Techniques
Sample rules
Detect processes used for System Network Configuration Discovery
- source: splunk
- technicques:
- T1016
Description
This search looks for fast execution of processes used for system network configuration discovery on the endpoint.
Detection logic
| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT Processes.user IN ("","unknown") by Processes.dest Processes.process_name Processes.parent_process_name Processes.user _time
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name(Processes)`
| search `system_network_configuration_discovery_tools`
| transaction dest connected=false maxpause=5m
|where eventcount>=5
| table firstTime lastTime dest user process_name process parent_process parent_process_name eventcount
| `detect_processes_used_for_system_network_configuration_discovery_filter`