name user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `amazon_eks_kubernetes_pod_scan_detection_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudWatch EKS Logs. Please also customize the `kubernetes_pods_aws_scan_fingerprint_detection` macro to filter out the false positives.

Required field

  • _time
  • user.username
  • verb
  • objectRef.resource
  • requestURI
  • source
  • sourceIPs{}
  • responseStatus.reason
  • responseStatus.code
  • userAgent
  • src_ip
  • user.groups{}


ATT&CK

ID Technique Tactic
T1526 Cloud Service Discovery Discovery


Kill Chain Phase

  • Reconnaissance


Known False Positives

Not all unauthenticated requests are malicious, but request frequency, user agent, source IPs, and direct requests to the API provide context.

Reference

Test Dataset

version: 1


Amazon eks kubernetes cluster scan detection

This search provides information on unauthenticated requests, by user agent and authentication data, against Kubernetes clusters in AWS.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1526
  • Last Updated: 2020-04-15

Search

`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" userAgent!="AWS Security Scanner" | rename sourceIPs{} as src_ip | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI) by src_ip user.username user.groups{} | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` |`amazon_eks_kubernetes_cluster_scan_detection_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your CloudWatch EKS Logs inputs.

Required field

  • _time
  • user.username
  • userAgent
  • sourceIPs{}
  • responseStatus.reason
  • source
  • responseStatus.code
  • verb
  • requestURI
  • src_ip
  • user.groups{}


ATT&CK

ID Technique Tactic
T1526 Cloud Service Discovery Discovery


Kill Chain Phase

  • Reconnaissance


Known False Positives

Not all unauthenticated requests are malicious, but request frequency, user agent, and source IPs will provide context.

Reference

Test Dataset

version: 1


Cloud api calls from previously unseen user roles

This search looks for new commands from each user role.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078
  • Last Updated: 2020-09-04

Search

| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where All_Changes.user_type=AssumedRole AND All_Changes.status=success by All_Changes.user, All_Changes.command All_Changes.object | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_api_calls_per_user_role user as user, command as command OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUserApiCall=min(firstTimeSeen) | where isnull(firstTimeSeenUserApiCall) OR firstTimeSeenUserApiCall > relative_time(now(),"-24h@h") | table firstTime, user, object, command |`security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cloud_api_calls_from_previously_unseen_user_roles_filter`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud API Calls Per User Role - Initial` to build the initial table of user roles, commands, and times. You must also enable the second baseline search `Previously Seen Cloud API Calls Per User Role - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `cloud_api_calls_from_previously_unseen_user_roles_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_api_calls_from_previously_unseen_user_roles_filter` macro.

Required field

  • _time
  • All_Changes.user
  • All_Changes.user_type
  • All_Changes.status
  • All_Changes.command
  • All_Changes.object


ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

Known False Positives


Reference

Test Dataset


version: 1


Cloud compute instance created by previously unseen user

This search looks for cloud compute instances created by users who have not created them before.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078.004
  • Last Updated: 2020-08-21

Search

| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object) as dest from datamodel=Change where All_Changes.action=created by All_Changes.user All_Changes.vendor_region | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_compute_creations_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h") | table firstTime, user, dest, count vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_by_previously_unseen_user_filter`

Associated Analytic Story


How To Implement

You must be ingesting the appropriate cloud-infrastructure logs. Run the "Previously Seen Cloud Compute Creations By User" support search to create a baseline of previously seen users.

Required field

  • _time
  • All_Changes.object
  • All_Changes.action
  • All_Changes.user
  • All_Changes.vendor_region


ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

Known False Positives

It's possible that a user will start to create compute instances for the first time, for any number of reasons. Verify with the user launching instances that this is the intended behavior.

Reference

Test Dataset


version: 1


Cloud compute instance created in previously unused region

This search looks at cloud-infrastructure events where an instance is created in any region within the last hour and then compares it to a lookup file of previously seen regions where instances have been created.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1535
  • Last Updated: 2020-09-02

Search

| tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.vendor_region, All_Changes.user | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_regions vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), "-24h@h") | table firstTime, user, dest, count , vendor_region | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_in_previously_unused_region_filter`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Regions - Initial` to build the initial table of regions observed and times. You must also enable the second baseline search `Previously Seen Cloud Regions - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_in_previously_unused_region_filter` macro.

Required field

  • _time
  • All_Changes.object_id
  • All_Changes.action
  • All_Changes.vendor_region
  • All_Changes.user


ATT&CK

ID Technique Tactic
T1535 Unused/Unsupported Cloud Regions Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

It's possible that a user has unknowingly started an instance in a new region. Please verify that this activity is legitimate.

Reference

Test Dataset


version: 1


Cloud compute instance created with previously unseen image

This search looks for cloud compute instances being created with previously unseen image IDs.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK:
  • Last Updated: 2018-10-12

Search

| tstats count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.image_id, All_Changes.user | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")` | where image_id != "unknown" | lookup previously_seen_cloud_compute_images image_id as image_id OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenImage=min(firstTimeSeen) | where isnull(firstTimeSeenImage) OR firstTimeSeenImage > relative_time(now(), "-24h@h") | table firstTime, user, image_id, count, dest | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_image_filter`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Images - Initial` to build the initial table of images observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Images - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_image_filter` macro.

Required field

  • _time
  • All_Changes.object_id
  • All_Changes.action
  • All_Changes.Instance_Changes.image_id
  • All_Changes.user



Kill Chain Phase

Known False Positives

After a new image is created, the first systems created with that image will cause this alert to fire. Verify that the image being used was created by a legitimate user.

Reference

Test Dataset


version: 1


Cloud compute instance created with previously unseen instance type

Find EC2 instances being created with previously unseen instance types.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK:
  • Last Updated: 2020-09-12

Search

| tstats earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest, count from datamodel=Change where All_Changes.action=created by All_Changes.Instance_Changes.instance_type, All_Changes.user | `drop_dm_object_name("All_Changes")` | `drop_dm_object_name("Instance_Changes")` | where instance_type != "unknown" | lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenInstanceType=min(firstTimeSeen) | where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), "-24h@h") | table firstTime, user, dest, count, instance_type | `security_content_ctime(firstTime)` | `cloud_compute_instance_created_with_previously_unseen_instance_type_filter`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Compute Instance Types - Initial` to build the initial table of instance types observed and times. You must also enable the second baseline search `Previously Seen Cloud Compute Instance Types - Update` to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the `cloud_compute_instance_created_with_previously_unseen_instance_type_filter` macro.

Required field

  • _time
  • All_Changes.object_id
  • All_Changes.action
  • All_Changes.Instance_Changes.instance_type
  • All_Changes.user



Kill Chain Phase

Known False Positives

It is possible that an admin will create a new system using a new instance type that has never been used before. Verify with the creator that they intended to create the system with the new instance type.

Reference

Test Dataset


version: 1


Cloud instance modified by previously unseen user

This search looks for cloud instances being modified by users who have not previously modified them.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078.004
  • Last Updated: 2020-07-29

Search

| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as object_id values(All_Changes.command) as command from datamodel=Change where All_Changes.action=modified All_Changes.change_type=EC2 All_Changes.status=success by All_Changes.user | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_instance_modifications_by_user user as user OUTPUTNEW firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenUser=min(firstTimeSeen) | where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h") | table firstTime user command object_id count | `security_content_ctime(firstTime)` | `cloud_instance_modified_by_previously_unseen_user_filter`

Associated Analytic Story


How To Implement

This search has a dependency on other searches to create and update a baseline of users observed to be associated with this activity. The search "Previously Seen Cloud Instance Modifications By User - Update" should be enabled for this detection to properly work.

Required field

  • _time
  • All_Changes.object_id
  • All_Changes.command
  • All_Changes.action
  • All_Changes.change_type
  • All_Changes.status
  • All_Changes.user


ATT&CK

ID Technique Tactic
T1078.004 Cloud Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

Known False Positives

It's possible that a new user will start to modify EC2 instances when they haven't before for any number of reasons. Verify with the user that is modifying instances that this is the intended behavior.

Reference

Test Dataset


version: 1


Cloud provisioning activity from previously unseen city

This search looks for cloud provisioning activities from previously unseen cities. Provisioning activities are defined broadly as any event that runs or creates something.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078
  • Last Updated: 2020-10-09

Search

| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name("All_Changes")` | iplocation src | where isnotnull(City) | lookup previously_seen_cloud_provisioning_activity_sources City as City OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCity=min(firstTimeSeen) | where isnull(firstTimeSeenCity) OR firstTimeSeenCity > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, City, user, object, command | `cloud_provisioning_activity_from_previously_unseen_city_filter` | `security_content_ctime(firstTime)`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_city_filter` macro.

Required field

  • _time
  • All_Changes.action
  • All_Changes.status
  • All_Changes.src
  • All_Changes.user
  • All_Changes.object
  • All_Changes.command


ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.

This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.

Reference

Test Dataset


version: 1


Cloud provisioning activity from previously unseen country

This search looks for cloud provisioning activities from previously unseen countries. Provisioning activities are defined broadly as any event that runs or creates something.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078
  • Last Updated: 2020-10-09

Search

| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name("All_Changes")` | iplocation src | where isnotnull(Country) | lookup previously_seen_cloud_provisioning_activity_sources Country as Country OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenCountry=min(firstTimeSeen) | where isnull(firstTimeSeenCountry) OR firstTimeSeenCountry > relative_time(now(), "-24h@h") | table firstTime, src, Country, user, object, command | `cloud_provisioning_activity_from_previously_unseen_country_filter` | `security_content_ctime(firstTime)`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_country_filter` macro.

Required field

  • _time
  • All_Changes.action
  • All_Changes.status
  • All_Changes.src
  • All_Changes.user
  • All_Changes.object
  • All_Changes.command


ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.

This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.

Reference

Test Dataset


version: 1


Cloud provisioning activity from previously unseen ip address

This search looks for cloud provisioning activities from previously unseen IP addresses. Provisioning activities are defined broadly as any event that runs or creates something.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078
  • Last Updated: 2020-08-16

Search

| tstats earliest(_time) as firstTime, latest(_time) as lastTime, values(All_Changes.object_id) as object_id from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.command | `drop_dm_object_name("All_Changes")` | lookup previously_seen_cloud_provisioning_activity_sources src as src OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenSrc=min(firstTimeSeen) | where isnull(firstTimeSeenSrc) OR firstTimeSeenSrc > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, user, object_id, command | `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` | `security_content_ctime(firstTime)`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_ip_address_filter` macro.

Required field

  • _time
  • All_Changes.object_id
  • All_Changes.action
  • All_Changes.status
  • All_Changes.src
  • All_Changes.user
  • All_Changes.command


ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.

This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.

Reference

Test Dataset


version: 1


Cloud provisioning activity from previously unseen region

This search looks for cloud provisioning activities from previously unseen regions. Provisioning activities are defined broadly as any event that runs or creates something.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078
  • Last Updated: 2020-08-16

Search

| tstats earliest(_time) as firstTime, latest(_time) as lastTime from datamodel=Change where (All_Changes.action=started OR All_Changes.action=created) All_Changes.status=success by All_Changes.src, All_Changes.user, All_Changes.object, All_Changes.command | `drop_dm_object_name("All_Changes")` | iplocation src | where isnotnull(Region) | lookup previously_seen_cloud_provisioning_activity_sources Region as Region OUTPUT firstTimeSeen, enough_data | eventstats max(enough_data) as enough_data | where enough_data=1 | eval firstTimeSeenRegion=min(firstTimeSeen) | where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`) | table firstTime, src, Region, user, object, command | `cloud_provisioning_activity_from_previously_unseen_region_filter` | `security_content_ctime(firstTime)`

Associated Analytic Story


How To Implement

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search `Previously Seen Cloud Provisioning Activity Sources - Initial` to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search `Previously Seen Cloud Provisioning Activity Sources - Update` to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the `previously_unseen_cloud_provisioning_activity_window` macro. You can also provide additional filtering for this search by customizing the `cloud_provisioning_activity_from_previously_unseen_region_filter` macro.

Required field

  • _time
  • All_Changes.action
  • All_Changes.status
  • All_Changes.src
  • All_Changes.user
  • All_Changes.object
  • All_Changes.command


ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it will accurately reflect the first occurrence in the time period you're searching within, plus what is stored in the cache feature. But while there are really no "false positives" in a traditional sense, there is definitely lots of noise.

This search will fire any time a new IP address is seen in the **GeoIP** database for any kind of provisioning activity. If you typically do all provisioning from tools inside of your country, there should be few false positives. If you are located in countries where the free version of **MaxMind GeoIP** that ships by default with Splunk has weak resolution (particularly small countries in less economically powerful regions), this may be much less valuable to you.

Reference

Test Dataset


version: 1


Detect aws console login by new user

This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • ATT&CK:
  • Last Updated: 2020-05-28

Search

| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user | `drop_dm_object_name(Authentication)` | inputlookup append=t previously_seen_users_console_logins | stats min(firstTime) as firstTime max(lastTime) as lastTime by user | eval userStatus=if(firstTime >=relative_time(now(),"-24h@h"), "First Time Logging into AWS Console", "Previously Seen User") |where userStatus="First Time Logging into AWS Console" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_aws_console_login_by_new_user_filter`

Associated Analytic Story


How To Implement

You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines.

Required field

  • _time
  • Authentication.signature
  • Authentication.user



Kill Chain Phase

  • Actions on Objectives


Known False Positives

When a legitimate new user logs in for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.

Reference

Test Dataset


version: 1


Detect aws console login by user from new city

This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • ATT&CK: T1535
  • Last Updated: 2020-10-07

Search

| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | table firstTime lastTime user City | join user type=outer [ | inputlookup previously_seen_users_console_logins | stats earliest(firstTime) AS earliestseen by user City | fields earliestseen user City] | eval userCity=if(firstTime >= relative_time(now(), "-24h@h"), "New City","Previously Seen City") | eval userStatus=if(earliestseen >= relative_time(now(), "-24h@h") OR isnull(earliestseen), "New User","Old User") | where userCity = "New City" AND userStatus != "Old User" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user City userStatus userCity | `detect_aws_console_login_by_user_from_new_city_filter`

Associated Analytic Story


How To Implement

You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_city_filter` macro.

Required field

  • _time
  • Authentication.signature
  • Authentication.user
  • Authentication.src


ATT&CK

ID Technique Tactic
T1535 Unused/Unsupported Cloud Regions Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

When a legitimate new user logs in for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.

Reference

Test Dataset


version: 1


Detect aws console login by user from new country

This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • ATT&CK: T1535
  • Last Updated: 2020-10-07

Search

| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | table firstTime lastTime user Country | join user type=outer [ | inputlookup previously_seen_users_console_logins | stats earliest(firstTime) AS earliestseen by user Country | fields earliestseen user Country] | eval userCountry=if(firstTime >= relative_time(now(), "-24h@h"), "New Country","Previously Seen Country") | eval userStatus=if(earliestseen >= relative_time(now(),"-24h@h") OR isnull(earliestseen), "New User","Old User") | where userCountry = "New Country" AND userStatus != "Old User" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user Country userStatus userCountry | `detect_aws_console_login_by_user_from_new_country_filter`

Associated Analytic Story


How To Implement

You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_country_filter` macro.

Required field

  • _time
  • Authentication.signature
  • Authentication.user
  • Authentication.src


ATT&CK

ID Technique Tactic
T1535 Unused/Unsupported Cloud Regions Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

When a legitimate new user logs in for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.

Reference

Test Dataset


version: 1


Detect aws console login by user from new region

This search looks for AWS CloudTrail events wherein a console login event by a user was recorded within the last hour, then compares the event to a lookup file of previously seen users (by ARN values) who have logged into the console. The alert is fired if the user has logged into the console for the first time within the last hour.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • ATT&CK: T1535
  • Last Updated: 2020-10-07

Search

| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src | iplocation Authentication.src | `drop_dm_object_name(Authentication)` | table firstTime lastTime user Region | join user type=outer [ | inputlookup previously_seen_users_console_logins | stats earliest(firstTime) AS earliestseen by user Region | fields earliestseen user Region] | eval userRegion=if(firstTime >= relative_time(now(), "-24h@h"), "New Region","Previously Seen Region") | eval userStatus=if(earliestseen >= relative_time(now(), "-24h@h") OR isnull(earliestseen), "New User","Old User") | where userRegion = "New Region" AND userStatus != "Old User" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table firstTime lastTime user Region userStatus userRegion | `detect_aws_console_login_by_user_from_new_region_filter`

Associated Analytic Story


How To Implement

You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the `Previously Seen Users in AWS CloudTrail - Initial` support search only once to create a baseline of previously seen IAM users within the last 30 days. Run `Previously Seen Users in AWS CloudTrail - Update` hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the `detect_aws_console_login_by_user_from_new_region_filter` macro.

Required field

  • _time
  • Authentication.signature
  • Authentication.user
  • Authentication.src


ATT&CK

ID Technique Tactic
T1535 Unused/Unsupported Cloud Regions Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

When a legitimate new user logs in for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.

Reference

Test Dataset


version: 1


Detect gcp storage access from a new ip

This search looks at GCP Storage bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed a GCP Storage bucket.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1530
  • Last Updated: 2020-08-10

Search

`google_gcp_pubsub_message` | multikv | rename sc_status_ as status | rename cs_object_ as bucket_name | rename c_ip_ as remote_ip | rename cs_uri_ as request_uri | rename cs_method_ as operation | search status="\"200\"" | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip operation request_uri | table firstTime, lastTime, bucket_name, remote_ip, operation, request_uri | inputlookup append=t previously_seen_gcp_storage_access_from_remote_ip.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip operation request_uri | outputlookup previously_seen_gcp_storage_access_from_remote_ip.csv | eval newIP=if(firstTime >= relative_time(now(),"-70m@m"), 1, 0) | where newIP=1 | eval first_time=strftime(firstTime,"%m/%d/%y %H:%M:%S") | eval last_time=strftime(lastTime,"%m/%d/%y %H:%M:%S") | table first_time last_time bucket_name remote_ip operation request_uri | `detect_gcp_storage_access_from_a_new_ip_filter`

Associated Analytic Story


How To Implement

This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview). In order to capture public GCP Storage Bucket access logs, you must also enable storage bucket logging to your PubSub Topic as per https://cloud.google.com/storage/docs/access-logs. These logs are deposited into the nominated Storage Bucket on an hourly basis and typically show up by 15 minutes past the hour. It is recommended to configure any saved searches or correlation searches in Enterprise Security to run on an hourly basis at 30 minutes past the hour (cron definition of 30 * * * *). A lookup table (previously_seen_gcp_storage_access_from_remote_ip.csv) stores the previously seen access requests, and is used by this search to determine any newly seen IP addresses accessing the Storage Buckets.

Required field

  • _time
  • sc_status_
  • cs_object_
  • c_ip_
  • cs_uri_
  • cs_method_


ATT&CK

ID Technique Tactic
T1530 Data from Cloud Storage Object Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

GCP Storage buckets can be accessed from any IP (if the ACLs are open to allow it), as long as it can make a successful connection. This will be a false positive, since the search is looking for a new IP within the past two hours.

Reference

Test Dataset

version: 1


Detect new open gcp storage buckets

This search looks for GCP PubSub events where a user has created an open/public GCP Storage bucket.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1530
  • Last Updated: 2020-08-05

Search

`google_gcp_pubsub_message` data.resource.type=gcs_bucket data.protoPayload.methodName=storage.setIamPermissions | spath output=action path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action | spath output=user path=data.protoPayload.authenticationInfo.principalEmail | spath output=location path=data.protoPayload.resourceLocation.currentLocations{} | spath output=src path=data.protoPayload.requestMetadata.callerIp | spath output=bucketName path=data.protoPayload.resourceName | spath output=role path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role | spath output=member path=data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member | search (member=allUsers AND action=ADD) | table _time, bucketName, src, user, location, action, role, member | search `detect_new_open_gcp_storage_buckets_filter`

Associated Analytic Story


How To Implement

This search relies on the Splunk Add-on for Google Cloud Platform, setting up a Cloud Pub/Sub input, along with the relevant GCP PubSub topics and logging sink to capture GCP Storage Bucket events (https://cloud.google.com/logging/docs/routing/overview).

Required field

  • _time
  • data.resource.type
  • data.protoPayload.methodName
  • data.protoPayload.serviceData.policyDelta.bindingDeltas{}.action
  • data.protoPayload.authenticationInfo.principalEmail
  • data.protoPayload.resourceLocation.currentLocations{}
  • data.protoPayload.requestMetadata.callerIp
  • data.protoPayload.resourceName
  • data.protoPayload.serviceData.policyDelta.bindingDeltas{}.role
  • data.protoPayload.serviceData.policyDelta.bindingDeltas{}.member


ATT&CK

ID Technique Tactic
T1530 Data from Cloud Storage Object Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

While this search has no known false positives, it is possible that a GCP admin has legitimately created a public bucket for a specific purpose. That said, GCP strongly advises against granting full control to the "allUsers" group.

Reference

Test Dataset

version: 1


Detect new open s3 buckets over aws cli

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket over the aws cli.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1530
  • Last Updated: 2021-01-12

Search

`cloudtrail` eventSource="s3.amazonaws.com" eventName=PutBucketAcl OR requestParameters.accessControlList.x-amz-grant-read-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-write-acp IN ("*AuthenticatedUsers","*AllUsers") OR requestParameters.accessControlList.x-amz-grant-full-control IN ("*AuthenticatedUsers","*AllUsers") | rename requestParameters.bucketName AS bucketName | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by userName userIdentity.principalId userAgent bucketName requestParameters.accessControlList.x-amz-grant-read requestParameters.accessControlList.x-amz-grant-read-acp requestParameters.accessControlList.x-amz-grant-write requestParameters.accessControlList.x-amz-grant-write-acp requestParameters.accessControlList.x-amz-grant-full-control | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_over_aws_cli_filter`

Associated Analytic Story


How To Implement

Required field

  • _time
  • eventSource
  • eventName
  • requestParameters.accessControlList.x-amz-grant-read-acp
  • requestParameters.accessControlList.x-amz-grant-write
  • requestParameters.accessControlList.x-amz-grant-write-acp
  • requestParameters.accessControlList.x-amz-grant-full-control
  • requestParameters.bucketName
  • userName
  • userIdentity.principalId
  • userAgent
  • bucketName


ATT&CK

ID Technique Tactic
T1530 Data from Cloud Storage Object Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the "All Users" group.

Reference

Test Dataset


version: 1


Detect new open s3 buckets

This search looks for AWS CloudTrail events where a user has created an open/public S3 bucket.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1530
  • Last Updated: 2021-01-12

Search

`cloudtrail` eventSource=s3.amazonaws.com eventName=PutBucketAcl | rex field=_raw "(?<json_field>{.+})" | spath input=json_field output=grantees path=requestParameters.AccessControlPolicy.AccessControlList.Grant{} | search grantees=* | mvexpand grantees | spath input=grantees output=uri path=Grantee.URI | spath input=grantees output=permission path=Permission | search uri IN ("http://acs.amazonaws.com/groups/global/AllUsers","http://acs.amazonaws.com/groups/global/AuthenticatedUsers") | search permission IN ("READ","READ_ACP","WRITE","WRITE_ACP","FULL_CONTROL") | rename requestParameters.bucketName AS bucketName | stats count min(_time) as firstTime max(_time) as lastTime by userName userIdentity.principalId userAgent uri permission bucketName | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_new_open_s3_buckets_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk.
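The two public-bucket searches above ("Detect new open gcp storage buckets" and "Detect new open s3 buckets") both walk a nested audit event and flag grants to a public principal. The following Python is an added example, not code from Splunk Security Content, that applies the same checks to a single CloudTrail `PutBucketAcl` event and a single GCP `storage.setIamPermissions` Pub/Sub message. The two sample events are constructed for this example (bucket names, account IDs and e-mail addresses are placeholders), and the GCP check also treats `allAuthenticatedUsers` as public, which goes beyond the search's `member=allUsers` match.

```python
import json
from typing import Dict, List, Tuple

# The two S3 group grantees the search treats as public, and the permissions it flags.
PUBLIC_S3_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
FLAGGED_PERMISSIONS = {"READ", "READ_ACP", "WRITE", "WRITE_ACP", "FULL_CONTROL"}

# The GCP search matches member=allUsers only; allAuthenticatedUsers is added here
# because it is also a public principal in GCP IAM (an extension of the search).
PUBLIC_GCP_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def public_s3_grants(event: Dict) -> List[Tuple[str, str]]:
    """Return (grantee URI, permission) pairs from a CloudTrail PutBucketAcl event
    that give a flagged permission to a public group, mirroring the search's
    spath/mvexpand over requestParameters.AccessControlPolicy.AccessControlList.Grant{}."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") != "PutBucketAcl":
        return []
    params = event.get("requestParameters") or {}
    policy = params.get("AccessControlPolicy") or {}
    grants = (policy.get("AccessControlList") or {}).get("Grant") or []
    if isinstance(grants, dict):  # a single grant is serialised as an object, not a list
        grants = [grants]
    hits = []
    for grant in grants:
        uri = (grant.get("Grantee") or {}).get("URI")
        permission = grant.get("Permission")
        if uri in PUBLIC_S3_GROUPS and permission in FLAGGED_PERMISSIONS:
            hits.append((uri, permission))
    return hits


def public_gcp_bindings(event: Dict) -> List[Tuple[str, str]]:
    """Return (member, role) for bindings ADDed to a public member on a gcs_bucket
    storage.setIamPermissions audit event, mirroring the GCP search's spath fields."""
    data = event.get("data") or {}
    if (data.get("resource") or {}).get("type") != "gcs_bucket":
        return []
    payload = data.get("protoPayload") or {}
    if payload.get("methodName") != "storage.setIamPermissions":
        return []
    delta = (payload.get("serviceData") or {}).get("policyDelta") or {}
    deltas = delta.get("bindingDeltas") or []
    return [(d.get("member"), d.get("role")) for d in deltas
            if d.get("action") == "ADD" and d.get("member") in PUBLIC_GCP_MEMBERS]


# Constructed sample CloudTrail record: owner keeps FULL_CONTROL, AllUsers gets READ.
SAMPLE_CLOUDTRAIL = json.loads("""{
  "eventSource": "s3.amazonaws.com",
  "eventName": "PutBucketAcl",
  "userIdentity": {"principalId": "EXAMPLEPRINCIPALID", "userName": "alice"},
  "userAgent": "[aws-cli/2.0.0]",
  "requestParameters": {
    "bucketName": "example-bucket",
    "AccessControlPolicy": {"AccessControlList": {"Grant": [
      {"Grantee": {"xsi:type": "CanonicalUser", "ID": "EXAMPLEOWNERID"}, "Permission": "FULL_CONTROL"},
      {"Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}
    ]}}
  }
}""")

# Constructed sample GCP audit message: one public ADD, one unrelated REMOVE.
SAMPLE_GCP = json.loads("""{"data": {
  "resource": {"type": "gcs_bucket"},
  "protoPayload": {
    "methodName": "storage.setIamPermissions",
    "authenticationInfo": {"principalEmail": "admin@example.com"},
    "resourceName": "projects/_/buckets/example-bucket",
    "requestMetadata": {"callerIp": "198.51.100.7"},
    "serviceData": {"policyDelta": {"bindingDeltas": [
      {"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"},
      {"action": "REMOVE", "role": "roles/storage.admin", "member": "user:old@example.com"}
    ]}}
  }
}}""")

if __name__ == "__main__":
    print("S3 public grants:", public_s3_grants(SAMPLE_CLOUDTRAIL))
    print("GCP public bindings:", public_gcp_bindings(SAMPLE_GCP))
```

Both functions return an empty list for events of the wrong type or method, so they can be run over a raw stream of audit records without pre-filtering.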

Required field

  • _time
  • eventSource
  • eventName
  • requestParameters.bucketName
  • userName
  • userIdentity.principalId
  • userAgent
  • uri
  • permission


ATT&CK

ID Technique Tactic
T1530 Data from Cloud Storage Object Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

While this search has no known false positives, it is possible that an AWS admin has legitimately created a public bucket for a specific purpose. That said, AWS strongly advises against granting full control to the "All Users" group.

Reference

Test Dataset


version: 2


Detect s3 access from a new ip

This search looks at S3 bucket-access logs and detects new or previously unseen remote IP addresses that have successfully accessed an S3 bucket.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1530
  • Last Updated: 2018-06-28

Search

`aws_s3_accesslogs` http_status=200 [search `aws_s3_accesslogs` http_status=200 | stats earliest(_time) as firstTime latest(_time) as lastTime by bucket_name remote_ip | inputlookup append=t previously_seen_S3_access_from_remote_ip.csv | stats min(firstTime) as firstTime, max(lastTime) as lastTime by bucket_name remote_ip | outputlookup previously_seen_S3_access_from_remote_ip.csv | eval newIP=if(firstTime >= relative_time(now(), "-70m@m"), 1, 0) | where newIP=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table bucket_name remote_ip] | iplocation remote_ip |rename remote_ip as src_ip | table _time bucket_name src_ip City Country operation request_uri | `detect_s3_access_from_a_new_ip_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your S3 access logs' inputs. This search works best when you run the "Previously Seen S3 Bucket Access by Remote IP" support search once to create a history of previously seen remote IPs and bucket names.

Required field

  • _time
  • http_status
  • bucket_name
  • remote_ip


ATT&CK

ID Technique Tactic
T1530 Data from Cloud Storage Object Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

S3 buckets can be accessed from any IP, as long as it can make a successful connection. This will be a false positive, since the search is looking for a new IP within the past hour.

Reference

Test Dataset

version: 1


Detect spike in aws security hub alerts for ec2 instance

This search looks for a spike in the number of AWS Security Hub alerts for an EC2 instance in 4-hour intervals.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2021-01-26

Search

`aws_securityhub_finding` "Resources{}.Type"=AWSEC2Instance | bucket span=4h _time | stats count AS alerts values(Title) as Title values(Types{}) as Types values(vendor_account) as vendor_account values(vendor_region) as vendor_region values(severity) as severity by _time dest | eventstats avg(alerts) as total_alerts_avg, stdev(alerts) as total_alerts_stdev | eval threshold_value = 3 | eval isOutlier=if(alerts > total_alerts_avg+(total_alerts_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time dest alerts Title Types vendor_account vendor_region severity isOutlier total_alerts_avg | `detect_spike_in_aws_security_hub_alerts_for_ec2_instance_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. Tune threshold_value to your environment and schedule these searches according to the bucket span interval.

Required field

  • _time
  • Resources{}.Type
  • Title
  • Types{}
  • vendor_account
  • vendor_region
  • severity
  • dest



Kill Chain Phase

Known False Positives

None

Reference

Test Dataset


version: 3


Detect spike in aws security hub alerts for user

This search looks for a spike in the number of AWS Security Hub alerts for an AWS IAM user in 4-hour intervals.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2021-01-26

Search

`aws_securityhub_finding` "findings{}.Resources{}.Type"= AwsIamUser | rename findings{}.Resources{}.Id as user | bucket span=4h _time | stats count AS alerts by _time user | eventstats avg(alerts) as total_launched_avg, stdev(alerts) as total_launched_stdev | eval threshold_value = 2 | eval isOutlier=if(alerts > total_launched_avg+(total_launched_stdev * threshold_value), 1, 0) | search isOutlier=1 | table _time user alerts |`detect_spike_in_aws_security_hub_alerts_for_user_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your Security Hub inputs. Tune threshold_value to your environment and schedule these searches according to the bucket span interval.

Required field

  • _time
  • findings{}.Resources{}.Type
  • findings{}.Resources{}.Id
  • user



Kill Chain Phase

Known False Positives

None

Reference

Test Dataset

version: 3


Detect spike in s3 bucket deletion

This search detects users creating spikes in API activity related to deletion of S3 buckets in your AWS environment. It will also update the cache file that factors in the latest data.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1530
  • Last Updated: 2018-11-27

Search

`cloudtrail` eventName=DeleteBucket [search `cloudtrail` eventName=DeleteBucket | spath output=arn path=userIdentity.arn | stats count as apiCalls by arn | inputlookup s3_deletion_baseline append=t | fields - latestCount | stats values(*) as * by arn | rename apiCalls as latestCount | eval newAvgApiCalls=avgApiCalls + (latestCount-avgApiCalls)/720 | eval newStdevApiCalls=sqrt(((pow(stdevApiCalls, 2)*719 + (latestCount-newAvgApiCalls)*(latestCount-avgApiCalls))/720)) | eval avgApiCalls=coalesce(newAvgApiCalls, avgApiCalls), stdevApiCalls=coalesce(newStdevApiCalls, stdevApiCalls), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table arn, latestCount, numDataPoints, avgApiCalls, stdevApiCalls | outputlookup s3_deletion_baseline | eval dataPointThreshold = 15, deviationThreshold = 3 | eval isSpike=if((latestCount > avgApiCalls+deviationThreshold*stdevApiCalls) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | rename arn as userIdentity.arn | table userIdentity.arn] | spath output=user userIdentity.arn | spath output=bucketName path=requestParameters.bucketName | stats values(bucketName) as bucketName, count as numberOfApiCalls, dc(eventName) as uniqueApisCalled by user | `detect_spike_in_s3_bucket_deletion_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the minimum number of data points required before there is enough history to determine a spike. The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of S3 Bucket deletion activity by ARN" support search once to create a baseline of previously seen S3 bucket-deletion activity.

Required field

  • _time
  • eventName
  • userIdentity.arn


ATT&CK

ID Technique Tactic
T1530 Data from Cloud Storage Object Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Based on the values of `dataPointThreshold` and `deviationThreshold`, the false positive rate may vary. Please modify these according to your environment.

Reference

Test Dataset

version: 1


Detect spike in blocked outbound traffic from your aws

This search will detect a spike in blocked outbound network connections originating from within your AWS environment. It will also update the cache file that factors in the latest data.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2018-05-07

Search

`cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) [search `cloudwatchlogs_vpcflow` action=blocked (src_ip=10.0.0.0/8 OR src_ip=172.16.0.0/12 OR src_ip=192.168.0.0/16) ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) | stats count as numberOfBlockedConnections by src_ip | inputlookup baseline_blocked_outbound_connections append=t | fields - latestCount | stats values(*) as * by src_ip | rename numberOfBlockedConnections as latestCount | eval newAvgBlockedConnections=avgBlockedConnections + (latestCount-avgBlockedConnections)/720 | eval newStdevBlockedConnections=sqrt(((pow(stdevBlockedConnections, 2)*719 + (latestCount-newAvgBlockedConnections)*(latestCount-avgBlockedConnections))/720)) | eval avgBlockedConnections=coalesce(newAvgBlockedConnections, avgBlockedConnections), stdevBlockedConnections=coalesce(newStdevBlockedConnections, stdevBlockedConnections), numDataPoints=if(isnull(latestCount), numDataPoints, numDataPoints+1) | table src_ip, latestCount, numDataPoints, avgBlockedConnections, stdevBlockedConnections | outputlookup baseline_blocked_outbound_connections | eval dataPointThreshold = 5, deviationThreshold = 3 | eval isSpike=if((latestCount > avgBlockedConnections+deviationThreshold*stdevBlockedConnections) AND numDataPoints > dataPointThreshold, 1, 0) | where isSpike=1 | table src_ip] | stats values(dest_ip) as "Blocked Destination IPs", values(interface_id) as "resourceId" count as numberOfBlockedConnections, dc(dest_ip) as uniqueDestConnections by src_ip | `detect_spike_in_blocked_outbound_traffic_from_your_aws_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and Splunk Add-on for AWS (version 4.4.0 or later), then configure your VPC Flow logs. You can modify `dataPointThreshold` and `deviationThreshold` to better fit your environment. The `dataPointThreshold` variable is the number of data points required to meet the definition of "spike." The `deviationThreshold` variable is the number of standard deviations away from the mean that the value must be to be considered a spike. This search works best when you run the "Baseline of Blocked Outbound Connection" support search once to create a history of previously seen blocked outbound connections.
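The two baseline-updating spike searches ("Detect spike in s3 bucket deletion" and "Detect spike in blocked outbound traffic from your aws") share one piece of arithmetic: the running mean and standard deviation in the lookup are nudged by 1/720 of each new count, and the new count is then compared against the updated mean plus `deviationThreshold` standard deviations, but only once `numDataPoints` exceeds `dataPointThreshold`. The Python below is an added example that reproduces that eval chain outside Splunk so the thresholds can be reasoned about; it is not code from Splunk Security Content. The baseline and counts are constructed sample data with placeholder ARNs, and seeding never-seen keys from their first count is this example's own choice (the SPL leaves such rows null until the support search re-seeds the lookup).

```python
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List, Tuple

# The searches divide by 720: an hourly schedule over 30 days, so each run moves
# the running mean and standard deviation by 1/720 of the new sample.
WINDOW = 720


@dataclass
class Baseline:
    avg: float        # avgApiCalls / avgBlockedConnections
    stdev: float      # stdevApiCalls / stdevBlockedConnections
    num_points: int   # numDataPoints


def update_baseline(baseline: Dict[str, Baseline],
                    counts: Dict[str, int]) -> Dict[str, Baseline]:
    """Apply one run's per-key counts to the baseline, as the SPL eval chain does.

    Keys in the baseline with no count this run keep their stats unchanged (the
    coalesce() branch, where latestCount is null). Keys never seen before are
    seeded from their first count: an assumption of this example, not SPL behaviour.
    """
    updated = dict(baseline)
    for key, latest in counts.items():
        current = baseline.get(key)
        if current is None:
            updated[key] = Baseline(avg=float(latest), stdev=0.0, num_points=1)
            continue
        # newAvg = avg + (latest - avg) / 720
        new_avg = current.avg + (latest - current.avg) / WINDOW
        # newStdev = sqrt((stdev^2 * 719 + (latest - newAvg) * (latest - avg)) / 720)
        new_var = (current.stdev ** 2 * (WINDOW - 1)
                   + (latest - new_avg) * (latest - current.avg)) / WINDOW
        updated[key] = Baseline(avg=new_avg,
                                stdev=sqrt(max(new_var, 0.0)),
                                num_points=current.num_points + 1)
    return updated


def detect_spikes(baseline: Dict[str, Baseline], counts: Dict[str, int],
                  deviation_threshold: float = 3.0,
                  data_point_threshold: int = 15) -> Tuple[Dict[str, Baseline], List[str]]:
    """Update the baseline, then flag keys whose count exceeds mean + k*stdev.

    The comparison uses the *updated* stats, exactly as the SPL does, and a key is
    only eligible once its history is long enough (numDataPoints > dataPointThreshold).
    """
    updated = update_baseline(baseline, counts)
    spikes = []
    for key, latest in counts.items():
        b = updated[key]
        if (latest > b.avg + deviation_threshold * b.stdev
                and b.num_points > data_point_threshold):
            spikes.append(key)
    return updated, spikes


# Constructed sample baseline (what the support search would have seeded) and one
# run's DeleteBucket counts per ARN. Account IDs and user names are placeholders.
SAMPLE_BASELINE = {
    "arn:aws:iam::111111111111:user/alice": Baseline(avg=1.0, stdev=0.5, num_points=40),
    "arn:aws:iam::111111111111:user/bob": Baseline(avg=1.0, stdev=0.5, num_points=10),
}
SAMPLE_COUNTS = {
    "arn:aws:iam::111111111111:user/alice": 50,  # far above a mean of 1: flagged
    "arn:aws:iam::111111111111:user/bob": 50,    # same burst, but too little history
    "arn:aws:iam::111111111111:user/carol": 50,  # never baselined: seeded, not flagged
}

if __name__ == "__main__":
    new_baseline, flagged = detect_spikes(SAMPLE_BASELINE, SAMPLE_COUNTS)
    print("spikes:", flagged)
    for arn, b in new_baseline.items():
        print(f"{arn}: avg={b.avg:.3f} stdev={b.stdev:.3f} n={b.num_points}")
```

Running it shows why `dataPointThreshold` matters: bob's burst is identical to alice's but is suppressed because his eleventh data point does not clear the default of 15, and carol's first-ever count becomes her baseline rather than an alert.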

Required field

  • _time
  • action
  • src_ip
  • dest_ip



Kill Chain Phase

  • Actions on Objectives
  • Command and Control


Known False Positives

The false-positive rate may vary based on the values of `dataPointThreshold` and `deviationThreshold`. Additionally, false positives may result when AWS administrators roll out policies enforcing network blocks, causing sudden increases in the number of blocked outbound connections.

Reference

Test Dataset

version: 1


Gcp detect gcploit framework

This search provides detection of the GCPloit exploitation framework. This framework can be used to escalate privileges and move laterally from compromised high-privilege accounts.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078
  • Last Updated: 2020-10-08

Search

`google_gcp_pubsub_message` data.protoPayload.request.function.timeout=539s | table src src_user data.resource.labels.project_id data.protoPayload.request.function.serviceAccountEmail data.protoPayload.authorizationInfo{}.permission data.protoPayload.request.location http_user_agent | `gcp_detect_gcploit_framework_filter`

Associated Analytic Story


How To Implement

You must install the Splunk GCP add-on. This search works with gcp:pubsub:message logs.

Required field

  • _time
  • data.protoPayload.request.function.timeout
  • src
  • src_user
  • data.resource.labels.project_id
  • data.protoPayload.request.function.serviceAccountEmail
  • data.protoPayload.authorizationInfo{}.permission
  • data.protoPayload.request.location
  • http_user_agent


ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

  • Lateral Movement


Known False Positives

The Payload.request.function.timeout value can possibly match other functions or requests; however, the source user and target request account may indicate an attempt to move laterally across accounts or projects.

Reference


Test Dataset

version: 1


Gcp kubernetes cluster pod scan detection

This search provides information on unauthenticated requests, via user agent and authentication data, against a Kubernetes cluster's pods.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1526
  • Last Updated: 2020-07-17

Search

`google_gcp_pubsub_message` category=kube-audit |spath input=properties.log |search responseStatus.code=401 |table sourceIPs{} userAgent verb requestURI responseStatus.reason properties.pod | `gcp_kubernetes_cluster_pod_scan_detection_filter`

Associated Analytic Story


How To Implement

You must install the GCP App for Splunk (version 2.0.0 or later), then configure Stackdriver and set up a Pub/Sub subscription to be imported into Splunk.

Required field

  • _time
  • category
  • responseStatus.code
  • sourceIPs{}
  • userAgent
  • verb
  • requestURI
  • responseStatus.reason
  • properties.pod


ATT&CK

ID Technique Tactic
T1526 Cloud Service Discovery Discovery


Kill Chain Phase

  • Reconnaissance


Known False Positives

Not all unauthenticated requests are malicious, but frequency, User Agent, source IPs and pods will provide context.

Reference

Test Dataset

version: 1


High number of login failures from a single source

This search will detect more than 5 login failures in Office365 Azure Active Directory from a single source IP address. Please adjust the threshold value of 5 as suited for your environment.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1110.001
  • Last Updated: 2020-12-16

Search

`o365_management_activity` Operation=UserLoginFailed record_type=AzureActiveDirectoryStsLogon app=AzureActiveDirectory | stats count dc(user) as accounts_locked values(user) as user values(LogonError) as LogonError values(authentication_method) as authentication_method values(signature) as signature values(UserAgent) as UserAgent by src_ip record_type Operation app | search accounts_locked >= 5 | `high_number_of_login_failures_from_a_single_source_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Microsoft Office 365 add-on. This search works with the o365:management:activity sourcetype.

Required field

  • _time
  • Operation
  • record_type
  • app
  • user
  • LogonError
  • authentication_method
  • signature
  • UserAgent
  • src_ip


ATT&CK

ID Technique Tactic
T1110.001 Password Guessing Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

unknown

Reference

Test Dataset

version: 1


Kubernetes aws detect suspicious kubectl calls

This search surfaces kubectl calls made as the system:anonymous user from non-loopback source IPs, reporting the source IP, verb, user agent and request URI (which carries the namespace and object) for context.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-06-23

Search

`aws_cloudwatchlogs_eks` userAgent=kubectl* sourceIPs{}!=127.0.0.1 sourceIPs{}!=::1 src_user=system:anonymous | table src_ip src_user verb userAgent requestURI | stats count by src_ip src_user verb userAgent requestURI |`kubernetes_aws_detect_suspicious_kubectl_calls_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with EKS control-plane audit logs delivered through CloudWatch Logs.

Required field

  • _time
  • userAgent
  • sourceIPs{}
  • src_user
  • src_ip
  • verb
  • requestURI



Kill Chain Phase

  • Lateral Movement


Known False Positives

kubectl calls are not malicious by nature. However, the source IP, verb and object can reveal malicious activity, especially anonymous calls from suspicious IPs against sensitive objects such as configmaps or secrets.

Reference

Test Dataset

version: 1
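The GCP pod-scan search above and this EKS kubectl search both filter the same kube-audit Event records. As an added example that is not Splunk's or this page's code, the Python below runs the two rules over constructed audit events, including the `spath input=properties.log` step the GCP search performs. Field names follow the Kubernetes audit Event schema (verb, user.username, sourceIPs, userAgent, requestURI, responseStatus); the Pub/Sub envelope is reduced to the fields the GCP search names, and the pod names, addresses and user agent string are assumptions.

```python
"""Added example, not Splunk's code: the two Kubernetes audit-log rules above
(unauthenticated 401s on GKE, anonymous kubectl calls on EKS) run over
constructed kube-audit events. Field names follow the Kubernetes audit Event
schema; the Pub/Sub envelope is reduced to the fields the GCP search names
(category, properties.log, properties.pod)."""
from collections import Counter
import ipaddress
import json

KUBECTL = "kubectl/v1.18.0 (linux/amd64) kubernetes/abc123"   # constructed user agent

# Constructed audit events, trimmed to the fields the rules use.
SAMPLE_AUDIT_LOG = [
    # unauthenticated probe of the pods API: answered 401
    {"verb": "get", "user": {"username": "system:anonymous"}, "sourceIPs": ["203.0.113.5"],
     "userAgent": "curl/7.68.0", "requestURI": "/api/v1/namespaces/default/pods",
     "responseStatus": {"code": 401, "reason": "Unauthorized"}},
    # same source, now with kubectl and no credentials, reaching for secrets and configmaps
    {"verb": "list", "user": {"username": "system:anonymous"}, "sourceIPs": ["203.0.113.5"],
     "userAgent": KUBECTL, "requestURI": "/api/v1/namespaces/kube-system/secrets",
     "responseStatus": {"code": 403, "reason": "Forbidden"}},
    {"verb": "list", "user": {"username": "system:anonymous"}, "sourceIPs": ["203.0.113.5"],
     "userAgent": KUBECTL, "requestURI": "/api/v1/namespaces/kube-system/configmaps",
     "responseStatus": {"code": 403, "reason": "Forbidden"}},
    # anonymous health probe from the node itself: loopback, excluded by the EKS rule
    {"verb": "get", "user": {"username": "system:anonymous"}, "sourceIPs": ["127.0.0.1"],
     "userAgent": KUBECTL, "requestURI": "/healthz", "responseStatus": {"code": 200}},
    # authenticated developer: not anonymous, not flagged
    {"verb": "get", "user": {"username": "dev@example.com"}, "sourceIPs": ["10.0.0.7"],
     "userAgent": KUBECTL, "requestURI": "/api/v1/namespaces/default/pods",
     "responseStatus": {"code": 200}},
]

# Constructed Pub/Sub envelopes as the GCP search sees them: the audit Event is a JSON string.
SAMPLE_PUBSUB = [{"category": "kube-audit",
                  "properties": {"log": json.dumps(ev), "pod": "kube-apiserver-gke-node-1"}}
                 for ev in SAMPLE_AUDIT_LOG]
SAMPLE_PUBSUB.append({"category": "kube-controller",
                      "properties": {"log": "{}", "pod": "kube-controller-manager"}})

SENSITIVE_RESOURCES = ("/secrets", "/configmaps", "/serviceaccounts")


def parse_pubsub_messages(messages):
    """The `category=kube-audit | spath input=properties.log` step: keep audit messages,
    decode the embedded Event and carry the pod name along."""
    events = []
    for msg in messages:
        if msg.get("category") != "kube-audit":
            continue
        event = json.loads(msg["properties"]["log"])
        event["pod"] = msg["properties"].get("pod")
        events.append(event)
    return events


def is_loopback(ip):
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def unauthenticated_requests(events):
    """GCP rule: audit entries the API server answered with HTTP 401, as table rows."""
    rows = []
    for ev in events:
        status = ev.get("responseStatus", {})
        if status.get("code") == 401:
            rows.append((ev["sourceIPs"][0], ev.get("userAgent", ""), ev["verb"],
                         ev["requestURI"], status.get("reason", ""), ev.get("pod")))
    return rows


def anonymous_kubectl_calls(events):
    """EKS rule: kubectl user agent, user system:anonymous, at least one non-loopback source IP;
    counted per (src_ip, user, verb, userAgent, requestURI) like the `stats count by`."""
    counts = Counter()
    for ev in events:
        if not ev.get("userAgent", "").startswith("kubectl"):
            continue
        if ev.get("user", {}).get("username") != "system:anonymous":
            continue
        sources = [ip for ip in ev.get("sourceIPs", []) if not is_loopback(ip)]
        if not sources:
            continue
        counts[(sources[0], "system:anonymous", ev["verb"], ev["userAgent"], ev["requestURI"])] += 1
    return dict(counts)


def touches_sensitive_object(request_uri):
    """Triage helper from the false-positive note: anonymous reads of secrets or configmaps matter most."""
    return any(part in request_uri for part in SENSITIVE_RESOURCES)
```

Two things the SPL leaves implicit and that are worth checking in your own data: a 403 on an anonymous kubectl list of secrets is a different signal from a 401 (the API server accepted the request as anonymous and refused it by RBAC), and sourceIPs is a list, so the loopback exclusion should look at every entry rather than only the first.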


New container uploaded to aws ecr

This search shows information on container images pushed to Amazon ECR (the PutImage operation), including the source user, image ID, source IP, user type, HTTP user agent, region, and the first and last time of the operation. It is based on the Cloud Infrastructure data model.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Cloud_Infrastructure
  • ATT&CK: T1525
  • Last Updated: 2020-02-20

Search

| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Cloud_Infrastructure.Compute where Compute.user_type!="AssumeRole" AND Compute.http_user_agent="AWS Internal" AND Compute.event_name="PutImage" by Compute.image_id Compute.src_user Compute.src Compute.region Compute.msg Compute.user_type | `drop_dm_object_name("Compute")` | `new_container_uploaded_to_aws_ecr_filter`

Associated Analytic Story


How To Implement

You must install the AWS App for Splunk (version 5.1.0 or later) and the Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail inputs. You must also install the Cloud Infrastructure data model. Please also customize the `new_container_uploaded_to_aws_ecr_filter` macro to filter out false positives.

Required field

  • _time
  • Compute.user_type
  • Compute.http_user_agent
  • Compute.event_name
  • Compute.image_id
  • Compute.src_user
  • Compute.src
  • Compute.region
  • Compute.msg


ATT&CK

ID Technique Tactic
T1525 Implant Internal Image Persistence


Kill Chain Phase

Known False Positives

Pushing a container image is normal behavior for developers or users with access to the container registry.

Reference

Test Dataset

version: 1


O365 add app role assignment grant user

This search detects an app role assignment being granted to a user in Azure Active Directory (the "Add app role assignment grant to user." operation), reporting the actor, the actor's IP address and the result status.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1136.003
  • Last Updated: 2021-01-26

Search

`o365_management_activity` Workload=AzureActiveDirectory Operation="Add app role assignment grant to user." | stats count min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(Actor{}.Type) as Actor.Type by ActorIpAddress dest ResultStatus | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_add_app_role_assignment_grant_user_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Microsoft Office 365 add-on. This search works with the o365:management:activity sourcetype.

Required field

  • _time
  • Workload
  • Operation
  • Actor{}.ID
  • Actor{}.Type
  • ActorIpAddress
  • dest
  • ResultStatus


ATT&CK

ID Technique Tactic
T1136.003 Cloud Account Persistence


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Granting app role assignments to users is not necessarily malicious, however these events need to be followed closely, as they may indicate an attacker establishing persistent access through application permissions.

Reference


Test Dataset


version: 1


O365 added service principal

This search detects credentials being added to a service principal in Azure Active Directory (the "Add service principal credentials." operation), reporting the actor, the modified properties and the target object.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1136.003
  • Last Updated: 2021-01-26

Search

`o365_management_activity` Workload=AzureActiveDirectory signature="Add service principal credentials." | stats min(_time) as firstTime max(_time) as lastTime values(Actor{}.ID) as Actor.ID values(ModifiedProperties{}.Name) as ModifiedProperties.Name values(ModifiedProperties{}.NewValue) as ModifiedProperties.NewValue values(Target{}.ID) as Target.ID by ActorIpAddress signature | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_added_service_principal_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Microsoft Office 365 add-on. This search works with the o365:management:activity sourcetype.

Required field

  • _time
  • Workload
  • signature
  • Actor{}.ID
  • ModifiedProperties{}.Name
  • ModifiedProperties{}.NewValue
  • Target{}.ID
  • ActorIpAddress


ATT&CK

ID Technique Tactic
T1136.003 Cloud Account Persistence


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Adding credentials to a service principal is not necessarily malicious, however these events need to be followed closely, as an attacker who adds a secret or certificate to an existing application gains persistent, non-interactive access to the tenant with that application's permissions.

Reference


Test Dataset


version: 1


O365 bypass mfa via trusted ip

This search detects IP address ranges (CIDR blocks) newly added to the list of MFA Trusted IPs, by comparing the old and new values of the StrongAuthenticationPolicy setting. Attackers use this setting to exempt their own source addresses from multi-factor authentication.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1562.007
  • Last Updated: 2021-01-12

Search

`o365_management_activity` signature="Set Company Information." ModifiedProperties{}.Name=StrongAuthenticationPolicy | rex max_match=100 field=ModifiedProperties{}.NewValue "(?<ip_addresses_new_added>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2})" | rex max_match=100 field=ModifiedProperties{}.OldValue "(?<ip_addresses_old>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\/\d{1,2})" | eval ip_addresses_old=if(isnotnull(ip_addresses_old),ip_addresses_old,"0") | mvexpand ip_addresses_new_added | where isnull(mvfind(ip_addresses_old,ip_addresses_new_added)) |stats count min(_time) as firstTime max(_time) as lastTime values(ip_addresses_old) as ip_addresses_old by user ip_addresses_new_added signature vendor_product vendor_account status user_id action | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_bypass_mfa_via_trusted_ip_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Microsoft Office 365 add-on. This search works with the o365:management:activity sourcetype.

Required field

  • _time
  • signature
  • ModifiedProperties{}.Name
  • ModifiedProperties{}.NewValue
  • ModifiedProperties{}.OldValue
  • user
  • vendor_product
  • vendor_account
  • status
  • user_id
  • action


ATT&CK

ID Technique Tactic
T1562.007 Disable or Modify Cloud Firewall Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Unless there is a specific operational reason, it is uncommon to update the Trusted IPs list of the MFA configuration repeatedly.

Reference


Test Dataset


version: 1
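The comparison this search performs (extract every CIDR from the old and new StrongAuthenticationPolicy values, keep those that only appear in the new one) is easy to get subtly wrong. As an added example that is not Splunk's or this page's code, the Python below applies the same comparison to a constructed "Set Company Information." record and adds a triage check for ranges that are far too wide. The JSON layout of the sample policy value, the tenant details and the addresses are assumptions; only the CIDR tokens inside the value matter to the logic.

```python
"""Added example, not Splunk's code: the old-versus-new comparison the MFA
Trusted IPs search performs, applied to a constructed "Set Company Information."
record. The JSON layout of the StrongAuthenticationPolicy value is an assumption."""
import ipaddress
import re

# Same shape as the rex in the search: dotted quad plus a one- or two-digit prefix length.
CIDR_RE = re.compile(r"\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/\d{1,2})\b")

SAMPLE_EVENT = {
    "Workload": "AzureActiveDirectory",
    "Operation": "Set Company Information.",
    "UserId": "admin@example.com",
    "ActorIpAddress": "198.51.100.23",
    "ResultStatus": "Success",
    "ModifiedProperties": [
        {"Name": "StrongAuthenticationPolicy",
         "OldValue": '[{"RelyingParty":"*","State":1,"TrustedIpsRange":["203.0.113.0/24"]}]',
         "NewValue": '[{"RelyingParty":"*","State":1,"TrustedIpsRange":'
                     '["203.0.113.0/24","198.51.100.0/25","0.0.0.0/0"]}]'},
        {"Name": "Included Updated Properties", "OldValue": "", "NewValue": "StrongAuthenticationPolicy"},
    ],
}


def extract_cidrs(text):
    """rex max_match=100: every a.b.c.d/nn token, validated as a network and de-duplicated
    (999.1.1.1/24 matches the regex but is not an address, so it is dropped)."""
    found = []
    for token in CIDR_RE.findall(text or ""):
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue
        if net not in found:
            found.append(net)
    return found


def newly_trusted_ranges(event):
    """Ranges present in NewValue but absent from OldValue, i.e. the SPL's
    `mvexpand ip_addresses_new_added | where isnull(mvfind(ip_addresses_old, ...))`."""
    if event.get("Operation") != "Set Company Information.":
        return []
    added = []
    for prop in event.get("ModifiedProperties", []):
        if prop.get("Name") != "StrongAuthenticationPolicy":
            continue
        old = extract_cidrs(prop.get("OldValue"))
        for net in extract_cidrs(prop.get("NewValue")):
            if net not in old:
                added.append(str(net))
    return added


def overly_broad_ranges(event, max_prefix=24):
    """Triage: a range wider than /24 (0.0.0.0/0 being the extreme) exempts far more than one office from MFA."""
    return [c for c in newly_trusted_ranges(event) if ipaddress.ip_network(c).prefixlen < max_prefix]
```

As with the rex on the page, only IPv4 CIDRs are recognised; an IPv6 trusted range added through the same operation would be missed by both. Keeping ResultStatus in the output, as the search keeps status in its by-clause, tells a failed attempt apart from a change that took effect.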


O365 disable mfa

This search detects when multi-factor authentication has been disabled (the "Disable Strong Authentication." operation), which entity performed the action and against which user.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1556
  • Last Updated: 2020-12-16

Search

`o365_management_activity` Operation="Disable Strong Authentication." | stats count earliest(_time) as firstTime latest(_time) as lastTime by UserType Operation user status signature dest ResultStatus |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_disable_mfa_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Microsoft Office 365 add-on. This search works with the o365:management:activity sourcetype.

Required field

  • _time
  • Operation
  • UserType
  • user
  • status
  • signature
  • dest
  • ResultStatus


ATT&CK

ID Technique Tactic
T1556 Modify Authentication Process Credential Access, Defense Evasion, Persistence


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Unless there is a specific operational reason, it is uncommon to disable MFA or Strong Authentication.

Reference


Test Dataset


version: 1


O365 excessive authentication failures alert

This search detects an excessive number of authentication failures (more than 10 per user). Because it keys on the UserAuthenticationMethod field, it also covers failed attempts against MFA prompt codes.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1110
  • Last Updated: 2020-12-16

Search

`o365_management_activity` Workload=AzureActiveDirectory UserAuthenticationMethod=* status=Failed | stats count earliest(_time) as firstTime latest(_time) as lastTime values(UserAuthenticationMethod) AS UserAuthenticationMethod values(UserAgent) AS UserAgent values(status) AS status values(src_ip) AS src_ip by user | where count > 10 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_excessive_authentication_failures_alert_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Microsoft Office 365 add-on. This search works with the o365:management:activity sourcetype.

Required field

  • _time
  • Workload
  • UserAuthenticationMethod
  • status
  • UserAgent
  • src_ip
  • user


ATT&CK

ID Technique Tactic
T1110 Brute Force Credential Access


Kill Chain Phase

  • Not Applicable


Known False Positives

The alert threshold is more than 10 failed attempts per user, which should reduce false positives; tune it for your environment.

Reference


Test Dataset


version: 1
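This search and the "High number of login failures from a single source" search above aggregate the same failed-logon records along two different axes: failures per account, and distinct accounts per source IP. As an added example that is not Splunk's or this page's code, the Python below runs both aggregations over constructed o365:management:activity-style records so the difference is visible. The field names are the ones the two searches use; the add-on's field aliasing and the sample tenant data are assumptions.

```python
"""Added example, not Splunk's code: the two Azure AD failed-logon rules above run
over constructed o365:management:activity-style records. Rule 1 keys on distinct
accounts per source IP (one source trying many accounts); rule 2 keys on failures
per account (many tries against one account, MFA prompts included)."""
from collections import defaultdict

SPRAY_THRESHOLD = 5    # rule 1: accounts_locked >= 5 (distinct users per src_ip)
BRUTE_THRESHOLD = 10   # rule 2: count > 10 (failures per user)


def failed_logon(ip, user, method="Password", error="InvalidUserNameOrPassword"):
    """One constructed UserLoginFailed record."""
    return {"Workload": "AzureActiveDirectory", "Operation": "UserLoginFailed",
            "record_type": "AzureActiveDirectoryStsLogon", "app": "AzureActiveDirectory",
            "status": "Failed", "src_ip": ip, "user": user, "LogonError": error,
            "UserAuthenticationMethod": method, "UserAgent": "Mozilla/5.0"}


SAMPLE_EVENTS = (
    # one source, seven different accounts, one failure each: a spray, invisible per account
    [failed_logon("198.51.100.9", "user%d@example.com" % i) for i in range(7)]
    # one account, twelve failures from one address, every third one against an MFA code
    + [failed_logon("192.0.2.44", "cfo@example.com",
                    method="OneWaySMS" if i % 3 == 0 else "Password",
                    error="InvalidMFACode" if i % 3 == 0 else "InvalidUserNameOrPassword")
       for i in range(12)]
    # two mistyped passwords from an office address: below both thresholds
    + [failed_logon("203.0.113.7", "alice@example.com"), failed_logon("203.0.113.7", "bob@example.com")]
)


def failures_by_source(events, threshold=SPRAY_THRESHOLD):
    """Rule 1: stats dc(user) ... by src_ip, keep sources that failed against >= threshold accounts."""
    per_ip = defaultdict(lambda: {"users": set(), "count": 0, "errors": set()})
    for ev in events:
        if ev.get("Operation") != "UserLoginFailed" or ev.get("app") != "AzureActiveDirectory":
            continue
        bucket = per_ip[ev["src_ip"]]
        bucket["users"].add(ev["user"])
        bucket["count"] += 1
        bucket["errors"].add(ev["LogonError"])
    return {ip: {"accounts": sorted(b["users"]), "count": b["count"], "LogonError": sorted(b["errors"])}
            for ip, b in per_ip.items() if len(b["users"]) >= threshold}


def failures_by_user(events, threshold=BRUTE_THRESHOLD):
    """Rule 2: stats count ... by user over Failed records that carry an authentication method;
    keep users with more than threshold failures and list the methods and sources seen."""
    per_user = defaultdict(lambda: {"count": 0, "methods": set(), "src_ip": set()})
    for ev in events:
        if (ev.get("Workload") != "AzureActiveDirectory" or ev.get("status") != "Failed"
                or not ev.get("UserAuthenticationMethod")):
            continue
        bucket = per_user[ev["user"]]
        bucket["count"] += 1
        bucket["methods"].add(ev["UserAuthenticationMethod"])
        bucket["src_ip"].add(ev["src_ip"])
    return {user: {"count": b["count"], "methods": sorted(b["methods"]), "src_ip": sorted(b["src_ip"])}
            for user, b in per_user.items() if b["count"] > threshold}
```

The two rules are complementary: the spraying source in the sample never trips the per-account threshold (one failure per account), and the brute-forced account never trips the per-source threshold (one account per source), so both should run. Note that the accounts_locked field in the single-source search is a distinct-user count; no actual lockout is checked.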


O365 excessive sso logon errors

This search detects accounts with a high number of single sign-on (SSO) logon errors (LogonError=SsoArtifactInvalidOrExpired, more than 5 per actor IP, user agent and user). Excessive SSO logon errors may indicate password brute forcing or the hijacking or replay of a single sign-on token.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1556
  • Last Updated: 2021-01-26

Search

`o365_management_activity` Workload=AzureActiveDirectory LogonError=SsoArtifactInvalidOrExpired | stats count min(_time) as firstTime max(_time) as lastTime by LogonError ActorIpAddress UserAgent UserId | where count > 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_excessive_sso_logon_errors_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Microsoft Office 365 add-on. This search works with the o365:management:activity sourcetype.

Required field

  • _time
  • Workload
  • LogonError
  • ActorIpAddress
  • UserAgent
  • UserId


ATT&CK

ID Technique Tactic
T1556 Modify Authentication Process Credential Access, Defense Evasion, Persistence


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Logon errors are not necessarily malicious; however, they may indicate attempts to reuse a token or password obtained through a credential access attack.

Reference


Test Dataset


version: 1


O365 new federated domain added

This search detects the addition of a new Federated domain.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1136.003
  • Last Updated: 2021-01-26

Search

`o365_management_activity` Workload=Exchange Operation="Add-FederatedDomain" | stats count min(_time) as firstTime max(_time) as lastTime values(Parameters{}.Value) as Parameters.Value by ObjectId Operation OrganizationName OriginatingServer UserId UserKey | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `o365_new_federated_domain_added_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Microsoft Office 365 add-on. This search works with the o365:management:activity sourcetype.

Required field

  • _time
  • Workload
  • Operation
  • Parameters{}.Value
  • ObjectId
  • OrganizationName
  • OriginatingServer
  • UserId
  • UserKey


ATT&CK

ID Technique Tactic
T1136.003 Cloud Account Persistence


Kill Chain Phase

  • Actions on Objectives


Known False Positives

The creation of a new Federated domain is not necessarily malicious, however these events need to be followed closely, as they may indicate federated credential abuse or a backdoor via federated identities at the same or a different cloud provider.

Reference


Test Dataset


version: 1


O365 pst export alert

This search detects when a user has performed an eDiscovery search or exported a PST file from the search results. Such a PST file usually contains sensitive information, including email body content.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1114
  • Last Updated: 2020-12-16

Search

`o365_management_activity` Category=ThreatManagement Name="eDiscovery search started or exported" | stats count earliest(_time) as firstTime latest(_time) as lastTime by Source Severity AlertEntityId Operation Name |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `o365_pst_export_alert_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Microsoft Office 365 add-on. This search works with the o365:management:activity sourcetype.

Required field

  • _time
  • Category
  • Name
  • Source
  • Severity
  • AlertEntityId
  • Operation


ATT&CK

ID Technique Tactic
T1114 Email Collection Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

PST exports can be done for legitimate purposes, but because of the sensitive nature of their content they must be monitored.

Reference


Test Dataset


version: 1


O365 suspicious admin email forwarding

This search detects when an administrator has configured forwarding (Set-Mailbox with ForwardingAddress) on more than one mailbox to the same destination.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1114.003
  • Last Updated: 2020-12-16

Search

`o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingAddress=* | stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingAddress | where count_src_user > 1 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_admin_email_forwarding_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Microsoft Office 365 add-on. This search works with the o365:management:activity sourcetype.

Required field

  • _time
  • Operation
  • Parameters


ATT&CK

ID Technique Tactic
T1114.003 Email Forwarding Rule Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

unknown

Reference

Test Dataset


version: 1


O365 suspicious rights delegation

This search detects the assignment of rights to access or send from another mailbox (FullAccess, SendAs or SendOnBehalf granted via Add-MailboxPermission). Such rights are usually only assigned to service accounts.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1114.002
  • Last Updated: 2020-12-15

Search

`o365_management_activity` Operation=Add-MailboxPermission | spath input=Parameters | rename User AS src_user, Identity AS dest_user | search AccessRights=FullAccess OR AccessRights=SendAs OR AccessRights=SendOnBehalf | stats count earliest(_time) as firstTime latest(_time) as lastTime by user src_user dest_user Operation AccessRights |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_rights_delegation_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Microsoft Office 365 add-on. This search works with the o365:management:activity sourcetype.

Required field

  • _time
  • Operation
  • Parameters


ATT&CK

ID Technique Tactic
T1114.002 Remote Email Collection Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Service Accounts

Reference

Test Dataset


version: 1


O365 suspicious user email forwarding

This search detects when more than one user has configured mailbox forwarding (Set-Mailbox with ForwardingSmtpAddress) to the same SMTP destination.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1114.003
  • Last Updated: 2020-12-16

Search

`o365_management_activity` Operation=Set-Mailbox | spath input=Parameters | rename Identity AS src_user | search ForwardingSmtpAddress=* | stats dc(src_user) AS count_src_user earliest(_time) as firstTime latest(_time) as lastTime values(src_user) AS src_user values(user) AS user by ForwardingSmtpAddress | where count_src_user > 1 |`security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` |`o365_suspicious_user_email_forwarding_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Microsoft Office 365 add-on. This search works with the o365:management:activity sourcetype.

Required field

  • _time
  • Operation
  • Parameters


ATT&CK

ID Technique Tactic
T1114.003 Email Forwarding Rule Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

unknown

Reference

Test Dataset


version: 1
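The three Exchange cmdlet searches above (admin forwarding, rights delegation and this user forwarding search) all start with the same `spath input=Parameters` step, because an Exchange admin-audit record carries the cmdlet's parameters as an array of Name/Value pairs rather than as fields. As an added example that is not Splunk's or this page's code, the Python below flattens constructed records that way and then applies the three aggregations. The Name/Value layout of Parameters is the one these audit records use; the mailboxes, addresses and actors are constructed, and the rest of each record is trimmed to what the rules need.

```python
"""Added example, not Splunk's code, for the three Exchange cmdlet searches above:
the `spath input=Parameters` step, then the per-destination and per-mailbox
aggregations over constructed o365:management:activity Exchange records."""
from collections import defaultdict

WATCHED_RIGHTS = {"FullAccess", "SendAs", "SendOnBehalf"}


def audit_record(operation, actor, **params):
    """One constructed Exchange admin-audit record."""
    return {"Workload": "Exchange", "Operation": operation, "UserId": actor,
            "Parameters": [{"Name": k, "Value": v} for k, v in params.items()]}


SAMPLE_RECORDS = [
    # an admin forwarding three mailboxes to one address (admin forwarding rule)
    audit_record("Set-Mailbox", "admin@example.com", Identity="alice", ForwardingAddress="archive@example.net"),
    audit_record("Set-Mailbox", "admin@example.com", Identity="bob", ForwardingAddress="archive@example.net"),
    audit_record("Set-Mailbox", "admin@example.com", Identity="carol", ForwardingAddress="archive@example.net"),
    # two users each forwarding their own mailbox to the same SMTP address (user forwarding rule)
    audit_record("Set-Mailbox", "dave@example.com", Identity="dave", ForwardingSmtpAddress="smtp:collector@example.org"),
    audit_record("Set-Mailbox", "erin@example.com", Identity="erin", ForwardingSmtpAddress="smtp:collector@example.org"),
    # one user forwarding to a personal address: a single source, below the > 1 threshold
    audit_record("Set-Mailbox", "frank@example.com", Identity="frank", ForwardingSmtpAddress="smtp:frank@example.com"),
    # mailbox delegation (rights delegation rule); ReadPermission is not in the watched set
    audit_record("Add-MailboxPermission", "admin@example.com", Identity="ceo", User="svc-backup", AccessRights="FullAccess"),
    audit_record("Add-MailboxPermission", "admin@example.com", Identity="cfo", User="mallory", AccessRights="SendAs, ReadPermission"),
    audit_record("Add-MailboxPermission", "admin@example.com", Identity="hr", User="auditor", AccessRights="ReadPermission"),
]


def flatten_parameters(record):
    """spath input=Parameters: each {"Name": n, "Value": v} pair becomes a top-level field."""
    flat = {k: v for k, v in record.items() if k != "Parameters"}
    for param in record.get("Parameters", []):
        flat[param["Name"]] = param["Value"]
    return flat


def forwarding_fanin(records, field):
    """Set-Mailbox records grouped by the forwarding field (ForwardingAddress for the admin
    search, ForwardingSmtpAddress for the user search); keeps destinations that more than
    one source mailbox forwards to, i.e. `dc(src_user) > 1`."""
    by_dest = defaultdict(lambda: {"src_user": set(), "user": set()})
    for rec in records:
        if rec.get("Operation") != "Set-Mailbox":
            continue
        flat = flatten_parameters(rec)
        dest = flat.get(field)
        if not dest:
            continue
        by_dest[dest]["src_user"].add(flat["Identity"])
        by_dest[dest]["user"].add(flat["UserId"])
    return {dest: {"src_user": sorted(v["src_user"]), "user": sorted(v["user"])}
            for dest, v in by_dest.items() if len(v["src_user"]) > 1}


def suspicious_delegations(records, watched=WATCHED_RIGHTS):
    """Add-MailboxPermission grants of FullAccess, SendAs or SendOnBehalf, as
    (actor, src_user, dest_user, rights); AccessRights may list several rights."""
    hits = []
    for rec in records:
        if rec.get("Operation") != "Add-MailboxPermission":
            continue
        flat = flatten_parameters(rec)
        rights = {r.strip() for r in str(flat.get("AccessRights", "")).split(",")}
        if rights & watched:
            hits.append((flat["UserId"], flat["User"], flat["Identity"], sorted(rights & watched)))
    return hits
```

The `dc(src_user) > 1` threshold in both forwarding searches means a single targeted mailbox forwarded to an attacker's address (frank's record in the sample) never alerts; if that case matters in your tenant, a separate rule keyed on external destinations is needed. The delegation search has no such threshold and should be filtered by the service accounts the false-positive note mentions.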


Aws detect attach to role policy

This search detects a principal attaching an IAM policy (the IAM Attach*Policy calls, identified by requestParameters.policyArn) to a user, group or role, including to itself. Attaching a more privileged policy can be used for lateral movement and privilege escalation.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078
  • Last Updated: 2020-07-27

Search

`aws_cloudwatchlogs_eks` attach policy | spath requestParameters.policyArn | table sourceIPAddress user_access_key userIdentity.arn userIdentity.sessionContext.sessionIssuer.arn eventName errorCode errorMessage status action requestParameters.policyArn userIdentity.sessionContext.attributes.mfaAuthenticated userIdentity.sessionContext.attributes.creationDate | `aws_detect_attach_to_role_policy_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with CloudWatch Logs.

Required field

  • _time
  • requestParameters.policyArn


ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

  • Lateral Movement


Known False Positives

Attaching policies can generate a lot of noise. This search can be narrowed to specific values to identify cases of abuse (for example status=failure), and it can provide context on ordinary users attaching themselves to higher-privilege policies or to newly created policies.

Reference

Test Dataset

version: 1


Aws detect permanent key creation

This search detects IAM users creating long-lived (permanent) access keys via CreateAccessKey. Permanent keys are not created by default and are only needed for programmatic access, so their creation is an important event to monitor.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078
  • Last Updated: 2020-07-27

Search

`aws_cloudwatchlogs_eks` CreateAccessKey | spath eventName | search eventName=CreateAccessKey "userIdentity.type"=IAMUser | table sourceIPAddress userName userIdentity.type userAgent action status responseElements.accessKey.createDate responseElements.accessKey.status responseElements.accessKey.accessKeyId |`aws_detect_permanent_key_creation_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with CloudWatch Logs.

Required field

  • _time
  • eventName
  • userIdentity.type
  • sourceIPAddress
  • userName
  • userAgent
  • action
  • status
  • responseElements.accessKey.createDate
  • responseElements.accessKey.status
  • responseElements.accessKey.accessKeyId


ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

  • Lateral Movement


Known False Positives

Not all permanent key creations are malicious. If there is a key rotation policy, this search can be adjusted to take it into account and provide better context.

Reference

Test Dataset

version: 1


Aws detect role creation

This search detects the creation of an IAM role (CreateRole) by a principal operating under an assumed role, where the new role's description starts with "Allows". A new role with a trust policy different from those AWS provides is a notable event in itself, and it can be used for lateral movement and privilege escalation.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078
  • Last Updated: 2020-07-27

Search

`aws_cloudwatchlogs_eks` event_name=CreateRole action=created userIdentity.type=AssumedRole requestParameters.description=Allows* | table sourceIPAddress userIdentity.principalId userIdentity.arn action event_name awsRegion http_user_agent mfa_auth msg requestParameters.roleName requestParameters.description responseElements.role.arn responseElements.role.createDate | `aws_detect_role_creation_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with CloudWatch Logs.

Required field

  • _time
  • event_name
  • action
  • userIdentity.type
  • requestParameters.description
  • sourceIPAddress
  • userIdentity.principalId
  • userIdentity.arn
  • awsRegion
  • http_user_agent
  • mfa_auth
  • msg
  • requestParameters.roleName
  • responseElements.role.arn
  • responseElements.role.createDate


ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

  • Lateral Movement


Known False Positives

CreateRole is uncommon for ordinary users. This search can be narrowed to specific values to identify cases of abuse. In general, AWS provides trust policies that fit most use cases.

Reference

Test Dataset

version: 1


Aws detect sts assume role abuse

This search detects suspicious use of sts:AssumeRole, that is, actions performed with an assumed-role session whose issuer is an IAM role. These temporary credentials can be minted on demand and used by attackers to move laterally and escalate privileges.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078
  • Last Updated: 2020-07-27

Search

`cloudtrail` user_type=AssumedRole userIdentity.sessionContext.sessionIssuer.type=Role | table sourceIPAddress userIdentity.arn user_agent user_access_key status action requestParameters.roleName responseElements.role.roleName responseElements.role.createDate | `aws_detect_sts_assume_role_abuse_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs.

Required field

  • _time
  • user_type
  • userIdentity.sessionContext.sessionIssuer.type
  • sourceIPAddress
  • userIdentity.arn
  • user_agent
  • user_access_key
  • status
  • action
  • requestParameters.roleName
  • responseElements.role.roleName
  • responseElements.role.createDate


ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

  • Lateral Movement


Known False Positives

sts:AssumeRole can be very noisy, as it is the standard mechanism for cross-account and cross-resource access. This search can be narrowed to specific values to identify cases of abuse.

Reference

Test Dataset

version: 1


Aws detect sts get session token abuse

This search detects suspicious use of sts:GetSessionToken by IAM users; the raw ASIA term matches the prefix of the temporary access key IDs that STS returns. These temporary credentials can be minted on demand and used by attackers to move laterally and escalate privileges.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1550
  • Last Updated: 2020-07-27

Search

`aws_cloudwatchlogs_eks` ASIA userIdentity.type=IAMUser | spath eventName | search eventName=GetSessionToken | table sourceIPAddress eventTime userIdentity.arn userName userAgent user_type status region | `aws_detect_sts_get_session_token_abuse_filter`

Associated Analytic Story


How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with CloudWatch Logs.

Required field

  • _time
  • userIdentity.type
  • eventName
  • sourceIPAddress
  • eventTime
  • userIdentity.arn
  • userName
  • userAgent
  • user_type
  • status
  • region


ATT&CK

ID Technique Tactic
T1550 Use Alternate Authentication Material Defense Evasion, Lateral Movement


Kill Chain Phase

  • Lateral Movement


Known False Positives

sts:GetSessionToken can be very noisy, as in certain environments numerous calls of this type are executed. This search can be narrowed to specific values to identify cases of abuse. In environments that require MFA for this call, the requestParameters.serialNumber field (the MFA device serial) separates MFA-backed requests from the rest.

Reference

Test Dataset

version: 1
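The three STS and access-key searches above (permanent key creation, AssumeRole sessions and this GetSessionToken search) all hinge on which kind of credential a CloudTrail record creates or uses. As an added example that is not Splunk's or this page's code, the Python below runs the three rules over constructed CloudTrail records and classifies the access key IDs involved. Field names follow the CloudTrail record format (eventName, userIdentity.type, userIdentity.sessionContext.sessionIssuer, requestParameters, responseElements); the account ID, ARNs, key IDs and addresses are placeholders, not real credentials.

```python
"""Added example, not Splunk's code: the IAM/STS credential rules above run over
constructed CloudTrail records. Account ID, ARNs and key IDs are placeholders."""

ACCOUNT = "123456789012"   # placeholder account ID


def trail_record(event_name, source, identity, ip, agent="aws-cli/2.0.0", **extra):
    """One constructed CloudTrail record with the fields the searches on this page use."""
    rec = {"eventTime": "2020-07-27T10:00:00Z", "eventName": event_name, "eventSource": source,
           "awsRegion": "us-east-1", "sourceIPAddress": ip, "userAgent": agent, "userIdentity": identity}
    rec.update(extra)
    return rec


def iam_user(name, key="AKIAEXAMPLE000000000"):
    return {"type": "IAMUser", "userName": name, "accessKeyId": key,
            "arn": "arn:aws:iam::%s:user/%s" % (ACCOUNT, name)}


def assumed_role(role, session, mfa="false"):
    return {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000000",
            "arn": "arn:aws:sts::%s:assumed-role/%s/%s" % (ACCOUNT, role, session),
            "sessionContext": {"sessionIssuer": {"type": "Role", "userName": role,
                                                 "arn": "arn:aws:iam::%s:role/%s" % (ACCOUNT, role)},
                               "attributes": {"mfaAuthenticated": mfa, "creationDate": "2020-07-27T09:00:00Z"}}}


SAMPLE_TRAIL = [
    # alice creates a long-lived key for herself from the console (rule 1)
    trail_record("CreateAccessKey", "iam.amazonaws.com", iam_user("alice"), "198.51.100.17",
                 agent="console.amazonaws.com",
                 responseElements={"accessKey": {"accessKeyId": "AKIAEXAMPLE111111111", "status": "Active",
                                                 "userName": "alice", "createDate": "Jul 27, 2020 10:00:00 AM"}}),
    # bob requests a session token with his MFA device (serialNumber present) (rule 2)
    trail_record("GetSessionToken", "sts.amazonaws.com", iam_user("bob"), "203.0.113.8",
                 requestParameters={"serialNumber": "arn:aws:iam::%s:mfa/bob" % ACCOUNT, "durationSeconds": 3600},
                 responseElements={"credentials": {"accessKeyId": "ASIAEXAMPLE222222222"}}),
    # an unfamiliar address requests a 36-hour session token for mallory without MFA (rule 2)
    trail_record("GetSessionToken", "sts.amazonaws.com", iam_user("mallory"), "192.0.2.99",
                 requestParameters={"durationSeconds": 129600},
                 responseElements={"credentials": {"accessKeyId": "ASIAEXAMPLE333333333"}}),
    # activity under an assumed Admin role session (rule 3)
    trail_record("ListBuckets", "s3.amazonaws.com", assumed_role("Admin", "session1"), "203.0.113.8"),
    # automation under a role creates a key for a new user: not an IAMUser caller, so rule 1 skips it
    trail_record("CreateAccessKey", "iam.amazonaws.com", assumed_role("Provisioner", "ci-42"), "10.0.0.5",
                 responseElements={"accessKey": {"accessKeyId": "AKIAEXAMPLE444444444", "status": "Active",
                                                 "userName": "newhire"}}),
]


def key_kind(access_key_id):
    """AWS access key IDs begin with AKIA for long-term IAM user keys and ASIA for temporary STS credentials."""
    return {"AKIA": "permanent", "ASIA": "temporary"}.get((access_key_id or "")[:4], "unknown")


def permanent_key_creations(records):
    """Rule 1: CreateAccessKey issued by an IAMUser; who, from where, and the key that was minted."""
    hits = []
    for rec in records:
        ident = rec["userIdentity"]
        if rec["eventName"] != "CreateAccessKey" or ident["type"] != "IAMUser":
            continue
        key = rec.get("responseElements", {}).get("accessKey", {})
        hits.append({"src_ip": rec["sourceIPAddress"], "caller": ident["userName"],
                     "for_user": key.get("userName"), "accessKeyId": key.get("accessKeyId"),
                     "kind": key_kind(key.get("accessKeyId")), "status": key.get("status")})
    return hits


def session_token_requests(records):
    """Rule 2: GetSessionToken by an IAMUser. requestParameters.serialNumber (the MFA device)
    is the field the false-positive note suggests for splitting MFA-backed calls from the rest."""
    hits = []
    for rec in records:
        ident = rec["userIdentity"]
        if rec["eventName"] != "GetSessionToken" or ident["type"] != "IAMUser":
            continue
        params = rec.get("requestParameters", {})
        issued = rec.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
        hits.append({"src_ip": rec["sourceIPAddress"], "user": ident["userName"],
                     "mfa": "serialNumber" in params, "durationSeconds": params.get("durationSeconds"),
                     "issued_kind": key_kind(issued)})
    return hits


def assumed_role_activity(records):
    """Rule 3: calls made with an assumed-role session whose issuer is an IAM role."""
    hits = []
    for rec in records:
        ident = rec["userIdentity"]
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        if ident["type"] != "AssumedRole" or issuer.get("type") != "Role":
            continue
        hits.append({"eventName": rec["eventName"], "role": issuer.get("userName"),
                     "src_ip": rec["sourceIPAddress"],
                     "mfa": ident["sessionContext"]["attributes"]["mfaAuthenticated"]})
    return hits
```

The credentials GetSessionToken returns carry the caller's permissions for the requested duration, so a long-duration request without an MFA serial from an unfamiliar address (mallory's record in the sample) is the row to look at first. The rule-3 output is deliberately noisy, as the false-positive note says; the role name and mfaAuthenticated flag are what make it filterable.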



Endpoint

Access lsass memory for dump creation

Detect memory dumping of the LSASS process.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1003.001
  • Last Updated: 2019-12-06

Search

`sysmon` EventCode=10 TargetImage=*lsass.exe CallTrace=*dbgcore.dll* OR CallTrace=*dbghelp.dll* | stats count min(_time) as firstTime max(_time) as lastTime by Computer, TargetImage, TargetProcessId, SourceImage, SourceProcessId | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `access_lsass_memory_for_dump_creation_filter`

Associated Analytic Story


How To Implement

This search requires Sysmon Logs and a Sysmon configuration, which includes EventCode 10 for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.

Required field

  • _time
  • EventCode
  • TargetImage
  • CallTrace
  • Computer
  • TargetProcessId
  • SourceImage
  • SourceProcessId


ATT&CK

ID Technique Tactic
T1003.001 LSASS Memory Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.

Reference


Test Dataset


version: 2


Account discovery with net app

This search detects a series of net.exe / net1.exe account-discovery commands (net user, net config, net view /all) used by several malware families and attackers to reconnoitre a target machine. The technique is seen in noteworthy malware such as TrickBot, which runs the commands from a cmd process or drops a module that executes the series of net commands. Five or more such commands from one host are a good correlation indicator of attacker reconnaissance, particularly on machines of non-technical users or departments (HR, finance, executives).

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1087.002
  • Last Updated: 2021-05-03

Search

| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" OR Processes.process_name="net1.exe") AND (Processes.process="*user*" OR Processes.process="*config*" OR Processes.process="*view /all*") by Processes.process_name Processes.dest Processes.user Processes.parent_process_name | where count >=5 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `account_discovery_with_net_app_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known administrative uses of these net commands.

Required field

  • _time
  • Processes.parent_process_name
  • Processes.parent_process_id
  • Processes.process_name
  • Processes.process
  • Processes.process_id
  • Processes.process_guid
  • Processes.dest
  • Processes.user


ATT&CK

ID Technique Tactic
T1087.002 Domain Account Discovery


Kill Chain Phase

  • Exploitation


Known False Positives

Administrators or power users may run this series of commands.

Reference


Test Dataset


version: 1


Allow inbound traffic by firewall rule registry

This analytic detects a suspicious modification of the Windows Firewall rules registry key that allows inbound traffic on a specific local port under the Public profile. Attackers use this technique to obtain remote access to a machine by allowing the traffic through a firewall rule.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1021.001
  • Last Updated: 2021-05-26

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= "*\\System\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules\\*" Registry.registry_value_name = "* |Action=Allow |*" Registry.registry_value_name = "* |Dir=In |*" Registry.registry_value_name = "* |Profile=Public |*" Registry.registry_value_name = "* |LPort=*" by Registry.registry_path Registry.registry_key_name Registry.user Registry.registry_value_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `allow_inbound_traffic_by_firewall_rule_registry_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting registry modification events, including the name of the process responsible for the change, from your endpoints into the `Registry` node of the `Endpoint` data model. Also make sure the FirewallRules registry key is included in your endpoint agent configuration (for example the Sysmon config) so that changes to it are monitored.

Required field

  • _time
  • Registry.registry_path
  • Registry.registry_value_name
  • Registry.registry_key_name
  • Registry.dest
  • Registry.user


ATT&CK

ID Technique Tactic
T1021.001 Remote Desktop Protocol Lateral Movement


Kill Chain Phase

  • Exploitation


Known False Positives

Network administrators may add, remove or modify public inbound firewall rules, which will trigger this search.

Reference


Test Dataset


version: 1


Allow inbound traffic in firewall rule

This search detects a suspicious PowerShell command that allows inbound traffic on a specific local port under the Public profile. Attackers use this technique to obtain remote access to a machine by allowing the traffic through a firewall rule.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1021.001
  • Last Updated: 2021-05-19

Search

`powershell` EventCode=4104 Message = "*firewall*" Message = "*Public*" Message = "*Inbound*" Message = "*Allow*" Message = "*-LocalPort*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `allow_inbound_traffic_in_firewall_rule_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting PowerShell logs from your endpoints. Make sure you have enabled the registry settings needed to generate this event.

Required field

  • _time
  • EventCode
  • Message
  • ComputerName
  • User


ATT&CK

ID Technique Tactic
T1021.001 Remote Desktop Protocol Lateral Movement


Kill Chain Phase

  • Exploitation


Known False Positives

An administrator may allow inbound traffic on a certain network or machine.

Reference


Test Dataset


version: 1


Allow operation with consent admin

This search detects a potential privilege escalation attempt to perform a malicious task. This registry modification allows the Consent Admin to perform an operation that requires elevation without consent or credentials. We have also seen attackers use this to gain elevated privileges on the compromised machine.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1548
  • Last Updated: 2021-06-10

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System*" Registry.registry_key_name = ConsentPromptBehaviorAdmin Registry.registry_value_name = "DWORD (0x00000000)" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `allow_operation_with_consent_admin_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.

Required field

  • _time
  • Registry.registry_path
  • Registry.registry_key_name
  • Registry.registry_value_name
  • Registry.dest


ATT&CK

ID Technique Tactic
T1548 Abuse Elevation Control Mechanism Privilege Escalation, Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

unknown

Reference


Test Dataset


version: 1


Anomalous usage of 7zip

The following detection identifies a 7z.exe spawned from `Rundll32.exe` or `Dllhost.exe`. It is assumed that the adversary has brought in `7z.exe` and `7z.dll`. It has been observed where an adversary will rename `7z.exe`. Additional coverage may be required to identify the behavior of renamed instances of `7z.exe`. During triage, identify the source of injection into `Rundll32.exe` or `Dllhost.exe`. Capture any files written to disk and analyze as needed. Review parallel processes for additional behaviors. Typically, archiving files will result in exfiltration.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1560.001
  • Last Updated: 2021-04-22

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name IN ("rundll32.exe", "dllhost.exe") Processes.process_name=*7z* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `anomalous_usage_of_7zip_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting information on processes that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

  • _time
  • Processes.process_name
  • Processes.process
  • Processes.dest
  • Processes.user
  • Processes.parent_process
  • Processes.process_id
  • Processes.parent_process_id


ATT&CK

ID Technique Tactic
T1560.001 Archive via Utility Collection


Kill Chain Phase

  • Actions on Objectives


Known False Positives

False positives should be limited as this behavior is not normal for `rundll32.exe` or `dllhost.exe` to spawn and run 7zip.

Reference


Test Dataset


version: 1


Any powershell downloadfile

The following analytic identifies the use of PowerShell to download a file using the `DownloadFile` method. This particular method is utilized in many different PowerShell frameworks to download files and write them to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review them for further details of the implant.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1059.001
  • Last Updated: 2021-03-01

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=PowerShell_ISE.exe) Processes.process=*DownloadFile* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `any_powershell_downloadfile_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting information on processes that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

  • _time
  • Processes.process_name
  • Processes.process
  • Processes.dest
  • Processes.user
  • Processes.parent_process
  • Processes.process_id
  • Processes.parent_process_id


ATT&CK

ID Technique Tactic
T1059.001 PowerShell Execution


Kill Chain Phase

  • Exploitation


Known False Positives

False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage.

Reference


Test Dataset


version: 1


Any powershell downloadstring

The following analytic identifies the use of PowerShell to download a file using the `DownloadString` method. This particular method is utilized in many different PowerShell frameworks to download files and write them to disk. Identify the source (IP/domain) and destination file and triage appropriately. If AMSI logging or PowerShell transaction logs are available, review them for further details of the implant.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1059.001
  • Last Updated: 2021-03-01

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=powershell.exe OR Processes.process_name=pwsh.exe OR Processes.process_name=PowerShell_ISE.exe) Processes.process=*.DownloadString* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `any_powershell_downloadstring_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting information on processes that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

  • _time
  • Processes.process_name
  • Processes.process
  • Processes.dest
  • Processes.user
  • Processes.parent_process
  • Processes.process_id
  • Processes.parent_process_id


ATT&CK

ID Technique Tactic
T1059.001 PowerShell Execution


Kill Chain Phase

  • Exploitation


Known False Positives

False positives may be present and filtering will need to occur by parent process or command line argument. It may be required to modify this query to an EDR product for more granular coverage.

Reference


Test Dataset


version: 1


Applying stolen credentials via mimikatz modules

This detection indicates the use of Mimikatz modules that facilitate Pass-the-Ticket attacks, Golden or Silver Kerberos ticket attacks, and Skeleton Key attacks.

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)kerberos::ptt/)=true OR match_regex(cmd_line, /(?i)kerberos::golden/)=true OR match_regex(cmd_line, /(?i)kerberos::silver/)=true OR match_regex(cmd_line, /(?i)misc::skeleton/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["cmd_line", cmd_line]) | into write_ssa_detected_events();

Associated Analytic Story


How To Implement

You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with command line logging enabled.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1055 Process Injection Defense Evasion, Privilege Escalation
T1068 Exploitation for Privilege Escalation Privilege Escalation
T1078 Valid Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access
T1098 Account Manipulation Persistence
T1134 Access Token Manipulation Defense Evasion, Privilege Escalation
T1543 Create or Modify System Process Persistence, Privilege Escalation
T1547 Boot or Logon Autostart Execution Persistence, Privilege Escalation
T1548 Abuse Elevation Control Mechanism Privilege Escalation, Defense Evasion
T1554 Compromise Client Software Binary Persistence
T1556 Modify Authentication Process Credential Access, Defense Evasion, Persistence
T1558 Steal or Forge Kerberos Tickets Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset


version: 1


Applying stolen credentials via powersploit modules

Stolen credentials are applied by methods such as user impersonation, credential injection, spoofing of authentication processes or getting hold of critical accounts. This detection indicates such activities carried out by PowerSploit exploit kit APIs.

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Invoke-CredentialInjection/)=true OR match_regex(cmd_line, /(?i)Invoke-TokenManipulation/)=true OR match_regex(cmd_line, /(?i)Invoke-UserImpersonation/)=true OR match_regex(cmd_line, /(?i)Get-System/)=true OR match_regex(cmd_line, /(?i)Invoke-RevertToSelf/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["cmd_line", cmd_line]) | into write_ssa_detected_events();

Associated Analytic Story


How To Implement

You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with command line logging enabled.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1055 Process Injection Defense Evasion, Privilege Escalation
T1068 Exploitation for Privilege Escalation Privilege Escalation
T1078 Valid Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access
T1098 Account Manipulation Persistence
T1134 Access Token Manipulation Defense Evasion, Privilege Escalation
T1543 Create or Modify System Process Persistence, Privilege Escalation
T1547 Boot or Logon Autostart Execution Persistence, Privilege Escalation
T1548 Abuse Elevation Control Mechanism Privilege Escalation, Defense Evasion
T1554 Compromise Client Software Binary Persistence
T1555 Credentials from Password Stores Credential Access
T1558 Steal or Forge Kerberos Tickets Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset


version: 1


Assessment of credential strength via dsinternals modules

This detection identifies the use of DSInternals modules that verify password strength, i.e., identify weak accounts that would be easily compromised.

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Test-PasswordQuality/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["cmd_line", cmd_line]) | into write_ssa_detected_events();

Associated Analytic Story


How To Implement

You must be ingesting Windows Security logs from devices of interest, including event ID 4688 with command line logging enabled.

Required field

  • _time
  • process
  • dest_device_id
  • dest_user_id


ATT&CK

ID Technique Tactic
T1078 Valid Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access
T1098 Account Manipulation Persistence
T1087 Account Discovery Discovery
T1201 Password Policy Discovery Discovery
T1552 Unsecured Credentials Credential Access
T1555 Credentials from Password Stores Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Attempt to add certificate to untrusted store

Attempt To Add Certificate To Untrusted Store

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1553.004
  • Last Updated: 2020-11-03

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=*certutil* (Processes.process=*-addstore*) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `attempt_to_add_certificate_to_untrusted_store_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

  • _time
  • Processes.process
  • Processes.process_name
  • Processes.parent_process
  • Processes.user


ATT&CK

ID Technique Tactic
T1553.004 Install Root Certificate Defense Evasion


Kill Chain Phase

  • Installation
  • Actions on Objectives


Known False Positives

There may be legitimate reasons for administrators to add a certificate to the untrusted certificate store. In such cases, this will typically be done on a large number of systems.

Reference

Test Dataset


version: 6


Attempt to stop security service

This search looks for attempts to stop security-related services on the endpoint.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1562.001
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = net.exe OR Processes.process_name = sc.exe) Processes.process="* stop *" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |lookup security_services_lookup service as process OUTPUTNEW category, description | search category=security | `attempt_to_stop_security_service_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. The search is shipped with a lookup file, `security_services.csv`, that can be edited to update the list of services to monitor. This lookup file can be edited directly where it lives in `$SPLUNK_HOME/etc/apps/DA-ESS-ContentUpdate/lookups`, or via the Splunk console. You should add the names of services an attacker might use on the command line and surround them with asterisks (*), so that they work properly when searching the command line. The file should be updated with the names of any services you would like to monitor for attempts to stop the service.

Required field

  • _time
  • Processes.process_name
  • Processes.process
  • Processes.dest
  • Processes.user


ATT&CK

ID Technique Tactic
T1562.001 Disable or Modify Tools Defense Evasion


Kill Chain Phase

  • Installation
  • Actions on Objectives


Known False Positives

None identified. Attempts to disable security-related services should be identified and understood.

Reference

Test Dataset


version: 3


Attempted credential dump from registry via reg exe

Monitor for execution of reg.exe with parameters specifying an export of keys that contain hashed credentials that attackers may try to crack offline.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1003.002
  • Last Updated: 2019-12-02

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=reg.exe OR Processes.process_name=cmd.exe) Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\Security* OR Processes.process=*HKEY_LOCAL_MACHINE\\SAM* OR Processes.process=*HKEY_LOCAL_MACHINE\\System* OR Processes.process=*HKLM\\Security* OR Processes.process=*HKLM\\System* OR Processes.process=*HKLM\\SAM*) by Processes.user Processes.process_name Processes.process Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `attempted_credential_dump_from_registry_via_reg_exe_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

  • _time
  • Processes.process_name
  • Processes.process
  • Processes.dest


ATT&CK

ID Technique Tactic
T1003.002 Security Account Manager Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference

Test Dataset


version: 4


Attempted credential dump from registry via reg exe

Monitor for execution of reg.exe with parameters specifying an export of keys that contain hashed credentials that attackers may try to crack offline.

  • Product: Splunk Behavioral Analytics
  • Datamodel:
  • ATT&CK: T1003
  • Last Updated: 2020-6-04

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)) | eval process_name=lower(ucast(map_get(input_event, "process_name"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null), dest_user_id=ucast(map_get(input_event, "dest_user_id"), "string", null), dest_device_id=ucast(map_get(input_event, "dest_device_id"), "string", null) | where process_name="cmd.exe" OR process_name="reg.exe" | where cmd_line != null AND match_regex(cmd_line, /(?i)save\s+/)=true AND ( match_regex(cmd_line, /(?i)HKLM\\Security/)=true OR match_regex(cmd_line, /(?i)HKLM\\SAM/)=true OR match_regex(cmd_line, /(?i)HKLM\\System/)=true OR match_regex(cmd_line, /(?i)HKEY_LOCAL_MACHINE\\Security/)=true OR match_regex(cmd_line, /(?i)HKEY_LOCAL_MACHINE\\SAM/)=true OR match_regex(cmd_line, /(?i)HKEY_LOCAL_MACHINE\\System/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend(dest_device_id, dest_user_id), body=create_map(["cmd_line", cmd_line, "process_name", process_name]) | into write_ssa_detected_events();

Associated Analytic Story


How To Implement

You must be ingesting Windows endpoint data that tracks process activity, including parent-child relationships, from your endpoints.

Required field

  • process_name
  • _time
  • dest_device_id
  • dest_user_id
  • process


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Bcdedit failure recovery modification

This search looks for flags passed to bcdedit.exe that modify the built-in Windows error recovery boot configuration. This is typically used by ransomware to prevent recovery.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1490
  • Last Updated: 2020-12-21

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = bcdedit.exe Processes.process="*recoveryenabled*" (Processes.process="* no*") by Processes.process_name Processes.process Processes.parent_process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bcdedit_failure_recovery_modification_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. Tune based on parent process names.

Required field

  • _time
  • Processes.process_name
  • Processes.process
  • Processes.parent_process_name
  • Processes.dest
  • Processes.user


ATT&CK

ID Technique Tactic
T1490 Inhibit System Recovery Impact


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Administrators may modify the boot configuration.

Reference


Test Dataset


version: 1


Bits job persistence

The following query identifies the Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume, or add a file to a BITS job. These are typically seen combined in a one-liner or run in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files, and this may require further network data analysis to identify. You can use `bitsadmin /list /verbose` to list the jobs during investigation.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1197
  • Last Updated: 2021-03-29

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=bitsadmin.exe Processes.process IN (*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*, *resume* ) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bits_job_persistence_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting information on processes that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

  • _time
  • Processes.process
  • Processes.parent_process
  • Processes.process_name
  • Processes.user
  • Processes.dest


ATT&CK

ID Technique Tactic
T1197 BITS Jobs Defense Evasion, Persistence


Kill Chain Phase

  • Exploitation


Known False Positives

Limited false positives will be present. Typically, applications will use `BitsAdmin.exe`. Any filtering should be done based on command-line arguments (legitimate applications) or parent process.

Reference


Test Dataset


version: 1


Bitsadmin download file

The following query identifies the Microsoft Background Intelligent Transfer Service utility `bitsadmin.exe` using the `transfer` parameter to download a remote object. In addition, look for `download` or `upload` on the command line; these switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically, once executed, a follow-on command will be used to execute the dropped file. Note that the related network connection or file modification events will not spawn or be created from `bitsadmin.exe`; the artifacts will instead appear in a parallel `svchost.exe` process with a command line similar to `svchost.exe -k netsvcs -s BITS`. It is important to review all parallel and child processes to capture any behaviors and artifacts. In some suspicious and malicious instances, BITS jobs will be created. You can use `bitsadmin /list /verbose` to list the jobs during investigation.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1197, T1105
  • Last Updated: 2021-03-26

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=bitsadmin.exe Processes.process=*transfer* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `bitsadmin_download_file_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting information on processes that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

  • _time
  • Processes.process
  • Processes.parent_process
  • Processes.process_name
  • Processes.user
  • Processes.dest


ATT&CK

ID Technique Tactic
T1197 BITS Jobs Defense Evasion, Persistence
T1105 Ingress Tool Transfer Command And Control


Kill Chain Phase

  • Exploitation


Known False Positives

Limited false positives; however, it may be required to filter based on parent process name or network connection.

Reference


Test Dataset


version: 1


Batch file write to system32

The search looks for a batch file (.bat) written to the Windows system directory tree.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1204.002
  • Last Updated: 2018-12-14

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.dest) as dest values(Filesystem.file_name) as file_name values(Filesystem.user) as user from datamodel=Endpoint.Filesystem by Filesystem.file_path | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | rex field=file_name "(?<file_extension>\.[^\.]+)$" | search file_path=*system32* AND file_extension=.bat | `batch_file_write_to_system32_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records the file-system activity from your hosts to populate the Endpoint file-system data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.

Required field

  • _time
  • Filesystem.dest
  • Filesystem.file_name
  • Filesystem.user
  • Filesystem.file_path


ATT&CK

ID Technique Tactic
T1204.002 Malicious File Execution


Kill Chain Phase

  • Delivery


Known False Positives

It is possible for this search to generate a notable event for a batch file write to a path that includes the string "system32", but is not the actual Windows system directory. As such, you should confirm the path of the batch file identified by the search. In addition, a false positive may be generated by an administrator copying a legitimate batch file in this directory tree. You should confirm that the activity is legitimate and modify the search to add exclusions, as necessary.

Reference

Test Dataset


version: 1


Cmd echo pipe - escalation

This analytic identifies a common behavior by Cobalt Strike and other frameworks where the adversary will escalate privileges, either via `jump` (Cobalt Strike PTH) or `getsystem`, using named-pipe impersonation. A suspicious event will look like `cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53`.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1059.003, T1543.003
  • Last Updated: 2021-05-20

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=cmd.exe OR Processes.process=*%comspec%*) (Processes.process=*echo* AND Processes.process=*pipe*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmd_echo_pipe___escalation_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting information on processes that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

  • _time
  • Processes.dest
  • Processes.user
  • Processes.parent_process
  • Processes.process_name
  • Processes.process
  • Processes.process_id
  • Processes.parent_process_id


ATT&CK

ID Technique Tactic
T1059.003 Windows Command Shell Execution
T1543.003 Windows Service Persistence, Privilege Escalation


Kill Chain Phase

  • Exploitation
  • Privilege Escalation


Known False Positives

Unknown. It is possible filtering may be required to ensure fidelity.

Reference


Test Dataset


version: 1


Cmlua or cmstplua uac bypass

This analytic detects a process potentially using a COM object such as CMLUA or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges for their running process.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.003
  • Last Updated: 2021-05-13

Search

`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) NOT(Image IN("*\\windows\\*", "*\\program files*")) | stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded process_name Computer EventCode Signed ProcessId | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cmlua_or_cmstplua_uac_bypass_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs that include the process name and image-load events (Sysmon Event ID 7) from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

  • _time
  • Image
  • ImageLoaded
  • process_name
  • Computer
  • EventCode
  • Signed
  • ProcessId


ATT&CK

ID Technique Tactic
T1218.003 CMSTP Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

Legitimate Windows applications that are not on the exclusion list may load these DLLs. Filter as needed.

Reference


Test Dataset


version: 1


Certutil download with urlcache and split arguments

Certutil.exe may download a file from a remote destination using `-urlcache`. This behavior requires a URL to be passed on the command line; in addition, `-f` (force) and `-split` (split embedded ASN.1 elements and save to files) will be used. It is not common for `certutil.exe` to contact public IP space, and it is uncommon for it to write files to world-writable paths. During triage, capture any files on disk and review them. Review the reputation of the remote IP or domain in question.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1105
  • Last Updated: 2021-03-23

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe Processes.process=*urlcache* Processes.process=*split* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_urlcache_and_split_arguments_filter`

Associated Analytic Story


How To Implement

To successfully implement this search you need to be ingesting process-execution data, including the process name and command line, from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

  • _time
  • Processes.process
  • Processes.parent_process
  • Processes.process_name
  • Processes.user
  • Processes.dest


ATT&CK

ID Technique Tactic
T1105 Ingress Tool Transfer Command And Control


Kill Chain Phase

  • Exploitation


Known False Positives

Limited false positives in most environments; tune as needed based on parent-child relationship or network connection.

Reference


Test Dataset


version: 1


Certutil download with verifyctl and split arguments

Certutil.exe may download a file from a remote destination using `-VerifyCtl`. This behavior requires a URL to be passed on the command line; in addition, `-f` (force) and `-split` (split embedded ASN.1 elements and save to files) will be used. It is not common for `certutil.exe` to contact public IP space. During triage, capture any files on disk and review them. Review the reputation of the remote IP or domain in question. With `-VerifyCtl`, the file will be written either to the current working directory or to `%APPDATA%\..\LocalLow\Microsoft\CryptnetUrlCache\Content\<hash>`.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1105
  • Last Updated: 2021-03-23

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe Processes.process=*verifyctl* Processes.process=*split* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_download_with_verifyctl_and_split_arguments_filter`

Associated Analytic Story


How To Implement

To successfully implement this search you need to be ingesting process-execution data, including the process name and command line, from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

  • _time
  • Processes.process
  • Processes.parent_process
  • Processes.process_name
  • Processes.user
  • Processes.dest


ATT&CK

ID Technique Tactic
T1105 Ingress Tool Transfer Command And Control


Kill Chain Phase

  • Exploitation


Known False Positives

Limited false positives in most environments; tune as needed based on parent-child relationship or network connection.

Reference


Test Dataset


version: 1


Certutil with decode argument

CertUtil.exe may be used to `encode` and `decode` a file, including PE and script code. Encoding converts a file to base64 wrapped in `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` tags. Malicious usage typically decodes an encoded file that was downloaded; once decoded, it is loaded by a parallel process. Note that two additional switches may be used, `encodehex` and `decodehex`; the file is then encoded as hex and later decoded for further execution. During triage, identify the source of the file being decoded, and review its contents or execution behavior for further analysis.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1140
  • Last Updated: 2021-03-23

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe Processes.process=*decode* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `certutil_with_decode_argument_filter`

Associated Analytic Story


How To Implement

To successfully implement this search you need to be ingesting process-execution data, including the process name and command line, from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

  • _time
  • Processes.process
  • Processes.parent_process
  • Processes.process_name
  • Processes.user
  • Processes.dest


ATT&CK

ID Technique Tactic
T1140 Deobfuscate/Decode Files or Information Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

Typically seen used to `encode` files, but it is possible to see legitimate use of `decode`. Filter based on parent-child relationship, file paths, endpoint or user.

Reference


Test Dataset


version: 1


Certutil exe certificate extraction

This search looks for arguments to certutil.exe that indicate the manipulation or extraction of a certificate. Such a certificate can then be used to sign new authentication tokens, especially in federated environments such as Windows ADFS.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK:
  • Last Updated: 2021-01-26

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=certutil.exe Processes.process = "* -exportPFX *" by Processes.parent_process Processes.process_name Processes.process Processes.user | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `certutil_exe_certificate_extraction_filter`

Associated Analytic Story


How To Implement

Required field

  • _time
  • Processes.process
  • Processes.process_name
  • Processes.parent_process
  • Processes.user



Kill Chain Phase

  • Installation


Known False Positives

Unless there are specific use cases, manipulating or exporting certificates using certutil is uncommon. Certificate extraction has been observed during attacks such as Golden SAML and other campaigns targeting federated services.

Reference

Test Dataset


version: 1
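The four certutil detections above (urlcache and split, VerifyCtl and split, decode, and -exportPFX) all key on switches of the same binary. The following Python classifier is an added example rather than code from the Splunk security content project: it runs the same checks over constructed process events and returns which of the four detection names a command line would trigger. It deviates from the searches in two deliberate ways. It parses switches instead of matching substrings, and it accepts both `-` and `/` as the switch prefix, since certutil takes either, whereas the `-exportPFX` search only matches the hyphenated, space-delimited form. It also pulls out the remote URL that the triage notes ask you to check. Events, hosts, domains and paths are made up.

```python
import re

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed events in the shape of the Endpoint.Processes node; none are real telemetry.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "CORP\\alice", "process_name": "certutil.exe",
     "parent_process": "C:\\Windows\\System32\\cmd.exe",
     "process": r"certutil.exe -urlcache -split -f https://files.example.test/p.bin C:\Users\Public\p.bin"},
    {"dest": "ws02", "user": "CORP\\bob", "process_name": "certutil.exe",
     "parent_process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "process": r"certutil.exe /VerifyCtl /f /split https://files.example.test/list.ctl"},
    {"dest": "ws03", "user": "CORP\\carol", "process_name": "certutil.exe",
     "parent_process": "C:\\Windows\\System32\\cmd.exe",
     "process": r"certutil.exe -decode C:\Users\Public\enc.txt C:\Users\Public\dec.exe"},
    {"dest": "adfs01", "user": "CORP\\svc_adfs", "process_name": "certutil.exe",
     "parent_process": "C:\\Windows\\System32\\cmd.exe",
     "process": r"certutil.exe -p pass -exportPFX my 0123abcd C:\temp\signing.pfx"},
    {"dest": "ws04", "user": "CORP\\dave", "process_name": "certutil.exe",
     "parent_process": "C:\\Windows\\System32\\cmd.exe",
     "process": r"certutil.exe -encode C:\work\in.bin C:\work\out.txt"},   # encode only: benign
]


def certutil_switches(cmdline):
    """Switch names in lower case; certutil accepts both '-' and '/' prefixes."""
    return {tok.lstrip("-/").lower() for tok in cmdline.split()
            if tok[:1] in ("-", "/") and len(tok) > 1}


def classify_certutil(event):
    """Names of the page's certutil detections the event would trigger (possibly none)."""
    if (event.get("process_name") or "").lower() != "certutil.exe":
        return []
    switches = certutil_switches(event.get("process") or "")
    findings = []
    if "urlcache" in switches and "split" in switches:
        findings.append("certutil download with urlcache and split arguments")
    if "verifyctl" in switches and "split" in switches:
        findings.append("certutil download with verifyctl and split arguments")
    if switches & {"decode", "decodehex"}:
        findings.append("certutil with decode argument")
    if "exportpfx" in switches:
        findings.append("certutil exe certificate extraction")
    return findings


def triage(event):
    """Detection names plus the context the triage notes ask for: remote URL and parent process."""
    match = URL_RE.search(event.get("process") or "")
    return {
        "dest": event.get("dest"),
        "detections": classify_certutil(event),
        "remote_url": match.group(0) if match else None,
        "parent_process": event.get("parent_process"),
    }


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(triage(event))
```

Because the classifier works on parsed switches, a command line that spells `-UrlCache` or `/urlcache` is treated identically, and `-decodehex` lands in the same bucket as `-decode`, matching the substring behavior of the page's `*decode*` search.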


Child processes of spoolsv exe

This search looks for child processes of spoolsv.exe. This activity is associated with a proof-of-concept privilege-escalation exploit for CVE-2018-8440. Spoolsv.exe is the process associated with the Print Spooler service in Windows and typically runs as SYSTEM.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1068
  • Last Updated: 2020-03-16

Search

| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=spoolsv.exe AND Processes.process_name!=regsvr32.exe by Processes.dest Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `child_processes_of_spoolsv_exe_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model. Update the `child_processes_of_spoolsv_exe_filter` macro to filter out legitimate child processes spawned by spoolsv.exe.

Required field

  • _time
  • Processes.process_name
  • Processes.process
  • Processes.parent_process_name
  • Processes.dest
  • Processes.parent_process
  • Processes.user


ATT&CK

ID Technique Tactic
T1068 Exploitation for Privilege Escalation Privilege Escalation


Kill Chain Phase

  • Exploitation


Known False Positives

Some legitimate printer-related processes may show up as children of spoolsv.exe. Confirm that any such activity is legitimate; it can then be added as an exclusion in the filter macro.

Reference

Test Dataset

version: 3


Clear unallocated sector using cipher app

This search detects execution of cipher.exe to wipe the unallocated sectors of a specific volume. This technique has been seen in some ransomware to make forensic recovery of deleted files impossible.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1070.004
  • Last Updated: 2021-06-10

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "cipher.exe" Processes.process = "*/w:*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clear_unallocated_sector_using_cipher_app_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

  • _time
  • Processes.parent_process_name
  • Processes.parent_process
  • Processes.process_name
  • Processes.process
  • Processes.dest
  • Processes.user
  • Processes.process_id
  • Processes.process_guid


ATT&CK

ID Technique Tactic
T1070.004 File Deletion Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

Administrators may run this tool to manage disks.

Reference


Test Dataset


version: 1


Clop common exec parameter

The following analytic identifies a CLOP ransomware variant that uses command-line arguments to execute its main code or features of its code. In this variant, if the parameter is "runrun", CLOP will try to encrypt files on network shares; if it is "temp.dat", it will try to read from a stream, pipe or file and start encrypting files on the infected local machine. This can also be seen as an anti-sandbox technique: the code stays unresponsive until it is given the parameter it expects.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1204
  • Last Updated: 2021-03-17

Search

| tstats `security_content_summariesonly` values(Processes.process) as cmdline values(Processes.parent_process_name) as parent_process values(Processes.process_name) count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name != "*temp.dat*" (Processes.process = "*runrun*" OR Processes.process = "*temp.dat*") by Processes.parent_process_name Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_common_exec_parameter_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

  • Processes.process
  • Processes.parent_process_name
  • _time
  • Processes.process_name
  • Processes.dest
  • Processes.user
  • Processes.process_id


ATT&CK

ID Technique Tactic
T1204 User Execution Execution


Kill Chain Phase

  • Obfuscation


Known False Positives

Operators can execute third party tools using these parameters.

Reference


Test Dataset


version: 1


Clop ransomware known service name

This detection identifies the common service names created by CLOP ransomware as part of its persistence and high-privilege code execution on the infected machine. CLOP ransomware usually calls the StartServiceCtrlDispatcherW API when creating this service entry.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1543
  • Last Updated: 2021-03-17

Search

`wineventlog_system` EventCode=7045 Service_Name IN ("SecurityCenterIBM", "WinCheckDRVs") | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `clop_ransomware_known_service_name_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting System event logs with the Service Name, Service File Name, Service Start Type, and Service Type from your endpoints.

Required field

  • _time
  • EventCode
  • Service_Name
  • Service_File_Name
  • Service_Start_Type
  • Service_Type


ATT&CK

ID Technique Tactic
T1543 Create or Modify System Process Persistence, Privilege Escalation


Kill Chain Phase

  • Privilege Escalation


Known False Positives

Unknown.

Reference


Test Dataset


version: 1


Cobalt strike named pipes

The following analytic identifies the use of default or publicly known named pipes used with Cobalt Strike. A named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. Cobalt Strike uses named pipes in many ways and has default values used with the Artifact Kit and Malleable C2 profiles. The following query assists with identifying these default named pipes. Each EDR product presents named pipes a little differently; consider taking the values and generating a query based on the product of choice. Upon triage, review the process performing the named-pipe operation. If it is explorer.exe, it may have been injected into by another process. Review recent parallel processes to identify suspicious patterns or behaviors. A parallel process may have a network connection; review it and follow the connection back to identify any file modifications.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1055
  • Last Updated: 2021-02-22

Search

`sysmon` EventID=17 OR EventID=18 PipeName IN (\\msagent_*, \\wkssvc*, \\DserNamePipe*, \\srvsvc_*, \\mojo.*, \\postex_*, \\status_*, \\MSSE-*, \\spoolss_*, \\win_svc*, \\ntsvcs*, \\winsock*, \\UIA_PIPE*) | stats count min(_time) as firstTime max(_time) as lastTime by Computer, process_name, process_id process_path, PipeName | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cobalt_strike_named_pipes_filter`
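As an added example (not code from Splunk or from the Cobalt Strike project), the pipe-name matching above re-implemented in Python over constructed Sysmon Event ID 17 (pipe created) and 18 (pipe connected) records. The patterns are the page's, written with a single leading backslash because `\\` in the Splunk search is an escaped backslash and Sysmon's `PipeName` value begins with one. The example also carries the two triage points from the description: it flags pipes owned by explorer.exe as candidates for injection review, and it takes an exclusion list of process names so a known-benign pipe user can be filtered the way the false-positive note suggests. Hosts, PIDs and pipe names are made up.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Pipe-name patterns from the search above, with one leading backslash as Sysmon records them.
DEFAULT_PIPE_PATTERNS = [
    r"\msagent_*", r"\wkssvc*", r"\DserNamePipe*", r"\srvsvc_*", r"\mojo.*",
    r"\postex_*", r"\status_*", r"\MSSE-*", r"\spoolss_*", r"\win_svc*",
    r"\ntsvcs*", r"\winsock*", r"\UIA_PIPE*",
]

# Constructed Sysmon pipe events (17 = PipeCreated, 18 = PipeConnected); not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 17, "Computer": "ws01", "process_name": "explorer.exe", "process_id": 4120,
     "process_path": r"C:\Windows\explorer.exe", "PipeName": r"\msagent_4a"},
    {"EventID": 18, "Computer": "ws01", "process_name": "explorer.exe", "process_id": 4120,
     "process_path": r"C:\Windows\explorer.exe", "PipeName": r"\msagent_4a"},
    {"EventID": 17, "Computer": "ws02", "process_name": "chrome.exe", "process_id": 9912,
     "process_path": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "PipeName": r"\mojo.9912.1234.5678"},                       # benign pipe user, matches \mojo.*
    {"EventID": 17, "Computer": "ws03", "process_name": "lsass.exe", "process_id": 712,
     "process_path": r"C:\Windows\System32\lsass.exe", "PipeName": r"\lsass"},
    {"EventID": 3, "Computer": "ws03", "process_name": "beacon.exe", "process_id": 5550,
     "process_path": r"C:\Users\Public\beacon.exe", "PipeName": r"\postex_ab12"},  # not a pipe event
]


def pipe_matches(pipe_name, patterns=DEFAULT_PIPE_PATTERNS):
    """Case-insensitive glob match, as Splunk wildcards are."""
    lowered = pipe_name.lower()
    return any(fnmatchcase(lowered, pattern.lower()) for pattern in patterns)


def detect_named_pipes(events, patterns=DEFAULT_PIPE_PATTERNS, exclude_process_names=()):
    """Group matching 17/18 events as the search's stats clause does, with a triage flag per row."""
    excluded = {name.lower() for name in exclude_process_names}
    counts = defaultdict(int)
    for ev in events:
        if ev["EventID"] not in (17, 18):
            continue
        if ev["process_name"].lower() in excluded or not pipe_matches(ev["PipeName"], patterns):
            continue
        key = (ev["Computer"], ev["process_name"], ev["process_id"], ev["process_path"], ev["PipeName"])
        counts[key] += 1
    return [
        {"dest": dest, "process_name": name, "process_id": pid, "process_path": path,
         "PipeName": pipe, "count": n,
         # Triage hint from the description: a beacon pipe owned by explorer.exe suggests injection.
         "review_for_injection": name.lower() == "explorer.exe"}
        for (dest, name, pid, path, pipe), n in counts.items()
    ]


if __name__ == "__main__":
    for row in detect_named_pipes(SAMPLE_EVENTS, exclude_process_names=["chrome.exe"]):
        print(row)
```

The exclusion list is the programmatic equivalent of the `cobalt_strike_named_pipes_filter` macro: drop the process names that legitimately create matching pipes in your environment rather than removing the pattern, so a beacon that picks the same name from a different process still fires.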

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting Sysmon named-pipe events (Event ID 17, pipe created, and Event ID 18, pipe connected) with the process name, process path and process ID from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

  • _time
  • EventID
  • PipeName
  • Computer
  • process_name
  • process_path
  • process_id


ATT&CK

ID Technique Tactic
T1055 Process Injection Defense Evasion, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Known False Positives

The idea of using named pipes with Cobalt Strike is to blend in. Therefore, some of the named pipes identified and added may cause false positives. Filter by process name or pipe name to reduce false positives.

Reference


Test Dataset


version: 1


Common ransomware extensions

The search looks for file modifications with extensions commonly used by Ransomware

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1485
  • Last Updated: 2020-11-09

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | rex field=file_name "(?<file_extension>\.[^\.]+)$" | `ransomware_extensions` | `common_ransomware_extensions_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data. This search produces a field (`file_extension`) that is not yet supported by ES Incident Review and therefore cannot be viewed when a notable event is raised. This field contributes additional context to the notable. To see the additional metadata, add the following fields, if not already present, to Incident Review - Event Attributes (Configure > Incident Management > Incident Review Settings > Add New Entry):
  1. Label: Name, Field: Name
  2. Label: File Extension, Field: file_extension
Detailed documentation on how to create a new field within Incident Review may be found here: `https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Customizenotables#Add_a_field_to_the_notable_event_details`

Required field

  • _time
  • Filesystem.user
  • Filesystem.dest
  • Filesystem.file_path
  • Filesystem.file_name


ATT&CK

ID Technique Tactic
T1485 Data Destruction Impact


Kill Chain Phase

  • Actions on Objectives


Known False Positives

It is possible for a legitimate file with these extensions to be created. If this is a true ransomware attack, there will be a large number of files created with these extensions.
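An added example, not code from the Splunk security content project: the same extension extraction run in Python over constructed `Filesystem` events, with a stand-in for the `ransomware_extensions` lookup (the real lookup ships with the content pack; the short list here is made up for the example). Because the false-positive note says a genuine attack produces many such files, the example goes a step beyond the search and counts matches per host, so a single stray file can be held below an alert threshold while a burst on one host still surfaces.

```python
import re
from collections import defaultdict

# Same capture as the search's rex: the final ".ext" of the file name.
EXT_RE = re.compile(r"(\.[^.]+)$")

# Constructed stand-in for the `ransomware_extensions` lookup; not the shipped list.
RANSOMWARE_EXTENSIONS = {".locky", ".zepto", ".cerber", ".wncry", ".crypt"}

# Constructed Endpoint.Filesystem events; not real telemetry.
SAMPLE_EVENTS = (
    [{"dest": "fs01", "user": "CORP\\alice",
      "file_path": f"C:\\Shares\\finance\\q{i}.xlsx.locky", "file_name": f"q{i}.xlsx.locky"}
     for i in range(1, 7)]                                           # six files renamed on one host
    + [{"dest": "ws02", "user": "CORP\\bob",
        "file_path": "C:\\Users\\bob\\notes.zepto", "file_name": "notes.zepto"},   # one stray file
       {"dest": "ws03", "user": "CORP\\carol",
        "file_path": "C:\\Users\\carol\\report.docx", "file_name": "report.docx"},
       {"dest": "ws03", "user": "CORP\\carol",
        "file_path": "C:\\Users\\carol\\README", "file_name": "README"}]          # no extension
)


def file_extension(file_name):
    """Extension including the dot, lower-cased, or None when the name has none."""
    match = EXT_RE.search(file_name)
    return match.group(1).lower() if match else None


def detect_ransomware_extensions(events, extensions=RANSOMWARE_EXTENSIONS, min_files_per_host=1):
    """Per-host summary of files written with a listed extension; hosts below the threshold are dropped."""
    per_host = defaultdict(lambda: {"count": 0, "users": set(), "extensions": set(), "sample_paths": []})
    for ev in events:
        ext = file_extension(ev["file_name"])
        if ext is None or ext not in extensions:
            continue
        host = per_host[ev["dest"]]
        host["count"] += 1
        host["users"].add(ev["user"])
        host["extensions"].add(ext)
        if len(host["sample_paths"]) < 3:
            host["sample_paths"].append(ev["file_path"])
    return {dest: summary for dest, summary in per_host.items()
            if summary["count"] >= min_files_per_host}


if __name__ == "__main__":
    for dest, summary in detect_ransomware_extensions(SAMPLE_EVENTS, min_files_per_host=5).items():
        print(dest, summary["count"], sorted(summary["extensions"]), sorted(summary["users"]))
```

With `min_files_per_host=1` the example reproduces the search's per-file behavior; raising the threshold is the tuning step the false-positive note points at, and the threshold should be set against a per-host baseline of normal file-write volume rather than picked once globally.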

Reference

Test Dataset


version: 4


Common ransomware notes

The search looks for files created with names matching those typically used in ransomware notes that tell the victim how to get their data back.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1485
  • Last Updated: 2020-11-09

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.user) as user values(Filesystem.dest) as dest values(Filesystem.file_path) as file_path from datamodel=Endpoint.Filesystem by Filesystem.file_name | `drop_dm_object_name(Filesystem)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `ransomware_notes` | `common_ransomware_notes_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records file-system activity from your hosts to populate the Endpoint Filesystem data-model node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report file-system reads and writes.

Required field

  • _time
  • Filesystem.user
  • Filesystem.dest
  • Filesystem.file_path
  • Filesystem.file_name


ATT&CK

ID Technique Tactic
T1485 Data Destruction Impact


Kill Chain Phase

  • Actions on Objectives


Known False Positives

It's possible that a legitimate file could be created with the same name used by ransomware note files.

Reference

Test Dataset


version: 4


Conti common exec parameter

This search detects the suspicious command-line arguments Conti ransomware uses to encrypt specific or all local drives and network shares of the compromised host.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1204
  • Last Updated: 2021-06-02

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*-m local*" OR Processes.process = "*-m net*" OR Processes.process = "*-m all*" OR Processes.process = "*-nomutex*" by Processes.process_name Processes.process Processes.parent_process_name Processes.parent_process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `conti_common_exec_parameter_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

  • _time
  • Processes.process_name
  • Processes.process
  • Processes.parent_process_name
  • Processes.parent_process
  • Processes.dest
  • Processes.user
  • Processes.process_id
  • Processes.process_guid


ATT&CK

ID Technique Tactic
T1204 User Execution Execution


Kill Chain Phase

  • Exploitation


Known False Positives

Third-party tools may have command-line parameters that trigger this detection.

Reference


Test Dataset


version: 1


Create remote thread into lsass

Detect remote thread creation into LSASS consistent with credential dumping.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1003.001
  • Last Updated: 2019-12-06

Search

`sysmon` EventID=8 TargetImage=*lsass.exe | stats count min(_time) as firstTime max(_time) as lastTime by Computer, EventCode, TargetImage, TargetProcessId | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_remote_thread_into_lsass_filter`

Associated Analytic Story


How To Implement

This search needs Sysmon logs with a Sysmon configuration that includes EventCode 8 (CreateRemoteThread) for lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.

Required field

  • _time
  • EventID
  • TargetImage
  • Computer
  • EventCode
  • TargetProcessId


ATT&CK

ID Technique Tactic
T1003.001 LSASS Memory Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Other tools can access LSASS for legitimate reasons and generate an event. In these cases, tweaking the search may help eliminate noise.

Reference


Test Dataset


version: 1


Create service in suspicious file path

This detection identifies the creation of a "user mode service" whose service file path is located outside the common service folders in Windows.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1569.001, T1569.002
  • Last Updated: 2021-03-12

Search

`wineventlog_system` EventCode=7045 Service_File_Name = "*\.exe" NOT (Service_File_Name IN ("C:\\Windows\\*", "C:\\Program File*", "C:\\Programdata\\*", "%systemroot%\\*")) Service_Type = "user mode service" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Service_File_Name Service_Name Service_Start_Type Service_Type | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `create_service_in_suspicious_file_path_filter`
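The search's path filter, re-implemented in Python as an added example (not Splunk's code) over constructed Event ID 7045 records. Two details a practitioner will hit in real data are handled here and are not handled by the search as written: `Service_File_Name` is an ImagePath value, so it may be quoted and may carry arguments after the executable (the search's `*\.exe` pattern only matches when the whole value ends in .exe), and `%SystemRoot%` has to be expanded before it can be compared against `C:\Windows`. The allow-listed directories are the page's; service names and paths are made up.

```python
import re

# Directories the search treats as expected service locations (lower-cased for comparison).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files", "c:\\programdata\\")

# Constructed System-log 7045 records; none are real services.
SAMPLE_EVENTS = [
    {"EventCode": 7045, "Service_Name": "SecurityUpd", "Service_Type": "user mode service",
     "Service_Start_Type": "auto start", "Service_File_Name": r"C:\Users\Public\svchost.exe"},
    {"EventCode": 7045, "Service_Name": "UpdaterSvc", "Service_Type": "user mode service",
     "Service_Start_Type": "auto start",
     "Service_File_Name": r'"C:\Users\alice\AppData\Local\Temp\updater.exe" --service'},  # quoted + args
    {"EventCode": 7045, "Service_Name": "NetSvcHost", "Service_Type": "user mode service",
     "Service_Start_Type": "demand start",
     "Service_File_Name": r"%SystemRoot%\System32\svchost.exe -k netsvcs"},                 # env var + args
    {"EventCode": 7045, "Service_Name": "VendorAgent", "Service_Type": "user mode service",
     "Service_Start_Type": "auto start",
     "Service_File_Name": r'"C:\Program Files (x86)\Vendor\agent.exe"'},
    {"EventCode": 7045, "Service_Name": "vendordrv", "Service_Type": "kernel mode driver",
     "Service_Start_Type": "system start", "Service_File_Name": r"C:\Users\Public\vendordrv.sys"},
]


def service_binary_path(service_file_name):
    """Executable path from an ImagePath-style value: strips quotes and trailing arguments,
    and expands %SystemRoot%."""
    value = service_file_name.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        exe = value[1:end] if end != -1 else value[1:]
    else:
        # Unquoted: the path ends at the first ".exe"; otherwise take the first token.
        match = re.match(r"(.*?\.exe)", value, re.IGNORECASE)
        exe = match.group(1) if match else (value.split() or [""])[0]
    return re.sub(r"%systemroot%", lambda _m: r"C:\Windows", exe, flags=re.IGNORECASE)


def is_suspicious_service(event):
    """Mirror the search: a user-mode service whose .exe lives outside the trusted directories."""
    if event.get("EventCode") != 7045:
        return False
    if (event.get("Service_Type") or "").lower() != "user mode service":
        return False
    exe = service_binary_path(event.get("Service_File_Name") or "").lower()
    return exe.endswith(".exe") and not exe.startswith(TRUSTED_PREFIXES)


def suspicious_services(events):
    """(Service_Name, resolved executable path) for every record the filter keeps."""
    return [(ev["Service_Name"], service_binary_path(ev["Service_File_Name"]))
            for ev in events if is_suspicious_service(ev)]


if __name__ == "__main__":
    for name, exe in suspicious_services(SAMPLE_EVENTS):
        print(name, "->", exe)
```

The second record is the case that matters: the search as written never sees `"...\updater.exe" --service` because the value does not end in `.exe`, while a service registered from a user's Temp directory is exactly what the detection is for. Resolving the binary path first, then applying the directory allow-list, keeps the page's logic but closes that gap.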

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting System event logs with the Service Name, Service File Name, Service Start Type, and Service Type from your endpoints.

Required field

  • EventCode
  • Service_File_Name
  • Service_Type
  • _time
  • Service_Name
  • Service_Start_Type


ATT&CK

ID Technique Tactic
T1569.001 Launchctl Execution
T1569.002 Service Execution Execution


Kill Chain Phase

  • Privilege Escalation


Known False Positives

Unknown.

Reference


Test Dataset


version: 1


Create local admin accounts using net exe

This search looks for the creation of local administrator accounts using net.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1136.001
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) AND (Processes.process=*localgroup* OR Processes.process=*/add* OR Processes.process=*user*) by Processes.process Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |`create_local_admin_accounts_using_net_exe_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

  • _time
  • Processes.user
  • Processes.parent_process
  • Processes.process_name
  • Processes.process
  • Processes.dest


ATT&CK

ID Technique Tactic
T1136.001 Local Account Persistence


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Administrators often leverage net.exe to create admin accounts.

Reference

Test Dataset


version: 4


Create or delete windows shares using net exe

This search looks for the creation or deletion of hidden shares using net.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1070.005
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=net.exe OR Processes.process_name=net1.exe) by Processes.process Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

  • _time
  • Processes.user
  • Processes.parent_process
  • Processes.process_name
  • Processes.process
  • Processes.dest


ATT&CK

ID Technique Tactic
T1070.005 Network Share Connection Removal Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Administrators often leverage net.exe to create or delete network shares. You should verify that the activity was intentional and is legitimate.

Reference


Test Dataset


version: 5


Creation of shadow copy

Monitor for signs that Vssadmin or Wmic has been used to create a shadow copy.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1003.003
  • Last Updated: 2019-12-10

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe Processes.process=*create* Processes.process=*shadow*) OR (Processes.process_name=wmic.exe Processes.process=*shadowcopy* Processes.process=*create*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `creation_of_shadow_copy_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

  • _time
  • Processes.process_name
  • Processes.process
  • Processes.dest
  • Processes.user
  • Processes.parent_process
  • Processes.process_id
  • Processes.parent_process_id


ATT&CK

ID Technique Tactic
T1003.003 NTDS Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Legitimate administrator usage of Vssadmin or Wmic will create false positives.

Reference


Test Dataset


version: 1


Creation of shadow copy with wmic and powershell

This search detects the use of wmic and Powershell to create a shadow copy.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1003.003
  • Last Updated: 2019-12-10

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=wmic* OR Processes.process_name=powershell*) Processes.process=*shadowcopy* Processes.process=*create* by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `creation_of_shadow_copy_with_wmic_and_powershell_filter`

Associated Analytic Story


How To Implement

To successfully implement this search you need to be ingesting process information, including the process name and its command line, from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

  • _time
  • Processes.process_name
  • Processes.process
  • Processes.user
  • Processes.dest


ATT&CK

ID Technique Tactic
T1003.003 NTDS Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Legitimate administrator usage of wmic or PowerShell to create a shadow copy.

Reference


Test Dataset


version: 1


Creation of lsass dump with taskmgr

Detect the hands-on-keyboard behavior of Windows Task Manager creating a process dump of lsass.exe. When this happens, a file write/modification occurs in the user's profile under \AppData\Local\Temp. The dump file, lsass.dmp, cannot be renamed from Task Manager; if a dump is taken more than once, the next file is named lsass (2).dmp.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1003.001
  • Last Updated: 2020-02-03

Search

`sysmon` EventID=11 process_name=taskmgr.exe TargetFilename=*lsass*.dmp | stats count min(_time) as firstTime max(_time) as lastTime by Computer, object_category, process_name, TargetFilename | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `creation_of_lsass_dump_with_taskmgr_filter`

Associated Analytic Story


How To Implement

This search requires Sysmon logs and a Sysmon configuration that includes Event ID 11 (FileCreate), so that the creation of lsass.dmp is recorded. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.

Required field

  • _time
  • EventID
  • process_name
  • TargetFilename
  • Computer
  • object_category


ATT&CK

ID Technique Tactic
T1003.001 LSASS Memory Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Administrators can create memory dumps for debugging purposes, but memory dumps of the LSASS process would be unusual.

Reference


Test Dataset


version: 1


Credential dumping via copy command from shadow copy

This search detects credential dumping with the copy command from a shadow copy. It looks for cmd.exe command lines that reference the SAM, SECURITY or SYSTEM registry hives under \system32\config, or ntds.dit under \windows\ntds, which are the files typically copied out of a shadow copy because they are locked on the live system.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1003.003
  • Last Updated: 2019-12-10

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe (Processes.process=*\\system32\\config\\sam* OR Processes.process=*\\system32\\config\\security* OR Processes.process=*\\system32\\config\\system* OR Processes.process=*\\windows\\ntds\\ntds.dit*) by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `credential_dumping_via_copy_command_from_shadow_copy_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

  • _time
  • Processes.process_name
  • Processes.process
  • Processes.dest
  • Processes.user
  • Processes.parent_process
  • Processes.process_id
  • Processes.parent_process_id


ATT&CK

ID Technique Tactic
T1003.003 NTDS Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

unknown

Reference


Test Dataset


version: 1


Credential dumping via symlink to shadow copy

This search detects the creation of a symlink to a shadow copy.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1003.003
  • Last Updated: 2019-12-10

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe Processes.process=*mklink* Processes.process=*HarddiskVolumeShadowCopy* by Processes.dest Processes.user Processes.process_name Processes.process Processes.parent_process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `credential_dumping_via_symlink_to_shadow_copy_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

  • _time
  • Processes.process_name
  • Processes.process
  • Processes.dest
  • Processes.user
  • Processes.parent_process
  • Processes.process_id
  • Processes.parent_process_id


ATT&CK

ID Technique Tactic
T1003.003 NTDS Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

unknown

Reference


Test Dataset


version: 1
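The three searches above (creation of a shadow copy, a symlink to it, and a copy of the SAM/SECURITY/SYSTEM hives or ntds.dit out of it) are usually stages of one credential-dumping sequence on a single host, but each search fires on its own. The Python below is an added example and not part of Splunk's content: it re-implements the three predicates over constructed Endpoint.Processes-style events and then chains the hits per host within a time window, which the individual searches do not do. The field names, the one-hour window and the sample command lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed events shaped like Endpoint.Processes rows (field names assumed; not real telemetry).
SAMPLE_EVENTS = [
    {"_time": 1_700_000_000, "dest": "dc01", "user": "CORP\\svc-adm", "process_name": "vssadmin.exe",
     "process": "vssadmin.exe create shadow /for=C:"},
    {"_time": 1_700_000_030, "dest": "dc01", "user": "CORP\\svc-adm", "process_name": "cmd.exe",
     "process": "cmd.exe /c mklink /d C:\\shadow \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\"},
    {"_time": 1_700_000_060, "dest": "dc01", "user": "CORP\\svc-adm", "process_name": "cmd.exe",
     "process": "cmd.exe /c copy C:\\shadow\\Windows\\NTDS\\ntds.dit C:\\Temp\\ntds.dit"},
    {"_time": 1_700_000_065, "dest": "dc01", "user": "CORP\\svc-adm", "process_name": "cmd.exe",
     "process": "cmd.exe /c copy C:\\shadow\\Windows\\System32\\config\\SYSTEM C:\\Temp\\SYSTEM"},
    # A scheduled backup on a file server: shadow copy creation alone, with no follow-on stage.
    {"_time": 1_700_000_100, "dest": "fs02", "user": "CORP\\backup", "process_name": "wmic.exe",
     "process": "wmic shadowcopy call create Volume=C:\\"},
    # Unrelated cmd.exe activity that must not match anything.
    {"_time": 1_700_000_120, "dest": "ws03", "user": "CORP\\alice", "process_name": "cmd.exe",
     "process": "cmd.exe /c dir C:\\Users"},
]

# Same hive/ntds path fragments as the copy-command search (*\system32\config\sam* and friends).
HIVE_RE = re.compile(r"\\system32\\config\\(sam|security|system)|\\windows\\ntds\\ntds\.dit", re.I)


def _contains_all(process, *terms):
    """Case-insensitive equivalent of several Processes.process=*term* clauses ANDed together."""
    lowered = process.lower()
    return all(t in lowered for t in terms)


def is_shadow_copy_creation(e):
    name = e["process_name"].lower()
    return (name == "vssadmin.exe" and _contains_all(e["process"], "create", "shadow")) or \
           (name == "wmic.exe" and _contains_all(e["process"], "shadowcopy", "create"))


def is_symlink_to_shadow_copy(e):
    return e["process_name"].lower() == "cmd.exe" and \
        _contains_all(e["process"], "mklink", "harddiskvolumeshadowcopy")


def is_hive_copy(e):
    return e["process_name"].lower() == "cmd.exe" and HIVE_RE.search(e["process"]) is not None


RULES = {
    "creation_of_shadow_copy": is_shadow_copy_creation,
    "credential_dumping_via_symlink_to_shadow_copy": is_symlink_to_shadow_copy,
    "credential_dumping_via_copy_command_from_shadow_copy": is_hive_copy,
}


def evaluate(events):
    """Apply each rule to each event; one (rule, event) pair per hit, like the separate searches."""
    return [(name, e) for e in events for name, pred in RULES.items() if pred(e)]


def correlate_chain(events, window_seconds=3600):
    """Per host, report follow-on stages seen within window_seconds after a shadow copy creation.

    Returns {dest: sorted follow-on rule names}. Hosts with only a creation event are omitted,
    which is how the benign backup on fs02 drops out.
    """
    per_host = defaultdict(list)
    for name, e in evaluate(events):
        per_host[e["dest"]].append((e["_time"], name))
    chains = {}
    for dest, hits in per_host.items():
        creations = [t for t, name in hits if name == "creation_of_shadow_copy"]
        stages = {name for t, name in hits
                  if name != "creation_of_shadow_copy"
                  and any(0 <= t - c <= window_seconds for c in creations)}
        if stages:
            chains[dest] = sorted(stages)
    return chains


if __name__ == "__main__":
    for name, e in evaluate(SAMPLE_EVENTS):
        print(f"{name:55s} {e['dest']:5s} {e['process']}")
    print(correlate_chain(SAMPLE_EVENTS))
```

The per-rule hits reproduce what the three searches would return; the chain view is what an analyst would otherwise assemble by hand from three notables on the same host. Note that the hive regex, like the search's wildcards, also matches paths such as \config\systemprofile, so the copy rule on its own remains noisy and is most useful once a creation event anchors it.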


Credential extraction indicative of fgdump and cachedump with s option

Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. FGdump is a newer version of the pwdump tool that extracts NTLM and LanMan password hashes from Windows. Cachedump is a publicly available tool that extracts cached domain password hashes from a system's registry.

  • Product: Splunk Behavioral Analytics
  • Datamodel:
  • ATT&CK: T1003
  • Last Updated: 2020-10-18

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null), process_name=ucast(map_get(input_event, "process_name"), "string", null), process_path=ucast(map_get(input_event, "process_path"), "string", null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", null) | where cmd_line != null AND process_name != null AND parent_process_name != null AND match_regex(parent_process_name, /(?i)System32\\services.exe/)=true AND match_regex(process_name, /(?i)cachedump\d{0,2}.exe/)=true AND match_regex(process_path, /(?i)\\Temp/)=true AND match_regex(cmd_line, /(?i)\-s/)=true | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["cmd_line", cmd_line, "process_name", process_name, "parent_process_name", parent_process_name]) | into write_ssa_detected_events();

Associated Analytic Story


How To Implement

You must be ingesting Windows Security logs from the devices of interest, including Event ID 4688 with command-line logging enabled.

Required field

  • dest_device_id
  • process_name
  • parent_process_name
  • _time
  • process_path
  • dest_user_id
  • process


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference

Test Dataset


version: 1


Credential extraction indicative of fgdump and cachedump with v option

Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. FGdump is a newer version of the pwdump tool that extracts NTLM and LanMan password hashes from Windows. Cachedump is a publicly available tool that extracts cached domain password hashes from a system's registry.

  • Product: Splunk Behavioral Analytics
  • Datamodel:
  • ATT&CK: T1003
  • Last Updated: 2020-10-18

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null), process_name=ucast(map_get(input_event, "process_name"), "string", null), process_path=ucast(map_get(input_event, "process_path"), "string", null) | where cmd_line != null AND process_name != null AND process_path != null AND match_regex(process_name, /(?i)cachedump\d{0,2}.exe/)=true AND match_regex(process_path, /(?i)\\Temp/)=true AND match_regex(cmd_line, /(?i)\-v/)=true | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["cmd_line", cmd_line, "process_name", process_name]) | into write_ssa_detected_events();

Associated Analytic Story


How To Implement

You must be ingesting Windows Security logs from the devices of interest, including Event ID 4688 with command-line logging enabled.

Required field

  • dest_device_id
  • process_name
  • _time
  • process_path
  • dest_user_id
  • process


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference

Test Dataset


version: 1


Credential extraction indicative of lazagne command line options

Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. LaZagne is a tool that extracts various kinds of credentials from a local computer, including account passwords, domain passwords, browser passwords, etc.

  • Product: Splunk Behavioral Analytics
  • Datamodel:
  • ATT&CK: T1003, T1555
  • Last Updated: 2020-10-18

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND match_regex(cmd_line, /(?i)all\s+\-oA\s+\-output/)=true | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["cmd_line", cmd_line]) | into write_ssa_detected_events();

Associated Analytic Story


How To Implement

You must be ingesting Windows Security logs from the devices of interest, including Event ID 4688 with command-line logging enabled.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access
T1555 Credentials from Password Stores Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference

Test Dataset


version: 1


Credential extraction indicative of use of dsinternals credential conversion modules

Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. DSInternals is a collection of PowerShell modules commonly employed in exploits.

  • Product: Splunk Behavioral Analytics
  • Datamodel:
  • ATT&CK: T1003
  • Last Updated: 2020-10-21

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), process_name=ucast(map_get(input_event, "process_name"), "string", null), process_path=ucast(map_get(input_event, "process_path"), "string", null), cmd_line=ucast(map_get(input_event, "process"), "string", null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)ConvertFrom-ADManagedPasswordBlob/)=true OR match_regex(cmd_line, /(?i)ConvertFrom-GPPrefPassword/)=true OR match_regex(cmd_line, /(?i)ConvertFrom-UnicodePassword/)=true OR match_regex(cmd_line, /(?i)ConvertTo-GPPrefPassword/)=true OR match_regex(cmd_line, /(?i)ConvertTo-KerberosKey/)=true OR match_regex(cmd_line, /(?i)ConvertTo-LMHash/)=true OR match_regex(cmd_line, /(?i)ConvertTo-NTHash/)=true OR match_regex(cmd_line, /(?i)ConvertTo-OrgIdHash/)=true OR match_regex(cmd_line, /(?i)ConvertTo-UnicodePassword/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["cmd_line", cmd_line, "process_name", process_name]) | into write_ssa_detected_events();

Associated Analytic Story


How To Implement

You must be ingesting Windows Security logs from the devices of interest, including Event ID 4688 with command-line logging enabled.

Required field

  • dest_device_id
  • process_name
  • parent_process_name
  • _time
  • process_path
  • dest_user_id
  • process


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset


version: 1


Credential extraction indicative of use of dsinternals modules

Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. DSInternals is a collection of PowerShell modules commonly employed in exploits.

  • Product: Splunk Behavioral Analytics
  • Datamodel:
  • ATT&CK: T1003
  • Last Updated: 2020-10-21

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), process_name=ucast(map_get(input_event, "process_name"), "string", null), process_path=ucast(map_get(input_event, "process_path"), "string", null), cmd_line=ucast(map_get(input_event, "process"), "string", null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Get-ADDBBackupKey/)=true OR match_regex(cmd_line, /(?i)Get-ADDBDomainController/)=true OR match_regex(cmd_line, /(?i)Get-ADDBKdsRootKey/)=true OR match_regex(cmd_line, /(?i)Get-ADDBSchemaAttribute/)=true OR match_regex(cmd_line, /(?i)Get-ADKeyCredential/)=true OR match_regex(cmd_line, /(?i)Get-ADReplAccount/)=true OR match_regex(cmd_line, /(?i)Get-ADReplBackupKey/)=true OR match_regex(cmd_line, /(?i)Get-ADSIAccount/)=true OR match_regex(cmd_line, /(?i)Get-AzureADUserEx/)=true OR match_regex(cmd_line, /(?i)Get-BootKey/)=true OR match_regex(cmd_line, /(?i)Get-LsaBackupKey/)=true OR match_regex(cmd_line, /(?i)Get-LsaPolicyInformation/)=true OR match_regex(cmd_line, /(?i)Get-SamPasswordPolicy/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["cmd_line", cmd_line, "process_name", process_name]) | into write_ssa_detected_events();

Associated Analytic Story


How To Implement

You must be ingesting Windows Security logs from the devices of interest, including Event ID 4688 with command-line logging enabled.

Required field

  • dest_device_id
  • process_name
  • parent_process_name
  • _time
  • process_path
  • dest_user_id
  • process


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset


version: 1


Credential extraction indicative of use of mimikatz modules

Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. Mimikatz is a collection of tools and modules commonly employed in Windows exploits.

  • Product: Splunk Behavioral Analytics
  • Datamodel:
  • ATT&CK: T1003
  • Last Updated: 2020-10-21

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)CRYPTO::Certificates/)=true OR match_regex(cmd_line, /(?i)CRYPTO::keys/)=true OR match_regex(cmd_line, /(?i)kerberos::list/)=true OR match_regex(cmd_line, /(?i)kerberos::tgt/)=true OR match_regex(cmd_line, /(?i)lsadump::sam/)=true OR match_regex(cmd_line, /(?i)lsadump::secrets/)=true OR match_regex(cmd_line, /(?i)lsadump::cache/)=true OR match_regex(cmd_line, /(?i)lsadump::lsa/)=true OR match_regex(cmd_line, /(?i)lsadump::trust/)=true OR match_regex(cmd_line, /(?i)lsadump::backupkeys/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["cmd_line", cmd_line]) | into write_ssa_detected_events();

Associated Analytic Story


How To Implement

You must be ingesting Windows Security logs from the devices of interest, including Event ID 4688 with command-line logging enabled.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset


version: 1


Credential extraction indicative of use of powersploit modules

Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. PowerSploit is a collection of Microsoft PowerShell modules commonly employed in exploits.

  • Product: Splunk Behavioral Analytics
  • Datamodel:
  • ATT&CK: T1003
  • Last Updated: 2020-10-21

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND ( match_regex(cmd_line, /(?i)Get-ApplicationHost/)=true OR match_regex(cmd_line, /(?i)Get-CachedGPPPassword/)=true OR match_regex(cmd_line, /(?i)Get-GPPAutologon/)=true OR match_regex(cmd_line, /(?i)Get-GPPPassword/)=true OR match_regex(cmd_line, /(?i)Get-RegistryAutoLogon/)=true OR match_regex(cmd_line, /(?i)Get-SiteListPassword/)=true OR match_regex(cmd_line, /(?i)Get-SPNTicket/)=true OR match_regex(cmd_line, /(?i)Request-SPNTicket/)=true OR match_regex(cmd_line, /(?i)Get-VaultCredential/)=true OR match_regex(cmd_line, /(?i)Invoke-Kerberoast/)=true ) | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["cmd_line", cmd_line]) | into write_ssa_detected_events();

Associated Analytic Story


How To Implement

You must be ingesting Windows Security logs from the devices of interest, including Event ID 4688 with command-line logging enabled.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset


version: 1


Credential extraction native microsoft debuggers peek into the kernel

Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. Native Microsoft debuggers, such as kd, ntkd, livekd and windbg, can be leveraged to read credential material directly from memory and process dumps.

  • Product: Splunk Behavioral Analytics
  • Datamodel:
  • ATT&CK: T1003
  • Last Updated: 2020-10-18

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null), process_name=ucast(map_get(input_event, "process_name"), "string", null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", null) | where cmd_line != null AND parent_process_name != null AND process_name != null AND ( match_regex(parent_process_name, /(?i)ntkd\.exe/)=true OR match_regex(parent_process_name, /(?i)livekd\.exe/)=true ) AND match_regex(process_name, /(?i)conhost\.exe/)=true AND match_regex(cmd_line, /(?i)0xffffffff/)=true AND match_regex(cmd_line, /(?i)\-ForceV1/)=true | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["cmd_line", cmd_line, "process_name", process_name, "parent_process_name", parent_process_name]) | into write_ssa_detected_events();

Associated Analytic Story


How To Implement

You must be ingesting Windows Security logs from the devices of interest, including Event ID 4688 with command-line logging enabled.

Required field

  • process_name
  • parent_process_name
  • _time
  • dest_device_id
  • dest_user_id
  • process


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, using debuggers this way may be indicative of developers analyzing crash dumps of their code. Note, even for developers this is an unusual way of working on code - debuggers are mostly used to step through code, not analyze its crash dumps.

Reference


Test Dataset


version: 1


Credential extraction native microsoft debuggers via z command line option

Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. Native Microsoft debuggers, such as kd, ntkd, livekd and windbg, can be leveraged to read credential material directly from memory and process dumps.

  • Product: Splunk Behavioral Analytics
  • Datamodel:
  • ATT&CK: T1003
  • Last Updated: 2020-10-18

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null), process_name=ucast(map_get(input_event, "process_name"), "string", null) | where cmd_line != null AND process_name != null AND ( match_regex(process_name, /^(?i)ntkd\.exe/)=true OR match_regex(process_name, /^(?i)kd\.exe/)=true ) AND match_regex(cmd_line, /(?i)\-z\s+/)=true | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["cmd_line", cmd_line, "process_name", process_name]) | into write_ssa_detected_events();

Associated Analytic Story


How To Implement

You must be ingesting Windows Security logs from the devices of interest, including Event ID 4688 with command-line logging enabled.

Required field

  • process_name
  • _time
  • dest_device_id
  • dest_user_id
  • process


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, using debuggers this way may be indicative of developers analyzing crash dumps of their code. Note, even for developers this is an unusual way of working on code - debuggers are mostly used to step through code, not analyze its crash dumps.

Reference

Test Dataset


version: 1


Credential extraction via get-addbaccount module present in powersploit and dsinternals

Credential extraction is often an illegal recovery of credential material from secured authentication resources and repositories. This process may also involve decryption or other transformations of the stored credential material. PowerSploit and DSInternals are common exploit APIs offering PowerShell modules for various exploits of Windows and Active Directory environments.

  • Product: Splunk Behavioral Analytics
  • Datamodel:
  • ATT&CK: T1003
  • Last Updated: 2020-10-18

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null) | where cmd_line != null AND match_regex(cmd_line, /(?i)Get-ADDBAccount/)=true AND match_regex(cmd_line, /(?i)\-dbpath[\s;:\.\ |]+/)=true | eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["cmd_line", cmd_line]) | into write_ssa_detected_events();

Associated Analytic Story


How To Implement

You must be ingesting Windows Security logs from the devices of interest, including Event ID 4688 with command-line logging enabled.

Required field

  • dest_device_id
  • dest_user_id
  • process
  • _time


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference

Test Dataset


version: 1
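The Splunk Behavioral Analytics detections above (cachedump with -s or -v, LaZagne, the DSInternals and PowerSploit cmdlet lists, Mimikatz modules, the native debuggers and Get-ADDBAccount) share one shape: every match_regex() in the where clause must hit, and a null field fails the rule. The Python below is an added example, not Splunk's code: it encodes a few of those rules as field-to-regex tables and runs them over constructed 4688-style events, including two events that match on command line alone but are correctly dropped by the parent-process and path conditions. Field names follow the searches; the events and command lines are constructed.

```python
import re

# Constructed events with the fields the searches read from read_ssa_enriched_events()
# (derived from Security Event ID 4688 with command-line auditing). Not real telemetry.
EVENTS = [
    # cachedump dropped into \Temp and started as a service child: matches the "-s" rule.
    {"_time": 100, "dest_device_id": "ws01", "dest_user_id": "CORP\\bob",
     "process_name": "cachedump64.exe", "process_path": "C:\\Windows\\Temp\\cachedump64.exe",
     "parent_process_name": "C:\\Windows\\System32\\services.exe", "process": "cachedump64.exe -s"},
    # Same command line, but launched by explorer from a non-Temp path: the context fields reject it.
    {"_time": 101, "dest_device_id": "ws01", "dest_user_id": "CORP\\bob",
     "process_name": "cachedump.exe", "process_path": "C:\\Tools\\cachedump.exe",
     "parent_process_name": "C:\\Windows\\explorer.exe", "process": "cachedump.exe -s"},
    # DSInternals offline read of ntds.dit.
    {"_time": 102, "dest_device_id": "dc01", "dest_user_id": "CORP\\svc-adm",
     "process_name": "powershell.exe", "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_process_name": "C:\\Windows\\System32\\cmd.exe",
     "process": "powershell.exe -c \"Get-ADDBAccount -All -DBPath C:\\Temp\\ntds.dit -BootKey $key\""},
    # Mimikatz lsadump module.
    {"_time": 103, "dest_device_id": "ws02", "dest_user_id": "CORP\\eve",
     "process_name": "mimikatz.exe", "process_path": "C:\\Users\\eve\\Downloads\\mimikatz.exe",
     "parent_process_name": "C:\\Windows\\System32\\cmd.exe",
     "process": "mimikatz.exe \"privilege::debug\" \"lsadump::sam\" exit"},
    # livekd spawning its console host: the kernel-peek rule keys on the parent, not on conhost itself.
    {"_time": 104, "dest_device_id": "ws02", "dest_user_id": "CORP\\eve",
     "process_name": "conhost.exe", "process_path": "C:\\Windows\\System32\\conhost.exe",
     "parent_process_name": "C:\\Tools\\livekd.exe",
     "process": "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"},
    # Every console program spawns conhost with exactly these arguments; cmd.exe as parent must not fire.
    {"_time": 105, "dest_device_id": "ws03", "dest_user_id": "CORP\\alice",
     "process_name": "conhost.exe", "process_path": "C:\\Windows\\System32\\conhost.exe",
     "parent_process_name": "C:\\Windows\\System32\\cmd.exe",
     "process": "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"},
]


def any_of(names):
    """OR-list of literals, like the chain of match_regex(...) OR match_regex(...) in the searches."""
    return "(?:" + "|".join(re.escape(n) for n in names) + ")"


# Each rule maps a field to the regexes that must all match it (re.search semantics, like match_regex).
RULES = {
    "fgdump_cachedump_s_option": {
        "parent_process_name": [r"(?i)System32\\services\.exe"],
        "process_name": [r"(?i)cachedump\d{0,2}\.exe"],
        "process_path": [r"(?i)\\Temp"],
        "process": [r"(?i)\-s"],
    },
    "get_addbaccount_with_dbpath": {
        "process": [r"(?i)Get-ADDBAccount", r"(?i)\-dbpath[\s;:\.\ |]+"],
    },
    "mimikatz_modules": {
        "process": [r"(?i)" + any_of(["lsadump::sam", "lsadump::secrets", "lsadump::cache", "lsadump::lsa",
                                       "lsadump::trust", "lsadump::backupkeys", "kerberos::list", "kerberos::tgt"])],
    },
    "native_debugger_kernel_peek": {
        "parent_process_name": [r"(?i)(?:ntkd|livekd)\.exe"],
        "process_name": [r"(?i)conhost\.exe"],
        "process": [r"(?i)0xffffffff", r"(?i)\-ForceV1"],
    },
}


def matches(rule, event):
    """True only if every field is present (the searches' `!= null` guards) and every regex on it matches."""
    for field, patterns in rule.items():
        value = event.get(field)
        if value is None:
            return False
        if not all(re.search(p, value) for p in patterns):
            return False
    return True


def detect(events, rules=RULES):
    """One record per (event, rule) hit, in the shape the searches hand to write_ssa_detected_events()."""
    hits = []
    for e in events:
        for name, rule in rules.items():
            if matches(rule, e):
                hits.append({"rule": name, "start_time": e["_time"], "end_time": e["_time"],
                             "entities": [e["dest_user_id"], e["dest_device_id"]],
                             "body": {"cmd_line": e["process"], "process_name": e["process_name"]}})
    return hits


if __name__ == "__main__":
    for h in detect(EVENTS):
        print(h["rule"], h["entities"], h["body"]["cmd_line"])
```

Keeping the rules as data makes it cheap to replay a new benign baseline against the whole set before deploying a change; the two rejected events show why the cachedump and debugger rules carry parent and path conditions at all, since a bare "-s" or the stock conhost arguments appear on every workstation.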


Dllhost with no command line arguments with network

The following analytic identifies DLLHost.exe with no command line arguments with a network connection. It is unusual for DLLHost.exe to execute with no command line arguments present. This particular behavior is common with malicious software, including Cobalt Strike. During investigation, triage any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. DLLHost.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1055
  • Last Updated: 2021-04-19

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=dllhost.exe by _time span=1h Processes.process_id Processes.process_name Processes.dest Processes.process_path Processes.process Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | regex process="(dllhost\.exe.{0,4}$)" | join process_id [ | tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Ports where Ports.dest_port !="0" by Ports.process_id Ports.dest Ports.dest_port | `drop_dm_object_name(Ports)` | rename dest as connection_to_CNC] | table _time dest parent_process_name process_name process_path process process_id connection_to_CNC dest_port | `dllhost_with_no_command_line_arguments_with_network_filter`

Associated Analytic Story


How To Implement

To successfully implement this search you need to be ingesting process information, including the process name and its command line, and network connection information from your endpoints into the `Endpoint` data model in the `Processes` and `Ports` nodes.

Required field

  • _time
  • EventID
  • process_name
  • process_id
  • parent_process_name
  • dest_port
  • process_path


ATT&CK

ID Technique Tactic
T1055 Process Injection Defense Evasion, Privilege Escalation


Kill Chain Phase

  • Exploitation


Known False Positives

Although unlikely, some legitimate third party applications may use a moved copy of dllhost, triggering a false positive.

Reference


Test Dataset


version: 1
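The dllhost search above combines two steps: a regex that keeps only dllhost.exe launches with no arguments, and a join of those processes to network connections on process_id. The Python below is an added example, not Splunk's code, that reproduces both steps over constructed process and connection records; it keys the join on host and process_id together, because a PID alone repeats across hosts (the search joins on process_id only). Field names and the sample records are assumptions.

```python
import re

# Same pattern as the search: "dllhost.exe" at the end of the command line, allowing up to four
# trailing characters so a closing quote or whitespace does not hide a no-argument launch.
NO_ARGS_RE = re.compile(r"dllhost\.exe.{0,4}$", re.I)

# Constructed Endpoint.Processes-style rows (field names assumed; not real telemetry).
PROCESS_EVENTS = [
    {"_time": 1000, "dest": "ws01", "process_id": 4321, "process_name": "dllhost.exe",
     "process_path": "C:\\Windows\\System32\\dllhost.exe", "parent_process_name": "rundll32.exe",
     "process": "\"C:\\Windows\\System32\\dllhost.exe\""},
    # A normal COM surrogate launch always carries /Processid:{CLSID}.
    {"_time": 1001, "dest": "ws01", "process_id": 5555, "process_name": "dllhost.exe",
     "process_path": "C:\\Windows\\System32\\dllhost.exe", "parent_process_name": "svchost.exe",
     "process": "C:\\Windows\\System32\\dllhost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}"},
    # No arguments but no outbound connection either: below the bar this search sets.
    {"_time": 1002, "dest": "ws02", "process_id": 4321, "process_name": "dllhost.exe",
     "process_path": "C:\\Windows\\SysWOW64\\dllhost.exe", "parent_process_name": "explorer.exe",
     "process": "dllhost.exe"},
]

# Constructed connection records (field names assumed). PID 4321 exists on both hosts on purpose.
CONNECTION_EVENTS = [
    {"dest": "ws01", "process_id": 4321, "remote_ip": "203.0.113.10", "remote_port": 443},
    {"dest": "ws01", "process_id": 5555, "remote_ip": "10.0.0.5", "remote_port": 135},
    {"dest": "ws01", "process_id": 4321, "remote_ip": "0.0.0.0", "remote_port": 0},  # the search drops dest_port 0
]


def dllhost_without_arguments(events):
    """Equivalent of process_name=dllhost.exe followed by the regex on the full command line."""
    return [e for e in events
            if e["process_name"].lower() == "dllhost.exe" and NO_ARGS_RE.search(e["process"])]


def join_with_connections(processes, connections):
    """Inner join on (host, pid), dropping port-0 rows as the search does; one row per connection."""
    by_key = {}
    for c in connections:
        if c["remote_port"] == 0:
            continue
        by_key.setdefault((c["dest"], c["process_id"]), []).append(c)
    rows = []
    for p in processes:
        for c in by_key.get((p["dest"], p["process_id"]), []):
            rows.append({"_time": p["_time"], "dest": p["dest"], "parent_process_name": p["parent_process_name"],
                         "process": p["process"], "process_id": p["process_id"],
                         "connection_to_CNC": c["remote_ip"], "dest_port": c["remote_port"]})
    return rows


def detect(processes=PROCESS_EVENTS, connections=CONNECTION_EVENTS):
    return join_with_connections(dllhost_without_arguments(processes), connections)


if __name__ == "__main__":
    for row in detect():
        print(row)
```

Only the ws01 launch survives: the ws02 process has the same PID but no connection of its own, which a join on process_id alone would have wrongly attributed to it.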


Dns exfiltration using nslookup app

This search detects potential DNS exfiltration using the nslookup application. The technique has been seen in several malware families and APT groups as a way to exfiltrate data collected on an infected machine or network. The detection looks for unusual use of nslookup that specifies a record type (TXT, A, AAAA) commonly used by attackers, or the retry parameter, which is used to query the C2 DNS server multiple times.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1048
  • Last Updated: 2021-04-15

Search

| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.parent_process) as parent_process count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="nslookup.exe" (Processes.process="*-querytype=*" OR Processes.process="*-qt=*" OR Processes.process="*-q=*" OR Processes.process="*-type=*" OR Processes.process="*-retry=*") by Processes.dest Processes.user Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dns_exfiltration_using_nslookup_app_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known, legitimate uses of nslookup.exe.

Required field

  • _time
  • Processes.dest
  • Processes.user
  • Processes.parent_process
  • Processes.process_name
  • Processes.process
  • Processes.process_id


ATT&CK

ID Technique Tactic
T1048 Exfiltration Over Alternative Protocol Exfiltration


Kill Chain Phase

  • Exploitation


Known False Positives

Legitimate administrator usage of nslookup.

Reference


Test Dataset


version: 1


Dsquery domain discovery

The following analytic identifies "dsquery.exe" execution with arguments looking for a `TrustedDomain` query directly on the command line. This is typically indicative of an administrator or adversary performing domain trust discovery. Note that this query does not identify any other variations of "dsquery.exe" usage. Within this detection, it is assumed `dsquery.exe` is not moved or renamed. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, the process "dsquery.exe" and its parent process. DSQuery.exe is natively found in `C:\Windows\system32` and `C:\Windows\syswow64`, and only on Windows Server operating systems. When DSQuery.exe is launched it loads `dsquery.dll`; if that DLL is found loaded by another process, it is possible dsquery is running within that process context in memory. In addition to trust discovery, review parallel processes for additional behaviors performed. Identify the parent process and capture any files (batch files, for example) being used.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1482
  • Last Updated: 2021-03-31

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=dsquery.exe Processes.process=*trustedDomain* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dsquery_domain_discovery_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information, including the name of the process responsible for the activity, from your endpoints into the `Processes` node of the `Endpoint` datamodel.

Required field

  • _time
  • Processes.process_name
  • Processes.process
  • Processes.user
  • Processes.dest


ATT&CK

ID Technique Tactic
T1482 Domain Trust Discovery Discovery


Kill Chain Phase

  • Exploitation


Known False Positives

Limited false positives. If there is a true false positive, filter based on command-line or parent process.

Reference


Test Dataset


version: 1


Delete shadowcopy with powershell

The following analytic detects a PowerShell command that deletes shadow copies using the WMIC PowerShell module. This technique was seen used by a recent adversary deploying DarkSide ransomware, where a child process of PowerShell executed a hex-encoded command to delete shadow copies. The PowerShell log captured this hex-encoded command in decoded form.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1490
  • Last Updated: 2021-05-12

Search

`powershell` EventCode=4104 Message="*ShadowCopy*" Message="*Delete*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode Message ComputerName User | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `delete_shadowcopy_with_powershell_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting PowerShell logs from your endpoints. Make sure the registry settings needed to generate this event are enabled.

Required field

  • _time
  • EventCode
  • Message
  • ComputerName
  • User


ATT&CK

ID Technique Tactic
T1490 Inhibit System Recovery Impact


Kill Chain Phase

  • Exploitation


Known False Positives

Unknown.

Reference


Test Dataset


version: 1


Deleting of net users

This analytic detects a suspicious net.exe/net1.exe command line used to delete a user on a system. An administrator may use this technique for legitimate purposes; however, this behavior has been used in the wild to impair users or to remove an adversary's tracks, such as accounts created during lateral movement to additional systems. During triage, review parallel processes for additional behavior. Identify any other user accounts created before or after.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1531
  • Last Updated: 2021-05-04

Search

| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="net.exe" OR Processes.process_name="net1.exe") AND Processes.process="*user*" AND Processes.process="*/delete*" by Processes.process_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `deleting_of_net_users_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed net.exe may be used.

Required field

  • _time
  • Processes.process_name
  • Processes.dest
  • Processes.user
  • Processes.parent_process_name
  • Processes.process_id
  • Processes.parent_process


ATT&CK

ID Technique Tactic
T1531 Account Access Removal Impact


Kill Chain Phase

  • Exploitation


Known False Positives

System administrators or scripts may delete user accounts via this technique. Filter as needed.

Reference


Test Dataset


version: 1


Deleting shadow copies

The vssadmin.exe utility is used to interact with the Volume Shadow Copy Service. wmic.exe is a command-line interface to Windows Management Instrumentation. This search looks for either of these tools being used to delete shadow copies.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1490
  • Last Updated: 2020-11-09

Search

| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=vssadmin.exe OR Processes.process_name=wmic.exe) Processes.process=*delete* Processes.process=*shadow* by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `deleting_shadow_copies_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

  • _time
  • Processes.process
  • Processes.parent_process
  • Processes.process_name
  • Processes.user
  • Processes.parent_process_name
  • Processes.dest


ATT&CK

ID Technique Tactic
T1490 Inhibit System Recovery Impact


Kill Chain Phase

  • Actions on Objectives


Known False Positives

vssadmin.exe and wmic.exe are standard applications shipped with modern versions of Windows. They may be used by administrators to legitimately delete old backup copies, although this is typically rare.

Reference

Test Dataset


version: 4


Deny permission using cacls utility

This analytic identifies a potential adversary changing the security permissions of a specific file or directory. This technique is commonly seen in APT tradecraft and in ransomware or coinminer scripts. The behavior is meant to evade detection and prevent access to the malware's component files.

  • Product: Splunk Behavioral Analytics
  • Datamodel: Endpoint
  • ATT&CK: T1222
  • Last Updated: 2021-06-14

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null), process_name=ucast(map_get(input_event, "process_name"), "string", null), process_path=ucast(map_get(input_event, "process_path"), "string", null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", null) | where cmd_line IS NOT NULL AND match_regex(cmd_line, /(?i)deny/)=true AND (process_name="cacls.exe" OR process_name="xcacls.exe" OR process_name="icacls.exe") | eval start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["cmd_line", cmd_line, "process_name", process_name, "parent_process_name", parent_process_name, "process_path", process_path]) | into write_ssa_detected_events();

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed icacls.exe may be used.

Required field

  • _time
  • dest_device_id
  • process_name
  • parent_process_name
  • process_path
  • dest_user_id
  • process


ATT&CK

ID Technique Tactic
T1222 File and Directory Permissions Modification Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

Network administrators may use this Windows utility, but this is not common practice.

Reference


Test Dataset


version: 1


Detect activity related to pass the hash attacks

This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts at using the Pass-the-Hash technique.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1550.002
  • Last Updated: 2020-10-15

Search

`wineventlog_security` EventCode=4624 (Logon_Type=3 Logon_Process=NtLmSsp WorkstationName=WORKSTATION NOT AccountName="ANONYMOUS LOGON") OR (Logon_Type=9 Logon_Process=seclogo) | fillnull | stats count min(_time) as firstTime max(_time) as lastTime by EventCode, Logon_Type, WorkstationName, user, dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_activity_related_to_pass_the_hash_attacks_filter`
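As an added example (not Splunk's own code), the two branches of the 4624 criteria above applied in Python to constructed events, together with the grouping and first/last-seen times of the `stats` clause; the field names follow the search and the sample values are constructed for this example.

```python
"""Added example, not part of Splunk Security Content: re-implementation of the
pass-the-hash search criteria over constructed Windows Security 4624 events."""

# Constructed sample events; field names are those used by the search above.
SAMPLE_EVENTS = [
    # NTLM network logon reported with the placeholder workstation name
    {"_time": 1602720000, "EventCode": "4624", "Logon_Type": "3",
     "Logon_Process": "NtLmSsp", "WorkstationName": "WORKSTATION",
     "AccountName": "jdoe", "user": "jdoe", "dest": "dc01"},
    # Same shape but ANONYMOUS LOGON, excluded by the NOT clause
    {"_time": 1602720060, "EventCode": "4624", "Logon_Type": "3",
     "Logon_Process": "NtLmSsp", "WorkstationName": "WORKSTATION",
     "AccountName": "ANONYMOUS LOGON", "user": "ANONYMOUS LOGON", "dest": "dc01"},
    # Logon type 9 (NewCredentials) with the seclogo logon process, second branch
    {"_time": 1602720120, "EventCode": "4624", "Logon_Type": "9",
     "Logon_Process": "seclogo", "WorkstationName": "WS07",
     "AccountName": "jdoe", "user": "jdoe", "dest": "ws07"},
    # Kerberos network logon, not of interest to this search
    {"_time": 1602720180, "EventCode": "4624", "Logon_Type": "3",
     "Logon_Process": "Kerberos", "WorkstationName": "WS08",
     "AccountName": "asmith", "user": "asmith", "dest": "fs01"},
    # Second hit for the first group, to show first/last-seen aggregation
    {"_time": 1602720240, "EventCode": "4624", "Logon_Type": "3",
     "Logon_Process": "NtLmSsp", "WorkstationName": "WORKSTATION",
     "AccountName": "jdoe", "user": "jdoe", "dest": "dc01"},
]

GROUP_FIELDS = ("EventCode", "Logon_Type", "WorkstationName", "user", "dest")


def is_pth_candidate(ev):
    """Apply the two OR-ed branches of the search's filter to one event."""
    if ev.get("EventCode") != "4624":
        return False
    ntlm_branch = (ev.get("Logon_Type") == "3"
                   and ev.get("Logon_Process") == "NtLmSsp"
                   and ev.get("WorkstationName") == "WORKSTATION"
                   # NOT AccountName="ANONYMOUS LOGON" also passes events
                   # where the field is absent, as in Splunk
                   and ev.get("AccountName") != "ANONYMOUS LOGON")
    seclogo_branch = (ev.get("Logon_Type") == "9"
                      and ev.get("Logon_Process") == "seclogo")
    return ntlm_branch or seclogo_branch


def detect_pass_the_hash(events):
    """Mirror the stats clause: count, firstTime and lastTime per group.
    Missing grouping fields become "" (the fillnull step in the search)."""
    groups = {}
    for ev in events:
        if not is_pth_candidate(ev):
            continue
        key = tuple(ev.get(f, "") for f in GROUP_FIELDS)
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"],
                                    "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return groups


if __name__ == "__main__":
    for key, g in detect_pass_the_hash(SAMPLE_EVENTS).items():
        print(dict(zip(GROUP_FIELDS, key)), g)
```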

Associated Analytic Story


How To Implement

To successfully implement this search, you must ingest your Windows Security Event logs and leverage the latest TA for Windows.

Required field

  • _time
  • EventCode
  • Logon_Type
  • Logon_Process
  • WorkstationName
  • user
  • dest


ATT&CK

ID Technique Tactic
T1550.002 Pass the Hash Defense Evasion, Lateral Movement


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Legitimate logon activity by authorized NTLM systems may be detected by this search. Please investigate as appropriate.

Reference

Test Dataset


version: 5


Detect azurehound command-line arguments

The following analytic identifies the common command-line argument used by AzureHound, `Invoke-AzureHound`. Because the script is FOSS, function names may be modified, but such changes depend on the operator; in most instances the defaults are used. This analytic works to identify the common command-line attributes used. It does not cover every argument, in order to avoid false positives.

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*invoke-azurehound*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_command_line_arguments_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information, including the name of the process responsible for the activity, from your endpoints into the `Processes` node of the `Endpoint` datamodel.

Required field

  • _time
  • Processes.dest
  • Processes.user
  • Processes.parent_process
  • Processes.process_name
  • Processes.process
  • Processes.process_id
  • Processes.parent_process_id


ATT&CK

ID Technique Tactic
T1087.002 Domain Account Discovery
T1087.001 Local Account Discovery
T1482 Domain Trust Discovery Discovery
T1069.002 Domain Groups Discovery
T1069.001 Local Groups Discovery


Kill Chain Phase

  • Reconnaissance


Known False Positives

Unknown.

Reference


Test Dataset


version: 1


Detect azurehound file modifications

The following analytic is similar to SharpHound file modifications, but this instance covers the use of Invoke-AzureHound. AzureHound is the SharpHound equivalent for Azure. It is possible this may never be seen in an environment, as most attackers may execute this tool remotely. Once execution is complete, a zip file with a name similar to `20210601090751-azurecollection.zip` will be dropped. In addition to the zip, multiple .json files (the same files contained in the zip) will be written to disk.

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*-azurecollection.zip", "*-azprivroleadminrights.json", "*-azglobaladminrights.json", "*-azcloudappadmins.json", "*-azapplicationadmins.json") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_azurehound_file_modifications_filter`

Associated Analytic Story


How To Implement

To successfully implement this search you need to be ingesting information on file modifications that include the name of the process, and file, responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.

Required field

  • _time
  • file_path
  • dest
  • file_name
  • process_id
  • file_create_time


ATT&CK

ID Technique Tactic
T1087.002 Domain Account Discovery
T1087.001 Local Account Discovery
T1482 Domain Trust Discovery Discovery
T1069.002 Domain Groups Discovery
T1069.001 Local Groups Discovery


Kill Chain Phase

  • Reconnaissance


Known False Positives

False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed.

Reference


Test Dataset


version: 1


Detect baron samedit cve-2021-3156

This search detects attempts to trigger the heap-based buffer overflow in sudoedit (CVE-2021-3156, Baron Samedit).

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1068
  • Last Updated: 2021-01-27

Search

`linux_hosts` | search "sudoedit -s \\" | `detect_baron_samedit_cve_2021_3156_filter`

Associated Analytic Story


How To Implement

A Splunk Universal Forwarder running on Linux systems, capturing logs from the /var/log directory. The vulnerability is exposed when a non-privileged user passes a single `\` character at the end of the command while using the shell and edit flags.

Required field

  • _time


ATT&CK

ID Technique Tactic
T1068 Exploitation for Privilege Escalation Privilege Escalation


Kill Chain Phase

  • Exploitation


Known False Positives

Unknown.

Reference


Test Dataset

version: 1


Detect baron samedit cve-2021-3156 segfault

This search detects attempts to trigger the heap-based buffer overflow in sudoedit (CVE-2021-3156, Baron Samedit) by looking for repeated sudoedit segfaults.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1068
  • Last Updated: 2021-01-29

Search

`linux_hosts` | search sudoedit segfault | stats count min(_time) as firstTime max(_time) as lastTime by host | search count > 5 | `detect_baron_samedit_cve_2021_3156_segfault_filter`

Associated Analytic Story


How To Implement

A Splunk Universal Forwarder running on Linux systems (tested on CentOS and Ubuntu), where segfaults are being logged. This also captures instances where the exploit has been compiled into a binary. The detection looks for more than 5 instances of sudoedit combined with segfault on a single host over your search time period.

Required field

  • _time
  • host


ATT&CK

ID Technique Tactic
T1068 Exploitation for Privilege Escalation Privilege Escalation


Kill Chain Phase

  • Exploitation


Known False Positives

If sudoedit is throwing segfaults for other reasons this will pick those up too.

Reference


Test Dataset

version: 1


Detect baron samedit cve-2021-3156 via osquery

This search detects attempts to trigger the heap-based buffer overflow in sudoedit (CVE-2021-3156, Baron Samedit) using osquery process events.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1068
  • Last Updated: 2021-01-28

Search

`osquery_process` | search "columns.cmdline"="sudoedit -s \\*" | `detect_baron_samedit_cve_2021_3156_via_osquery_filter`

Associated Analytic Story


How To Implement

osquery installed and configured to pick up process events (info at https://osquery.io), together with the Splunk OSQuery Add-on https://splunkbase.splunk.com/app/4402. The vulnerability is exposed when a non-privileged user passes a single `\` character at the end of the command while using the shell and edit flags.

Required field

  • _time
  • columns.cmdline


ATT&CK

ID Technique Tactic
T1068 Exploitation for Privilege Escalation Privilege Escalation


Kill Chain Phase

  • Exploitation


Known False Positives

Unknown.

Reference


Test Dataset

version: 1


Detect computer changed with anonymous account

This search looks for Event Code 4742 (Computer Change) or Event Code 4624 (An account was successfully logged on) with an anonymous account.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1210
  • Last Updated: 2020-09-18

Search

`wineventlog_security` EventCode=4624 OR EventCode=4742 TargetUserName="ANONYMOUS LOGON" LogonType=3 | stats count values(host) as host, values(TargetDomainName) as Domain, values(user) as user | `detect_computer_changed_with_anonymous_account_filter`

Associated Analytic Story


How To Implement

This search requires audit computer account management to be enabled on the system in order to generate Event ID 4742. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Event Logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.

Required field

  • _time
  • EventCode
  • TargetUserName
  • LogonType
  • TargetDomainName
  • user


ATT&CK

ID Technique Tactic
T1210 Exploitation of Remote Services Lateral Movement


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None found thus far.

Reference


Test Dataset

version: 1


Detect credential dumping through lsass access

This search looks for reading lsass memory consistent with credential dumping.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1003.001
  • Last Updated: 2019-12-03

Search

`sysmon` EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR GrantedAccess=0x1410) | stats count min(_time) as firstTime max(_time) as lastTime by Computer, SourceImage, SourceProcessId, TargetImage, TargetProcessId, EventCode, GrantedAccess | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_credential_dumping_through_lsass_access_filter`
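Added example, not part of Splunk Security Content: the same match applied over constructed Sysmon EventCode 10 records, with the two access masks decomposed into the standard Windows process access rights they combine, which shows why a full-access handle (for example 0x1FFFFF) does not match the search's exact values. The `Key: Value` record layout, the epoch `UtcTime` and the sample process names are constructed for the example.

```python
"""Added example (not Splunk's code): apply the lsass access criteria of the
search above to constructed Sysmon EventCode 10 records."""
import re

# Standard Windows process access rights that make up the two masks matched
# by the search (0x1010 and 0x1410).
ACCESS_RIGHTS = [
    (0x0010, "PROCESS_VM_READ"),
    (0x0400, "PROCESS_QUERY_INFORMATION"),
    (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"),
]
# The search matches these exact values, not every mask that contains them.
WATCHED_MASKS = {0x1010, 0x1410}

# Constructed sample records in a simplified "Key: Value" layout (not real
# Sysmon output); UtcTime is an epoch integer standing in for _time.
SAMPLE_LINES = [
    "EventCode: 10 UtcTime: 1575367201 Computer: ws01 SourceImage: C:\\Windows\\System32\\taskmgr.exe SourceProcessId: 4120 TargetImage: C:\\Windows\\system32\\lsass.exe TargetProcessId: 688 GrantedAccess: 0x1410",
    "EventCode: 10 UtcTime: 1575367260 Computer: ws01 SourceImage: C:\\Users\\Public\\tool.exe SourceProcessId: 5180 TargetImage: C:\\Windows\\system32\\lsass.exe TargetProcessId: 688 GrantedAccess: 0x1010",
    "EventCode: 10 UtcTime: 1575367300 Computer: ws01 SourceImage: C:\\Users\\Public\\tool.exe SourceProcessId: 5180 TargetImage: C:\\Windows\\system32\\lsass.exe TargetProcessId: 688 GrantedAccess: 0x1010",
    # Full-access handle: contains both masks but is not an exact match
    "EventCode: 10 UtcTime: 1575367330 Computer: ws02 SourceImage: C:\\Windows\\System32\\wbem\\WmiPrvSE.exe SourceProcessId: 900 TargetImage: C:\\Windows\\system32\\lsass.exe TargetProcessId: 700 GrantedAccess: 0x1FFFFF",
    # Right mask, wrong target process
    "EventCode: 10 UtcTime: 1575367400 Computer: ws02 SourceImage: C:\\Windows\\System32\\csrss.exe SourceProcessId: 600 TargetImage: C:\\Windows\\explorer.exe TargetProcessId: 3000 GrantedAccess: 0x1010",
    # Different event type entirely
    "EventCode: 1 UtcTime: 1575367410 Computer: ws02 Image: C:\\Windows\\System32\\cmd.exe",
]

FIELD_RE = re.compile(r"(\w+): (\S+)")


def parse_line(line):
    """Turn one constructed record into a dict of its fields."""
    return dict(FIELD_RE.findall(line))


def describe_access(mask):
    """Name the known rights set in a GrantedAccess mask; any remaining bits
    are reported as a hex remainder so nothing is silently dropped."""
    names = [name for bit, name in ACCESS_RIGHTS if mask & bit]
    rest = mask & ~sum(bit for bit, _ in ACCESS_RIGHTS)
    if rest:
        names.append("other:0x%X" % rest)
    return names


def is_lsass_read(ev):
    """EventCode=10 TargetImage=*lsass.exe (GrantedAccess=0x1010 OR 0x1410)."""
    if ev.get("EventCode") != "10":
        return False
    if not ev.get("TargetImage", "").lower().endswith("lsass.exe"):
        return False
    try:
        mask = int(ev.get("GrantedAccess", "0"), 16)
    except ValueError:
        return False
    return mask in WATCHED_MASKS


GROUP_FIELDS = ("Computer", "SourceImage", "SourceProcessId",
                "TargetImage", "TargetProcessId", "EventCode", "GrantedAccess")


def detect_lsass_access(lines):
    """Mirror the stats clause: count, firstTime and lastTime per group, with
    Computer carried as dest as the search's rename does."""
    groups = {}
    for line in lines:
        ev = parse_line(line)
        if not is_lsass_read(ev):
            continue
        t = int(ev["UtcTime"])
        key = tuple(ev.get(f, "") for f in GROUP_FIELDS)
        g = groups.setdefault(key, {"dest": ev.get("Computer", ""), "count": 0,
                                    "firstTime": t, "lastTime": t})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], t)
        g["lastTime"] = max(g["lastTime"], t)
    return groups


if __name__ == "__main__":
    for key, g in detect_lsass_access(SAMPLE_LINES).items():
        rights = describe_access(int(key[6], 16))
        print(g["dest"], key[1], "x%d" % g["count"], "rights:", ", ".join(rights))
```

The taskmgr.exe hit illustrates the false-positive note below: a legitimate tool can open lsass with exactly 0x1410, so the source image is what separates noise from credential dumping.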

Associated Analytic Story


How To Implement

This search needs Sysmon Logs and a sysmon configuration, which includes EventCode 10 with lsass.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.

Required field

  • _time
  • EventCode
  • TargetImage
  • GrantedAccess
  • Computer
  • SourceImage
  • SourceProcessId
  • TargetImage
  • TargetProcessId


ATT&CK

ID Technique Tactic
T1003.001 LSASS Memory Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

The activity may be legitimate. Other tools can access lsass for legitimate reasons, and it's possible this event could be generated in those cases. In these cases, false positives should be fairly obvious and you may need to tweak the search to eliminate noise.

Reference

Test Dataset


version: 3


Detect dump lsass memory using comsvcs

This search detects the memory of lsass.exe being dumped for an offline credential theft attack.

  • Product: Splunk Behavioral Analytics
  • Datamodel:
  • ATT&CK: T1003.003
  • Last Updated: 2020-09-15

Search

| from read_ssa_enriched_events() | eval tenant=ucast(map_get(input_event, "_tenant"), "string", null), machine=ucast(map_get(input_event, "dest_device_id"), "string", null), process_name=lower(ucast(map_get(input_event, "process_name"), "string", null)), timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), process=lower(ucast(map_get(input_event, "process"), "string", null)) | where process_name LIKE "%rundll32.exe%" AND match_regex(process, /(?i)comsvcs.dll[,\s]+MiniDump/)=true | eval start_time = timestamp, end_time = timestamp, entities = mvappend(machine), body=create_map(["process_name", process_name]) | into write_ssa_detected_events();

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including Windows command line logging. You can see how we test this with [Event Code 4688](https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4688a) on the [attack_range](https://github.com/splunk/attack_range/blob/develop/ansible/roles/windows_common/tasks/windows-enable-4688-cmd-line-audit.yml).

Required field

  • process_name
  • _tenant
  • _time
  • dest_device_id
  • process


ATT&CK

ID Technique Tactic
T1003.003 NTDS Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset

version: 1


Detect empire with powershell script block logging

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, that is, the full command to be executed. Once enabled, the logs are written to the Windows event log. Depending on volume, enable it on critical endpoints or on all endpoints.

This analytic identifies the common PowerShell stager used by PowerShell-Empire. Every stager that uses PowerShell follows the same pattern: the initial HTTP request is base64 encoded and uses `system.net.webclient`. Note that some obfuscation may evade the analytic.

During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1059.001
  • Last Updated: 2021-06-09

Search

`powershell` EventCode=4104 (Message=*system.net.webclient* AND Message=*frombase64string*) | stats count min(_time) as firstTime max(_time) as lastTime by OpCode ComputerName User EventCode Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_empire_with_powershell_script_block_logging_filter`

Associated Analytic Story


How To Implement

To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.

Required field

  • _time
  • Message
  • OpCode
  • ComputerName
  • User
  • EventCode


ATT&CK

ID Technique Tactic
T1059.001 PowerShell Execution


Kill Chain Phase

  • Exploitation


Known False Positives

False positives may only pertain to it not being related to Empire, but another framework. Filter as needed if any applications use the same pattern.

Reference


Test Dataset


version: 1


Detect excessive account lockouts from endpoint

This search identifies endpoints that have caused a relatively high number of account lockouts in a short period.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078.002
  • Last Updated: 2020-11-09

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Changes.user) as user from datamodel=Change.All_Changes where nodename=All_Changes.Account_Management All_Changes.result="lockout" by All_Changes.dest All_Changes.result |`drop_dm_object_name("All_Changes")` |`drop_dm_object_name("Account_Management")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_account_lockouts_from_endpoint_filter`

Associated Analytic Story


How To Implement

You must ingest your Windows security event logs into the `Change` datamodel under the `Account_Management` node for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment.

**Splunk>Phantom Playbook Integration**

If Splunk>Phantom is also configured in your environment, a Playbook called "Excessive Account Lockouts Enrichment and Response" can be configured to run when any results are found by this detection search. The Playbook executes the Contextual and Investigative searches in this Story, conducts additional information gathering on Windows endpoints, and takes a response action to shut down the affected endpoint. To use this integration, install the Phantom App for Splunk `https://splunkbase.splunk.com/app/3411/`, add the correct hostname to the "Phantom Instance" field in the Adaptive Response Actions when configuring this detection search, and set the corresponding Playbook to active. (Playbook Link: `https://my.phantom.us/4.1/playbook/excessive-account-lockouts-enrichment-and-response/`.)


Required field

  • _time
  • All_Changes.user
  • nodename
  • All_Changes.result
  • All_Changes.dest


ATT&CK

ID Technique Tactic
T1078.002 Domain Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

Known False Positives

It's possible that a widely used system, such as a kiosk, could cause a large number of account lockouts.

Reference

Test Dataset


version: 5


Detect excessive user account lockouts

This search detects user accounts that have been locked out a relatively high number of times in a short period.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078.003
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes where nodename=All_Changes.Account_Management All_Changes.result="lockout" by All_Changes.user All_Changes.result |`drop_dm_object_name("All_Changes")` |`drop_dm_object_name("Account_Management")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search count > 5 | `detect_excessive_user_account_lockouts_filter`

Associated Analytic Story


How To Implement

You must ingest your Windows security event logs into the `Change` datamodel under the `Account_Management` node for this search to execute successfully. Please consider updating the cron schedule and the count of lockouts you want to monitor, according to your environment.

Required field

  • _time
  • All_Changes.result
  • nodename
  • All_Changes.user


ATT&CK

ID Technique Tactic
T1078.003 Local Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

Known False Positives

It is possible that a legitimate user is experiencing an issue causing multiple account login failures leading to lockouts.

Reference

Test Dataset


version: 3


Detect exchange web shell

The following query identifies suspicious .aspx files created in three paths identified by Microsoft as known drop locations for Exchange exploitation related to the HAFNIUM group. The paths are `\HttpProxy\owa\auth\`, `\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. Upon triage, the suspicious .aspx file will likely look obvious on the surface; inspect its contents for script code. Identify additional log sources, IIS included, to review the source and other potential exploitation.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1505.003
  • Last Updated: 2021-03-09

Search

| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest | `drop_dm_object_name(Processes)` | join process_guid, _time [ | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\HttpProxy\\owa\\auth\\*", "*\\inetpub\\wwwroot\\aspnet_client\\*", "*\\HttpProxy\\OAB\\*") Filesystem.file_name="*.aspx" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)` | fields _time dest file_create_time file_name file_path process_name process_path process] | dedup file_create_time | table dest file_create_time, file_name, file_path, process_name | `detect_exchange_web_shell_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process and file information, including the name of the process responsible for the activity, from your endpoints into the `Processes` and `Filesystem` nodes of the `Endpoint` datamodel.

Required field

  • _time
  • Filesystem.file_path
  • Filesystem.process_id
  • Filesystem.file_name
  • Filesystem.file_hash
  • Filesystem.user


ATT&CK

ID Technique Tactic
T1505.003 Web Shell Persistence


Kill Chain Phase

  • Exploitation


Known False Positives

The query is structured in a way that `action` (read, create) is not defined. Review the results of this query, filter, and tune as necessary. It may be necessary to generate this query specific to your endpoint product.

Reference


Test Dataset


version: 2


Detect html help renamed

The following analytic identifies a renamed instance of hh.exe (HTML Help) executing a Compiled HTML Help (CHM) file. This particular technique loads Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution: JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analysts may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify the origin of the script content. Validate that it is the legitimate version of hh.exe by reviewing the PE metadata. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1218.001
  • Last Updated: 2021-02-11

Search

`sysmon` EventID=1 OriginalFileName=HH.exe NOT process_name=hh.exe | stats count min(_time) as firstTime max(_time) as lastTime by Computer, User, parent_process_name, process_name, OriginalFileName, process_path, CommandLine | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_renamed_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed hh.exe may be used.

Required field

  • _time
  • EventID
  • OriginalFileName
  • process_name
  • Computer
  • User
  • parent_process_name
  • process_path
  • CommandLine


ATT&CK

ID Technique Tactic
T1218.001 Compiled HTML File Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although it is unlikely that a renamed instance of hh.exe will be used legitimately, filter as needed.

Reference


Test Dataset


version: 1


Detect html help spawn child process

The following analytic identifies hh.exe (HTML Help) execution of a Compiled HTML Help (CHM) file that spawns a child process. This particular technique loads Windows script code from a compiled help file. CHM files may contain nearly any file type embedded, but only execute html/htm. Upon a successful execution, the following script engines may be used for execution: JScript, VBScript, VBScript.Encode, JScript.Encode, JScript.Compact. Analysts may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to be supported for the execution of Shortcut commands or WSH script code. During investigation, identify the origin of the script content. Review child process events and investigate further. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.001
  • Last Updated: 2021-02-11

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=hh.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_spawn_child_process_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information, including the name of the process responsible for the changes, from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

  • _time
  • Processes.parent_process_name
  • Processes.dest
  • Processes.user
  • Processes.parent_process
  • Processes.process_name
  • Processes.process
  • Processes.process_id
  • Processes.parent_process_id


ATT&CK

ID Technique Tactic
T1218.001 Compiled HTML File Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, some legitimate applications (ex. web browsers) may spawn a child process. Filter as needed.

Reference


Test Dataset


version: 1


Detect html help url in command line

The following analytic identifies hh.exe (HTML Help) executing a Compiled HTML Help (CHM) file from a remote URL. This technique loads Windows script code from a compiled help file. CHM files may contain nearly any embedded file type, but only html/htm files are executed. Upon successful execution, the following script engines may be used: JScript, VBScript, VBScript.Encode, JScript.Encode and JScript.Compact. Analysts may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to support the execution of Shortcut commands or WSH script code. During investigation, identify where the script content originated. Review the reputation of the remote IP and domain. In some instances, it is worth decompiling the .chm file to review its original contents. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.001
  • Last Updated: 2021-02-11

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=hh.exe Processes.process=*http* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_url_in_command_line_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information, including the name of the process responsible for the changes, from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

  • _time
  • Processes.process_name
  • Processes.process
  • Processes.dest
  • Processes.user
  • Processes.parent_process
  • Processes.process_id
  • Processes.parent_process_id


ATT&CK

ID Technique Tactic
T1218.001 Compiled HTML File Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, some legitimate applications may retrieve a CHM remotely, filter as needed.

Reference


Test Dataset


version: 1


Detect html help using infotech storage handlers

The following analytic identifies hh.exe (HTML Help) executing a Compiled HTML Help (CHM) file using InfoTech Storage Handlers. This technique loads Windows script code from a compiled help file via the InfoTech Storage Handlers; itss.dll is loaded upon execution. Three InfoTech Storage handlers are supported: ms-its, its and mk:@MSITStore. ITSS may be used to launch a specific html/htm file from within a CHM file. CHM files may contain nearly any embedded file type. Upon successful execution, the following script engines may be used: JScript, VBScript, VBScript.Encode, JScript.Encode and JScript.Compact. Analysts may identify vbscript.dll or jscript.dll loading into hh.exe upon execution. The "htm" and "html" file extensions were the only extensions observed to support the execution of Shortcut commands or WSH script code. During investigation, identify where the script content originated. hh.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.001
  • Last Updated: 2021-02-11

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=hh.exe Processes.process IN ("*its:*", "*mk:@MSITStore:*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_html_help_using_infotech_storage_handlers_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information, including the name of the process responsible for the changes, from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

  • _time
  • Processes.process_name
  • Processes.process
  • Processes.dest
  • Processes.user
  • Processes.parent_process
  • Processes.process_id


ATT&CK

ID Technique Tactic
T1218.001 Compiled HTML File Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

It is rare to see instances of InfoTech Storage Handlers being used, but it does happen in some legitimate instances. Filter as needed.

Reference


Test Dataset


version: 1


Detect kerberoasting

This search detects a potential Kerberoasting attack via service principal name requests.

  • Product: Splunk Behavioral Analytics
  • Datamodel:
  • ATT&CK: T1558.003
  • Last Updated: 2020-10-21

Search

| from read_ssa_enriched_events() | eval _time=map_get(input_event, "_time"), EventCode=map_get(input_event, "event_code"), TicketOptions=map_get(input_event, "ticket_options"), TicketEncryptionType=map_get(input_event, "ticket_encryption_type"), ServiceName=map_get(input_event, "service_name"), ServiceID=map_get(input_event, "service_id"), dest_user_id=ucast(map_get(input_event, "dest_user_id"), "string", null), dest_device_id=ucast(map_get(input_event, "dest_device_id"), "string", null) | where EventCode="4769" AND TicketOptions="0x40810000" AND TicketEncryptionType="0x17" | first_time_event input_columns=["EventCode","TicketOptions","TicketEncryptionType","ServiceName","ServiceID"] | where first_time_EventCode_TicketOptions_TicketEncryptionType_ServiceName_ServiceID | eval start_time=_time, end_time=_time, body=create_map(["EventCode", EventCode, "ServiceName", ServiceName, "TicketOptions", TicketOptions, "TicketEncryptionType", TicketEncryptionType]), entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)) | select start_time, end_time, entities, body | into write_ssa_detected_events();
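The filter and first-time-event logic of the search above, as an added Python example that is not part of Splunk Security Content; the sample 4769 events are constructed, and the field names follow the "Required field" list below.

```python
"""Added example (not Splunk Security Content's own code): the Kerberoasting
filter and first_time_event logic of the SPL2 search, run over constructed
Windows Security 4769 events."""
from typing import Dict, Iterable, List, Tuple

# Values the SPL2 search keys on (taken from the search on this page).
KERBEROAST_EVENT_CODE = "4769"            # Kerberos service ticket was requested
KERBEROAST_TICKET_OPTIONS = "0x40810000"  # forwardable + renewable + canonicalize
KERBEROAST_ENC_TYPE = "0x17"              # RC4-HMAC: ticket can be cracked offline

# Columns of first_time_event: a detection fires only the first time this
# combination is seen in the stream.
FIRST_TIME_COLUMNS = ("event_code", "ticket_options",
                      "ticket_encryption_type", "service_name", "service_id")

Event = Dict[str, object]


def matches_kerberoast_filter(event: Event) -> bool:
    """Mirror of the search's `where` clause."""
    return (event.get("event_code") == KERBEROAST_EVENT_CODE
            and event.get("ticket_options") == KERBEROAST_TICKET_OPTIONS
            and event.get("ticket_encryption_type") == KERBEROAST_ENC_TYPE)


def detect_kerberoasting(events: Iterable[Event]) -> List[Event]:
    """Return one detected event per never-before-seen service/ticket
    combination, shaped like the rows written by write_ssa_detected_events()."""
    seen: set = set()
    detections: List[Event] = []
    for event in events:
        if not matches_kerberoast_filter(event):
            continue
        key: Tuple[object, ...] = tuple(event.get(c) for c in FIRST_TIME_COLUMNS)
        if key in seen:
            continue  # first_time_event suppresses repeats of a known combination
        seen.add(key)
        detections.append({
            "start_time": event["_time"],
            "end_time": event["_time"],
            # entities: the account that requested the ticket and the DC that issued it
            "entities": [event.get("dest_user_id"), event.get("dest_device_id")],
            "body": {
                "EventCode": event["event_code"],
                "ServiceName": event["service_name"],
                "TicketOptions": event["ticket_options"],
                "TicketEncryptionType": event["ticket_encryption_type"],
            },
        })
    return detections


# Constructed sample events (not real log data); SIDs, hosts and SPNs are made up.
SAMPLE_EVENTS: List[Event] = [
    # AES-256 ticket (0x12) for a host SPN: routine, ignored
    {"_time": 1600000000, "event_code": "4769", "ticket_options": "0x40810000",
     "ticket_encryption_type": "0x12", "service_name": "host/ws01.corp.example",
     "service_id": "S-1-5-21-0-1101", "dest_user_id": "alice", "dest_device_id": "dc01"},
    # RC4 ticket (0x17) for a service account SPN: first sighting, fires
    {"_time": 1600000060, "event_code": "4769", "ticket_options": "0x40810000",
     "ticket_encryption_type": "0x17", "service_name": "MSSQLSvc/db01.corp.example:1433",
     "service_id": "S-1-5-21-0-1205", "dest_user_id": "alice", "dest_device_id": "dc01"},
    # Same combination again from another user: suppressed by first_time_event
    {"_time": 1600000120, "event_code": "4769", "ticket_options": "0x40810000",
     "ticket_encryption_type": "0x17", "service_name": "MSSQLSvc/db01.corp.example:1433",
     "service_id": "S-1-5-21-0-1205", "dest_user_id": "bob", "dest_device_id": "dc01"},
    # RC4 ticket for a second SPN: new combination, fires
    {"_time": 1600000180, "event_code": "4769", "ticket_options": "0x40810000",
     "ticket_encryption_type": "0x17", "service_name": "HTTP/web01.corp.example",
     "service_id": "S-1-5-21-0-1206", "dest_user_id": "alice", "dest_device_id": "dc01"},
    # TGT request (4768), not a service ticket: ignored
    {"_time": 1600000240, "event_code": "4768", "ticket_options": "0x40810000",
     "ticket_encryption_type": "0x17", "service_name": "krbtgt",
     "service_id": "S-1-5-21-0-502", "dest_user_id": "alice", "dest_device_id": "dc01"},
]

if __name__ == "__main__":
    for hit in detect_kerberoasting(SAMPLE_EVENTS):
        print(hit["start_time"], hit["entities"], hit["body"]["ServiceName"])
```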

Associated Analytic Story


How To Implement

The test data is converted from Windows Security Event logs generated from an Attack Range simulation, used in the SPL search, and extended to SPL2.

Required field

  • service_name
  • _time
  • event_code
  • ticket_encryption_type
  • service_id
  • ticket_options


ATT&CK

ID Technique Tactic
T1558.003 Kerberoasting Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Older systems that support Kerberos RC4 by default, such as NetApp, may generate false positives.

Reference

  • Initial ESCU implementation by Jose Hernandez and Patrick Bareiss


Test Dataset

version: 1


Detect mshta url in command line

This analytic identifies when the Microsoft HTML Application Host (mshta.exe) utility is used to make remote HTTP connections. Adversaries may use mshta.exe to proxy the download and execution of remote .hta files. The analytic identifies command-line arguments containing http or https. This technique is commonly used by malicious software to bypass preventative controls. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, the process "rundll32.exe" and its parent process.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.005
  • Last Updated: 2021-01-20

Search

| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mshta.exe (Processes.process="*http://*" OR Processes.process="*https://*") by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mshta_url_in_command_line_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information, including the name of the process responsible for the changes, from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

  • _time
  • Processes.process
  • Processes.parent_process
  • Processes.process_name
  • Processes.user
  • Processes.dest


ATT&CK

ID Technique Tactic
T1218.005 Mshta Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

It is possible legitimate applications may perform this behavior and will need to be filtered.

Reference


Test Dataset


version: 1


Detect mimikatz using loaded images

This search looks for loaded images unique to credential dumping with Mimikatz. Deprecated because the Mimikatz libraries changed and the Sysmon event code is very noisy.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1003.001
  • Last Updated: 2019-12-03

Search

`sysmon` EventCode=7 | stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as ImageLoaded values(ProcessId) as ProcessId by Computer, Image | search ImageLoaded=*WinSCard.dll ImageLoaded=*cryptdll.dll ImageLoaded=*hid.dll ImageLoaded=*samlib.dll ImageLoaded=*vaultcli.dll | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mimikatz_using_loaded_images_filter`

Associated Analytic Story


How To Implement

This search needs Sysmon logs and a Sysmon configuration that includes EventCode 7 with powershell.exe. This search uses an input macro named `sysmon`. We strongly recommend that you specify your environment-specific configurations (index, source, sourcetype, etc.) for Windows Sysmon logs. Replace the macro definition with configurations for your Splunk environment. The search also uses a post-filter macro designed to filter out known false positives.

Required field

  • _time
  • EventCode
  • ImageLoaded
  • ProcessId
  • Computer
  • Image


ATT&CK

ID Technique Tactic
T1003.001 LSASS Memory Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Other tools can import the same DLLs. These tools should be part of a whitelist. False positives may be present with any process that authenticates or uses credentials, PowerShell included. Filter based on parent process.

Reference


Test Dataset


version: 1


Detect mimikatz with powershell script block logging

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. Script Block Logging captures the command sent to PowerShell, that is, the full command to be executed. Once enabled, logs are written to the Windows event log. Depending on volume, enable it on a subset of endpoints or on all of them.

This analytic identifies common Mimikatz functions that may appear in the script block, including `mimikatz`. This will catch the most basic use cases for Pass the Ticket, Pass the Hash and `-DumpCreds`.

During triage, review parallel processes using an EDR product or 4688 events. It will be important to understand the timeline of events around this activity. Review the entire logged PowerShell script block.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1003
  • Last Updated: 2021-06-09

Search

`powershell` EventCode=4104 Message IN (*mimikatz*, *-dumpcr*, *sekurlsa::pth*, *kerberos::ptt*, *kerberos::golden*) | stats count min(_time) as firstTime max(_time) as lastTime by OpCode ComputerName User EventCode Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mimikatz_with_powershell_script_block_logging_filter`

Associated Analytic Story


How To Implement

To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.

Required field

  • _time
  • Message
  • OpCode
  • ComputerName
  • User
  • EventCode


ATT&CK

ID Technique Tactic
T1003 OS Credential Dumping Credential Access


Kill Chain Phase

  • Exploitation


Known False Positives

False positives should be limited, as the commands being identified are quite specific to EventCode 4104 and Mimikatz. Filter as needed.

Reference


Test Dataset


version: 1


Detect new local admin account

This search looks for newly created accounts that have been elevated to local administrators.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1136.001
  • Last Updated: 2020-07-08

Search

`wineventlog_security` EventCode=4720 OR (EventCode=4732 Group_Name=Administrators) | transaction member_id connected=false maxspan=180m | rename member_id as user | stats count min(_time) as firstTime max(_time) as lastTime by user dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_new_local_admin_account_filter`
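The 4720/4732 correlation of the search above, as an added Python example that is not part of Splunk Security Content. The sample events are constructed, and the example assumes `member_id` is populated on both event types as the search expects; `transaction ... maxspan=180m` is reproduced by grouping per member and splitting whenever the span from the first event would exceed 180 minutes.

```python
"""Added example (not Splunk Security Content's own code): correlate account
creation (4720) with an add to the local Administrators group (4732) for the
same member_id within 180 minutes, over constructed Windows Security events."""
from collections import defaultdict
from typing import Dict, List

ACCOUNT_CREATED = 4720        # A user account was created
ADDED_TO_LOCAL_GROUP = 4732   # A member was added to a security-enabled local group
ADMIN_GROUP = "Administrators"
MAX_SPAN_SECONDS = 180 * 60   # transaction ... maxspan=180m

Event = Dict[str, object]


def is_candidate(ev: Event) -> bool:
    """The base search: every 4720, plus 4732 for the Administrators group only."""
    return ev["EventCode"] == ACCOUNT_CREATED or (
        ev["EventCode"] == ADDED_TO_LOCAL_GROUP and ev.get("Group_Name") == ADMIN_GROUP)


def build_transactions(events: List[Event]) -> List[List[Event]]:
    """Group candidate events per member_id the way `transaction member_id
    maxspan=180m` does: a transaction starts at an event and absorbs later
    events for the same member until the span would exceed MAX_SPAN_SECONDS."""
    by_member: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        if is_candidate(ev):
            by_member[str(ev["member_id"])].append(ev)
    transactions: List[List[Event]] = []
    for evs in by_member.values():
        evs.sort(key=lambda e: e["_time"])
        current: List[Event] = []
        for ev in evs:
            if current and ev["_time"] - current[0]["_time"] > MAX_SPAN_SECONDS:
                transactions.append(current)
                current = []
            current.append(ev)
        if current:
            transactions.append(current)
    return transactions


def detect_new_local_admin(events: List[Event]) -> List[Dict[str, object]]:
    """One row per (user, dest), as `stats count min(_time) max(_time) by user dest`
    produces; user is the member_id (a SID), which the search renames to user.
    Assumes both events of a transaction come from the same dest."""
    rows: Dict[tuple, Dict[str, object]] = {}
    for tx in build_transactions(events):
        codes = {e["EventCode"] for e in tx}
        # Only a transaction containing both the creation and the group add fires.
        if not {ACCOUNT_CREATED, ADDED_TO_LOCAL_GROUP} <= codes:
            continue
        key = (str(tx[0]["member_id"]), tx[0]["dest"])
        row = rows.setdefault(key, {"user": key[0], "dest": key[1], "count": 0,
                                    "firstTime": tx[0]["_time"], "lastTime": tx[-1]["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], tx[0]["_time"])
        row["lastTime"] = max(row["lastTime"], tx[-1]["_time"])
    return sorted(rows.values(), key=lambda r: (r["dest"], r["user"]))


# Constructed sample events (epoch seconds); SIDs and hosts are made up.
SAMPLE_EVENTS: List[Event] = [
    # Account created, then added to Administrators 5 minutes later: fires
    {"_time": 1600000000, "EventCode": 4720, "member_id": "S-1-5-21-0-1105", "dest": "ws01"},
    {"_time": 1600000300, "EventCode": 4732, "Group_Name": "Administrators",
     "member_id": "S-1-5-21-0-1105", "dest": "ws01"},
    # Existing account added to Administrators with no creation event: no row
    {"_time": 1600000600, "EventCode": 4732, "Group_Name": "Administrators",
     "member_id": "S-1-5-21-0-1001", "dest": "ws01"},
    # Created, then added to a non-admin group: the 4732 is filtered out
    {"_time": 1600000900, "EventCode": 4720, "member_id": "S-1-5-21-0-1106", "dest": "ws02"},
    {"_time": 1600001200, "EventCode": 4732, "Group_Name": "Remote Desktop Users",
     "member_id": "S-1-5-21-0-1106", "dest": "ws02"},
    # Created, added to Administrators four hours later: outside maxspan, no row
    {"_time": 1600002000, "EventCode": 4720, "member_id": "S-1-5-21-0-1107", "dest": "ws03"},
    {"_time": 1600002000 + 4 * 3600, "EventCode": 4732, "Group_Name": "Administrators",
     "member_id": "S-1-5-21-0-1107", "dest": "ws03"},
]

if __name__ == "__main__":
    for row in detect_new_local_admin(SAMPLE_EVENTS):
        print(row)
```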

Associated Analytic Story


How To Implement

You must be ingesting Windows event logs using the Splunk Windows TA and collecting event codes 4720 and 4732.

Required field

  • _time
  • EventCode
  • Group_Name
  • member_id
  • dest


ATT&CK

ID Technique Tactic
T1136.001 Local Account Persistence


Kill Chain Phase

  • Actions on Objectives
  • Command and Control


Known False Positives

The activity may be legitimate. For this reason, it's best to verify the account with an administrator and ask whether there was a valid service request for the account creation. If your local administrator group name is not "Administrators", this search may generate an excessive number of false positives.

Reference

Test Dataset


version: 2


Detect outlook exe writing a zip file

This search looks for execution of process `outlook.exe` where the process is writing a `.zip` file to the disk.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1566.001
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where Processes.process_name=outlook.exe OR Processes.process_name=explorer.exe by _time span=5m Processes.parent_process_id Processes.process_id Processes.dest Processes.process_name Processes.parent_process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id | rename parent_process_id as outlook_id | join malicious_id type=inner[ | tstats `security_content_summariesonly` count values(Filesystem.file_path) as file_path values(Filesystem.file_name) as file_name FROM datamodel=Endpoint.Filesystem where (Filesystem.file_path=*zip* OR Filesystem.file_name=*.lnk ) AND (Filesystem.file_path=C:\\Users* OR Filesystem.file_path=*Local\\Temp*) by _time span=5m Filesystem.process_id Filesystem.file_hash Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | rename process_id as malicious_id | fields malicious_id outlook_id dest file_path file_name file_hash count file_id] | table firstTime lastTime user malicious_id outlook_id process_name parent_process_name file_name file_path | where file_name != "" | `detect_outlook_exe_writing_a_zip_file_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records filesystem and process activity from your hosts to populate the Endpoint data model. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon.

Required field

  • _time
  • Processes.process_name
  • Processes.parent_process_id
  • Processes.process_id
  • Processes.dest
  • Processes.parent_process_name
  • Processes.user


ATT&CK

ID Technique Tactic
T1566.001 Spearphishing Attachment Initial Access


Kill Chain Phase

  • Installation
  • Actions on Objectives


Known False Positives

It is not uncommon for Outlook to write legitimate zip files to the disk.

Reference

Test Dataset

version: 3


Detect pass the hash

This search looks for specific authentication events from the Windows Security Event logs to detect potential attempts using Pass-the-Hash technique.

  • Product: Splunk Behavioral Analytics
  • Datamodel:
  • ATT&CK: T1550.002
  • Last Updated: 2020-10-21

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)) | eval signature_id=map_get(input_event, "signature_id"), authentication_type=map_get(input_event, "authentication_type"), authentication_method=map_get(input_event, "authentication_method"), origin_device_domain=map_get(input_event, "origin_device_domain"), dest_user_id=ucast(map_get(input_event, "dest_user_id"), "string", null), dest_device_id=ucast(map_get(input_event, "dest_device_id"), "string", null) | where (authentication_type="3" AND authentication_method="NtLmSsp") OR (authentication_type="9" AND authentication_method="seclogo") | eval start_time=timestamp, end_time=timestamp, entities=mvappend(dest_device_id, dest_user_id), body=create_map(["authentication_type", authentication_type, "authentication_method", authentication_method]) | into write_ssa_detected_events();

Associated Analytic Story


How To Implement

The test data is converted from Windows Security Event logs generated from an Attack Range simulation, used in the SPL search, and extended to SPL2.

Required field

  • signature_id
  • authentication_type
  • _time
  • authentication_method
  • origin_device_domain
  • dest_user_id
  • dest_device_id


ATT&CK

ID Technique Tactic
T1550.002 Pass the Hash Defense Evasion, Lateral Movement


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Legitimate logon activity by authorized NTLM systems may be detected by this search. Please investigate as appropriate.

Reference

  • Initial ESCU implementation by Bhavin Patel and Patrick Bareiss


Test Dataset

version: 1


Detect path interception by creation of program exe

This detection identifies the abuse of unquoted service paths, a popular technique for privilege escalation.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1574.009
  • Last Updated: 2020-07-03

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=services.exe by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | rex field=process "^.*?\\\\(?<service_process>[^\\\\]*\.(?:exe |bat |com |ps1))" | eval process_name = lower(process_name) | eval service_process = lower(service_process) | where process_name != service_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_path_interception_by_creation_of_program_exe_filter`
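The unquoted-path comparison of the search above, as an added Python example that is not part of Splunk Security Content; the `Endpoint.Processes` rows are constructed. The example differs from the search's rex in one assumption: the extracted token is matched up to whitespace or end of string rather than requiring a trailing space, so a command line with no arguments is evaluated too.

```python
"""Added example (not Splunk Security Content's own code): compare the
executable named in a service's command line with the image that services.exe
actually started, over constructed Endpoint.Processes records."""
import re
from typing import Dict, List, Optional

# The rex from the search, as a Python raw string: the first path component
# (after a backslash) that ends in .exe/.bat/.com/.ps1, followed by whitespace
# or the end of the command line.
SERVICE_PROCESS_RE = re.compile(
    r"^.*?\\(?P<service_process>[^\\]*\.(?:exe|bat|com|ps1))(?=\s|$)", re.IGNORECASE)

Record = Dict[str, str]


def extract_service_process(command_line: str) -> Optional[str]:
    """Lower-cased name of the executable the service was configured with, or
    None when the command line does not parse (for example, a quoted path)."""
    m = SERVICE_PROCESS_RE.match(command_line)
    return m.group("service_process").lower() if m else None


def detect_path_interception(records: List[Record]) -> List[Dict[str, str]]:
    """Flag children of services.exe whose actual image name differs from the
    executable named in their command line, e.g. services.exe resolved the
    unquoted 'C:\\Program Files\\App\\svc.exe' to a planted 'C:\\Program.exe'."""
    hits: List[Dict[str, str]] = []
    for rec in records:
        if rec.get("parent_process_name", "").lower() != "services.exe":
            continue
        service_process = extract_service_process(rec["process"])
        if service_process is None:
            continue  # rex did not match; the where clause sees null and drops the row
        process_name = rec["process_name"].lower()
        if process_name != service_process:
            hits.append({"dest": rec["dest"], "user": rec["user"],
                         "process_name": process_name, "expected": service_process,
                         "process": rec["process"]})
    return hits


# Constructed Endpoint.Processes rows (hosts, users and paths are made up).
SAMPLE_RECORDS: List[Record] = [
    # Service started normally from its unquoted path: names agree, no hit
    {"dest": "srv01", "user": "SYSTEM", "parent_process_name": "services.exe",
     "process_name": "svc.exe",
     "process": r"C:\Program Files\Example App\svc.exe --service"},
    # services.exe executed C:\Program.exe instead of the intended binary: hit
    {"dest": "srv02", "user": "SYSTEM", "parent_process_name": "services.exe",
     "process_name": "Program.exe",
     "process": r"C:\Program Files\Example App\svc.exe"},
    # Quoted path: not interceptable, and the pattern does not match, no hit
    {"dest": "srv03", "user": "SYSTEM", "parent_process_name": "services.exe",
     "process_name": "svc.exe",
     "process": r'"C:\Program Files\Example App\svc.exe" --service'},
    # Same mismatch but not a child of services.exe: out of scope
    {"dest": "srv04", "user": "alice", "parent_process_name": "explorer.exe",
     "process_name": "Program.exe",
     "process": r"C:\Program Files\Example App\svc.exe"},
]

if __name__ == "__main__":
    for hit in detect_path_interception(SAMPLE_RECORDS):
        print(hit["dest"], hit["process_name"], "!=", hit["expected"])
```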

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

  • _time
  • Processes.parent_process_name
  • Processes.user
  • Processes.process_name
  • Processes.process
  • Processes.dest


ATT&CK

ID Technique Tactic
T1574.009 Path Interception by Unquoted Path Persistence, Privilege Escalation, Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

unknown

Reference


Test Dataset


version: 3


Detect prohibited applications spawning cmd exe

This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1059.003
  • Last Updated: 2020-11-10

Search

| tstats `security_content_summariesonly` count values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=cmd.exe by Processes.parent_process_name Processes.process_name Processes.dest Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |search [`prohibited_apps_launching_cmd`] | `detect_prohibited_applications_spawning_cmd_exe_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts and populates the Endpoint data model with the resultant dataset. This search includes a lookup file, `prohibited_apps_launching_cmd.csv`, that contains a list of processes that should not be spawning cmd.exe. You can modify this lookup to better suit your environment.

Required field

  • _time
  • Processes.process
  • Processes.process_name
  • Processes.parent_process_name
  • Processes.dest
  • Processes.user


ATT&CK

ID Technique Tactic
T1059.003 Windows Command Shell Execution


Kill Chain Phase

  • Exploitation


Known False Positives

There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. Investigate and modify the lookup file, as appropriate.

Reference

Test Dataset


version: 5


Detect prohibited applications spawning cmd exe

This search looks for executions of cmd.exe spawned by a process that is often abused by attackers and that does not typically launch cmd.exe. This is a SPL2 implementation of the rule `Detect Prohibited Applications Spawning cmd.exe` by @bpatel.

  • Product: Splunk Behavioral Analytics
  • Datamodel:
  • ATT&CK: T1059
  • Last Updated: 2020-7-13

Search

| from read_ssa_enriched_events() | eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)) | eval process_name=ucast(map_get(input_event, "process_name"), "string", null), parent_process=lower(ucast(map_get(input_event, "parent_process_name"), "string", null)), dest_user_id=ucast(map_get(input_event, "dest_user_id"), "string", null), dest_device_id=ucast(map_get(input_event, "dest_device_id"), "string", null) | where process_name="cmd.exe" | rex field=parent_process "(?<field0>[^\\\\]+)$" | where field0="winword.exe" OR field0="excel.exe" OR field0="outlook.exe" OR field0="powerpnt.exe" OR field0="visio.exe" OR field0="mspub.exe" OR field0="acrobat.exe" OR field0="acrord32.exe" OR field0="chrome.exe" OR field0="iexplore.exe" OR field0="opera.exe" OR field0="firefox.exe" OR field0="java.exe" OR field0="powershell.exe" | eval start_time=timestamp, end_time=timestamp, entities=mvappend(dest_device_id, dest_user_id), body=create_map([ "process_name", process_name, "parent_process_name", parent_process]) | into write_ssa_detected_events();

Associated Analytic Story


How To Implement

You must be ingesting sysmon logs. This search has been modified to process raw sysmon data from attack_range's nxlogs on DSP.

Required field

  • process_name
  • parent_process_name
  • _time
  • dest_device_id
  • dest_user_id


ATT&CK

ID Technique Tactic
T1059 Command and Scripting Interpreter Execution


Kill Chain Phase

  • Exploitation


Known False Positives

There are circumstances where an application may legitimately execute and interact with the Windows command-line interface. Investigate and modify the lookup file, as appropriate.

Reference

Test Dataset

version: 1


Detect psexec with accepteula flag

This search looks for events where `PsExec.exe` is run with the `accepteula` flag in the command line. PsExec is a built-in Windows utility that enables you to execute processes on other systems. It is fully interactive for console applications. This tool is widely used for launching interactive command prompts on remote systems. Threat actors leverage this extensively for executing code on compromised systems. If an attacker is running PsExec for the first time, they will be prompted to accept the end-user license agreement (EULA), which can be passed as the argument `accepteula` within the command line.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1021.002
  • Last Updated: 2020-11-10

Search

| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process=*psexec* Processes.process=*accepteula* by Processes.process_name Processes.dest Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_psexec_with_accepteula_flag_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

  • _time
  • Processes.process
  • Processes.process_name
  • Processes.dest
  • Processes.parent_process_name


ATT&CK

ID Technique Tactic
T1021.002 SMB/Windows Admin Shares Lateral Movement


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Administrators can leverage PsExec for accessing remote systems and might pass `accepteula` as an argument if they are running this tool for the first time. However, it is not likely that you'd see multiple occurrences of this event on a machine.

Reference

Test Dataset


version: 3


Detect rclone command-line usage

This analytic identifies command-line arguments commonly used by `rclone.exe` to initiate a file transfer. Some arguments were negated as they are specific to the configuration used by adversaries. In particular, an adversary may list the files or directories of the remote file share using `ls` or `lsd`, which is not by itself indicative of malicious behavior. During triage, at this stage of a ransomware event, exfiltration is about to occur or has already occurred. Isolate the endpoint and continue investigating by reviewing file modifications and parallel processes.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1020
  • Last Updated: 2021-05-13

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*copy*", "*mega*", "*pcloud*", "*ftp*", "*--config*", "*--progress*", "*--no-check-certificate*", "*--ignore-existing*", "*--auto-confirm*", "*--transfers*", "*--multi-thread-streams*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rclone_command_line_usage_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information, including the name of the process responsible for the changes, from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

  • _time
  • Processes.dest
  • Processes.user
  • Processes.parent_process
  • Processes.process_name
  • Processes.process
  • Processes.process_id
  • Processes.parent_process_id


ATT&CK

ID Technique Tactic
T1020 Automated Exfiltration Exfiltration


Kill Chain Phase

  • Exfiltration


Known False Positives

There is potential for false positives as these arguments may be used by other applications. Filter or tune the analytic as needed.

Reference


Test Dataset


version: 1


Detect rare executables

This search will return a table of rare processes, the names of the systems running them, and the users who initiated each process.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK:
  • Last Updated: 2020-03-16

Search

| tstats `security_content_summariesonly` count values(Processes.dest) as dest values(Processes.user) as user min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.process_name | rename Processes.process_name as process | rex field=user "(?<user_domain>.*)\\\\(?<user_name>.*)" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | search [ | tstats count from datamodel=Endpoint.Processes by Processes.process_name | rare Processes.process_name limit=30 | rename Processes.process_name as process | `filter_rare_process_allow_list` | table process ] | `detect_rare_executables_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting data that records process activity from your hosts and populating the endpoint data model with the resultant dataset. The macro `filter_rare_process_allow_list` searches two lookup files for allowed processes. These consist of `rare_process_allow_list_default.csv` and `rare_process_allow_list_local.csv`. To add your own processes to the allow list, add them to `rare_process_allow_list_local.csv`. If you wish to remove an entry from the default lookup file, you will have to modify the macro itself to set the allow_list value for that process to false. You can modify the limit parameter and search scheduling to better suit your environment.

Required field

  • _time
  • Processes.dest
  • Processes.user
  • Processes.process_name



Kill Chain Phase

  • Installation
  • Command and Control
  • Actions on Objectives


Known False Positives

Some legitimate processes may be only rarely executed in your environment. As these are identified, update `rare_process_allow_list_local.csv` to filter them out of your search results.

Reference

Test Dataset

version: 5


Detect regasm spawning a process

The following analytic identifies regasm.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.009
  • Last Updated: 2021-02-12

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regasm.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_spawning_a_process_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process events that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.

Required field

  • _time
  • Processes.parent_process_name
  • Processes.dest
  • Processes.user
  • Processes.parent_process
  • Processes.process
  • Processes.process_id
  • Processes.parent_process_id


ATT&CK

ID         Technique       Tactic
T1218.009  Regsvcs/Regasm  Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based on endpoint usage, command-line arguments, or process lineage.

Reference


Test Dataset


version: 1


Detect regasm with network connection

The following analytic identifies regasm.exe with a network connection to a public IP address, excluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote command and control server, the adversary will have the ability to escalate privileges and complete their objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1218.009
  • Last Updated: 2021-02-16

Search

`sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regasm.exe | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by dest, User, process_name, src_ip, dest_host, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_with_network_connection_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

  • _time
  • EventID
  • dest_ip
  • process_name
  • Computer
  • User
  • src_ip
  • dest_host


ATT&CK

ID         Technique       Tactic
T1218.009  Regsvcs/Regasm  Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, limited instances of regasm.exe with a network connection may cause a false positive. Filter based on endpoint usage, command-line arguments, or process lineage.

Reference


Test Dataset


version: 1


Detect regasm with no command line arguments

The following analytic identifies regasm.exe with no command line arguments. This behavior occurs when another process injects into regasm.exe; in that case no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe is natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1218.009
  • Last Updated: 2021-02-12

Search

`sysmon` EventID=1 (process_name=regasm.exe OR OriginalFileName=RegAsm.exe) | regex CommandLine="(regasm\.exe.{0,4}$)" | stats count min(_time) as firstTime max(_time) as lastTime by dest, User, ParentImage,ParentCommandLine, process_name, OriginalFileName, process_path, CommandLine | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regasm_with_no_command_line_arguments_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

  • _time
  • EventID
  • process_name
  • OriginalFileName
  • CommandLine
  • dest
  • User
  • ParentImage
  • ParentCommandLine
  • process_path
  • Computer


ATT&CK

ID         Technique       Tactic
T1218.009  Regsvcs/Regasm  Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, limited instances of regasm.exe may cause a false positive. Filter based on endpoint usage, command-line arguments, or process lineage.

Reference


Test Dataset


version: 1


Detect regsvcs spawning a process

The following analytic identifies regsvcs.exe spawning a process. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. Spawning of a child process is rare from either process and should be investigated further. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.009
  • Last Updated: 2021-02-12

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=regsvcs.exe by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_spawning_a_process_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process events that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.

Required field

  • _time
  • Processes.parent_process_name
  • Processes.dest
  • Processes.user
  • Processes.parent_process
  • Processes.process_name
  • Processes.process
  • Processes.process_id
  • Processes.parent_process_id


ATT&CK

ID         Technique       Tactic
T1218.009  Regsvcs/Regasm  Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, limited instances of regasm.exe or regsvcs.exe may cause a false positive. Filter based on endpoint usage, command-line arguments, or process lineage.

Reference


Test Dataset


version: 1


Detect regsvcs with network connection

The following analytic identifies Regsvcs.exe with a network connection to a public IP address, excluding private IP space. This particular technique has been used in the wild to bypass application control products. Regasm.exe and Regsvcs.exe are signed by Microsoft. By contacting a remote command and control server, the adversary will have the ability to escalate privileges and complete their objectives. During investigation, identify and retrieve the content being loaded. Review parallel processes for additional suspicious behavior. Gather any other file modifications and review accordingly. Review the reputation of the remote IP or domain and block as needed. regsvcs.exe and regasm.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1218.009
  • Last Updated: 2021-02-16

Search

`sysmon` EventID=3 dest_ip!=10.0.0.0/8 dest_ip!=172.16.0.0/12 dest_ip!=192.168.0.0/16 process_name=regsvcs.exe | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by dest, User, process_name, src_ip, dest_host, dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_with_network_connection_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

  • _time
  • EventID
  • dest_ip
  • process_name
  • Computer
  • User
  • src_ip
  • dest_host


ATT&CK

ID         Technique       Tactic
T1218.009  Regsvcs/Regasm  Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based on endpoint usage, command-line arguments, or process lineage.

Reference


Test Dataset


version: 1


Detect regsvcs with no command line arguments

The following analytic identifies regsvcs.exe with no command line arguments. This behavior occurs when another process injects into regsvcs.exe; in that case no command line arguments will be present. During investigation, identify any network connections and parallel processes. Identify any suspicious module loads related to credential dumping or file writes. Regasm.exe and Regsvcs.exe are natively found in C:\Windows\Microsoft.NET\Framework\v*\regasm|regsvcs.exe and C:\Windows\Microsoft.NET\Framework64\v*\regasm|regsvcs.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1218.009
  • Last Updated: 2021-02-12

Search

`sysmon` EventID=1 (process_name=regsvcs.exe OR OriginalFileName=RegSvcs.exe) | regex CommandLine="(regsvcs\.exe.{0,4}$)" | stats count min(_time) as firstTime max(_time) as lastTime by dest, User, ParentImage,ParentCommandLine, process_name, OriginalFileName, process_path, CommandLine | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvcs_with_no_command_line_arguments_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

  • _time
  • EventID
  • process_name
  • OriginalFileName
  • CommandLine
  • dest
  • User
  • ParentImage
  • ParentCommandLine
  • process_path
  • Computer


ATT&CK

ID         Technique       Tactic
T1218.009  Regsvcs/Regasm  Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, limited instances of regsvcs.exe may cause a false positive. Filter based on endpoint usage, command-line arguments, or process lineage.

Reference


Test Dataset


version: 1
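The three regasm/regsvcs checks above (child process spawned, network connection to a public destination, empty command line), re-implemented as an added Python example that is not part of Splunk Security Content, run over constructed Sysmon-style events. The field names (`EventID`, `Image`, `ParentImage`, `CommandLine`, `DestinationIp`) follow Sysmon's, and the sample events are constructed, not real telemetry.

```python
import ipaddress
import re
from typing import Iterable

# The two binaries the six analytics above cover; compared by file name, case-insensitively,
# because the searches key on process_name / parent_process_name.
TARGETS = ("regasm.exe", "regsvcs.exe")

# RFC 1918 space, mirroring the dest_ip!= terms of the EventID 3 searches. 10.0.0.0 needs the
# full /8: a narrower prefix would classify the rest of that block as public.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Same idea as the searches' regex: the image name is followed by at most four characters
# (a closing quote, trailing whitespace) and then end of line, i.e. no arguments were passed.
NO_ARGS_RE = re.compile(r"(regasm\.exe|regsvcs\.exe).{0,4}$", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased final path component: Sysmon's Image -> the searches' process_name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_public(ip: str, private_nets=PRIVATE_NETS) -> bool:
    """True when ip lies outside the excluded private ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in private_nets)


def classify(event: dict) -> list:
    """Return the names of the detections this single event triggers (possibly none)."""
    hits = []
    eid = event.get("EventID")
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    if eid == 1:
        # "regasm/regsvcs spawning a process": the parent is one of the targets
        if parent in TARGETS:
            hits.append("spawning_a_process")
        # "regasm/regsvcs with no command line arguments"
        if image in TARGETS and NO_ARGS_RE.search(event.get("CommandLine", "")):
            hits.append("no_command_line_arguments")
    elif eid == 3:
        # "regasm/regsvcs with network connection": target talking to a public address
        dest = event.get("DestinationIp")
        if image in TARGETS and dest and is_public(dest):
            hits.append("network_connection")
    return hits


def run(events: Iterable[dict]) -> dict:
    """Map each triggered detection name to the number of events that hit it."""
    counts = {}
    for ev in events:
        for name in classify(ev):
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # legitimate use: regasm registering an assembly, with arguments -> no hit
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" /codebase MyLib.dll'},
    # image name and nothing else on the command line -> no_command_line_arguments
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\loader.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"'},
    # a child process whose parent is regsvcs -> spawning_a_process
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
     "CommandLine": "cmd.exe /c dir"},
    # regsvcs reaching an internal host inside 10.0.0.0/8 -> excluded as private
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe",
     "DestinationIp": "10.20.1.5"},
    # regasm reaching a public address (documentation range) -> network_connection
    {"EventID": 3, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe",
     "DestinationIp": "203.0.113.7"},
]

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))
    # {'no_command_line_arguments': 1, 'spawning_a_process': 1, 'network_connection': 1}
```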


Detect regsvr32 application control bypass

Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. This variation of the technique is often referred to as a "Squiblydoo" attack. Upon investigating, look for network connections to remote destinations (internal or external). Be cautious about modifying the query to look for "scrobj.dll": the ".dll" is not required to load scrobj. "scrobj.dll" will be loaded by "regsvr32.exe" upon execution.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.010
  • Last Updated: 2021-01-28

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=regsvr32.exe OR Processes.process_name!=regsvr32.exe) Processes.process=*scrobj* by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_regsvr32_application_control_bypass_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model. Tune the query by modifying/removing the !=regsvr32.exe.

Required field

  • _time
  • Processes.process_name
  • Processes.process
  • Processes.dest
  • Processes.user
  • Processes.parent_process
  • Processes.process_id
  • Processes.parent_process_id


ATT&CK

ID         Technique  Tactic
T1218.010  Regsvr32   Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Limited false positives related to third party software registering DLLs.

Reference


Test Dataset


version: 1


Detect renamed 7-zip

The following analytic identifies renamed 7-Zip usage using Sysmon. At this stage of an attack, review parallel processes and file modifications for data that has been staged or may already have been exfiltrated. This analytic uses the OriginalFileName to capture the renamed process.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1560.001
  • Last Updated: 2021-05-19

Search

`sysmon` EventID=1 (OriginalFileName=7z*.exe AND process_name!=7z*.exe) | stats count min(_time) as firstTime max(_time) as lastTime by Computer, User, parent_process_name, process_name, OriginalFileName, process_path, CommandLine | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_7_zip_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

  • _time
  • dest
  • User
  • parent_process_name
  • process_name
  • OriginalFileName
  • process_path
  • CommandLine
  • Product


ATT&CK

ID         Technique            Tactic
T1560.001  Archive via Utility  Collection


Kill Chain Phase

  • Exfiltration


Known False Positives

Limited false positives, however this analytic will need to be modified for each environment if Sysmon is not used.

Reference


Test Dataset


version: 1


Detect renamed psexec

The following analytic identifies renamed instances of `PsExec.exe` being utilized on an endpoint. In most instances, it is highly probable to capture `PsExec.exe` or other Sysinternals utility usage through the command-line argument `-accepteula`. In this instance, we are using `OriginalFileName` from Sysmon to identify `PsExec` usage. During triage, validate that this is the legitimate version of `PsExec` by reviewing the PE metadata. In addition, review parallel processes for further suspicious behavior.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1569.002
  • Last Updated: 2021-05-19

Search

`sysmon` EventID=1 (OriginalFileName=psexec.c process_name!=psexec.exe) | stats count min(_time) as firstTime max(_time) as lastTime by Computer, User, parent_process_name, process_name, OriginalFileName, process_path, CommandLine Product | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_psexec_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed PsExec.exe may be used.

Required field

  • _time
  • dest
  • User
  • parent_process_name
  • process_name
  • OriginalFileName
  • process_path
  • CommandLine
  • Product


ATT&CK

ID         Technique          Tactic
T1569.002  Service Execution  Execution


Kill Chain Phase

  • Exploitation
  • Lateral Movement
  • Execution


Known False Positives

Limited false positives should be present. It is possible some third party applications may use older versions of PsExec, filter as needed.

Reference


Test Dataset


version: 1


Detect renamed rclone

The following analytic identifies renamed instances of `rclone.exe` being used to exfiltrate data to a remote destination. RClone has been used by multiple ransomware groups to exfiltrate data. In many instances, it is downloaded from the legitimate site and executed as-is. During triage, isolate the endpoint and review parallel processes for additional behavior. At this stage, the adversary may have staged data to be exfiltrated.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1020
  • Last Updated: 2021-05-13

Search

`sysmon` EventID=1 OriginalFileName=rclone.exe NOT process_name=rclone.exe | stats count min(_time) as firstTime max(_time) as lastTime by Computer, User, parent_process_name, process_name, OriginalFileName, process_path, CommandLine | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_rclone_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

  • _time
  • OriginalFileName
  • process_name
  • process_path
  • CommandLine
  • dest


ATT&CK

ID     Technique              Tactic
T1020  Automated Exfiltration  Exfiltration


Kill Chain Phase

  • Exfiltration


Known False Positives

False positives should be limited as this analytic identifies renamed instances of `rclone.exe`. Filter as needed if there is a legitimate business use case.

Reference


Test Dataset


version: 1


Detect renamed winrar

The following analytic identifies renamed instances of `WinRAR.exe`. In most cases it is not common for WinRAR to be run under a different name; however, it is common for it to be installed by a third party application and executed from a non-standard path. In this instance, we are using `OriginalFileName` from Sysmon to determine whether the process is WinRAR. During triage, validate from additional metadata in the binary that this is `WinRAR`. Review parallel processes and file modifications.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1560.001
  • Last Updated: 2021-05-19

Search

`sysmon` EventID=1 (Product=WinRAR OR OriginalFileName=WinRAR.exe) process_name!=rar.exe | stats count min(_time) as firstTime max(_time) as lastTime by Computer, User, parent_process_name, process_name, OriginalFileName, process_path, CommandLine Product | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_renamed_winrar_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Modify query for specific EDR products as needed.

Required field

  • _time
  • dest
  • User
  • parent_process_name
  • process_name
  • OriginalFileName
  • process_path
  • CommandLine
  • Product


ATT&CK

ID         Technique            Tactic
T1560.001  Archive via Utility  Collection


Kill Chain Phase

  • Exploitation
  • Exfiltration


Known False Positives

Unknown. It is possible third party applications use renamed instances of WinRAR.

Reference


Test Dataset


version: 1
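The renamed-binary logic shared by the 7-Zip, PsExec, rclone and WinRAR analytics above, as an added Python example that is not Splunk's code, run over constructed Sysmon Event ID 1 records. It generalizes slightly: each tool is recognized from PE metadata that survives a rename (`OriginalFileName`, `Product`) and flagged when the on-disk name is not in a table of expected names; for WinRAR the table assumes WinRAR.exe and Rar.exe are the legitimate names, whereas the published search only excludes rar.exe.

```python
from fnmatch import fnmatch


def basename(path: str) -> str:
    """Lower-cased final path component: Sysmon's Image -> the search's process_name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ofn(ev: dict) -> str:
    """Lower-cased OriginalFileName from the PE version resource, as logged by Sysmon."""
    return ev.get("OriginalFileName", "").lower()


# (detection name, predicate recognizing the tool from PE metadata, expected on-disk names).
# None for the expected set means "whatever OriginalFileName says" (7z.exe, 7zG.exe, 7zFM.exe).
RULES = [
    ("renamed_7zip", lambda ev: fnmatch(ofn(ev), "7z*.exe"), None),
    # PsExec's OriginalFileName is its source file name, psexec.c, as in the search above
    ("renamed_psexec", lambda ev: ofn(ev) == "psexec.c", {"psexec.exe"}),
    ("renamed_rclone", lambda ev: ofn(ev) == "rclone.exe", {"rclone.exe"}),
    # The search also accepts Product=WinRAR; assumption: WinRAR.exe and Rar.exe are the
    # legitimate on-disk names
    ("renamed_winrar",
     lambda ev: ev.get("Product", "") == "WinRAR" or ofn(ev) == "winrar.exe",
     {"winrar.exe", "rar.exe"}),
]


def detect(events) -> list:
    """Return [(detection name, on-disk process name)] for every renamed tool seen."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:  # only process-creation records carry PE metadata
            continue
        name = basename(ev.get("Image", ""))
        for rule, recognizes, expected in RULES:
            if not recognizes(ev):
                continue
            allowed = expected if expected is not None else {ofn(ev)}
            if name not in allowed:
                hits.append((rule, name))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # 7-Zip GUI under its own name -> no hit
    {"EventID": 1, "Image": r"C:\Program Files\7-Zip\7zG.exe", "OriginalFileName": "7zG.exe"},
    # 7z.exe copied to a system-looking name -> renamed_7zip
    {"EventID": 1, "Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "7z.exe"},
    # PsExec under a short name; the -accepteula argument is the other tell -> renamed_psexec
    {"EventID": 1, "Image": r"C:\Tools\ps.exe", "OriginalFileName": "psexec.c",
     "CommandLine": "ps.exe -accepteula"},
    {"EventID": 1, "Image": r"C:\Windows\Temp\update.exe", "OriginalFileName": "rclone.exe"},
    # WinRAR from its install directory -> no hit
    {"EventID": 1, "Image": r"C:\Program Files\WinRAR\WinRAR.exe", "Product": "WinRAR",
     "OriginalFileName": "WinRAR.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\cache\arch.exe", "Product": "WinRAR",
     "OriginalFileName": "WinRAR.exe"},
    # network-connection record: ignored, it carries no PE metadata
    {"EventID": 3, "Image": r"C:\Windows\Temp\update.exe", "DestinationIp": "203.0.113.9"},
]

if __name__ == "__main__":
    for rule, name in detect(SAMPLE_EVENTS):
        print(f"{rule}: {name}")
```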


Detect rundll32 application control bypass - advpack

The following analytic identifies rundll32.exe loading advpack.dll and ieadvpack.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.011
  • Last Updated: 2021-02-04

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process=*advpack* by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___advpack_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process events that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.

Required field

  • _time
  • Processes.process_name
  • Processes.process
  • Processes.user
  • Processes.dest


ATT&CK

ID         Technique  Tactic
T1218.011  Rundll32   Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, some legitimate applications may use advpack.dll or ieadvpack.dll, triggering a false positive.

Reference


Test Dataset


version: 1


Detect rundll32 application control bypass - setupapi

The following analytic identifies rundll32.exe loading setupapi.dll and iesetupapi.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.011
  • Last Updated: 2021-02-04

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process=*setupapi* by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___setupapi_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process events that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.

Required field

  • _time
  • Processes.process
  • Processes.process_name
  • Processes.user
  • Processes.dest


ATT&CK

ID         Technique  Tactic
T1218.011  Rundll32   Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, some legitimate applications may use setupapi.dll, triggering a false positive.

Reference


Test Dataset


version: 1


Detect rundll32 application control bypass - syssetup

The following analytic identifies rundll32.exe loading syssetup.dll by calling the LaunchINFSection function on the command line. This particular technique will load script code from a file. Upon a successful execution, the following module loads may occur - clr.dll, jscript.dll and scrobj.dll. During investigation, identify script content origination. Generally, a child process will spawn from rundll32.exe, but that may be bypassed based on script code contents. Rundll32.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. During investigation, review any network connections and obtain the script content executed. It's possible other files are on disk.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.011
  • Last Updated: 2021-02-04

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process=*syssetup* by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_application_control_bypass___syssetup_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process events that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.

Required field

  • _time
  • Processes.process
  • Processes.process_name
  • Processes.user
  • Processes.dest


ATT&CK

ID         Technique  Tactic
T1218.011  Rundll32   Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

Although unlikely, some legitimate applications may use syssetup.dll, triggering a false positive.

Reference


Test Dataset


version: 1


Detect rundll32 inline hta execution

The following analytic identifies "rundll32.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. This type of behavior is commonly observed with fileless malware or application whitelisting bypass techniques. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "rundll32.exe" and its parent process.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.005
  • Last Updated: 2021-01-20

Search

| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_rundll32_inline_hta_execution_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process events that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.

Required field

  • _time
  • Processes.process
  • Processes.process_name
  • Processes.user
  • Processes.dest
  • Processes.parent_process_name
  • Processes.parent_process


ATT&CK

ID         Technique  Tactic
T1218.005  Mshta      Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.

Reference


Test Dataset


version: 1


Detect sharphound command-line arguments

The following analytic identifies common command-line arguments used by SharpHound: `-collectionMethod` and `invoke-bloodhound`. Because the tool is FOSS, function names may be modified, but such changes depend on the operator; in most instances the defaults are used. This analytic identifies the common command-line attributes used. It does not cover every argument, in order to avoid false positives.

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*-collectionMethod*","*invoke-bloodhound*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_command_line_arguments_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process events that include the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.

Required field

  • _time
  • Processes.dest
  • Processes.user
  • Processes.parent_process
  • Processes.process_name
  • Processes.process
  • Processes.process_id
  • Processes.parent_process_id


ATT&CK

ID         Technique               Tactic
T1087.002  Domain Account          Discovery
T1087.001  Local Account           Discovery
T1482      Domain Trust Discovery  Discovery
T1069.002  Domain Groups           Discovery
T1069.001  Local Groups            Discovery


Kill Chain Phase

  • Reconnaissance


Known False Positives

False positives should be limited as the arguments used are specific to SharpHound. Filter as needed or add more command-line arguments as needed.

Reference


Test Dataset


version: 1


Detect sharphound file modifications

SharpHound is used as a reconnaissance collector (ingestor) for BloodHound. SharpHound queries the domain controller and gathers all the data related to the domain and trusts. For output, it drops a .zip file upon completion, following a typical naming pattern that is often not changed. This analytic focuses on the default file name scheme. Note that this may be evaded with different SharpHound parameters, depending on the operator; `-randomizefilenames` and `-encryptzip` are two examples. In addition, executing SharpHound via .exe or .ps1 without any command-line arguments will still perform the collection and write output to the default filename. Example default filename: `20210601181553_BloodHound.zip`. SharpHound creates multiple temp files following the same pattern: `20210601182121_computers.json`, `domains.json`, `gpos.json`, `ous.json` and `users.json`. Tuning may be required, or remove the .json names entirely if they are too noisy. During triage, review parallel processes for further suspicious behavior. Typically, the process executing the `.ps1` ingestor will be PowerShell.

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*bloodhound.zip", "*_computers.json", "*_gpos.json", "*_domains.json", "*_users.json", "*_groups.json") by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.file_path Filesystem.dest | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_file_modifications_filter`
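As an added example (not part of Splunk's content), the Python below applies the default-filename logic described above to constructed Filesystem events: it requires the 14-digit timestamp prefix instead of the bare wildcard, and groups hits by (dest, process_id) so one collection run that drops several files surfaces as a single finding. The event field names, the sample events and the stricter prefix rule are assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Default SharpHound output names: a 14-digit timestamp, an underscore and
# the artifact name, e.g. 20210601181553_BloodHound.zip or
# 20210601182121_computers.json. Requiring the timestamp prefix is stricter
# than the "*bloodhound.zip" wildcard used by the search above (assumption).
DEFAULT_NAME_RE = re.compile(
    r"^(?P<ts>\d{14})_(?P<artifact>bloodhound\.zip|computers\.json|domains\.json"
    r"|gpos\.json|ous\.json|users\.json|groups\.json)$",
    re.IGNORECASE,
)


def match_default_name(file_name):
    """Return (timestamp, artifact) if file_name follows the default SharpHound
    naming scheme, otherwise None."""
    m = DEFAULT_NAME_RE.match(file_name)
    if m is None:
        return None
    return m.group("ts"), m.group("artifact").lower()


def correlate_sharphound_runs(events):
    """Group matching events by (dest, process_id) so that the zip and the
    per-object JSON temp files written by one run are reported together.

    Each event is a dict with the fields the search above groups by:
    dest, process_id, file_path and file_create_time (ISO-8601 string).
    """
    runs = defaultdict(lambda: {"artifacts": set(), "timestamps": set(),
                                "first": None, "last": None})
    for ev in events:
        hit = match_default_name(ntpath.basename(ev["file_path"]))
        if hit is None:
            continue
        ts, artifact = hit
        run = runs[(ev["dest"], ev["process_id"])]
        run["artifacts"].add(artifact)
        run["timestamps"].add(ts)
        t = ev["file_create_time"]
        run["first"] = t if run["first"] is None else min(run["first"], t)
        run["last"] = t if run["last"] is None else max(run["last"], t)
    # Freeze the sets into sorted lists so results are deterministic.
    return {
        key: {"artifacts": sorted(v["artifacts"]),
              "timestamps": sorted(v["timestamps"]),
              "first": v["first"], "last": v["last"]}
        for key, v in runs.items()
    }


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"dest": "ws01", "process_id": 4412, "file_create_time": "2021-06-01T18:21:21",
     "file_path": r"C:\Users\alice\Desktop\20210601182121_computers.json"},
    {"dest": "ws01", "process_id": 4412, "file_create_time": "2021-06-01T18:21:23",
     "file_path": r"C:\Users\alice\Desktop\20210601182121_users.json"},
    {"dest": "ws01", "process_id": 4412, "file_create_time": "2021-06-01T18:22:05",
     "file_path": r"C:\Users\alice\Desktop\20210601182205_BloodHound.zip"},
    # Hand-written inventory file: "*_users.json" matches it, the prefix rule does not.
    {"dest": "ws02", "process_id": 900, "file_create_time": "2021-06-01T09:00:00",
     "file_path": r"C:\Temp\inventory_users.json"},
    # Unrelated archive: "*bloodhound.zip" matches it, the prefix rule does not.
    {"dest": "ws02", "process_id": 901, "file_create_time": "2021-06-01T09:05:00",
     "file_path": r"C:\Temp\notes_bloodhound.zip"},
]

if __name__ == "__main__":
    for (dest, pid), run in correlate_sharphound_runs(SAMPLE_EVENTS).items():
        print(dest, pid, run["artifacts"], run["first"], run["last"])
```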

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting information on file modifications that includes the name of the process and file responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.

Required field

  • _time
  • file_path
  • dest
  • file_name
  • process_id
  • file_create_time


ATT&CK

ID Technique Tactic
T1087.002 Domain Account Discovery
T1087.001 Local Account Discovery
T1482 Domain Trust Discovery Discovery
T1069.002 Domain Groups Discovery
T1069.001 Local Groups Discovery


Kill Chain Phase

  • Reconnaissance


Known False Positives

False positives should be limited as the analytic is specific to a filename with extension .zip. Filter as needed.

Reference


Test Dataset


version: 1


Detect sharphound usage

The following analytic identifies SharpHound binary usage by using the `OriginalFileName` from Sysmon. In addition to renaming the PE, other coverage is available to detect command-line arguments. This particular analytic only looks for the OriginalFileName of `SharpHound.exe`. It is possible older instances of SharpHound.exe have different original filenames. Dependent upon the operator, the code may be re-compiled and the attributes removed or changed to anything else. During triage, review the metadata of the binary in question. Review parallel processes for suspicious behavior. Identify the source of this binary.

Search

`sysmon` EventID=1 (OriginalFileName=SharpHound.exe process_name!=sharphound.exe) | stats count min(_time) as firstTime max(_time) as lastTime by Computer, User, parent_process_name, process_name, OriginalFileName, process_path, CommandLine Product | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_sharphound_usage_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

  • _time
  • dest
  • User
  • parent_process_name
  • process_name
  • OriginalFileName
  • process_path
  • CommandLine
  • Product


ATT&CK

ID Technique Tactic
T1087.002 Domain Account Discovery
T1087.001 Local Account Discovery
T1482 Domain Trust Discovery Discovery
T1069.002 Domain Groups Discovery
T1069.001 Local Groups Discovery


Kill Chain Phase

  • Reconnaissance


Known False Positives

False positives should be limited as this is specific to a file attribute not used by anything else. Filter as needed.

Reference


Test Dataset


version: 1


Detect use of cmd exe to launch script interpreters

This search looks for the execution of the cscript.exe or wscript.exe processes with a parent of cmd.exe. The search will return the count, the first and last time this execution was seen on a machine, the user, and the destination machine.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1059.003
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="cmd.exe" (Processes.process_name=cscript.exe OR Processes.process_name =wscript.exe) by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

  • _time
  • Processes.process
  • Processes.parent_process_name
  • Processes.process_name
  • Processes.parent_process
  • Processes.user
  • Processes.dest


ATT&CK

ID Technique Tactic
T1059.003 Windows Command Shell Execution


Kill Chain Phase

  • Exploitation


Known False Positives

Some legitimate applications may exhibit this behavior.

Reference

Test Dataset


version: 4


Detect wmi event subscription persistence

The following analytic identifies the use of WMI Event Subscription to establish persistence or perform privilege escalation. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges. This analytic is restricted by commonly added process execution and a path. If the volume is low enough, remove the values and flag on any new subscriptions. All event subscriptions have three components:

  • Filter - WQL query for the events we want. EventID = 19
  • Consumer - An action to take upon triggering the filter. EventID = 20
  • Binding - Registers a filter to a consumer. EventID = 21

Monitor for the creation of new WMI EventFilter, EventConsumer, and FilterToConsumerBinding objects. It may be pertinent to review all three to identify the flow of execution. In addition, EventCode 4104 may assist with any other PowerShell script usage that registered the subscription.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1546.003
  • Last Updated: 2021-06-16

Search

`sysmon` EventID=20 | stats count min(_time) as firstTime max(_time) as lastTime by Computer User Destination | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_wmi_event_subscription_persistence_filter`
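The search above alerts on the consumer alone; the description recommends reviewing all three components together. As an added example (not Splunk's code), the Python below joins constructed Sysmon EventID 19, 20 and 21 records per host into complete subscriptions, reports bindings whose filter or consumer was never logged, and drops an allow-listed consumer. The WMI object-path format in the binding fields, the sample values and the allow list are assumptions.

```python
import re

# A binding record (EventID 21) references its filter and consumer as WMI
# object paths such as \\.\root\subscription:__EventFilter.Name="X"; the
# Name="..." part is the join key. That path format is an assumption here.
NAME_RE = re.compile(r'Name="([^"]+)"')


def _name_from_ref(ref):
    """Pull the object Name out of a WMI object path; fall back to the raw string."""
    m = NAME_RE.search(ref)
    return m.group(1) if m else ref


def link_wmi_subscriptions(events):
    """Join Sysmon EventID 19 (filter), 20 (consumer) and 21 (binding) records
    per Computer into complete subscriptions.

    Bindings whose filter or consumer was never logged (for example, created
    before retention starts) are still returned with None for the missing
    half and complete=False, so the analyst knows to go looking for it.
    """
    filters, consumers = {}, {}
    for ev in events:
        if ev["EventID"] == 19:
            filters[(ev["Computer"], ev["Name"])] = ev
        elif ev["EventID"] == 20:
            consumers[(ev["Computer"], ev["Name"])] = ev

    linked = []
    for ev in events:
        if ev["EventID"] != 21:
            continue
        host = ev["Computer"]
        filter_name = _name_from_ref(ev["Filter"])
        consumer_name = _name_from_ref(ev["Consumer"])
        flt = filters.get((host, filter_name))
        con = consumers.get((host, consumer_name))
        linked.append({
            "Computer": host,
            "User": ev["User"],
            "filter_name": filter_name,
            "query": flt["Query"] if flt else None,
            "consumer_name": consumer_name,
            "consumer_type": con["Type"] if con else None,
            "Destination": con["Destination"] if con else None,
            "complete": flt is not None and con is not None,
        })
    return linked


def suspicious_subscriptions(events, known_good=("SCM Event Log Consumer",)):
    """Drop bindings whose consumer name is on the allow list. The default
    entry is the consumer Windows itself registers in root\\subscription;
    extend the tuple with whatever your own tuning turns up."""
    return [s for s in link_wmi_subscriptions(events)
            if s["consumer_name"] not in known_good]


# Constructed sample events (field values are illustrative, not captured logs).
SAMPLE_EVENTS = [
    {"EventID": 19, "Computer": "ws01", "User": "WS01\\alice", "Name": "UpdaterFilter",
     "EventNamespace": "root/cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Computer": "ws01", "User": "WS01\\alice", "Name": "UpdaterConsumer",
     "Type": "Command Line",
     "Destination": r"powershell.exe -File C:\ProgramData\update.ps1"},
    {"EventID": 21, "Computer": "ws01", "User": "WS01\\alice",
     "Filter": r'\\.\root\subscription:__EventFilter.Name="UpdaterFilter"',
     "Consumer": r'\\.\root\subscription:CommandLineEventConsumer.Name="UpdaterConsumer"'},
    # srv02: the filter was created before logging started, only 20 and 21 were seen.
    {"EventID": 20, "Computer": "srv02", "User": "NT AUTHORITY\\SYSTEM",
     "Name": "SCM Event Log Consumer", "Type": "Other",
     "Destination": "Application event log"},
    {"EventID": 21, "Computer": "srv02", "User": "NT AUTHORITY\\SYSTEM",
     "Filter": r'\\.\root\subscription:__EventFilter.Name="SCM Event Log Filter"',
     "Consumer": r'\\.\root\subscription:NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
]

if __name__ == "__main__":
    for sub in suspicious_subscriptions(SAMPLE_EVENTS):
        print(sub["Computer"], sub["filter_name"], "->", sub["consumer_name"],
              sub["Destination"], "complete" if sub["complete"] else "INCOMPLETE")
```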

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs that provide WMI Event Subscription data from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA and have enabled EventID 19, 20 and 21. Tune and filter known good to limit the volume.

Required field

  • _time
  • Destination
  • Computer
  • User


ATT&CK

ID Technique Tactic
T1546.003 Windows Management Instrumentation Event Subscription Privilege Escalation, Persistence


Kill Chain Phase

  • Exploitation


Known False Positives

It is possible some applications will create a consumer and may need to be filtered. For tuning, add any additional LOLBins for further depth of coverage.

Reference


Test Dataset


version: 1


Detect mshta inline hta execution

The following analytic identifies "mshta.exe" execution with inline protocol handlers. "JavaScript", "VBScript", and "About" are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "mshta.exe" and its parent process.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.005
  • Last Updated: 2021-01-20

Search

| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=mshta.exe (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.parent_process_name Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mshta_inline_hta_execution_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Processes` node.

Required field

  • _time
  • Processes.process
  • Processes.parent_process
  • Processes.user
  • Processes.process_name
  • Processes.parent_process_name
  • Processes.dest


ATT&CK

ID Technique Tactic
T1218.005 Mshta Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

Although unlikely, some legitimate applications may exhibit this behavior, triggering a false positive.

Reference


Test Dataset


version: 5


Detect mshta renamed

The following analytic identifies renamed instances of mshta.exe executing. Mshta.exe is natively found in C:\Windows\system32 and C:\Windows\syswow64. This analytic uses the internal name of the PE to identify whether it is the legitimate mshta binary. Further analysis should be performed to review the executed content and validate that it is the real mshta.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1218.005
  • Last Updated: 2021-01-20

Search

`sysmon` EventID=1 (OriginalFileName=mshta.exe AND process_name!=mshta.exe) | stats count min(_time) as firstTime max(_time) as lastTime by Computer, User, parent_process_name, process_name, OriginalFileName, process_path, CommandLine | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_mshta_renamed_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

  • _time
  • EventID
  • OriginalFileName
  • process_name
  • Computer
  • User
  • parent_process_name
  • process_path
  • CommandLine


ATT&CK

ID Technique Tactic
T1218.005 Mshta Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

Although unlikely, some legitimate applications may use a moved copy of mshta.exe, but never renamed, triggering a false positive.

Reference


Test Dataset


version: 1


Detect processes used for system network configuration discovery

This search looks for fast execution of processes used for system network configuration discovery on the endpoint.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1016
  • Last Updated: 2020-11-10

Search

| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.process_name Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools` | transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime lastTime dest user process_name process parent_process eventcount | `detect_processes_used_for_system_network_configuration_discovery_filter`
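The `transaction ... maxpause=5m | where eventcount>=5` stage is what turns single tool executions into a "fast execution" finding. As an added example (not Splunk's code), the Python below emulates that stage over constructed process events: per dest, consecutive discovery-tool executions no more than five minutes apart are chained into one transaction, and only chains of five or more events are reported. The tool list stands in for the page's `system_network_configuration_discovery_tools` macro, whose contents are not shown here, and is an assumption, as are the sample events.

```python
from collections import defaultdict

# Stand-in for the `system_network_configuration_discovery_tools` macro; the
# real macro's contents are not on the page, so this list is an assumption.
DISCOVERY_TOOLS = {"ipconfig.exe", "arp.exe", "route.exe", "netstat.exe",
                   "nbtstat.exe", "nslookup.exe", "netsh.exe", "whoami.exe"}
MAX_PAUSE_SECONDS = 5 * 60   # transaction maxpause=5m
MIN_EVENTS = 5               # where eventcount>=5


def _summarise(dest, txn, min_events):
    """Turn one chained transaction into a finding if it is large enough."""
    if len(txn) < min_events:
        return []
    return [{
        "dest": dest,
        "firstTime": txn[0]["_time"],
        "lastTime": txn[-1]["_time"],
        "eventcount": len(txn),
        "user": sorted({e["user"] for e in txn}),
        "process_name": sorted({e["process_name"].lower() for e in txn}),
        "process": [e["process"] for e in txn],
    }]


def discovery_bursts(events, max_pause=MAX_PAUSE_SECONDS, min_events=MIN_EVENTS):
    """Emulate `transaction dest maxpause=5m | where eventcount>=5`.

    Events are dicts with _time (epoch seconds), dest, user, process_name and
    process. Per dest, events are sorted by time and chained while the gap to
    the previous event is at most max_pause; a larger gap starts a new chain.
    """
    by_dest = defaultdict(list)
    for ev in events:
        if ev["process_name"].lower() in DISCOVERY_TOOLS:
            by_dest[ev["dest"]].append(ev)

    bursts = []
    for dest, evs in by_dest.items():
        evs.sort(key=lambda e: e["_time"])
        current = [evs[0]]
        for ev in evs[1:]:
            if ev["_time"] - current[-1]["_time"] <= max_pause:
                current.append(ev)
            else:
                bursts.extend(_summarise(dest, current, min_events))
                current = [ev]
        bursts.extend(_summarise(dest, current, min_events))
    return bursts


def _ev(dest, offset, name, args, user="alice"):
    """Build a constructed process event relative to a fixed base time."""
    return {"_time": 1_620_000_000 + offset, "dest": dest, "user": user,
            "process_name": name, "process": f"{name} {args}".strip()}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # ws01: six discovery commands inside 90 seconds -> one burst.
    _ev("ws01", 0, "ipconfig.exe", "/all"),
    _ev("ws01", 15, "whoami.exe", "/groups"),
    _ev("ws01", 30, "arp.exe", "-a"),
    _ev("ws01", 45, "route.exe", "print"),
    _ev("ws01", 60, "netstat.exe", "-ano"),
    _ev("ws01", 90, "nslookup.exe", "corp.example"),
    # ws02: five commands ten minutes apart -> each gap exceeds maxpause.
    *[_ev("ws02", 600 * i, "ipconfig.exe", "/all", user="svc_monitor") for i in range(5)],
    # ws03: only four discovery commands, plus a non-discovery process ignored entirely.
    _ev("ws03", 0, "ipconfig.exe", ""),
    _ev("ws03", 5, "arp.exe", "-a"),
    _ev("ws03", 10, "route.exe", "print"),
    _ev("ws03", 20, "netstat.exe", "-an"),
    _ev("ws03", 25, "notepad.exe", "notes.txt"),
]

if __name__ == "__main__":
    for b in discovery_bursts(SAMPLE_EVENTS):
        print(b["dest"], b["eventcount"], b["user"], b["process_name"])
```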

Associated Analytic Story


How To Implement

You must be ingesting data that records registry activity from your hosts to populate the Endpoint data model in the Processes node. This is typically populated via an endpoint detection-and-response product, such as Carbon Black, or endpoint data sources, such as Sysmon. The data used for this search is usually generated via logs that report reads and writes to the registry or that are populated via Windows event logs, after enabling process tracking in your Windows audit settings.

Required field

  • _time
  • Processes.process
  • Processes.parent_process
  • Processes.dest
  • Processes.process_name
  • Processes.user


ATT&CK

ID Technique Tactic
T1016 System Network Configuration Discovery Discovery


Kill Chain Phase

  • Installation
  • Command and Control
  • Actions on Objectives


Known False Positives

It is uncommon for normal users to execute a series of commands used for network discovery. System administrators often use scripts to execute these commands. These can generate false positives.

Reference

Test Dataset


version: 2


Detection of tools built by nirsoft

This search looks for specific command-line arguments that may indicate the execution of tools made by Nirsoft, which are legitimate, but may be abused by attackers.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1072
  • Last Updated: 2020-07-21

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process="* /stext *" OR Processes.process="* /scomma *" ) by Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `detection_of_tools_built_by_nirsoft_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

  • _time
  • Processes.process
  • Processes.parent_process
  • Processes.process_name
  • Processes.user


ATT&CK

ID Technique Tactic
T1072 Software Deployment Tools Execution, Lateral Movement


Kill Chain Phase

  • Installation
  • Actions on Objectives


Known False Positives

While legitimate, these NirSoft tools are prone to abuse. You should verify that the tool was used for a legitimate purpose.

Reference

Test Dataset

version: 3


Disable logs using wevtutil

This search detects execution of wevtutil.exe to disable logs. This technique has been seen in several ransomware families, which disable the event logs to evade alerts and detections.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1070.001
  • Last Updated: 2021-06-10

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "wevtutil.exe" Processes.process = "*sl*" Processes.process = "*/e:false*" by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.dest Processes.user Processes.process_id Processes.process_guid | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disable_logs_using_wevtutil_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

  • _time
  • Processes.parent_process_name
  • Processes.parent_process
  • Processes.process_name
  • Processes.process
  • Processes.dest
  • Processes.user
  • Processes.process_id
  • Processes.process_guid


ATT&CK

ID Technique Tactic
T1070.001 Clear Windows Event Logs Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

A network operator may disable audit event logs for debugging purposes.

Reference


Test Dataset


version: 1


Disable registry tool

This search identifies a registry modification that disables regedit or the registry tools of the Windows operating system. Since the registry tool is a Swiss Army knife for analyzing the registry, malware such as RATs or trojan spyware disable this application to prevent the removal of their registry entries, such as those used for persistence, fileless components and defense evasion.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1562.001
  • Last Updated: 2021-03-31

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableRegistryTools" Registry.registry_value_name = "DWORD (0x00000001)" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `disable_registry_tool_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry path is included in your monitoring configuration, e.g. your Sysmon config.

Required field

  • _time
  • Registry.registry_key_name
  • Registry.registry_path
  • Registry.user
  • Registry.dest
  • Registry.registry_value_name


ATT&CK

ID Technique Tactic
T1562.001 Disable or Modify Tools Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

An admin may disable this application for non-technical users.

Reference


Test Dataset


version: 1


Disable show hidden files

The following search identifies a registry modification that prevents the user from seeing files with the hidden attribute. This event or technique is known from some worm and trojan spy malware that drops hidden files on the infected machine.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1564.001, T1562.001
  • Last Updated: 2021-03-31

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt" Registry.registry_value_name = "DWORD (0x00000001)") OR (Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden" Registry.registry_value_name = "DWORD (0x00000000)") by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `disable_show_hidden_files_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that these registry paths are included in your monitoring configuration, e.g. your Sysmon config.

Required field

  • _time
  • Registry.registry_key_name
  • Registry.registry_path
  • Registry.user
  • Registry.dest
  • Registry.registry_value_name


ATT&CK

ID Technique Tactic
T1564.001 Hidden Files and Directories Defense Evasion
T1562.001 Disable or Modify Tools Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

unknown

Reference


Test Dataset


version: 1


Disable windows app hotkeys

This analytic detects a suspicious registry modification that disables Windows hotkeys (shortcut keys) for native Windows applications. This technique is commonly used to disable one or several Windows applications such as `taskmgr.exe` and `cmd.exe`, impeding the analyst in analyzing and removing the attacker's implant on compromised systems.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1562.001
  • Last Updated: 2021-05-05

Search

| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path="*\\Windows NT\\CurrentVersion\\Image File Execution Options\\*" AND Registry.registry_value_name = "HotKey Disabled" AND Registry.registry_key_name = "Debugger" by Registry.dest Registry.user Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `disable_windows_app_hotkeys_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the Endpoint data model in the Registry node. This is typically populated via an endpoint detection-and-response product, such as CarbonBlack, or endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report reads and writes to the registry.

Required field

  • _time
  • Registry.registry_key_name
  • Registry.registry_path
  • Registry.registry_value_name
  • Registry.dest
  • Registry.user


ATT&CK

ID Technique Tactic
T1562.001 Disable or Modify Tools Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

unknown

Reference


Test Dataset


version: 1


Disable windows behavior monitoring

This search identifies a registry modification that disables Windows Defender real-time behavior monitoring. This event or technique is commonly seen in RATs, bots, or Trojans to disable AV and evade detection.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1562.001
  • Last Updated: 2021-03-31

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableBehaviorMonitoring" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableOnAccessProtection" OR Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableScanOnRealtimeEnable" Registry.registry_value_name = "DWORD (0x00000001)" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `disable_windows_behavior_monitoring_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that these registry paths are included in your monitoring configuration, e.g. your Sysmon config.

Required field

  • _time
  • Registry.registry_key_name
  • Registry.registry_path
  • Registry.user
  • Registry.dest
  • Registry.registry_value_name


ATT&CK

ID Technique Tactic
T1562.001 Disable or Modify Tools Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

An admin or user may choose to disable these Windows features.

Reference


Test Dataset


version: 1


Disable windows smartscreen protection

The following search identifies a registry modification that disables the SmartScreen protection of a Windows machine. This Windows feature provides an early warning system against websites that might engage in phishing attacks or malware distribution. This modification is seen in RAT malware to cover its tracks while downloading other components or payloads.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1562.001
  • Last Updated: 2021-03-31

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= "*HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SmartScreenEnabled" Registry.registry_value_name = "Off" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `disable_windows_smartscreen_protection_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry path is included in your monitoring configuration, e.g. your Sysmon config.

Required field

  • _time
  • Registry.registry_key_name
  • Registry.registry_path
  • Registry.user
  • Registry.dest
  • Registry.registry_value_name


ATT&CK

ID Technique Tactic
T1562.001 Disable or Modify Tools Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

An admin or user may choose to disable this Windows feature.

Reference


Test Dataset


version: 1


Disabling cmd application

This search identifies a registry modification that disables the cmd prompt application. This technique is commonly seen in RATs, Trojans or worms to prevent triaging or deleting their samples through the cmd application, which is one of the tools an analyst uses to traverse directories and files.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1562.001
  • Last Updated: 2021-03-31

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Policies\\Microsoft\\Windows\\System\\DisableCMD" Registry.registry_value_name = "DWORD (0x00000001)" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `disabling_cmd_application_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry path is included in your monitoring configuration, e.g. your Sysmon config.

Required field

  • _time
  • Registry.registry_key_name
  • Registry.registry_path
  • Registry.user
  • Registry.dest
  • Registry.registry_value_name


ATT&CK

ID Technique Tactic
T1562.001 Disable or Modify Tools Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

An admin may disable this application for non-technical users.

Reference


Test Dataset


version: 1


Disabling controlpanel

This search identifies a registry modification that disables the Control Panel window. This technique is commonly seen in malware to prevent its artifacts and persistence from being removed on the infected machine.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1562.001
  • Last Updated: 2021-03-31

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel" Registry.registry_value_name = "DWORD (0x00000001)" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_controlpanel_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Registry` node. Also make sure that this registry path is included in your monitoring configuration, e.g. your Sysmon config.

Required field

  • _time
  • Registry.registry_key_name
  • Registry.registry_path
  • Registry.user
  • Registry.dest
  • Registry.registry_value_name


ATT&CK

ID Technique Tactic
T1562.001 Disable or Modify Tools Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

An admin may disable this application for non-technical users.

Reference


Test Dataset


version: 1


Disabling firewall with netsh

This search identifies suspicious firewall disabling using the netsh application. This technique is commonly seen in malware that tries to communicate with its C2 server or download its components or other payloads.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1562.001
  • Last Updated: 2021-03-31

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=netsh.exe Processes.process= "*firewall*" (Processes.process= "*off*" OR Processes.process= "*disable*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_firewall_with_netsh_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records the filesystem activity from your hosts to populate the Endpoint file-system data model node. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.

Required field

  • _time
  • Processes.process_name
  • Processes.process
  • Processes.dest
  • Processes.user
  • Processes.parent_process
  • Processes.process_name
  • Processes.process_id
  • Processes.parent_process_id


ATT&CK

ID Technique Tactic
T1562.001 Disable or Modify Tools Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

An admin may disable the firewall during testing or while fixing a network problem.

Reference


Test Dataset


version: 1


Disabling folderoptions windows feature

This search identifies a registry modification that disables the Folder Options feature of Windows, which is used to show hidden files, file extensions, etc. This technique is used by malware in combination with disabling the show-hidden-files feature to hide its files and also to hide file extensions, luring the user with file icons or fake file extensions.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1562.001
  • Last Updated: 2021-03-31

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoFolderOptions" Registry.registry_value_name = "DWORD (0x00000001)" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_folderoptions_windows_feature_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Registry` node. Also make sure that this registry key is included in your configuration (for example, the Sysmon config) so that it is monitored.

Required field

  • _time
  • Registry.registry_key_name
  • Registry.registry_path
  • Registry.user
  • Registry.dest
  • Registry.registry_value_name


ATT&CK

ID Technique Tactic
T1562.001 Disable or Modify Tools Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

Administrators may disable this feature for non-technical users.

Reference


Test Dataset


version: 1


Disabling net user account

This analytic identifies a suspicious command line that disables a user account using the `net.exe` utility native to Windows. Adversaries may use this technique to interrupt the availability of those users' accounts while carrying out their malicious activity.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1531
  • Last Updated: 2021-05-04

Search

| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.parent_process) as parent_process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name="net.exe" OR Processes.process_name="net1.exe" AND Processes.process="*user*" AND Processes.process="*/active:no*" by Processes.process_name Processes.dest Processes.user Processes.parent_process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_net_user_account_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed net.exe/net1.exe may be used.

Required field

  • _time
  • Processes.process_name
  • Processes.dest
  • Processes.user
  • Processes.parent_process_name
  • Processes.process_id
  • Processes.parent_process


ATT&CK

ID Technique Tactic
T1531 Account Access Removal Impact


Kill Chain Phase

  • Exploitation


Known False Positives

unknown

Reference


Test Dataset


version: 1


Disabling norun windows app

This search identifies a registry modification that disables the Run application in the Windows Start menu. Run is a helpful shortcut for Windows users to launch known applications and to execute registry or batch scripts. Malware uses this technique to make cleaning up its infection harder by preventing known applications from being launched easily through the Run shortcut.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1562.001
  • Last Updated: 2021-03-31

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoRun" Registry.registry_value_name = "DWORD (0x00000001)" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_norun_windows_app_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Registry` node. Also make sure that this registry key is included in your configuration (for example, the Sysmon config) so that it is monitored.

Required field

  • _time
  • Registry.registry_key_name
  • Registry.registry_path
  • Registry.user
  • Registry.dest
  • Registry.registry_value_name


ATT&CK

ID Technique Tactic
T1562.001 Disable or Modify Tools Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

Administrators may disable this feature for non-technical users.

Reference


Test Dataset


version: 1


Disabling remote user account control

The search looks for modifications to registry keys that control the enforcement of Windows User Account Control (UAC).

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1548.002
  • Last Updated: 2020-11-18

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path=*HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA* Registry.registry_value_name="DWORD (0x00000000)" by Registry.dest, Registry.registry_key_name Registry.user Registry.registry_path Registry.registry_value_name Registry.action | `drop_dm_object_name(Registry)` | `disabling_remote_user_account_control_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you must be ingesting data that records registry activity from your hosts to populate the endpoint data model in the registry node. This is typically populated via endpoint detection-and-response product, such as Carbon Black, or via other endpoint data sources, such as Sysmon. The data used for this search is typically generated via logs that report registry modifications.

Required field

  • _time
  • Registry.registry_path
  • Registry.registry_value_name
  • Registry.dest
  • Registry.registry_key_name
  • Registry.user
  • Registry.action


ATT&CK

ID Technique Tactic
T1548.002 Bypass User Account Control Privilege Escalation, Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Known False Positives

This registry key may be modified via administrators to implement a change in system policy. This type of change should be a very rare occurrence.

Reference

Test Dataset


version: 4


Disabling systemrestore in registry

The following search identifies registry modifications that disable System Restore on a machine. This behavior is seen in some RAT malware to make restoring the infected machine difficult and to keep the infection on the box.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1562.001
  • Last Updated: 2021-03-31

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableSR" OR Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRestore\\DisableConfig" Registry.registry_value_name = "DWORD (0x00000001)" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `disabling_systemrestore_in_registry_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Registry` node. Also make sure that this registry key is included in your configuration (for example, the Sysmon config) so that it is monitored.

Required field

  • _time
  • Registry.registry_key_name
  • Registry.registry_path
  • Registry.user
  • Registry.dest
  • Registry.registry_value_name


ATT&CK

ID Technique Tactic
T1562.001 Disable or Modify Tools Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

In some cases an administrator may disable System Restore on a machine.

Reference


Test Dataset


version: 1


Disabling task manager

This search identifies a registry modification that disables the Windows Task Manager. This technique is commonly seen in malware such as RATs, Trojans, TrojanSpy and worms to prevent the user from terminating their processes.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1562.001
  • Last Updated: 2021-03-31

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where Registry.registry_path= "*\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr" Registry.registry_value_name = "DWORD (0x00000001)" by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.dest | `drop_dm_object_name(Registry)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `disabling_task_manager_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Registry` node. Also make sure that this registry key is included in your configuration (for example, the Sysmon config) so that it is monitored.

Required field

  • _time
  • Registry.registry_key_name
  • Registry.registry_path
  • Registry.user
  • Registry.dest
  • Registry.registry_value_name


ATT&CK

ID Technique Tactic
T1562.001 Disable or Modify Tools Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

Administrators may disable this feature for non-technical users.

Reference


Test Dataset


version: 1
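The registry-policy searches above (Disabling folderoptions, Disabling norun, Disabling remote user account control, Disabling systemrestore and Disabling task manager) share one shape: a wildcard match on `registry_path` plus an exact match on the DWORD value string in the field the searches compare. The Python below, added here as an example and not part of Splunk Security Content, re-implements that logic over constructed `Endpoint.Registry`-style events, including benign events that must not fire; the `RegistryEvent` fields and the sample paths, hosts and users are assumptions.

```python
"""Registry policy-tampering matcher re-implementing the five "Disabling ..." searches.
Example code added for this page, not part of the Splunk Security Content project.
Field names follow the Endpoint.Registry data model as used by the searches;
all sample events are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# (detection name, registry_path wildcard patterns, value string the search requires)
# Patterns are copied from the searches above; "*" is the SPL wildcard.
RULES = [
    ("disabling_folderoptions_windows_feature",
     [r"*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions"],
     "DWORD (0x00000001)"),
    ("disabling_norun_windows_app",
     [r"*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun"],
     "DWORD (0x00000001)"),
    ("disabling_systemrestore_in_registry",
     [r"*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR",
      r"*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableConfig"],
     "DWORD (0x00000001)"),
    ("disabling_task_manager",
     [r"*\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"],
     "DWORD (0x00000001)"),
    ("disabling_remote_user_account_control",     # UAC off: EnableLUA set to 0
     [r"*HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA*"],
     "DWORD (0x00000000)"),
]


@dataclass(frozen=True)
class RegistryEvent:
    """One Endpoint.Registry event (assumed field set)."""
    time: int                  # _time as epoch seconds
    dest: str
    user: str
    registry_path: str
    registry_value_name: str   # the field the searches compare against the DWORD string


def _path_matches(path: str, patterns) -> bool:
    # Case-insensitive wildcard match; fnmatch treats backslash as a literal character.
    p = path.lower()
    return any(fnmatchcase(p, pat.lower()) for pat in patterns)


def classify(ev: RegistryEvent):
    """Names of the detections whose path pattern AND value string both match ev."""
    return [name for name, pats, value in RULES
            if ev.registry_value_name == value and _path_matches(ev.registry_path, pats)]


def run_detections(events):
    """Aggregate like the tstats searches: count/firstTime/lastTime per
    (detection, dest, registry_path, registry_value_name), sorted for stable output."""
    agg = {}
    for ev in events:
        for name in classify(ev):
            key = (name, ev.dest, ev.registry_path, ev.registry_value_name)
            row = agg.setdefault(key, {"detection": name, "dest": ev.dest,
                                       "registry_path": ev.registry_path,
                                       "registry_value_name": ev.registry_value_name,
                                       "count": 0, "firstTime": ev.time, "lastTime": ev.time})
            row["count"] += 1
            row["firstTime"] = min(row["firstTime"], ev.time)
            row["lastTime"] = max(row["lastTime"], ev.time)
    return sorted(agg.values(), key=lambda r: (r["detection"], r["dest"]))


# Constructed sample telemetry (not from any real host).
_USR = r"HKU\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
_SR = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
_SYS = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SAMPLE_EVENTS = [
    RegistryEvent(1620000000, "WS01", "CORP\\alice", _USR + r"\Explorer\NoFolderOptions", "DWORD (0x00000001)"),
    RegistryEvent(1620000005, "WS01", "CORP\\alice", _USR + r"\System\DisableTaskMgr", "DWORD (0x00000001)"),
    RegistryEvent(1620000010, "WS01", "CORP\\alice", _SR + r"\DisableSR", "DWORD (0x00000001)"),
    RegistryEvent(1620000020, "WS01", "CORP\\alice", _SR + r"\DisableSR", "DWORD (0x00000001)"),
    # Task Manager re-enabled (value 0): must NOT fire the DWORD 1 rule.
    RegistryEvent(1620000030, "WS02", "CORP\\bob", _USR + r"\System\DisableTaskMgr", "DWORD (0x00000000)"),
    # UAC disabled: EnableLUA = 0 is the match condition for that rule.
    RegistryEvent(1620000040, "WS02", "CORP\\bob", _SYS + r"\EnableLUA", "DWORD (0x00000000)"),
    # Unrelated value under the same policy key: must not match any rule.
    RegistryEvent(1620000050, "WS02", "CORP\\bob", _SYS + r"\ConsentPromptBehaviorAdmin", "DWORD (0x00000005)"),
]

if __name__ == "__main__":
    for row in run_detections(SAMPLE_EVENTS):
        print(row)
```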


Download files using telegram

The following analytic identifies a suspicious download by the Telegram application on a Windows system. This behavior was identified on a honeypot where the adversary gained access, installed Telegram and then downloaded various network scanners (port scanner, bruteforcer, masscan) to the system, which were later used to map the whole network and move laterally.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1105
  • Last Updated: 2021-05-06

Search

`sysmon` EventCode= 15 process_name = "telegram.exe" TargetFilename = "*:Zone.Identifier" |stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode Image process_id TargetFilename Hash | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `download_files_using_telegram_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name and TargetFilename from your endpoints, or events that record file stream creation (Sysmon EventCode 15), which occurs when a process downloads something. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

Required field

  • _time
  • Computer
  • EventCode
  • Image
  • process_id
  • TargetFilename
  • Hash


ATT&CK

ID Technique Tactic
T1105 Ingress Tool Transfer Command And Control


Kill Chain Phase

  • Exploitation


Known False Positives

Normal file downloads in the Telegram app (if it is a common application on the network).

Reference


Test Dataset


version: 1


Dump lsass via comsvcs dll

Detect the usage of comsvcs.dll for dumping the lsass process.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1003.001
  • Last Updated: 2020-02-21

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=rundll32.exe Processes.process=*comsvcs.dll* Processes.process=*MiniDump* by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_comsvcs_dll_filter`

Associated Analytic Story


How To Implement

You must be ingesting endpoint data that tracks process activity, including parent-child relationships from your endpoints, to populate the Endpoint data model in the Processes node. The command-line arguments are mapped to the "process" field in the Endpoint data model.

Required field

  • _time
  • Processes.process_name
  • Processes.process
  • Processes.user
  • Processes.dest


ATT&CK

ID Technique Tactic
T1003.001 LSASS Memory Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset


version: 1


Dump lsass via procdump

Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. This query does not monitor for the internal name (OriginalFileName=procdump) of the PE or look for procdump64.exe. Modify the query as needed. During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been run, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross-process activity (injection) into lsass.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1003.001
  • Last Updated: 2021-02-01

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=procdump.exe OR Processes.process_name=procdump64.exe (Processes.process=*-ma* OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.process_name Processes.process Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

  • _time
  • Processes.process_name
  • Processes.process
  • Processes.user
  • Processes.dest


ATT&CK

ID Technique Tactic
T1003.001 LSASS Memory Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset


version: 1


Dump lsass via procdump rename

Detect a renamed instance of procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. Modify the query as needed. During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been run, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross-process activity (injection) into lsass.exe.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1003.001
  • Last Updated: 2021-02-01

Search

`sysmon` OriginalFileName=procdump process_name!=procdump*.exe EventID=1 (CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass* | rename Computer as dest | stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, process_name, OriginalFileName, CommandLine | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `dump_lsass_via_procdump_rename_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

  • _time
  • OriginalFileName
  • process_name
  • EventID
  • CommandLine
  • Computer
  • parent_process_name


ATT&CK

ID Technique Tactic
T1003.001 LSASS Memory Credential Access


Kill Chain Phase

  • Actions on Objectives


Known False Positives

None identified.

Reference


Test Dataset


version: 1


Enable rdp in other port number

This search detects a registry modification that enables RDP on a machine with a different port number. This technique has been seen when attackers attempt lateral movement and remote access to a compromised machine in order to gain control of it.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1021
  • Last Updated: 2021-05-19

Search

| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path="*HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp*" Registry.registry_key_name = "PortNumber" by Registry.dest Registry.user Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `enable_rdp_in_other_port_number_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.

Required field

  • _time
  • Registry.registry_path
  • Registry.dest
  • Registry.user
  • Registry.registry_value_name


ATT&CK

ID Technique Tactic
T1021 Remote Services Lateral Movement


Kill Chain Phase

  • Exploitation


Known False Positives

unknown

Reference


Test Dataset


version: 1


Enumerate users local group using telegram

This analytic detects a suspicious Telegram process enumerating all network users in a local group. This technique was seen on a Monero-infected honeypot, where it was used to map all the users on the compromised system. EventCode 4798 is generated when a process enumerates a user's security-enabled local groups on a computer or device.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1087
  • Last Updated: 2021-05-06

Search

`wineventlog_security` EventCode=4798 Process_Name = "*\\telegram.exe" | stats count min(_time) as firstTime max(_time) as lastTime by ComputerName EventCode Process_Name Process_ID Account_Name Account_Domain Logon_ID Security_ID Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `enumerate_users_local_group_using_telegram_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting Windows Security logs (for example, Security Log EventCode 4798) from your endpoints. Tune and filter known instances of processes such as LogonUI used in your environment.

Required field

  • _time
  • ComputerName
  • EventCode
  • Process_Name
  • Process_ID
  • Account_Name
  • Account_Domain
  • Logon_ID
  • Security_ID
  • Message


ATT&CK

ID Technique Tactic
T1087 Account Discovery Discovery


Kill Chain Phase

  • Exploitation


Known False Positives

unknown

Reference


Test Dataset


version: 1


Eventvwr uac bypass

The following search identifies the Eventvwr UAC bypass by detecting a registry modification to a specific path that eventvwr.msc looks up (but which is not valid) upon execution. A successful attack will include a suspicious command that is executed when eventvwr.msc loads. Upon triage, review the parallel processes that have executed. Identify any additional registry modifications on the endpoint that may look suspicious. Remediate as necessary.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1548.002
  • Last Updated: 2021-03-01

Search

| tstats `security_content_summariesonly` count values(Registry.registry_key_name) as registry_key_name values(Registry.registry_path) as registry_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path="*mscfile\\shell\\open\\command\\*" by Registry.user, Registry.dest , Registry.registry_value_name | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `eventvwr_uac_bypass_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Registry` node.

Required field

  • _time
  • Registry.registry_key_name
  • Registry.registry_path
  • Registry.user
  • Registry.dest
  • Registry.registry_value_name


ATT&CK

ID Technique Tactic
T1548.002 Bypass User Account Control Privilege Escalation, Defense Evasion


Kill Chain Phase

  • Exploitation
  • Privilege Escalation


Known False Positives

Some false positives may be present and will need to be filtered.

Reference


Test Dataset


version: 1


Excel spawning powershell

The following detection identifies Microsoft Excel spawning PowerShell. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). PowerShell spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command executed will most likely be encoded and captured via another detection. During triage, review parallel processes and identify any files that may have been written.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1003.002
  • Last Updated: 2021-04-12

Search

| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="excel.exe" Processes.process_name IN ("powershell.exe", "pwsh.exe") by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `excel_spawning_powershell_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

  • _time
  • process_name
  • process_id
  • parent_process_name
  • dest
  • user
  • parent_process_id


ATT&CK

ID Technique Tactic
T1003.002 Security Account Manager Credential Access


Kill Chain Phase

  • Exploitation


Known False Positives

False positives should be limited, but if any are present, filter as needed.

Reference


Test Dataset


version: 1


Excel spawning windows script host

The following detection identifies Microsoft Excel spawning Windows Script Host - `cscript.exe` or `wscript.exe`. Typically, this is not common behavior and not default with Excel.exe. Excel.exe will generally be found in the following path `C:\Program Files\Microsoft Office\root\Office16` (version will vary). The default location of `cscript.exe` or `wscript.exe` is `c:\windows\system32\` or `c:\windows\syswow64\`. `cscript.exe` or `wscript.exe` spawning from Excel.exe is common for a spearphishing attachment and is actively used. Albeit, the command-line executed will most likely be obfuscated and captured via another detection. During triage, review parallel processes and identify any files that may have been written. Review the reputation of the remote destination and block accordingly.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1003.002
  • Last Updated: 2021-04-12

Search

| tstats `security_content_summariesonly` count values(Processes.process) min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name="excel.exe" Processes.process_name IN ("cscript.exe", "wscript.exe") by Processes.parent_process Processes.process_name Processes.user Processes.dest | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)` | `excel_spawning_windows_script_host_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

  • _time
  • process_name
  • process_id
  • parent_process_name
  • dest
  • user
  • parent_process_id


ATT&CK

ID Technique Tactic
T1003.002 Security Account Manager Credential Access


Kill Chain Phase

  • Exploitation


Known False Positives

False positives should be limited, but if any are present, filter as needed. In some instances, `cscript.exe` is used for legitimate business practices.

Reference


Test Dataset


version: 1


Excessive attempt to disable services

This analytic identifies a suspicious series of command lines that disable several services. This technique is seen where an adversary attempts to disable security application services, or other malware's services, to complete its objective on the compromised system.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1489
  • Last Updated: 2021-05-04

Search

| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "sc.exe" AND Processes.process="*config*" OR Processes.process="*Disabled*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=5 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_attempt_to_disable_services_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed sc.exe may be used.

Required field

  • _time
  • Processes.process
  • Processes.process_id
  • Processes.process_name
  • Processes.parent_process_name
  • Processes.dest
  • Processes.user


ATT&CK

ID Technique Tactic
T1489 Service Stop Impact


Kill Chain Phase

  • Exploitation


Known False Positives

unknown

Reference


Test Dataset


version: 1


Excessive service stop attempt

This analytic identifies a suspicious series of attempts to stop multiple services on a system using either `net.exe` or `sc.exe`. Adversaries use this technique to terminate security services or other related services so they can continue their objective and evade detection.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1489
  • Last Updated: 2021-05-04

Search

| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "net.exe" OR Processes.process_name = "sc.exe" OR Processes.process_name = "net1.exe" AND Processes.process="*stop*" OR Processes.process="*/delete*" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=5 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_service_stop_attempt_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed sc.exe may be used.

Required field

  • _time
  • Processes.process
  • Processes.process_id
  • Processes.process_name
  • Processes.parent_process_name
  • Processes.dest
  • Processes.user


ATT&CK

ID Technique Tactic
T1489 Service Stop Impact


Kill Chain Phase

  • Exploitation


Known False Positives

unknown

Reference


Test Dataset


version: 1


Excessive usage of cacls app

The following analytic identifies excessive usage of the `cacls.exe`, `xcacls.exe` or `icacls.exe` application to change file or folder permissions. This behavior is commonly seen where an adversary attempts to prevent users from deleting or accessing its malware components or artifacts on the compromised system.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1222
  • Last Updated: 2021-05-07

Search

| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id values(Processes.process_name) as process_name count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "cacls.exe" OR Processes.process_name = "icacls.exe" OR Processes.process_name = "XCACLS.exe" by Processes.parent_process_name Processes.parent_process Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_cacls_app_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting process information that includes the name of the process responsible for the changes from your endpoints into the `Endpoint` data model in the `Processes` node.

Required field

  • _time
  • Processes.process
  • Processes.process_id
  • Processes.process_name
  • Processes.parent_process_name
  • Processes.dest
  • Processes.user


ATT&CK

ID Technique Tactic
T1222 File and Directory Permissions Modification Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

Administrators or administrative scripts may use this application. Filter as needed.

Reference


Test Dataset


version: 1


Excessive usage of net app

This analytic identifies excessive usage of `net.exe` or `net1.exe` within a bucket of time (1 minute). This behavior was seen in a Monero incident where the adversary created many users and deleted and disabled users as part of its malicious activity.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1531
  • Last Updated: 2021-05-06

Search

| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "net.exe" OR Processes.process_name = "net1.exe" by Processes.process_name Processes.parent_process_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_net_app_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed net.exe may be used.

Required field

  • _time
  • Processes.process
  • Processes.process_id
  • Processes.process_name
  • Processes.parent_process_name
  • Processes.dest
  • Processes.user


ATT&CK

ID Technique Tactic
T1531 Account Access Removal Impact


Kill Chain Phase

  • Exploitation


Known False Positives

Unknown. Filter as needed. Modify the time span as needed.

Reference


Test Dataset


version: 1


Excessive usage of taskkill

This analytic identifies excessive usage of the `taskkill.exe` application. Adversaries commonly use it to evade detection by killing security product processes, or other processes, on the host.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1562.001
  • Last Updated: 2021-05-04

Search

| tstats `security_content_summariesonly` values(Processes.process) as process values(Processes.process_id) as process_id count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = "taskkill.exe" by Processes.parent_process_name Processes.process_name Processes.dest Processes.user _time span=1m | where count >=10 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_taskkill_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed taskkill.exe may be used.

Required field

  • _time
  • Processes.parent_process_name
  • Processes.process_name
  • Processes.dest
  • Processes.user
  • Processes.process
  • Processes.process_id


ATT&CK

ID Technique Tactic
T1562.001 Disable or Modify Tools Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

Unknown. Filter as needed.
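The three "excessive usage" searches above (cacls, net and taskkill) share one shape: bucket process events into one-minute spans, group by process, parent, host and user, and keep buckets with at least 10 launches. The following is an added example that replays that logic in Python over constructed events; it is not Splunk's code, and the event layout, the `allow_parents` tuning hook (standing in for the `*_filter` macro) and the case-folded name comparison are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Endpoint.Processes-style events (not real telemetry): twelve
# taskkill.exe launches from one parent inside a single minute on host-a, and
# three net.exe launches spread across different minutes on host-b.
EVENTS = [
    {"_time": f"2021-05-04T10:15:{s:02d}Z", "dest": "host-a", "user": "CORP\\bob",
     "parent_process_name": "cmd.exe", "process_name": "taskkill.exe",
     "process": f"taskkill.exe /IM app{s}.exe", "process_id": 4000 + s}
    for s in range(0, 48, 4)
] + [
    {"_time": f"2021-05-04T10:{m:02d}:07Z", "dest": "host-b", "user": "CORP\\alice",
     "parent_process_name": "powershell.exe", "process_name": "net.exe",
     "process": "net.exe user", "process_id": 5000 + m}
    for m in (15, 31, 52)
]

# Process names watched by the three "excessive usage" searches.
WATCHED = {"cacls.exe", "icacls.exe", "xcacls.exe", "net.exe", "net1.exe", "taskkill.exe"}


def excessive_usage(events, span=60, threshold=10, allow_parents=()):
    """Replays the tstats pipeline: keep watched process names, bucket _time into
    `span`-second windows (span=1m), group by process/parent/dest/user, and return
    the buckets whose count reaches `threshold` (where count >= 10).
    `allow_parents` stands in for the *_filter macro used to tune out known admin
    tooling; names are case-folded here, which is an assumption of this example."""
    buckets = defaultdict(list)
    allowed = {p.lower() for p in allow_parents}
    for e in events:
        if e["process_name"].lower() not in WATCHED:
            continue
        if e["parent_process_name"].lower() in allowed:
            continue
        ts = datetime.fromisoformat(e["_time"].replace("Z", "+00:00")).timestamp()
        key = (e["process_name"], e["parent_process_name"], e["dest"], e["user"],
               int(ts // span) * span)
        buckets[key].append(ts)
    alerts = []
    for (name, parent, dest, user, bucket), times in sorted(buckets.items()):
        if len(times) >= threshold:
            alerts.append({"process_name": name, "parent_process_name": parent,
                           "dest": dest, "user": user, "count": len(times),
                           "firstTime": min(times), "lastTime": max(times)})
    return alerts


if __name__ == "__main__":
    for a in excessive_usage(EVENTS):
        print(a)
```

The scattered net.exe launches never share a bucket, so lowering the threshold alone does not surface them; only a burst inside one span does, which is why the span and the threshold are tuned together.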

Reference


Test Dataset


version: 1


Excessive usage of nslookup app

This search detects potential DNS exfiltration using the nslookup application. This technique has been seen in several malware families and APT groups to exfiltrate data collected from an infected machine or network. This detection looks for distinctive use of nslookup, where it is invoked with specific record types (TXT, A, AAAA) that are commonly used by attackers, and with the retry parameter, which is designed to query the C2 DNS server multiple times.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1048
  • Last Updated: 2021-04-21

Search

`sysmon` EventCode = 1 process_name = "nslookup.exe" | bucket _time span=15m | stats count as numNsLookup min(_time) as firstTime max(_time) as lastTime by Computer, _time | eventstats avg(numNsLookup) as avgNsLookup, stdev(numNsLookup) as stdNsLookup, count as numSlots by Computer | eval upperThreshold=(avgNsLookup + stdNsLookup *3) | eval isOutlier=if(avgNsLookup > 20 and numNsLookup >= upperThreshold, 1, 0) | search isOutlier=1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_usage_of_nslookup_app_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known benign instances where nslookup.exe may be used.

Required field

  • _time
  • Processes.dest
  • Processes.user
  • Processes.parent_process
  • Processes.process_name
  • Processes.process
  • Processes.process_id


ATT&CK

ID Technique Tactic
T1048 Exfiltration Over Alternative Protocol Exfiltration


Kill Chain Phase

  • Exploitation


Known False Positives

Unknown.
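The nslookup search above is a per-host statistical baseline rather than a fixed count: launches are counted per 15-minute bucket, each host's mean and sample standard deviation across its buckets are computed, and a bucket is an outlier when its count reaches avg + 3*stdev while the host's average exceeds 20. The following is an added example that replays that arithmetic in Python over constructed counts; it is not Splunk's code, and the hosts, counts and epoch base are assumptions of this example.

```python
from collections import defaultdict
from statistics import mean, stdev

SPAN = 15 * 60  # bucket _time span=15m


def make_events():
    """Constructed (Computer, epoch-seconds) pairs, one per nslookup.exe launch;
    not real Sysmon data. base is aligned to a bucket boundary."""
    base, ev = 1_619_000_100, []
    # ws-01: 25 launches per bucket for 15 buckets, then a burst of 300.
    for b in range(15):
        ev += [("ws-01", base + b * SPAN + i) for i in range(25)]
    ev += [("ws-01", base + 15 * SPAN + i) for i in range(300)]
    # ws-02: 2 per bucket then a burst of 40; its average stays below the 20 gate.
    for b in range(15):
        ev += [("ws-02", base + b * SPAN + i) for i in range(2)]
    ev += [("ws-02", base + 15 * SPAN + i) for i in range(40)]
    # ws-03: a flat 30 per bucket; stdev is 0, so avg + 3*stdev collapses to avg.
    for b in range(4):
        ev += [("ws-03", base + b * SPAN + i) for i in range(30)]
    return ev


def nslookup_outliers(events, span=SPAN, min_avg=20, sigmas=3):
    """Per Computer: count launches per bucket, take the mean and the sample
    standard deviation across that host's buckets (Splunk's stdev is the sample
    form), and flag each bucket whose count reaches avg + sigmas*stdev, provided
    the host's average exceeds min_avg (the avgNsLookup > 20 gate)."""
    counts = defaultdict(lambda: defaultdict(int))
    for host, ts in events:
        counts[host][int(ts // span) * span] += 1
    outliers = []
    for host, per_bucket in sorted(counts.items()):
        values = list(per_bucket.values())
        avg = mean(values)
        std = stdev(values) if len(values) > 1 else 0.0
        upper = avg + sigmas * std
        for bucket, n in sorted(per_bucket.items()):
            if avg > min_avg and n >= upper:
                outliers.append({"Computer": host, "_time": bucket, "numNsLookup": n,
                                 "avgNsLookup": avg, "upperThreshold": upper})
    return outliers


if __name__ == "__main__":
    for row in nslookup_outliers(make_events()):
        print(row)
```

The ws-03 case shows a tuning caveat: a host with perfectly flat usage above the gate has zero deviation, so every one of its buckets equals the threshold and matches the `>=` test, which is worth remembering when raising the gate or switching to a strict comparison.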

Reference


Test Dataset


version: 1


Excessive number of distinct processes created in windows temp folder

This analytic will identify suspicious series of process executions. We have observed that post exploit framework tools like Koadic and Meterpreter will launch an excessive number of processes with distinct file paths from Windows\Temp to execute actions on objective. This behavior is extremely anomalous compared to typical application behaviors that use Windows\Temp.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1059
  • Last Updated: 2021-06-03

Search

| tstats `security_content_summariesonly` values(Processes.process) as process distinct_count(Processes.process) as distinct_process_count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "*\\Windows\\Temp\\*" by Processes.dest Processes.user _time span=20m | where distinct_process_count > 37 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_distinct_processes_created_in_windows_temp_folder_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting logs with the full process path in the process field of CIM's Process data model. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known benign instances of executables launched from Windows\Temp.

Required field

  • _time
  • Processes.process
  • Processes.dest
  • Processes.user


ATT&CK

ID Technique Tactic
T1059 Command and Scripting Interpreter Execution


Kill Chain Phase

  • Exploitation


Known False Positives

Many benign applications will create processes from executables in Windows\Temp, although unlikely to exceed the given threshold. Filter as needed.

Reference


Test Dataset


version: 1


Excessive number of service control start as disabled

This detection targets behaviors observed when threat actors have used sc.exe to modify services. We observed malware in a honeypot spawning numerous sc.exe processes in a short period of time, presumably to impair defenses, possibly to block others from compromising the same machine. This detection will alert when we see an excessive number of sc.exe processes launched with specific command-line arguments to disable the start of certain services.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1562.001
  • Last Updated: 2021-06-25

Search

| tstats `security_content_summariesonly` distinct_count(Processes.process) as distinct_cmdlines values(Processes.process_id) as process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = "sc.exe" AND Processes.process="*start= disabled*" by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.parent_process_id, _time span=30m | where distinct_cmdlines >= 8 | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_service_control_start_as_disabled_filter`

Associated Analytic Story


How To Implement

You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must be ingesting logs with both the process name and command line from your endpoints. The complete process name with command-line arguments is mapped to the "process" field in the Endpoint data model.

Required field

  • _time
  • Processes.dest
  • Processes.user
  • Processes.parent_process
  • Processes.process_name
  • Processes.process
  • Processes.process_id
  • Processes.parent_process_id


ATT&CK

ID Technique Tactic
T1562.001 Disable or Modify Tools Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

Legitimate programs and administrators will execute sc.exe with the start disabled flag. It is possible, but unlikely based on the telemetry of normal Windows operation we observed, that sc.exe will be called more than seven times in a short period of time.

Reference


Test Dataset


version: 1


Excessive number of taskhost processes

This detection targets behaviors observed in post exploit kits like Meterpreter and Koadic that are run in memory. We have observed that these tools must invoke an excessive number of taskhost.exe and taskhostex.exe processes to complete various actions (discovery, lateral movement, etc.). It is extremely uncommon in the course of normal operations to see so many distinct taskhost and taskhostex processes running concurrently in a short time frame.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1033
  • Last Updated: 2021-06-07

Search

| tstats `security_content_summariesonly` values(Processes.process_id) as process_ids min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name = "taskhost.exe" OR Processes.process_name = "taskhostex.exe" BY Processes.dest Processes.process_name _time span=1h | `drop_dm_object_name(Processes)` | eval pid_count=mvcount(process_ids) | eval taskhost_count_=if(process_name == "taskhost.exe", pid_count, 0) | eval taskhostex_count_=if(process_name == "taskhostex.exe", pid_count, 0) | stats sum(taskhost_count_) as taskhost_count, sum(taskhostex_count_) as taskhostex_count, min(firstTime) as firstTime, max(lastTime) as lastTime by _time, dest | where taskhost_count > 10 and taskhostex_count > 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `excessive_number_of_taskhost_processes_filter`

Associated Analytic Story


How To Implement

To successfully implement this search you need to be ingesting events related to processes on the endpoints that include the name of the process and process id into the `Endpoint` datamodel in the `Processes` node.

Required field

  • _time
  • Processes.process_id
  • Processes.process_name
  • Processes.dest
  • Processes.user


ATT&CK

ID Technique Tactic
T1033 System Owner/User Discovery Discovery


Kill Chain Phase

  • Exploitation


Known False Positives

Administrators, administrative actions or certain applications may run many instances of taskhost and taskhostex concurrently. Filter as needed.
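The taskhost search above differs from the plain count searches in two ways: it counts distinct process IDs per host and hour (`values()` de-duplicates before `mvcount`), and it fires only when both the taskhost.exe and the taskhostex.exe counts exceed 10 in the same hour. The following is an added example that replays that logic in Python; it is not Splunk's code, and the hosts, PIDs and epoch base are constructed. The same distinct-count-per-window shape underlies the Windows\Temp and sc.exe searches above, with the command line counted instead of the PID.

```python
from collections import defaultdict

SPAN = 3600  # span=1h


def make_events():
    """Constructed (dest, process_name, process_id, epoch-seconds) tuples; not real
    telemetry. base is aligned to an hour boundary so each host fills one bucket."""
    base, ev = 1_623_024_000, []
    # srv-01: 12 distinct taskhost.exe PIDs and 11 distinct taskhostex.exe PIDs in one hour.
    ev += [("srv-01", "taskhost.exe", 1000 + i, base + 60 * i) for i in range(12)]
    ev += [("srv-01", "taskhostex.exe", 2000 + i, base + 90 * i) for i in range(11)]
    # srv-02: plenty of taskhost.exe but only 3 taskhostex.exe, so the two-sided test fails.
    ev += [("srv-02", "taskhost.exe", 3000 + i, base + 30 * i) for i in range(20)]
    ev += [("srv-02", "taskhostex.exe", 4000 + i, base + 120 * i) for i in range(3)]
    # srv-03: one taskhost.exe PID logged 15 times; values() de-duplicates, so it counts once.
    ev += [("srv-03", "taskhost.exe", 5000, base + 10 * i) for i in range(15)]
    ev += [("srv-03", "taskhostex.exe", 6000 + i, base + 10 * i) for i in range(15)]
    return ev


def excessive_taskhost(events, span=SPAN, threshold=10):
    """Per (dest, hour bucket): gather the distinct process_ids seen for each of
    the two names (mvcount over values(process_id) counts distinct values) and
    alert only when both counts exceed threshold (taskhost_count > 10 and
    taskhostex_count > 10). Names are case-folded, an assumption of this example."""
    pids = defaultdict(lambda: {"taskhost.exe": set(), "taskhostex.exe": set()})
    first_last = {}
    for dest, name, pid, ts in events:
        name = name.lower()
        if name not in ("taskhost.exe", "taskhostex.exe"):
            continue
        key = (dest, int(ts // span) * span)
        pids[key][name].add(pid)
        lo, hi = first_last.get(key, (ts, ts))
        first_last[key] = (min(lo, ts), max(hi, ts))
    alerts = []
    for (dest, hour), by_name in sorted(pids.items()):
        th, thx = len(by_name["taskhost.exe"]), len(by_name["taskhostex.exe"])
        if th > threshold and thx > threshold:
            alerts.append({"dest": dest, "_time": hour, "taskhost_count": th,
                           "taskhostex_count": thx, "firstTime": first_last[(dest, hour)][0],
                           "lastTime": first_last[(dest, hour)][1]})
    return alerts


if __name__ == "__main__":
    for a in excessive_taskhost(make_events()):
        print(a)
```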

Reference


Test Dataset


version: 1


Executables or script creation in suspicious path

This analytic identifies suspicious executables or scripts (by known file extensions) created in a list of suspicious file paths on Windows. Adversaries use this technique to evade detection. The suspicious file paths are known paths used in the wild where executables or scripts are not commonly found.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1036
  • Last Updated: 2021-05-06

Search

|tstats `security_content_summariesonly` values(Filesystem.file_path) as file_path count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_name = *.exe OR Filesystem.file_name = *.dll OR Filesystem.file_name = *.sys OR Filesystem.file_name = *.com OR Filesystem.file_name = *.vbs OR Filesystem.file_name = *.vbe OR Filesystem.file_name = *.js OR Filesystem.file_name = *.ps1 OR Filesystem.file_name = *.bat OR Filesystem.file_name = *.cmd OR Filesystem.file_name = *.pif) AND ( Filesystem.file_path = *\\windows\\fonts\\* OR Filesystem.file_path = *\\windows\\temp\\* OR Filesystem.file_path = *\\users\\public\\* OR Filesystem.file_path = *\\windows\\debug\\* OR Filesystem.file_path = *\\Users\\Administrator\\Music\\* OR Filesystem.file_path = *\\Windows\\servicing\\* OR Filesystem.file_path = *\\Users\\Default\\* OR Filesystem.file_path = *Recycle.bin* OR Filesystem.file_path = *\\Windows\\Media\\* OR Filesystem.file_path = *\\Windows\\repair\\* OR Filesystem.file_path = *\\AppData\\Local\\Temp*) by Filesystem.file_create_time Filesystem.process_id Filesystem.file_name Filesystem.user | `drop_dm_object_name(Filesystem)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `executables_or_script_creation_in_suspicious_path_filter`

Associated Analytic Story


How To Implement

To successfully implement this search, you need to be ingesting file-system events that include the file name, path and the process responsible for the changes from your endpoints into the `Endpoint` datamodel in the `Filesystem` node.

Required field

  • _time
  • Filesystem.file_path
  • Filesystem.file_create_time
  • Filesystem.process_id
  • Filesystem.file_name
  • Filesystem.user


ATT&CK

ID Technique Tactic
T1036 Masquerading Defense Evasion


Kill Chain Phase

  • Exploitation


Known False Positives

Administrators may allow creation of script or exe in the paths specified. Filter as needed.

Reference


Test Dataset


version: 1


Execution of file with multiple extensions

This search looks for processes launched from files that have double extensions in the file name. This is typically done to obscure the "real" file extension and make it appear as though the file being accessed is a data file, as opposed to executable content.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1036.003
  • Last Updated: 2020-11-18

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = *.doc.exe OR Processes.process = *.htm.exe OR Processes.process = *.html.exe OR Processes.process = *.txt.exe OR Processes.process = *.pdf.exe by Processes.dest Processes.user Processes.process Processes.parent_process | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `drop_dm_object_name(Processes)` | `execution_of_file_with_multiple_extensions_filter`

Associated Analytic Story