Splunk Security Content Analytic Story

---

All the Analytic Stories shipped to different Splunk products. Below is a breakdown by Category.

Abuse

Brand monitoring

Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into interacting with malicious infrastructure. Monitor DNS, email, and web traffic for permutations of your brand name.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Email, Endpoint, Web
• ATT&CK:
• Last Updated: 2017-12-19

---

Dns amplification attacks

DNS poses a serious threat as a Denial of Service (DOS) amplifier, if it responds to `ANY` queries. This Analytic Story can help you detect attackers who may be abusing your company's DNS infrastructure to launch amplification attacks, causing Denial of Service to other victims.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Network_Resolution
• ATT&CK: T1498.002
• Last Updated: 2016-09-13

---

Data protection

Fortify your data-protection arsenal--while continuing to ensure data confidentiality and integrity--with searches that monitor for and help you investigate possible signs of data exfiltration.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Network_Resolution, Network_Traffic
• ATT&CK: T1189
• Last Updated: 2017-09-14

---

Netsh abuse

Detect activities and various techniques associated with the abuse of `netsh.exe`, which can disable local firewall settings or set up a remote connection to a host from an infected system.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Network_Traffic
• ATT&CK: T1562.004
• Last Updated: 2017-01-05

---

Adversary Tactics

Active directory discovery

Monitor for activities and techniques associated with Discovery and Reconnaissance within with Active Directory environments.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1087.002, T1201, T1087.001
• Last Updated: 2021-08-20

---

Active directory password spraying

Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1110.003
• Last Updated: 2021-04-07

---

Bits jobs

Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1197, T1105
• Last Updated: 2021-03-26

---

Baron samedit cve-2021-3156

Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability has been found to affect sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and prior). As this vulnerability was committed to code in July 2011, there will be many distributions affected. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel:
• ATT&CK: T1068
• Last Updated: 2021-01-27

---

Cobalt strike

Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and evaluate mature security programs. Most recently, Cobalt Strike has become the choice tool by threat groups due to its ease of use and extensibility.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1560.001, T1059.003, T1543.003, T1055, T1071.002, T1218.010, T1218.005, T1569.002, T1027, T1218.011, T1053.005, T1548, T1203, T1505.003, T1127.001, T1036.003, T1127, T1071.001, T1018
• Last Updated: 2021-02-16

---

Collection and staging

Monitor for and investigate activities--such as suspicious writes to the Windows Recycling Bin or email servers sending high amounts of traffic to specific hosts, for example--that may indicate that an adversary is harvesting and exfiltrating sensitive data.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Network_Traffic
• ATT&CK: T1560.001, T1114.001, T1114.002, T1036
• Last Updated: 2020-02-03

---

Command and control

Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate command and control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Network_Resolution, Network_Traffic
• ATT&CK: T1048, T1071.004, T1048.003, T1095, T1041, T1189, T1537, T1114.001, T1114, T1114.003, T1071.001
• Last Updated: 2018-06-01

---

Credential dumping

Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The included searches in this Analytic Story are designed to identify attempts to credential dumping.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Authentication, Endpoint
• ATT&CK: T1003.001, T1055, T1068, T1078, T1098, T1134, T1543, T1547, T1548, T1554, T1556, T1558, T1555, T1087, T1201, T1552, T1003, T1003.002, T1003.003, T1558.003, T1059.001
• Last Updated: 2020-02-04

---

Dns hijacking

Secure your environment against DNS hijacks with searches that help you detect and investigate unauthorized changes to DNS records.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Network_Resolution
• ATT&CK: T1189
• Last Updated: 2020-02-04

---

Data exfiltration

The stealing of data by an adversary.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Network_Traffic
• ATT&CK: T1048, T1071.004, T1048.003, T1095, T1041, T1189, T1537, T1114.001, T1114, T1114.003, T1071.001
• Last Updated: 2020-10-21

---

Deobfuscate-decode files or information

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1140
• Last Updated: 2021-03-24

---

Detect zerologon attack

Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein attackers target a Microsoft Windows Domain Controller to reset its computer account password. The result from this attack is attackers can now provide themselves high privileges and take over Domain Controller. The included searches in this Analytic Story are designed to identify attempts to reset Domain Controller Computer Account via exploit code remotely or via the use of tool Mimikatz as payload carrier.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel:
• ATT&CK: T1210, T1003.001, T1190
• Last Updated: 2020-09-18

---

Disabling security tools

Looks for activities and techniques associated with the disabling of security tools on a Windows system, such as suspicious `reg.exe` processes, processes launching netsh, and many others.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Network_Traffic
• ATT&CK: T1553.004, T1562.001, T1562.004, T1543.003, T1112
• Last Updated: 2020-02-04

---

Domain trust discovery

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1482, T1018
• Last Updated: 2021-03-25

---

F5 tmui rce cve-2020-5902

Uncover activity consistent with CVE-2020-5902. Discovered by Positive Technologies researchers, this vulnerability affects F5 BIG-IP, BIG-IQ. and Traffix SDC devices (vulnerable versions in F5 support link below). This vulnerability allows unauthenticated users, along with authenticated users, who have access to the configuration utility to execute system commands, create/delete files, disable services, and/or execute Java code. This vulnerability can result in full system compromise.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel:
• ATT&CK: T1190
• Last Updated: 2020-08-02

---

Hafnium group

HAFNIUM group was identified by Microsoft as exploiting 4 Microsoft Exchange CVEs in the wild - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Network_Traffic
• ATT&CK: T1059.001, T1505.003, T1136.001, T1021.002, T1569.002, T1003.001, T1114.002, T1003.003, T1190
• Last Updated: 2021-03-03

---

Ingress tool transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1059.001, T1197, T1105, T1003, T1021, T1113, T1123, T1563, T1053, T1134, T1548, T1055, T1106, T1569, T1027, T1027.005, T1546.015, T1140, T1592, T1562
• Last Updated: 2021-03-24

---

Lateral movement

Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Authentication, Email, Endpoint, Network_Traffic
• ATT&CK: T1550.002, T1021.002, T1569.002, T1558.003, T1021.001, T1053.005
• Last Updated: 2020-02-04

---

Malicious powershell

Attackers are finding stealthy ways "live off the land," leveraging utilities and tools that come standard on the endpoint--such as PowerShell--to achieve their goals without downloading binary files. These searches can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Email, Endpoint
• ATT&CK: T1059.001, T1197, T1105, T1003, T1021, T1113, T1123, T1563, T1053, T1134, T1548, T1055, T1106, T1569, T1027, T1027.005, T1546.015, T1140, T1592, T1562
• Last Updated: 2017-08-23

---

Masquerading - rename system utilities

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1036.003, T1127.001, T1218.011, T1127, T1036
• Last Updated: 2021-04-26

---

Meterpreter

Meterpreter provides red teams, pen testers and threat actors interactive access to a compromised host to run commands, upload payloads, download files, and other actions.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1033
• Last Updated: 2021-06-08

---

Microsoft mshtml remote code execution cve-2021-40444

CVE-2021-40444 is a remote code execution vulnerability in MSHTML, recently used to delivery targeted spearphishing documents.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1218.002, T1566.001, T1218.011
• Last Updated: 2021-09-08

---

Nobelium group

Sunburst is a trojanized updates to SolarWinds Orion IT monitoring and management software. It was discovered by FireEye in December 2020. The actors behind this campaign gained access to numerous public and private organizations around the world.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Network_Traffic, Web
• ATT&CK: T1560.001, T1059.003, T1543.003, T1055, T1071.002, T1218.010, T1218.005, T1569.002, T1027, T1218.011, T1053.005, T1548, T1203, T1505.003, T1127.001, T1036.003, T1127, T1071.001, T1018
• Last Updated: 2020-12-14

---

Petitpotam ntlm relay on active directory certificate services

PetitPotam (CVE-2021-36942,) is a vulnerablity identified in Microsofts EFSRPC Protocol that can allow an unauthenticated account to escalate privileges to domain administrator given the right circumstances.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel:
• ATT&CK: T1187, T1003
• Last Updated: 2021-08-31

---

Possible backdoor activity associated with mudcarp espionage campaigns

Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Email, Endpoint
• ATT&CK: T1059.001, T1547.001
• Last Updated: 2020-01-22

---

Proxyshell

ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1505.003, T1190, T1059.001
• Last Updated: 2021-08-24

---

Sql injection

Use the searches in this Analytic Story to help you detect structured query language (SQL) injection attempts characterized by long URLs that contain malicious parameters.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Web
• ATT&CK: T1190
• Last Updated: 2017-09-19

---

Silver sparrow

Silver Sparrow, identified by Red Canary Intelligence, is a new forward looking MacOS (Intel and M1) malicious software downloader utilizing JavaScript for execution and a launchAgent to establish persistence.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1105, T1543.001, T1074
• Last Updated: 2021-02-24

---

Spearphishing attachments

Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1566.001, T1003.002, T1566.002
• Last Updated: 2019-04-29

---

Suspicious command-line executions

Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques--one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1059.003, T1059, T1068, T1036.003
• Last Updated: 2020-02-03

---

Suspicious compiled html activity

Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1218.001
• Last Updated: 2021-02-11

---

Suspicious dns traffic

Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). You can thwart attempts to manipulate this omnipresent protocol by monitoring for these types of abuses.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Network_Resolution, Network_Traffic
• ATT&CK: T1048, T1071.004, T1048.003, T1095, T1041, T1189, T1537, T1114.001, T1114, T1114.003, T1071.001
• Last Updated: 2017-09-18

---

Suspicious emails

Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Email
• ATT&CK: T1566.001
• Last Updated: 2020-01-27

---

Suspicious mshta activity

Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1218.005, T1059.003, T1059, T1547.001
• Last Updated: 2021-01-20

---

Suspicious okta activity

Monitor your Okta environment for suspicious activities. Due to the Covid outbreak, many users are migrating over to leverage cloud services more and more. Okta is a popular tool to manage multiple users and the web-based applications they need to stay productive. The searches in this story will help monitor your Okta environment for suspicious activities and associated user behaviors.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel:
• ATT&CK: T1078.001
• Last Updated: 2020-04-02

---

Suspicious regsvcs regasm activity

Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1218.009
• Last Updated: 2021-02-11

---

Suspicious regsvr32 activity

Monitor and detect techniques used by attackers who leverage the regsvr32.exe process to execute malicious code.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1218.010
• Last Updated: 2021-01-29

---

Suspicious rundll32 activity

Monitor and detect techniques used by attackers who leverage rundll32.exe to execute arbitrary malicious code.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1218.011, T1003.001, T1036.003
• Last Updated: 2021-02-03

---

Suspicious wmi use

Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1546.003, T1047
• Last Updated: 2018-10-23

---

Suspicious windows registry activities

Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1548.002, T1547.010, T1547.001, T1546.012, T1546.011
• Last Updated: 2018-05-31

---

Suspicious zoom child processes

Attackers are using Zoom as an vector to increase privileges on a sytems. This story detects new child processes of zoom and provides investigative actions for this detection.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1059.003, T1059, T1068, T1036.003
• Last Updated: 2020-04-13

---

Trusted developer utilities proxy execution

Monitor and detect behaviors used by attackers who leverage trusted developer utilities to execute malicious code.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1127, T1036.003
• Last Updated: 2021-01-12

---

Trusted developer utilities proxy execution msbuild

Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious code.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1127.001, T1036.003
• Last Updated: 2021-01-21

---

Windows dns sigred cve-2020-1350

Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Checkpoint researchers, this vulnerability affects Windows 2003 to 2019, and is triggered by a malicious DNS response (only affects DNS over TCP). An attacker can use the malicious payload to cause a buffer overflow on the vulnerable system, leading to compromise. The included searches in this Analytic Story are designed to identify the large response payload for SIG and KEY DNS records which can be used for the exploit.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Network_Resolution
• ATT&CK: T1203
• Last Updated: 2020-07-28

---

Windows defense evasion tactics

Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg.exe` processes, files hidden with `attrib.exe` and disabling user-account control, among many others

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1562.001, T1564.001, T1548.002, T1112, T1222.001, T1036
• Last Updated: 2018-05-31

---

Windows discovery techniques

Monitors for behaviors associated with adversaries discovering objects in the environment that can be leveraged in the progression of the attack.

• Product: Splunk Behavioral Analytics, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel:
• ATT&CK: T1078, T1087, T1484, T1199, T1482, T1590, T1591, T1595, T1592, T1007, T1012, T1046, T1047, T1057, T1083, T1518, T1592.002, T1021.002, T1135, T1039, T1053, T1068, T1543, T1547, T1574, T1589.001, T1590.001, T1590.003, T1098, T1595.002, T1055
• Last Updated: 2021-03-04

---

Windows log manipulation

Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monitor for suspicious activity surrounding log files--an essential component of an effective defense.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1490, T1070, T1070.001
• Last Updated: 2017-09-12

---

Windows persistence techniques

Monitor for activities and techniques associated with maintaining persistence on a Windows system--a sign that an adversary may have compromised your environment.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1574.009, T1222.001, T1585, T1078, T1098, T1207, T1484, T1053, T1134, T1548, T1547.010, T1574.011, T1547.001, T1546.011, T1543.003, T1053.005, T1068
• Last Updated: 2018-05-31

---

Windows privilege escalation

Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1068, T1134, T1548, T1546.008, T1078, T1098, T1546.012
• Last Updated: 2020-02-04

---

Best Practices

Asset tracking

Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/unmanaged devices could be an indication of malicious behavior that should be investigated further.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Network_Sessions
• ATT&CK:
• Last Updated: 2017-09-13

---

Monitor for updates

Monitor your enterprise to ensure that your endpoints are being patched and updated. Adversaries notoriously exploit known vulnerabilities that could be mitigated by applying routine security patches.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Updates
• ATT&CK:
• Last Updated: 2017-09-15

---

Prohibited traffic allowed or protocol mismatch

Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Network_Resolution, Network_Traffic
• ATT&CK: T1021.001, T1189, T1021, T1048, T1048.003, T1071.001
• Last Updated: 2017-09-11

---

Router and infrastructure security

Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. Core routing and switching infrastructure are common strategic targets for attackers.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Authentication, Network_Traffic
• ATT&CK: T1200, T1498, T1557.002, T1557, T1542.005, T1020.001
• Last Updated: 2017-09-12

---

Use of cleartext protocols

Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Network_Traffic
• ATT&CK:
• Last Updated: 2017-09-15

---

Cloud Security

Aws cross account activity

Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel:
• ATT&CK: T1078, T1550
• Last Updated: 2018-06-04

---

Aws iam privilege escalation

This analytic story contains detections that query your AWS Cloudtrail for activities related to privilege escalation.

• Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel:
• ATT&CK: T1078.004, T1136.003, T1580, T1110, T1098, T1069.003
• Last Updated: 2021-03-08

---

Aws network acl activity

Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches help you probe deeper, when the facts warrant it.

• Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Network_Traffic
• ATT&CK: T1562.007
• Last Updated: 2018-05-21

---

Aws security hub alerts

This story is focused around detecting Security Hub alerts generated from AWS

• Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel:
• ATT&CK:
• Last Updated: 2020-08-04

---

Aws user monitoring

Detect and investigate dormant user accounts for your AWS environment that have become active again. Because inactive and ad-hoc accounts are common attack targets, it's critical to enable governance within your environment.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel:
• ATT&CK: T1526
• Last Updated: 2018-03-12

---

Cloud cryptomining

Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users are just a few examples of potentially malicious behavior.

• Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Change
• ATT&CK: T1078.004, T1535
• Last Updated: 2019-10-02

---

Cloud federated credential abuse

This analytical story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktop or servers specially those servers that provide federation services such as Windows Active Directory Federation Services. Identity Federation relies on objects such as Oauth2 tokens, cookies or SAML assertions in order to provide seamless access between cloud and perimeter environments. If these objects are either hijacked or forged then attackers will be able to pivot into victim's cloud environements.

• Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1078, T1003.001, T1136.003, T1556, T1546.012
• Last Updated: 2021-01-26

---

Container implantation monitoring and investigation

Use the searches in this story to monitor your Kubernetes registry repositories for upload, and deployment of potentially vulnerable, backdoor, or implanted containers. These searches provide information on source users, destination path, container names and repository names. The searches provide context to address Mitre T1525 which refers to container implantation upload to a company's repository either in Amazon Elastic Container Registry, Google Container Registry and Azure Container Registry.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel:
• ATT&CK: T1525
• Last Updated: 2020-02-20

---

Dev sec ops

This story is focused around detecting attacks on a DevSecOps lifeccycle which consists of the phases plan, code, build, test, release, deploy, operate and monitor.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Dev Sec Ops Analytics
• Datamodel:
• ATT&CK: T1204.003, T1554, T1195.001, T1212, T1526
• Last Updated: 2021-08-18

---

Gcp cross account activity

Track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel:
• ATT&CK: T1078
• Last Updated: 2020-09-01

---

Kubernetes scanning activity

This story addresses detection against Kubernetes cluster fingerprint scan and attack by providing information on items such as source ip, user agent, cluster names.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel:
• ATT&CK: T1526
• Last Updated: 2020-04-15

---

Kubernetes sensitive object access activity

This story addresses detection and response of accounts acccesing Kubernetes cluster sensitive objects such as configmaps or secrets providing information on items such as user user, group. object, namespace and authorization reason.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel:
• ATT&CK:
• Last Updated: 2020-05-20

---

Office 365 detections

This story is focused around detecting Office 365 Attacks.

• Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel:
• ATT&CK: T1110.001, T1136.003, T1562.007, T1556, T1110, T1114, T1114.003, T1114.002
• Last Updated: 2020-12-16

---

Suspicious aws login activities

Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins.

• Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Authentication
• ATT&CK: T1535
• Last Updated: 2019-05-01

---

Suspicious aws s3 activities

Use the searches in this Analytic Story to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.

• Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel:
• ATT&CK: T1530
• Last Updated: 2018-07-24

---

Suspicious aws traffic

Leverage these searches to monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors, such as a spike in blocked outbound traffic in your virtual private cloud (VPC).

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Network_Traffic
• ATT&CK:
• Last Updated: 2018-05-07

---

Suspicious cloud authentication activities

Monitor your cloud authentication events. Searches within this Analytic Story leverage the recent cloud updates to the Authentication data model to help you stay aware of and investigate suspicious login activity.

• Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Authentication
• ATT&CK: T1535
• Last Updated: 2020-06-04

---

Suspicious cloud instance activities

Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.

• Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Change
• ATT&CK: T1078.004, T1537
• Last Updated: 2020-08-25

---

Suspicious cloud provisioning activities

Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.

• Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Change
• ATT&CK: T1078
• Last Updated: 2018-08-20

---

Suspicious cloud user activities

Detect and investigate suspicious activities by users and roles in your cloud environments.

• Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Change
• ATT&CK: T1580, T1078.004, T1078
• Last Updated: 2020-09-04

---

Suspicious gcp storage activities

Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open storage buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel:
• ATT&CK: T1530
• Last Updated: 2020-08-05

---

Lateral Movement

Printnightmare cve-2021-34527

The following analytic story identifies behaviors related PrintNightmare, or CVE-2021-34527 previously known as (CVE-2021-1675), to gain privilege escalation on the vulnerable machine.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1547.012, T1218.011, T1068
• Last Updated: 2021-07-01

---

Malware

Blackmatter ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackMatter ransomware, including looking for file writes associated with BlackMatter, force safe mode boot, autadminlogon account registry modification and more.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1552.002, T1490, T1491, T1486
• Last Updated: 2021-09-06

---

Clop ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clope, encrypting network shares, deleting and resizing shadow volume storage, registry key modification, deleting of security logs, and more.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1204, T1543, T1485, T1569.002, T1490, T1486, T1003.002, T1489, T1070.001
• Last Updated: 2021-03-17

---

Coldroot macos rat

Leverage searches that allow you to detect and investigate unusual activities that relate to the ColdRoot Remote Access Trojan that affects MacOS. An example of some of these activities are changing sensative binaries in the MacOS sub-system, detecting process names and executables associated with the RAT, detecting when a keyboard tab is installed on a MacOS machine and more.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Network_Traffic
• ATT&CK:
• Last Updated: 2019-01-09

---

Dhs report ta18-074a

Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearfishing attacks, malware, watering-hole domains, many and more.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Network_Traffic
• ATT&CK: T1136.001, T1071.002, T1021.002, T1569.002, T1059.001, T1562.004, T1547.001, T1543.003, T1053.005, T1204.002, T1112
• Last Updated: 2020-01-22

---

Darkside ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the DarkSide Ransomware

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1003.002, T1197, T1105, T1218.003, T1055, T1490, T1003.001, T1021.002, T1020, T1569.002, T1486, T1548.002
• Last Updated: 2021-05-12

---

Dynamic dns

Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and deny lists.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Network_Resolution, Network_Traffic
• ATT&CK: T1048, T1071.004, T1048.003, T1095, T1041, T1189, T1537, T1114.001, T1114, T1114.003, T1071.001
• Last Updated: 2018-09-06

---

Emotet malware dhs report ta18-201a

Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has compromised your environment.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Email, Endpoint, Network_Traffic
• ATT&CK: T1059.003, T1072, T1547.001, T1021.002, T1566.001
• Last Updated: 2020-01-27

---

Hidden cobra malware

Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored cybercriminals. Details of this activity were reported in DHS Report TA-18-149A.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Authentication, Email, Endpoint, Network_Resolution, Network_Traffic
• ATT&CK: T1070.005, T1071.004, T1048.003, T1071.002, T1021.001, T1021.002
• Last Updated: 2020-01-22

---

Icedid

Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1087.002, T1562.001, T1059, T1055, T1204.002, T1548.002, T1112, T1560.001, T1218.005, T1482, T1566.001, T1547.001, T1218.011, T1053, T1005, T1218.010, T1590.005, T1027, T1053.005, T1021.002
• Last Updated: 2021-07-29

---

Orangeworm attack group

Detect activities and various techniques associated with the Orangeworm Attack Group, a group that frequently targets the healthcare industry.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Email, Endpoint
• ATT&CK: T1569.002, T1055, T1106, T1569, T1574.011, T1543.003
• Last Updated: 2020-01-22

---

Ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware--spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, and system processes run from unexpected locations, and many others.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Email, Endpoint, Network_Traffic
• ATT&CK: T1560.001, T1562.007, T1548, T1489, T1490, T1218.003, T1070.004, T1485, T1204, T1020, T1087.002, T1087.001, T1482, T1069.002, T1069.001, T1562.001, T1070.001, T1531, T1569.002, T1059.005, T1070, T1222, T1491, T1574.002, T1027.005, T1546.015, T1048, T1592, T1547.001, T1047, T1112, T1218.011, T1021.002, T1053.005, T1036.003, T1071.001, T1218.007
• Last Updated: 2020-02-04

---

Ransomware cloud

Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches include cloud related objects that may be targeted by malicious actors via cloud providers own encryption features.

• Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel:
• ATT&CK: T1486
• Last Updated: 2020-10-27

---

Revil ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Revil ransomware, including looking for file writes associated with Revil, encrypting network shares, deleting shadow volume storage, registry key modification, deleting of security logs, and more.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1562.007, T1490, T1562.001, T1491, T1574.002, T1204, T1112, T1218.003
• Last Updated: 2021-06-04

---

Ryuk ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, Stopping Security Access Manager, DisableAntiSpyware registry key modification, suspicious psexec use, and more.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Network_Traffic
• ATT&CK: T1490, T1485, T1482, T1021.001, T1486, T1059.003, T1053.005, T1562.001, T1489
• Last Updated: 2020-11-06

---

Samsam ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ransomware, including looking for file writes associated with SamSam, RDP brute force attacks, the presence of files with SamSam ransomware extensions, suspicious psexec use, and more.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Authentication, Email, Endpoint, Network_Traffic, Web
• ATT&CK: T1036.005, T1595, T1003, T1489, T1204.002, T1485, T1531, T1490, T1222, T1021.002, T1569.002, T1082, T1016, T1562.001, T1105, T1087, T1036, T1059, T1117, T1202, T1053, T1203, T1072, T1021.001, T1218.011, T1486, T1543.003, T1543, T1036.003, T1190
• Last Updated: 2018-12-13

---

Trickbot

Leverage searches that allow you to detect and investigate unusual activities that might relate to the trickbot banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection even in LDAP environment.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1087.002, T1562.001, T1059, T1055, T1204.002, T1548.002, T1112, T1560.001, T1218.005, T1482, T1566.001, T1547.001, T1218.011, T1053, T1005, T1218.010, T1590.005, T1027, T1053.005, T1021.002
• Last Updated: 2021-04-20

---

Unusual processes

Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1036.005, T1595, T1003, T1489, T1204.002, T1485, T1531, T1490, T1222, T1021.002, T1569.002, T1082, T1016, T1562.001, T1105, T1087, T1036, T1059, T1117, T1202, T1053, T1203, T1072, T1021.001, T1218.011, T1486, T1543.003, T1543, T1036.003, T1190
• Last Updated: 2020-02-04

---

Windows file extension and association abuse

Detect and investigate suspected abuse of file extensions and Windows file associations. Some of the malicious behaviors involved may include inserting spaces before file extensions or prepending the file extension with a different one, among other techniques.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1036.003, T1127.001, T1218.011, T1127, T1036
• Last Updated: 2018-01-26

---

Windows service abuse

Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1569.002, T1055, T1106, T1569, T1574.011, T1543.003
• Last Updated: 2017-11-02

---

Xmrig

Leverage searches that allow you to detect and investigate unusual activities that might relate to the xmrig monero, including looking for file writes associated with its payload, process command-line, defense evasion (killing services, deleting users, modifying files or folder permission, killing other malware or other coin miner) and hacking tools including Telegram as mean of command and control (C2) to download other files. Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability. One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive. (1) Servers and cloud-based (2) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• ATT&CK: T1036.005, T1595, T1003, T1489, T1204.002, T1485, T1531, T1490, T1222, T1021.002, T1569.002, T1082, T1016, T1562.001, T1105, T1087, T1036, T1059, T1117, T1202, T1053, T1203, T1072, T1021.001, T1218.011, T1486, T1543.003, T1543, T1036.003, T1190
• Last Updated: 2021-05-07

---

Vulnerability

Apache struts vulnerability

Detect and investigate activities--such as unusually long `Content-Type` length, suspicious java classes and web servers executing suspicious processes--consistent with attempts to exploit Apache Struts vulnerabilities.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Web
• ATT&CK: T1082
• Last Updated: 2018-12-06

---

Jboss vulnerability

In March of 2016, adversaries were seen using JexBoss--an open-source utility used for testing and exploiting JBoss application servers. These searches help detect evidence of these attacks, such as network connections to external resources or web services spawning atypical child processes, among others.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Web
• ATT&CK: T1082
• Last Updated: 2017-09-14

---

#############
# Automatically generated by doc_gen.py in https://github.com/splunk/security_content
# On Date: 2021-09-09 22:39:05.387193 UTC
# Author: Splunk Security Research
# Contact: research@splunk.com
#############