LoFP / none at this time

Sample rules

TOR Traffic

Description

The following analytic looks for allowed network traffic to The Onion Router (Tor), a benign anonymity network that can be abused for a variety of nefarious purposes. Detecting Tor traffic is paramount for upholding network security and mitigating potential threats. Tor's capacity to provide users with anonymity has been exploited by cybercriminals for activities like hacking, data breaches, and illicit content dissemination. Additionally, organizations must monitor Tor usage within their networks to ensure compliance with policies and regulations, as it can bypass conventional monitoring and filtering measures. Lastly, the ability to identify Tor traffic empowers security teams to promptly investigate and address potential security incidents, fortifying the protection of sensitive data and preserving the integrity of the network environment.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.app=tor AND All_Traffic.action=allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `drop_dm_object_name("All_Traffic")` 
| `tor_traffic_filter`

Monitor Web Traffic For Brand Abuse

Description

This search looks for web requests to faux domains that resemble the domain you want monitored for abuse.

Detection logic


| tstats `security_content_summariesonly` values(Web.url) as urls min(_time) as firstTime from datamodel=Web by Web.src 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `brand_abuse_web` 
| `monitor_web_traffic_for_brand_abuse_filter`

Monitor DNS For Brand Abuse

Description

This search looks for DNS requests for faux domains that resemble the domains you want monitored for abuse.

Detection logic


| tstats `security_content_summariesonly` values(DNS.answer) as IPs min(_time) as firstTime from datamodel=Network_Resolution by DNS.src, DNS.query 
| `drop_dm_object_name("DNS")` 
| `security_content_ctime(firstTime)`
| `brand_abuse_dns` 
| `monitor_dns_for_brand_abuse_filter`

Email Attachments With Lots Of Spaces

Description

Attackers often use spaces as a means to obfuscate an attachment’s file extension. This search looks for messages with email attachments that have many spaces within the file names.

Detection logic


| tstats `security_content_summariesonly` count values(All_Email.recipient) as recipient_address min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `drop_dm_object_name("All_Email")` 
| eval space_ratio = (mvcount(split(file_name," "))-1)/len(file_name) 
| search space_ratio >= 0.1 
|  rex field=recipient_address "(?<recipient_user>.*)@" 
| `email_attachments_with_lots_of_spaces_filter`
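
The space-ratio heuristic from the search above, as an added Python example (not part of the Splunk content itself) run over constructed attachment names; the sample names and the 0.1 threshold are taken from the search, the helper names are assumptions.

```python
# Constructed sample attachment names for this example (not from real mail logs).
SAMPLES = [
    "invoice.pdf",
    "Q2 financial report.xlsx",        # a few spaces in a long name stays below 0.1
    "report.pdf" + " " * 34 + ".exe",  # padding pushes the real extension out of view
    "resume.doc" + " " * 10 + ".scr",
]


def space_ratio(file_name):
    """Same arithmetic as the SPL eval: (mvcount(split(file_name," "))-1)/len(file_name).
    Splitting on a single space yields one field more than there are spaces, so the
    numerator is the number of spaces and the ratio is spaces per character."""
    if not file_name:
        return 0.0  # the search's All_Email.file_name="*" clause already drops empty names
    return (len(file_name.split(" ")) - 1) / len(file_name)


def flag_attachments(file_names, threshold=0.1):
    """Return [(file_name, ratio)] for names at or above the threshold, like `search space_ratio >= 0.1`."""
    return [(name, space_ratio(name)) for name in file_names if space_ratio(name) >= threshold]


if __name__ == "__main__":
    for name, ratio in flag_attachments(SAMPLES):
        print(f"{ratio:.2f}  {name!r}")
```

Note that a name with a handful of spaces, such as the constructed "Q2 financial report.xlsx" (2 spaces in 24 characters), stays under the threshold, which is what keeps ordinary attachments out of the results.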

Splunk Digital Certificates Lack of Encryption

Description

On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. In other circumstances, a client may be allowed to publish a forwarder bundle to other clients, which may allow for arbitrary code execution. The fixes for these require upgrading to at least Splunk 9.0 on the forwarder as well. This is a great opportunity to configure TLS across the environment. This search looks for forwarders that are not using TLS and adds risk to those entities.

Detection logic

`splunkd` group="tcpin_connections" ssl="false" 
| stats values(sourceIp) latest(fwdType) latest(version) by hostname 
| `splunk_digital_certificates_lack_of_encryption_filter`

Monitor Email For Brand Abuse

Description

This search looks for emails claiming to be sent from a domain that resembles one you want monitored for abuse.

Detection logic


| tstats `security_content_summariesonly` values(All_Email.recipient) as recipients, min(_time) as firstTime, max(_time) as lastTime from datamodel=Email by All_Email.src_user, All_Email.message_id 
| `drop_dm_object_name("All_Email")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| eval temp=split(src_user, "@") 
| eval email_domain=mvindex(temp, 1) 
| lookup update=true brandMonitoring_lookup domain as email_domain OUTPUT domain_abuse 
| search domain_abuse=true 
| table message_id, src_user, email_domain, recipients, firstTime, lastTime 
| `monitor_email_for_brand_abuse_filter`

Splunk Process Injection Forwarder Bundle Downloads

Description

On June 14th, 2022, Splunk released a security advisory relating to the authentication that happens between Universal Forwarders and Deployment Servers. In some circumstances, an unauthenticated client can download forwarder bundles from the Deployment Server. This hunting search pulls a full list of forwarder bundle downloads, where the peer column is the forwarder and the host column is the Deployment Server, together with the apps downloaded and the serverclasses the peer is a member of. You should look for apps or clients that you do not recognize as being part of your environment.

Detection logic

`splunkd` component="PackageDownloadRestHandler" 
| stats values(app) values(serverclass) by peer, host 
| `splunk_process_injection_forwarder_bundle_downloads_filter`
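
An added Python example (not part of the Splunk security content) that mirrors both advisory searches on this page, the "Lack of Encryption" TLS check and the forwarder bundle download hunt, over constructed splunkd-style log lines. The line layout, host names, app and serverclass names are assumptions made for the example; the field names are the ones the searches use.

```python
import re
from collections import defaultdict

# Constructed splunkd-style lines (not real data): header with level and component, then key=value pairs.
TCPIN_LINES = [
    "06-14-2022 12:00:01.000 +0000 INFO  Metrics - group=tcpin_connections, sourceIp=10.0.0.5, "
    "version=8.2.6, hostname=web01, fwdType=uf, ssl=false",
    "06-14-2022 12:00:31.000 +0000 INFO  Metrics - group=tcpin_connections, sourceIp=10.0.0.6, "
    "version=9.0.0, hostname=web02, fwdType=uf, ssl=true",
    "06-14-2022 12:01:01.000 +0000 INFO  Metrics - group=tcpin_connections, sourceIp=10.0.0.7, "
    "version=9.0.0, hostname=web01, fwdType=uf, ssl=false",
]
BUNDLE_LINES = [
    "06-14-2022 12:05:00.000 +0000 INFO  PackageDownloadRestHandler - app=fwd_outputs, "
    "serverclass=all_forwarders, peer=web01, host=ds01",
    "06-14-2022 12:05:02.000 +0000 INFO  PackageDownloadRestHandler - app=unknown_app, "
    "serverclass=all_forwarders, peer=unknown-host, host=ds01",
    "06-14-2022 12:05:03.000 +0000 INFO  DeploymentClient - app=fwd_outputs, peer=web01, host=ds01",
]

HEADER = re.compile(r"^\S+ \S+ \S+ (?P<level>\w+)\s+(?P<component>\w+) - ")
KV = re.compile(r'(\w+)=("[^"]*"|[^,\s]+)')

def parse_event(line):
    """Return the header fields plus every key=value pair as one flat dict."""
    ev = HEADER.match(line).groupdict()
    ev.update((k, v.strip('"')) for k, v in KV.findall(line))
    return ev

def unencrypted_forwarders(lines):
    """Mirror of: group="tcpin_connections" ssl="false" | stats values(sourceIp) latest(fwdType) latest(version) by hostname.
    Lines are assumed to be in time order, so the last one seen per host stands in for latest()."""
    out = {}
    for ev in map(parse_event, lines):
        if ev.get("group") != "tcpin_connections" or ev.get("ssl") != "false":
            continue
        row = out.setdefault(ev["hostname"], {"sourceIp": set()})
        row["sourceIp"].add(ev["sourceIp"])
        row["fwdType"], row["version"] = ev.get("fwdType"), ev.get("version")
    return out

def bundle_downloads(lines):
    """Mirror of: component="PackageDownloadRestHandler" | stats values(app) values(serverclass) by peer, host."""
    out = defaultdict(lambda: {"app": set(), "serverclass": set()})
    for ev in map(parse_event, lines):
        if ev.get("component") != "PackageDownloadRestHandler":
            continue
        out[(ev["peer"], ev["host"])]["app"].add(ev["app"])
        out[(ev["peer"], ev["host"])]["serverclass"].add(ev["serverclass"])
    return dict(out)
```

In the constructed data only web01 shows up without TLS, and the (unknown-host, ds01) row in the bundle output is the kind of unrecognized peer the hunt asks you to review.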