Techniques
Sample rules
Windows Suspect Process With Authentication Traffic
- source: splunk
- technicques:
- T1087.002
- T1204.002
Description
The following analytic detects executables running from public or temporary locations that are communicating over Windows domain authentication ports/protocols such as LDAP (389), LDAPS (636), and Kerberos (88). It leverages network traffic data to identify processes originating from user-controlled directories. This activity is significant because legitimate applications rarely run from these locations and attempt domain authentication, making it a potential indicator of compromise. If confirmed malicious, attackers could leverage this to access domain resources, potentially leading to further exploitation and lateral movement within the network.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN ("88","389","636") AND All_Traffic.app IN ("*\\users\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip,All_Traffic.dest_port
| `drop_dm_object_name(All_Traffic)`
| rex field=app ".*\\\(?<process_name>.*)$"
| rename app as process
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_suspect_process_with_authentication_traffic_filter`