Splunk® Security Content

Analytic Stories

This documentation does not apply to the most recent version of ESSOC.

Splunk Security Content Analytic Story


This page lists all the Analytic Stories shipped with the different Splunk products, broken down by category.

Abuse

Brand monitoring

Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into interacting with malicious infrastructure. Monitor DNS, email, and web traffic for permutations of your brand name.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Email, Web
  • ATT&CK:
  • Last Updated: 2017-12-19

Dns amplification attacks

DNS poses a serious threat as a Denial of Service (DoS) amplifier if it responds to `ANY` queries. This Analytic Story can help you detect attackers who may be abusing your company's DNS infrastructure to launch amplification attacks, causing Denial of Service to other victims.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution
  • ATT&CK: T1498.002
  • Last Updated: 2016-09-13

Detection Profile


ATT&CK

ID | Technique | Tactic
T1498.002 | Reflection Amplification | Impact


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Data protection

Fortify your data-protection arsenal, while continuing to ensure data confidentiality and integrity, with searches that monitor for and help you investigate possible signs of data exfiltration.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution
  • ATT&CK: T1189
  • Last Updated: 2017-09-14

Netsh abuse

Detect activities and various techniques associated with the abuse of `netsh.exe`, which can disable local firewall settings or set up a remote connection to a host from an infected system.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1562.004
  • Last Updated: 2017-01-05


Adversary Tactics

Active directory password spraying

Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1110.003
  • Last Updated: 2021-04-07

Bits jobs

Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1197, T1105
  • Last Updated: 2021-03-26

Detection Profile


ATT&CK

ID | Technique | Tactic
T1197 | BITS Jobs | Defense Evasion, Persistence
T1105 | Ingress Tool Transfer | Command And Control


Kill Chain Phase

  • Exploitation


Reference


version: 1


Baron samedit cve-2021-3156

Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability has been found to affect sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and prior). Because the vulnerable code was committed in July 2011, many distributions are affected. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1068
  • Last Updated: 2021-01-27

Detection Profile


ATT&CK

ID | Technique | Tactic
T1068 | Exploitation for Privilege Escalation | Privilege Escalation


Kill Chain Phase

  • Exploitation


Reference


version: 1


Cobalt strike

Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. More recently, Cobalt Strike has become the tool of choice for threat groups due to its ease of use and extensibility.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1560.001 | Archive via Utility | Collection
T1059.003 | Windows Command Shell | Execution
T1543.003 | Windows Service | Persistence, Privilege Escalation
T1055 | Process Injection | Defense Evasion, Privilege Escalation
T1071.002 | File Transfer Protocols | Command And Control
T1218.010 | Regsvr32 | Defense Evasion
T1218.005 | Mshta | Defense Evasion
T1569.002 | Service Execution | Execution
T1027 | Obfuscated Files or Information | Defense Evasion
T1218.011 | Rundll32 | Defense Evasion
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation
T1548 | Abuse Elevation Control Mechanism | Privilege Escalation, Defense Evasion
T1203 | Exploitation for Client Execution | Execution
T1505.003 | Web Shell | Persistence
T1127.001 | MSBuild | Defense Evasion
T1036.003 | Rename System Utilities | Defense Evasion
T1127 | Trusted Developer Utilities Proxy Execution | Defense Evasion
T1071.001 | Web Protocols | Command And Control
T1018 | Remote System Discovery | Discovery


Kill Chain Phase

  • Actions on Objective
  • Actions on Objectives
  • Exploitation
  • Privilege Escalation


Reference


version: 1


Collection and staging

Monitor for and investigate activities, such as suspicious writes to the Windows Recycle Bin or email servers sending high amounts of traffic to specific hosts, that may indicate that an adversary is harvesting and exfiltrating sensitive data.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic
  • ATT&CK: T1560.001, T1114.001, T1114.002, T1036
  • Last Updated: 2020-02-03

Detection Profile


ATT&CK

ID | Technique | Tactic
T1560.001 | Archive via Utility | Collection
T1114.001 | Local Email Collection | Collection
T1114.002 | Remote Email Collection | Collection
T1036 | Masquerading | Defense Evasion


Kill Chain Phase

  • Actions on Objectives
  • Exfiltration
  • Exploitation


Reference


version: 1


Command and control

Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate command and control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1048 | Exfiltration Over Alternative Protocol | Exfiltration
T1071.004 | DNS | Command And Control
T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration
T1095 | Non-Application Layer Protocol | Command And Control
T1041 | Exfiltration Over C2 Channel | Exfiltration
T1189 | Drive-by Compromise | Initial Access
T1114.001 | Local Email Collection | Collection
T1114 | Email Collection | Collection
T1114.003 | Email Forwarding Rule | Collection
T1071.001 | Web Protocols | Command And Control


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Delivery
  • Exfiltration
  • Exploitation


Reference


version: 1


Credential dumping

Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The searches included in this Analytic Story are designed to identify credential dumping attempts.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1003.001 | LSASS Memory | Credential Access
T1055 | Process Injection | Defense Evasion, Privilege Escalation
T1068 | Exploitation for Privilege Escalation | Privilege Escalation
T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access
T1098 | Account Manipulation | Persistence
T1134 | Access Token Manipulation | Defense Evasion, Privilege Escalation
T1543 | Create or Modify System Process | Persistence, Privilege Escalation
T1547 | Boot or Logon Autostart Execution | Persistence, Privilege Escalation
T1548 | Abuse Elevation Control Mechanism | Privilege Escalation, Defense Evasion
T1554 | Compromise Client Software Binary | Persistence
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence
T1558 | Steal or Forge Kerberos Tickets | Credential Access
T1555 | Credentials from Password Stores | Credential Access
T1087 | Account Discovery | Discovery
T1201 | Password Policy Discovery | Discovery
T1552 | Unsecured Credentials | Credential Access
T1003.002 | Security Account Manager | Credential Access
T1003 | OS Credential Dumping | Credential Access
T1003.003 | NTDS | Credential Access
T1558.003 | Kerberoasting | Credential Access
T1059.001 | PowerShell | Execution


Kill Chain Phase

  • Actions on Objectives
  • Exploitation
  • Installation


Reference


version: 3


Dns hijacking

Secure your environment against DNS hijacks with searches that help you detect and investigate unauthorized changes to DNS records.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution
  • ATT&CK: T1189
  • Last Updated: 2020-02-04

Data exfiltration

The stealing of data by an adversary.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1048 | Exfiltration Over Alternative Protocol | Exfiltration
T1071.004 | DNS | Command And Control
T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration
T1095 | Non-Application Layer Protocol | Command And Control
T1041 | Exfiltration Over C2 Channel | Exfiltration
T1189 | Drive-by Compromise | Initial Access
T1114.001 | Local Email Collection | Collection
T1114 | Email Collection | Collection
T1114.003 | Email Forwarding Rule | Collection
T1071.001 | Web Protocols | Command And Control


Kill Chain Phase

  • Actions on Objective
  • Actions on Objectives
  • Exfiltration
  • Exploitation


Reference


version: 1


Deobfuscate-decode files or information

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1140
  • Last Updated: 2021-03-24

Detection Profile


ATT&CK

ID | Technique | Tactic
T1140 | Deobfuscate/Decode Files or Information | Defense Evasion


Kill Chain Phase

  • Exploitation


Reference


version: 1


Detect zerologon attack

Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein attackers target a Microsoft Windows Domain Controller to reset its computer account password. As a result of this attack, attackers can grant themselves high privileges and take over the Domain Controller. The searches included in this Analytic Story are designed to identify attempts to reset the Domain Controller computer account, either remotely via exploit code or via the use of the Mimikatz tool as a payload carrier.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1210, T1003.001, T1190
  • Last Updated: 2020-09-18

Detection Profile


ATT&CK

ID | Technique | Tactic
T1210 | Exploitation of Remote Services | Lateral Movement
T1003.001 | LSASS Memory | Credential Access
T1190 | Exploit Public-Facing Application | Initial Access


Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 1


Disabling security tools

Looks for activities and techniques associated with the disabling of security tools on a Windows system, such as suspicious `reg.exe` processes, processes launching `netsh`, and many others.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1553.004 | Install Root Certificate | Defense Evasion
T1562.001 | Disable or Modify Tools | Defense Evasion
T1562.004 | Disable or Modify System Firewall | Defense Evasion
T1543.003 | Windows Service | Persistence, Privilege Escalation
T1112 | Modify Registry | Defense Evasion


Kill Chain Phase

  • Actions on Objectives
  • Installation


Reference


version: 2


Domain trust discovery

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1482, T1018
  • Last Updated: 2021-03-25

Detection Profile


ATT&CK

ID | Technique | Tactic
T1482 | Domain Trust Discovery | Discovery
T1018 | Remote System Discovery | Discovery


Kill Chain Phase

  • Exploitation


Reference


version: 1


F5 tmui rce cve-2020-5902

Uncover activity consistent with CVE-2020-5902. Discovered by Positive Technologies researchers, this vulnerability affects F5 BIG-IP, BIG-IQ, and Traffix SDC devices (vulnerable versions are listed in the F5 support link below). This vulnerability allows unauthenticated users, as well as authenticated users who have access to the configuration utility, to execute system commands, create or delete files, disable services, and/or execute Java code. This vulnerability can result in full system compromise.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1190
  • Last Updated: 2020-08-02

Hafnium group

The HAFNIUM group was identified by Microsoft as exploiting four Microsoft Exchange CVEs in the wild: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1059.001 | PowerShell | Execution
T1505.003 | Web Shell | Persistence
T1136.001 | Local Account | Persistence
T1021.002 | SMB/Windows Admin Shares | Lateral Movement
T1569.002 | Service Execution | Execution
T1003.001 | LSASS Memory | Credential Access
T1114.002 | Remote Email Collection | Collection
T1003.003 | NTDS | Credential Access
T1190 | Exploit Public-Facing Application | Initial Access


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Execution
  • Exploitation
  • Installation
  • Lateral Movement


Reference


version: 1


Ingress tool transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary-controlled system through the command and control channel to bring tools into the victim network, or through alternate protocols with another tool such as FTP.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1059.001 | PowerShell | Execution
T1197 | BITS Jobs | Defense Evasion, Persistence
T1105 | Ingress Tool Transfer | Command And Control
T1003 | OS Credential Dumping | Credential Access
T1021 | Remote Services | Lateral Movement
T1113 | Screen Capture | Collection
T1123 | Audio Capture | Collection
T1563 | Remote Service Session Hijacking | Lateral Movement
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation
T1134 | Access Token Manipulation | Defense Evasion, Privilege Escalation
T1548 | Abuse Elevation Control Mechanism | Privilege Escalation, Defense Evasion
T1055 | Process Injection | Defense Evasion, Privilege Escalation
T1106 | Native API | Execution
T1569 | System Services | Execution
T1027 | Obfuscated Files or Information | Defense Evasion
T1027.005 | Indicator Removal from Tools | Defense Evasion
T1140 | Deobfuscate/Decode Files or Information | Defense Evasion
T1592 | Gather Victim Host Information | Reconnaissance
T1562 | Impair Defenses | Defense Evasion


Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 1


Lateral movement

Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1550.002 | Pass the Hash | Defense Evasion, Lateral Movement
T1021.002 | SMB/Windows Admin Shares | Lateral Movement
T1569.002 | Service Execution | Execution
T1558.003 | Kerberoasting | Credential Access
T1021.001 | Remote Desktop Protocol | Lateral Movement
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives
  • Execution
  • Exploitation
  • Lateral Movement


Reference


version: 2


Malicious powershell

Attackers are finding stealthy ways to "live off the land," leveraging utilities and tools that come standard on the endpoint, such as PowerShell, to achieve their goals without downloading binary files. These searches can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1059.001 | PowerShell | Execution
T1197 | BITS Jobs | Defense Evasion, Persistence
T1105 | Ingress Tool Transfer | Command And Control
T1003 | OS Credential Dumping | Credential Access
T1021 | Remote Services | Lateral Movement
T1113 | Screen Capture | Collection
T1123 | Audio Capture | Collection
T1563 | Remote Service Session Hijacking | Lateral Movement
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation
T1134 | Access Token Manipulation | Defense Evasion, Privilege Escalation
T1548 | Abuse Elevation Control Mechanism | Privilege Escalation, Defense Evasion
T1055 | Process Injection | Defense Evasion, Privilege Escalation
T1106 | Native API | Execution
T1569 | System Services | Execution
T1027 | Obfuscated Files or Information | Defense Evasion
T1027.005 | Indicator Removal from Tools | Defense Evasion
T1140 | Deobfuscate/Decode Files or Information | Defense Evasion
T1592 | Gather Victim Host Information | Reconnaissance
T1562 | Impair Defenses | Defense Evasion


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Exploitation
  • Installation
  • Privilege Escalation
  • Reconnaissance


Reference


version: 5


Masquerading - rename system utilities

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1036.003 | Rename System Utilities | Defense Evasion
T1127.001 | MSBuild | Defense Evasion
T1218.011 | Rundll32 | Defense Evasion
T1127 | Trusted Developer Utilities Proxy Execution | Defense Evasion
T1036 | Masquerading | Defense Evasion


Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 1


Meterpreter

Meterpreter provides red teams, pen testers and threat actors with interactive access to a compromised host to run commands, upload payloads, download files, and perform other actions.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1033
  • Last Updated: 2021-06-08

Nobelium group

Sunburst is a trojanized update to the SolarWinds Orion IT monitoring and management software. It was discovered by FireEye in December 2020. The actors behind this campaign gained access to numerous public and private organizations around the world.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1560.001 | Archive via Utility | Collection
T1059.003 | Windows Command Shell | Execution
T1543.003 | Windows Service | Persistence, Privilege Escalation
T1055 | Process Injection | Defense Evasion, Privilege Escalation
T1071.002 | File Transfer Protocols | Command And Control
T1218.010 | Regsvr32 | Defense Evasion
T1218.005 | Mshta | Defense Evasion
T1569.002 | Service Execution | Execution
T1027 | Obfuscated Files or Information | Defense Evasion
T1218.011 | Rundll32 | Defense Evasion
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation
T1548 | Abuse Elevation Control Mechanism | Privilege Escalation, Defense Evasion
T1203 | Exploitation for Client Execution | Execution
T1505.003 | Web Shell | Persistence
T1127.001 | MSBuild | Defense Evasion
T1036.003 | Rename System Utilities | Defense Evasion
T1127 | Trusted Developer Utilities Proxy Execution | Defense Evasion
T1071.001 | Web Protocols | Command And Control
T1018 | Remote System Discovery | Discovery


Kill Chain Phase

  • Actions on Objective
  • Actions on Objectives
  • Command and Control
  • Exfiltration
  • Exploitation
  • Installation


Reference


version: 2


Possible backdoor activity associated with mudcarp espionage campaigns

Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1059.001, T1547.001
  • Last Updated: 2020-01-22

Detection Profile


ATT&CK

ID | Technique | Tactic
T1059.001 | PowerShell | Execution
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives
  • Command and Control


Reference


version: 1


Sql injection

Use the searches in this Analytic Story to help you detect structured query language (SQL) injection attempts characterized by long URLs that contain malicious parameters.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Web
  • ATT&CK: T1190
  • Last Updated: 2017-09-19

Detection Profile


ATT&CK

ID | Technique | Tactic
T1190 | Exploit Public-Facing Application | Initial Access


Kill Chain Phase

  • Delivery


Reference


version: 1


Silver sparrow

Silver Sparrow, identified by Red Canary Intelligence, is a new, forward-looking macOS (Intel and M1) malicious software downloader that uses JavaScript for execution and a LaunchAgent to establish persistence.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1105, T1543.001, T1074
  • Last Updated: 2021-02-24

Detection Profile


ATT&CK

ID | Technique | Tactic
T1105 | Ingress Tool Transfer | Command And Control
T1543.001 | Launch Agent | Persistence, Privilege Escalation
T1074 | Data Staged | Collection


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Spearphishing attachments

Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1566.001, T1003.002, T1566.002
  • Last Updated: 2019-04-29

Suspicious command-line executions

Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques, and one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1059.003, T1059, T1068, T1036.003
  • Last Updated: 2020-02-03

Detection Profile


ATT&CK

ID | Technique | Tactic
T1059.003 | Windows Command Shell | Execution
T1059 | Command and Scripting Interpreter | Execution
T1068 | Exploitation for Privilege Escalation | Privilege Escalation
T1036.003 | Rename System Utilities | Defense Evasion


Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 2


Suspicious compiled html activity

Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.001
  • Last Updated: 2021-02-11

Suspicious dns traffic

Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). You can thwart attempts to manipulate this omnipresent protocol by monitoring for these types of abuses.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1048 | Exfiltration Over Alternative Protocol | Exfiltration
T1071.004 | DNS | Command And Control
T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration
T1095 | Non-Application Layer Protocol | Command And Control
T1041 | Exfiltration Over C2 Channel | Exfiltration
T1189 | Drive-by Compromise | Initial Access
T1114.001 | Local Email Collection | Collection
T1114 | Email Collection | Collection
T1114.003 | Email Forwarding Rule | Collection
T1071.001 | Web Protocols | Command And Control


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Exploitation


Reference


version: 1


Suspicious emails

Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Email
  • ATT&CK: T1566.001
  • Last Updated: 2020-01-27

Detection Profile


ATT&CK

ID | Technique | Tactic
T1566.001 | Spearphishing Attachment | Initial Access


Kill Chain Phase

  • Delivery


Reference


version: 1


Suspicious mshta activity

Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.005, T1059.003, T1059, T1547.001
  • Last Updated: 2021-01-20

Detection Profile


ATT&CK

ID | Technique | Tactic
T1218.005 | Mshta | Defense Evasion
T1059.003 | Windows Command Shell | Execution
T1059 | Command and Scripting Interpreter | Execution
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 2


Suspicious okta activity

Monitor your Okta environment for suspicious activities. Due to the COVID-19 outbreak, many users are increasingly migrating to cloud services. Okta is a popular tool for managing multiple users and the web-based applications they need to stay productive. The searches in this story will help you monitor your Okta environment for suspicious activities and associated user behaviors.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078.001
  • Last Updated: 2020-04-02

Suspicious regsvcs regasm activity

Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.009
  • Last Updated: 2021-02-11

Suspicious regsvr32 activity

Monitor and detect techniques used by attackers who leverage the regsvr32.exe process to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.010
  • Last Updated: 2021-01-29

Suspicious rundll32 activity

Monitor and detect techniques used by attackers who leverage rundll32.exe to execute arbitrary malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1218.011, T1003.001, T1036.003
  • Last Updated: 2021-02-03

Suspicious wmi use

Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1546.003, T1047
  • Last Updated: 2018-10-23

Suspicious windows registry activities

Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1548.002 | Bypass User Account Control | Privilege Escalation, Defense Evasion
T1547.010 | Port Monitors | Persistence, Privilege Escalation
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation
T1546.012 | Image File Execution Options Injection | Privilege Escalation, Persistence
T1546.011 | Application Shimming | Privilege Escalation, Persistence


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Suspicious zoom child processes

Attackers are using Zoom as a vector to escalate privileges on a system. This story detects new child processes of Zoom and provides investigative actions for this detection.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1059.003, T1059, T1068, T1036.003
  • Last Updated: 2020-04-13

Detection Profile


ATT&CK

ID | Technique | Tactic
T1059.003 | Windows Command Shell | Execution
T1059 | Command and Scripting Interpreter | Execution
T1068 | Exploitation for Privilege Escalation | Privilege Escalation
T1036.003 | Rename System Utilities | Defense Evasion


Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 1


Trusted developer utilities proxy execution

Monitor and detect behaviors used by attackers who leverage trusted developer utilities to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1127, T1036.003
  • Last Updated: 2021-01-12

Detection Profile


ATT&CK

ID | Technique | Tactic
T1127 | Trusted Developer Utilities Proxy Execution | Defense Evasion
T1036.003 | Rename System Utilities | Defense Evasion


Kill Chain Phase

  • Exploitation


Reference


version: 1


Trusted developer utilities proxy execution msbuild

Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1127.001, T1036.003
  • Last Updated: 2021-01-21

Windows dns sigred cve-2020-1350

Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Check Point researchers, this vulnerability affects Windows Server 2003 to 2019 and is triggered by a malicious DNS response (it only affects DNS over TCP). An attacker can use the malicious payload to cause a buffer overflow on the vulnerable system, leading to compromise. The searches included in this Analytic Story are designed to identify the large response payloads for SIG and KEY DNS records that can be used for the exploit.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution
  • ATT&CK: T1203
  • Last Updated: 2020-07-28

Windows defense evasion tactics

Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg.exe` processes, files hidden with `attrib.exe`, and disabling User Account Control, among many others.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1562.001 | Disable or Modify Tools | Defense Evasion
T1564.001 | Hidden Files and Directories | Defense Evasion
T1548.002 | Bypass User Account Control | Privilege Escalation, Defense Evasion
T1112 | Modify Registry | Defense Evasion
T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion
T1036 | Masquerading | Defense Evasion


Kill Chain Phase

  • Actions on Objectives
  • Delivery
  • Exploitation
  • Privilege Escalation


Reference


version: 1


Windows discovery techniques

Monitors for behaviors associated with adversaries discovering objects in the environment that can be leveraged in the progression of the attack.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access
T1087 | Account Discovery | Discovery
T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation
T1199 | Trusted Relationship | Initial Access
T1482 | Domain Trust Discovery | Discovery
T1590 | Gather Victim Network Information | Reconnaissance
T1591 | Gather Victim Org Information | Reconnaissance
T1595 | Active Scanning | Reconnaissance
T1592 | Gather Victim Host Information | Reconnaissance
T1007 | System Service Discovery | Discovery
T1012 | Query Registry | Discovery
T1046 | Network Service Scanning | Discovery
T1047 | Windows Management Instrumentation | Execution
T1057 | Process Discovery | Discovery
T1083 | File and Directory Discovery | Discovery
T1518 | Software Discovery | Discovery
T1592.002 | Software | Reconnaissance
T1021.002 | SMB/Windows Admin Shares | Lateral Movement
T1135 | Network Share Discovery | Discovery
T1039 | Data from Network Shared Drive | Collection
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation
T1068 | Exploitation for Privilege Escalation | Privilege Escalation
T1543 | Create or Modify System Process | Persistence, Privilege Escalation
T1547 | Boot or Logon Autostart Execution | Persistence, Privilege Escalation
T1574 | Hijack Execution Flow | Persistence, Privilege Escalation, Defense Evasion
T1589.001 | Credentials | Reconnaissance
T1590.001 | Domain Properties | Reconnaissance
T1590.003 | Network Trust Dependencies | Reconnaissance
T1098 | Account Manipulation | Persistence
T1595.002 | Vulnerability Scanning | Reconnaissance
T1055 | Process Injection | Defense Evasion, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Windows log manipulation

Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monitor for suspicious activity surrounding log files--an essential component of an effective defense.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1490, T1070, T1070.001
  • Last Updated: 2017-09-12

Windows persistence techniques

Monitor for activities and techniques associated with maintaining persistence on a Windows system--a sign that an adversary may have compromised your environment.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1574.009 | Path Interception by Unquoted Path | Persistence, Privilege Escalation, Defense Evasion
T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion
T1585 | Establish Accounts | Resource Development
T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access
T1098 | Account Manipulation | Persistence
T1207 | Rogue Domain Controller | Defense Evasion
T1484 | Domain Policy Modification | Defense Evasion, Privilege Escalation
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation
T1134 | Access Token Manipulation | Defense Evasion, Privilege Escalation
T1548 | Abuse Elevation Control Mechanism | Privilege Escalation, Defense Evasion
T1547.010 | Port Monitors | Persistence, Privilege Escalation
T1574.011 | Services Registry Permissions Weakness | Persistence, Privilege Escalation, Defense Evasion
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation
T1546.011 | Application Shimming | Privilege Escalation, Persistence
T1543.003 | Windows Service | Persistence, Privilege Escalation
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation
T1068 | Exploitation for Privilege Escalation | Privilege Escalation


Kill Chain Phase

  • Actions on Objectives
  • Exploitation
  • Installation
  • Privilege Escalation


Reference


version: 2


Windows privilege escalation

Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1068 | Exploitation for Privilege Escalation | Privilege Escalation
T1134 | Access Token Manipulation | Defense Evasion, Privilege Escalation
T1548 | Abuse Elevation Control Mechanism | Privilege Escalation, Defense Evasion
T1546.008 | Accessibility Features | Privilege Escalation, Persistence
T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access
T1098 | Account Manipulation | Persistence
T1546.012 | Image File Execution Options Injection | Privilege Escalation, Persistence


Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 2



Best Practices

Asset tracking

Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/unmanaged devices could be an indication of malicious behavior that should be investigated further.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Sessions
  • ATT&CK:
  • Last Updated: 2017-09-13

Detection Profile



Kill Chain Phase

  • Actions on Objectives
  • Delivery
  • Reconnaissance


Reference


version: 1


Monitor for updates

Monitor your enterprise to ensure that your endpoints are being patched and updated. Adversaries notoriously exploit known vulnerabilities that could be mitigated by applying routine security patches.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Updates
  • ATT&CK:
  • Last Updated: 2017-09-15

Detection Profile



Kill Chain Phase

Reference


version: 1


Prohibited traffic allowed or protocol mismatch

Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Resolution, Network_Traffic
  • ATT&CK: T1021.001, T1189, T1021, T1048, T1048.003, T1071.001
  • Last Updated: 2017-09-11

Detection Profile


ATT&CK

ID | Technique | Tactic
T1021.001 | Remote Desktop Protocol | Lateral Movement
T1189 | Drive-by Compromise | Initial Access
T1021 | Remote Services | Lateral Movement
T1048 | Exfiltration Over Alternative Protocol | Exfiltration
T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration
T1071.001 | Web Protocols | Command And Control


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Delivery
  • Exploitation


Reference


version: 1


Router and infrastructure security

Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. Core routing and switching infrastructure is a common strategic target for attackers.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1200 | Hardware Additions | Initial Access
T1498 | Network Denial of Service | Impact
T1557.002 | ARP Cache Poisoning | Credential Access, Collection
T1557 | Man-in-the-Middle | Credential Access, Collection
T1542.005 | TFTP Boot | Defense Evasion, Persistence
T1020.001 | Traffic Duplication | Exfiltration


Kill Chain Phase

  • Actions on Objectives
  • Delivery
  • Exploitation
  • Reconnaissance


Reference


version: 1


Use of cleartext protocols

Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Traffic
  • ATT&CK:
  • Last Updated: 2017-09-15

Detection Profile



Kill Chain Phase

  • Actions on Objectives
  • Reconnaissance


Reference


version: 1



Cloud Security

Aws cross account activity

Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078, T1550
  • Last Updated: 2018-06-04

Detection Profile


ATT&CK

ID | Technique | Tactic
T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access
T1550 | Use Alternate Authentication Material | Defense Evasion, Lateral Movement


Kill Chain Phase

  • Lateral Movement


Reference


version: 1


Aws iam privilege escalation

This analytic story contains detections that query your AWS CloudTrail logs for activities related to privilege escalation.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1078.004 | Cloud Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access
T1136.003 | Cloud Account | Persistence
T1580 | Cloud Infrastructure Discovery | Discovery
T1110 | Brute Force | Credential Access
T1098 | Account Manipulation | Persistence
T1069.003 | Cloud Groups | Discovery


Kill Chain Phase

  • Actions on Objectives
  • Reconnaissance


Reference


version: 1


Aws network acl activity

Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches help you probe deeper when the facts warrant it.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1562.007
  • Last Updated: 2018-05-21

Aws security hub alerts

This story is focused on detecting Security Hub alerts generated by AWS.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-08-04

Aws user monitoring

Detect and investigate dormant user accounts for your AWS environment that have become active again. Because inactive and ad-hoc accounts are common attack targets, it's critical to enable governance within your environment.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1526
  • Last Updated: 2018-03-12

Detection Profile


ATT&CK

ID | Technique | Tactic
T1526 | Cloud Service Discovery | Discovery


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Cloud cryptomining

Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users are just a few examples of potentially malicious behavior.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078.004, T1535
  • Last Updated: 2019-10-02

Detection Profile


ATT&CK

ID | Technique | Tactic
T1078.004 | Cloud Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access
T1535 | Unused/Unsupported Cloud Regions | Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Cloud federated credential abuse

This analytic story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktops or servers, especially servers that provide federation services such as Windows Active Directory Federation Services. Identity federation relies on objects such as OAuth2 tokens, cookies, or SAML assertions to provide seamless access between cloud and perimeter environments. If these objects are either hijacked or forged, attackers are able to pivot into the victim's cloud environments.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1078, T1003.001, T1136.003, T1556, T1546.012
  • Last Updated: 2021-01-26

Detection Profile


ATT&CK

ID | Technique | Tactic
T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access
T1003.001 | LSASS Memory | Credential Access
T1136.003 | Cloud Account | Persistence
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence
T1546.012 | Image File Execution Options Injection | Privilege Escalation, Persistence


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Installation


Reference


version: 1


Container implantation monitoring and investigation

Use the searches in this story to monitor your Kubernetes registry repositories for the upload and deployment of potentially vulnerable, backdoored, or implanted containers. These searches provide information on source users, destination paths, container names, and repository names. They provide context to address MITRE ATT&CK T1525, which covers the upload of implanted container images to a company's repository in Amazon Elastic Container Registry, Google Container Registry, or Azure Container Registry.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1525
  • Last Updated: 2020-02-20

Detection Profile


ATT&CK

ID | Technique | Tactic
T1525 | Implant Internal Image | Persistence


Kill Chain Phase

Reference


version: 1


Gcp cross account activity

Track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1078
  • Last Updated: 2020-09-01

Detection Profile


ATT&CK

ID | Technique | Tactic
T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

  • Lateral Movement


Reference


version: 1


Kubernetes scanning activity

This story addresses detection of Kubernetes cluster fingerprinting scans and attacks by providing information on items such as source IP, user agent, and cluster names.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1526
  • Last Updated: 2020-04-15

Detection Profile


ATT&CK

ID | Technique | Tactic
T1526 | Cloud Service Discovery | Discovery


Kill Chain Phase

  • Reconnaissance


Reference


version: 1


Kubernetes sensitive object access activity

This story addresses detection and response for accounts accessing sensitive Kubernetes cluster objects such as ConfigMaps or Secrets, providing information on items such as user, group, object, namespace, and authorization reason.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2020-05-20

Office 365 detections

This story is focused on detecting Office 365 attacks.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1110.001 | Password Guessing | Credential Access
T1136.003 | Cloud Account | Persistence
T1562.007 | Disable or Modify Cloud Firewall | Defense Evasion
T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence
T1110 | Brute Force | Credential Access
T1114 | Email Collection | Collection
T1114.003 | Email Forwarding Rule | Collection
T1114.002 | Remote Email Collection | Collection


Kill Chain Phase

  • Actions on Objectives
  • Not Applicable


Reference


version: 1


Suspicious aws login activities

Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • ATT&CK: T1535
  • Last Updated: 2019-05-01

Detection Profile


ATT&CK

ID | Technique | Tactic
T1535 | Unused/Unsupported Cloud Regions | Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Suspicious aws s3 activities

Use the searches in this Analytic Story to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1530
  • Last Updated: 2018-07-24

Suspicious aws traffic

Leverage these searches to monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors, such as a spike in blocked outbound traffic in your virtual private cloud (VPC).

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2018-05-07

Detection Profile



Kill Chain Phase

  • Actions on Objectives
  • Command and Control


Reference


version: 1


Suspicious cloud authentication activities

Monitor your cloud authentication events. Searches within this Analytic Story leverage the recent cloud updates to the Authentication data model to help you stay aware of and investigate suspicious login activity.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication
  • ATT&CK: T1535
  • Last Updated: 2020-06-04

Suspicious cloud instance activities

Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078.004
  • Last Updated: 2020-08-25

Detection Profile


ATT&CK

ID | Technique | Tactic
T1078.004 | Cloud Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Suspicious cloud provisioning activities

Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1078
  • Last Updated: 2018-08-20

Suspicious cloud user activities

Detect and investigate suspicious activities by users and roles in your cloud environments.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Change
  • ATT&CK: T1580, T1078.004, T1078
  • Last Updated: 2020-09-04

Detection Profile


ATT&CK

ID | Technique | Tactic
T1580 | Cloud Infrastructure Discovery | Discovery
T1078.004 | Cloud Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access
T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access


Kill Chain Phase

  • Actions on Objectives
  • Reconnaissance


Reference


version: 1


Suspicious gcp storage activities

Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open storage buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1530
  • Last Updated: 2020-08-05


Lateral Movement

Printnightmare cve-2021-34527

The following analytic story identifies behaviors related to PrintNightmare (CVE-2021-34527, previously tracked as CVE-2021-1675), which is used to gain privilege escalation on the vulnerable machine.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1547.012, T1218.011, T1068
  • Last Updated: 2021-07-01


Malware

Clop ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clop, encryption of network shares, deletion and resizing of shadow volume storage, registry key modification, deletion of security logs, and more.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1204 | User Execution | Execution
T1543 | Create or Modify System Process | Persistence, Privilege Escalation
T1485 | Data Destruction | Impact
T1569.001 | Launchctl | Execution
T1569.002 | Service Execution | Execution
T1490 | Inhibit System Recovery | Impact
T1486 | Data Encrypted for Impact | Impact
T1003.002 | Security Account Manager | Credential Access
T1070.001 | Clear Windows Event Logs | Defense Evasion


Kill Chain Phase

  • Actions on Objectives
  • Exploitation
  • Obfuscation
  • Privilege Escalation


Reference


version: 1


Coldroot macos rat

Leverage searches that allow you to detect and investigate unusual activities that relate to the ColdRoot Remote Access Trojan that affects macOS. Examples of these activities include changes to sensitive binaries in the macOS subsystem, process names and executables associated with the RAT, a keyboard tap being installed on a macOS machine, and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK:
  • Last Updated: 2019-01-09

Dhs report ta18-074a

Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearphishing attacks, malware, watering-hole domains, and more.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1136.001 | Local Account | Persistence
T1071.002 | File Transfer Protocols | Command And Control
T1021.002 | SMB/Windows Admin Shares | Lateral Movement
T1569.002 | Service Execution | Execution
T1059.001 | PowerShell | Execution
T1562.004 | Disable or Modify System Firewall | Defense Evasion
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation
T1543.003 | Windows Service | Persistence, Privilege Escalation
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation
T1204.002 | Malicious File | Execution
T1112 | Modify Registry | Defense Evasion


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Execution
  • Exploitation
  • Installation
  • Lateral Movement


Reference


version: 2


Darkside ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the DarkSide ransomware.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1003.002 | Security Account Manager | Credential Access
T1197 | BITS Jobs | Defense Evasion, Persistence
T1105 | Ingress Tool Transfer | Command And Control
T1218.003 | CMSTP | Defense Evasion
T1055 | Process Injection | Defense Evasion, Privilege Escalation
T1490 | Inhibit System Recovery | Impact
T1003.001 | LSASS Memory | Credential Access
T1021.002 | SMB/Windows Admin Shares | Lateral Movement
T1020 | Automated Exfiltration | Exfiltration
T1569.002 | Service Execution | Execution
T1486 | Data Encrypted for Impact | Impact
T1548.002 | Bypass User Account Control | Privilege Escalation, Defense Evasion


Kill Chain Phase

  • Actions on Objectives
  • Execution
  • Exfiltration
  • Exploitation
  • Lateral Movement
  • Obfuscation


Reference


version: 1


Dynamic dns

Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and deny lists.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1048 | Exfiltration Over Alternative Protocol | Exfiltration
T1071.004 | DNS | Command And Control
T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration
T1095 | Non-Application Layer Protocol | Command And Control
T1041 | Exfiltration Over C2 Channel | Exfiltration
T1189 | Drive-by Compromise | Initial Access
T1114.001 | Local Email Collection | Collection
T1114 | Email Collection | Collection
T1114.003 | Email Forwarding Rule | Collection
T1071.001 | Web Protocols | Command And Control


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Exploitation


Reference


version: 2


Emotet malware dhs report ta18-201a

Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has compromised your environment.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1059.003 | Windows Command Shell | Execution
T1072 | Software Deployment Tools | Execution, Lateral Movement
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation
T1021.002 | SMB/Windows Admin Shares | Lateral Movement
T1566.001 | Spearphishing Attachment | Initial Access


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Delivery
  • Exploitation
  • Installation


Reference


version: 1


Hidden cobra malware

Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored cybercriminals. Details of this activity were reported in DHS Report TA-18-149A.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1070.005 | Network Share Connection Removal | Defense Evasion
T1071.004 | DNS | Command And Control
T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration
T1071.002 | File Transfer Protocols | Command And Control
T1021.001 | Remote Desktop Protocol | Lateral Movement
T1021.002 | SMB/Windows Admin Shares | Lateral Movement


Kill Chain Phase

  • Actions on Objectives
  • Command and Control


Reference


version: 2


Orangeworm attack group

Detect activities and various techniques associated with the Orangeworm Attack Group, a group that frequently targets the healthcare industry.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1569.002 | Service Execution | Execution
T1055 | Process Injection | Defense Evasion, Privilege Escalation
T1106 | Native API | Execution
T1569 | System Services | Execution
T1574.011 | Services Registry Permissions Weakness | Persistence, Privilege Escalation, Defense Evasion
T1543.003 | Windows Service | Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives
  • Installation


Reference


version: 2


Ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware: spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, system processes run from unexpected locations, and many others.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1548 | Abuse Elevation Control Mechanism | Privilege Escalation, Defense Evasion
T1490 | Inhibit System Recovery | Impact
T1218.003 | CMSTP | Defense Evasion
T1070.004 | File Deletion | Defense Evasion
T1485 | Data Destruction | Impact
T1204 | User Execution | Execution
T1020 | Automated Exfiltration | Exfiltration
T1087.002 | Domain Account | Discovery
T1087.001 | Local Account | Discovery
T1482 | Domain Trust Discovery | Discovery
T1069.002 | Domain Groups | Discovery
T1069.001 | Local Groups | Discovery
T1070.001 | Clear Windows Event Logs | Defense Evasion
T1491 | Defacement | Impact
T1222 | File and Directory Permissions Modification | Defense Evasion
T1048 | Exfiltration Over Alternative Protocol | Exfiltration
T1592 | Gather Victim Host Information | Reconnaissance
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation
T1047 | Windows Management Instrumentation | Execution
T1112 | Modify Registry | Defense Evasion
T1021.002 | SMB/Windows Admin Shares | Lateral Movement
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation
T1036.003 | Rename System Utilities | Defense Evasion
T1071.001 | Web Protocols | Command And Control
T1070 | Indicator Removal on Host | Defense Evasion


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Delivery
  • Exfiltration
  • Exploitation
  • Privilege Escalation
  • Reconnaissance


Reference


version: 1


Ransomware cloud

Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches include cloud-related objects that may be targeted by malicious actors via the cloud providers' own encryption features.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • ATT&CK: T1486
  • Last Updated: 2020-10-27

Revil ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the REvil ransomware, including looking for file writes associated with REvil, encryption of network shares, deletion of shadow volume storage, registry key modification, deletion of security logs, and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1490, T1491, T1204, T1112, T1218.003
  • Last Updated: 2021-06-04

Detection Profile


ATT&CK

ID | Technique | Tactic
T1490 | Inhibit System Recovery | Impact
T1491 | Defacement | Impact
T1204 | User Execution | Execution
T1112 | Modify Registry | Defense Evasion
T1218.003 | CMSTP | Defense Evasion


Kill Chain Phase

  • Exploitation


Reference


version: 1


Ryuk ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, stopping of the Security Account Manager, DisableAntiSpyware registry key modification, suspicious psexec use, and more.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1490 | Inhibit System Recovery | Impact
T1485 | Data Destruction | Impact
T1482 | Domain Trust Discovery | Discovery
T1021.001 | Remote Desktop Protocol | Lateral Movement
T1486 | Data Encrypted for Impact | Impact
T1059.003 | Windows Command Shell | Execution
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation
T1562.001 | Disable or Modify Tools | Defense Evasion
T1489 | Service Stop | Impact


Kill Chain Phase

  • Actions on Objectives
  • Delivery
  • Exploitation
  • Lateral Movement
  • Privilege Escalation
  • Reconnaissance


Reference


version: 1


Samsam ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ransomware, including looking for file writes associated with SamSam, RDP brute force attacks, the presence of files with SamSam ransomware extensions, suspicious psexec use, and more.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1204.002 | Malicious File | Execution
T1485 | Data Destruction | Impact
T1490 | Inhibit System Recovery | Impact
T1021.002 | SMB/Windows Admin Shares | Lateral Movement
T1569.002 | Service Execution | Execution
T1082 | System Information Discovery | Discovery
T1021.001 | Remote Desktop Protocol | Lateral Movement
T1486 | Data Encrypted for Impact | Impact


Kill Chain Phase

  • Actions on Objectives
  • Delivery
  • Execution
  • Exploitation
  • Installation
  • Lateral Movement
  • Reconnaissance


Reference


version: 1


Trickbot

Leverage searches that allow you to detect and investigate unusual activities that might relate to the TrickBot banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution, and data collection, including in LDAP environments.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1087.002 | Domain Account | Discovery
T1562.001 | Disable or Modify Tools | Defense Evasion
T1055 | Process Injection | Defense Evasion, Privilege Escalation
T1566.001 | Spearphishing Attachment | Initial Access
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation
T1218.011 | Rundll32 | Defense Evasion
T1590.005 | IP Addresses | Reconnaissance
T1027 | Obfuscated Files or Information | Defense Evasion
T1059 | Command and Scripting Interpreter | Execution
T1021.002 | SMB/Windows Admin Shares | Lateral Movement


Kill Chain Phase

  • Actions on Objectives
  • Exploitation
  • Installation
  • Lateral Movement


Reference


version: 1


Unusual processes

Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1003 | OS Credential Dumping | Credential Access
T1016 | System Network Configuration Discovery | Discovery
T1059 | Command and Scripting Interpreter | Execution
T1117 | Regsvr32 |
T1202 | Indirect Command Execution | Defense Evasion
T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation
T1203 | Exploitation for Client Execution | Execution
T1072 | Software Deployment Tools | Execution, Lateral Movement
T1218.011 | Rundll32 | Defense Evasion
T1036.003 | Rename System Utilities | Defense Evasion
T1190 | Exploit Public-Facing Application | Initial Access


Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Denial of Service
  • Exploitation
  • Installation
  • Privilege Escalation


Reference


version: 2


Windows file extension and association abuse

Detect and investigate suspected abuse of file extensions and Windows file associations. Some of the malicious behaviors involved may include inserting spaces before file extensions or prepending the file extension with a different one, among other techniques.

Detection Profile


ATT&CK

ID | Technique | Tactic
T1036.003 | Rename System Utilities | Defense Evasion
T1127.001 | MSBuild | Defense Evasion
T1218.011 | Rundll32 | Defense Evasion
T1127 | Trusted Developer Utilities Proxy Execution | Defense Evasion
T1036 | Masquerading | Defense Evasion


Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Windows service abuse

Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner.

Detection Profile


ATT&CK

ID Technique Tactic
T1569.002 Service Execution Execution
T1055 Process Injection Defense Evasion, Privilege Escalation
T1106 Native API Execution
T1569 System Services Execution
T1574.011 Services Registry Permissions Weakness Persistence, Privilege Escalation, Defense Evasion
T1543.003 Windows Service Persistence, Privilege Escalation


Kill Chain Phase

  • Actions on Objectives
  • Installation


Reference


version: 3


Xmrig

Leverage searches that allow you to detect and investigate unusual activities that might relate to the XMRig Monero miner, including file writes associated with its payload, its process command line, defense evasion (killing services, deleting users, modifying file or folder permissions, killing other malware or other coin miners) and hacking tools, including Telegram used as a means of command and control (C2) to download other files. Adversaries may leverage the resources of co-opted systems to solve resource-intensive problems, which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. (1) Servers and cloud-based (2) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.

Detection Profile


ATT&CK

ID Technique Tactic
T1531 Account Access Removal Impact
T1222 File and Directory Permissions Modification Defense Evasion
T1562.001 Disable or Modify Tools Defense Evasion
T1105 Ingress Tool Transfer Command and Control
T1087 Account Discovery Discovery
T1489 Service Stop Impact
T1036 Masquerading Defense Evasion
T1053 Scheduled Task/Job Execution, Persistence, Privilege Escalation
T1543.003 Windows Service Persistence, Privilege Escalation
T1543 Create or Modify System Process Persistence, Privilege Escalation


Kill Chain Phase

  • Exploitation


Reference


version: 1



Vulnerability

Apache struts vulnerability

Detect and investigate activities--such as an unusually long `Content-Type` header, suspicious Java classes, and web servers executing suspicious processes--consistent with attempts to exploit Apache Struts vulnerabilities.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • ATT&CK: T1082
  • Last Updated: 2018-12-06

Detection Profile


ATT&CK

ID Technique Tactic
T1082 System Information Discovery Discovery


Kill Chain Phase

  • Actions on Objectives
  • Delivery
  • Exploitation


Reference


version: 1


Jboss vulnerability

In March of 2016, adversaries were seen using JexBoss--an open-source utility used for testing and exploiting JBoss application servers. These searches help detect evidence of these attacks, such as network connections to external resources or web services spawning atypical child processes, among others.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Web
  • ATT&CK: T1082
  • Last Updated: 2017-09-14

Detection Profile


ATT&CK

ID Technique Tactic
T1082 System Information Discovery Discovery


Kill Chain Phase

  • Delivery
  • Reconnaissance


Reference


version: 1




#############
# Automatically generated by doc_gen.py in https://github.com/splunk/security_content
# On Date: 2021-07-02 15:57:11.500371 UTC
# Author: Splunk Security Research
# Contact: research@splunk.com
#############
Last modified on 30 July, 2021

This documentation applies to the following versions of Splunk® Security Content: 3.25.0
