Techniques
Sample rules
Windows Suspect Process With Authentication Traffic
- source: splunk
- technicques:
- T1087
- T1087.002
- T1204
- T1204.002
Description
This analytic identifies executables running from public or temporary locations that are communicating over windows domain authentication ports/protocol. The ports/protocols include LDAP(389), LDAPS(636), and Kerberos(88). Authentications from applications running from user controlled locations may not be malicious, however actors often attempt to access domain resources after initial compromise from executables in these locations. Most attacker toolkits offer some degree of interaction with AD/LDAP.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN ("88","389","636") AND All_Traffic.app IN ("*\\users\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip,All_Traffic.dest_port
| `drop_dm_object_name(All_Traffic)`
| rex field=app ".*\\\(?<process_name>.*)$"
| rename app as process
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_suspect_process_with_authentication_traffic_filter`