Sample rules
Unsuccessful Netbackup backups
- source: splunk
- technicques:
Description
This search gives you the hosts where a backup was attempted and then failed.
Detection logic
`netbackup`
| stats latest(_time) as latestTime by COMPUTERNAME, MESSAGE
| search MESSAGE="An error occurred, failed to backup."
| `security_content_ctime(latestTime)`
| rename COMPUTERNAME as dest, MESSAGE as signature
| table latestTime, dest, signature
| `unsuccessful_netbackup_backups_filter`
Extended Period Without Successful Netbackup Backups
- source: splunk
- technicques:
Description
This search returns a list of hosts that have not successfully completed a backup in over a week. Deprecated because it’s a infrastructure monitoring.
Detection logic
`netbackup` MESSAGE="Disk/Partition backup completed successfully."
| stats latest(_time) as latestTime by COMPUTERNAME
| `security_content_ctime(latestTime)`
| rename COMPUTERNAME as dest
| eval isOutlier=if(latestTime <= relative_time(now(), "-7d@d"), 1, 0)
| search isOutlier=1
| table latestTime, dest
| `extended_period_without_successful_netbackup_backups_filter`
Prohibited Software On Endpoint
- source: splunk
- technicques:
Description
This search looks for applications on the endpoint that you have marked as prohibited.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name(Processes)`
| `prohibited_softwares`
| `prohibited_software_on_endpoint_filter`
Uncommon Processes On Endpoint
- source: splunk
- technicques:
- T1204.002
Description
This search looks for applications on the endpoint that you have marked as uncommon.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process Processes.process_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name(Processes)`
| `uncommon_processes`
|`uncommon_processes_on_endpoint_filter`
Prohibited Network Traffic Allowed
- source: splunk
- technicques:
- T1048
Description
The following analytic detects instances where network traffic, identified by port and transport layer protocol as prohibited in the “lookup_interesting_ports” table, is allowed. It uses the Network_Traffic data model to cross-reference traffic data against predefined security policies. This activity is significant for a SOC as it highlights potential misconfigurations or policy violations that could lead to unauthorized access or data exfiltration. If confirmed malicious, this could allow attackers to bypass network defenses, leading to potential data breaches and compromising the organization’s security posture.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action = allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action
| lookup update=true interesting_ports_lookup dest_port as All_Traffic.dest_port OUTPUT app is_prohibited note transport
| search is_prohibited=true
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name("All_Traffic")`
| `prohibited_network_traffic_allowed_filter`
Protocol or Port Mismatch
- source: splunk
- technicques:
- T1048.003
- T1048
Description
The following analytic identifies network traffic where the higher layer protocol does not match the expected port, such as non-HTTP traffic on TCP port 80. It leverages data from network traffic inspection technologies like Bro or Palo Alto Networks firewalls. This activity is significant because it may indicate attempts to bypass firewall restrictions or conceal malicious communications. If confirmed malicious, this behavior could allow attackers to evade detection, maintain persistence, or exfiltrate data through commonly allowed ports, posing a significant threat to network security.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=dns NOT All_Traffic.dest_port=53) OR ((All_Traffic.app=web-browsing OR All_Traffic.app=http) NOT (All_Traffic.dest_port=80 OR All_Traffic.dest_port=8080 OR All_Traffic.dest_port=8000)) OR (All_Traffic.app=ssl NOT (All_Traffic.dest_port=443 OR All_Traffic.dest_port=8443)) OR (All_Traffic.app=smtp NOT All_Traffic.dest_port=25) by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.dest_port
|`security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name("All_Traffic")`
| `protocol_or_port_mismatch_filter`
Suspicious Email Attachment Extensions
- source: splunk
- technicques:
- T1566.001
- T1566
Description
The following analytic detects emails containing attachments with suspicious file extensions. It leverages the Email data model in Splunk, using the tstats command to identify emails where the attachment filename is not empty. This detection is significant for SOC analysts as it highlights potential phishing or malware delivery attempts, which are common vectors for data breaches and malware infections. If confirmed malicious, this activity could lead to unauthorized access to sensitive information, system compromise, or data exfiltration. Immediate review and analysis of the identified emails and attachments are crucial to mitigate these risks.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name("All_Email")`
| `suspicious_email_attachments`
| `suspicious_email_attachment_extensions_filter`
No Windows Updates in a time frame
- source: splunk
- technicques:
Description
The following analytic identifies Windows endpoints that have not generated an event indicating a successful Windows update in the last 60 days. It leverages the ‘Update’ data model in Splunk, specifically looking for the latest ‘Installed’ status events from Microsoft Windows. This activity is significant for a SOC because endpoints that are not regularly patched are vulnerable to known exploits and security vulnerabilities. If confirmed malicious, this could indicate a compromised endpoint that is intentionally being kept unpatched, potentially allowing attackers to exploit unpatched vulnerabilities and gain unauthorized access or control.
Detection logic
| tstats `security_content_summariesonly` max(_time) as lastTime from datamodel=Updates where Updates.status=Installed Updates.vendor_product="Microsoft Windows" by Updates.dest Updates.status Updates.vendor_product
| rename Updates.dest as Host
| rename Updates.status as "Update Status"
| rename Updates.vendor_product as Product
| eval isOutlier=if(lastTime <= relative_time(now(), "-60d@d"), 1, 0)
| `security_content_ctime(lastTime)`
| search isOutlier=1
| rename lastTime as "Last Update Time",
| table Host, "Update Status", Product, "Last Update Time"
| `no_windows_updates_in_a_time_frame_filter`
Shim Database Installation With Suspicious Parameters
- source: splunk
- technicques:
- T1546.011
- T1546
Description
The following analytic detects the execution of sdbinst.exe with parameters indicative of silently creating a shim database. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line arguments. This activity is significant because shim databases can be used to intercept and manipulate API calls, potentially allowing attackers to bypass security controls or achieve persistence. If confirmed malicious, this could enable unauthorized code execution, privilege escalation, or persistent access to the compromised system.
Detection logic
| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sdbinst.exe NOT Processes.process IN ("\"C:\\Windows\\System32\\sdbinst.exe\"", "C:\\Windows\\System32\\sdbinst.exe", "*-mm", "*-?") by Processes.process_name Processes.parent_process_name Processes.dest Processes.user
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `shim_database_installation_with_suspicious_parameters_filter`
USN Journal Deletion
- source: splunk
- technicques:
- T1070
Description
The following analytic detects the deletion of the USN Journal using the fsutil.exe utility. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs that include command-line details. This activity is significant because the USN Journal maintains a log of all changes made to files on the disk, and its deletion can be an indicator of an attempt to cover tracks or hinder forensic investigations. If confirmed malicious, this action could allow an attacker to obscure their activities, making it difficult to trace file modifications and potentially compromising incident response efforts.
Detection logic
| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| search process="*deletejournal*" AND process="*usn*"
| `usn_journal_deletion_filter`
Dump LSASS via procdump Rename
- source: splunk
- technicques:
- T1003.001
Description
Detect a renamed instance of procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. Modify the query as needed. During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.
Detection logic
`sysmon` OriginalFileName=procdump process_name!=procdump*.exe EventID=1 (CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass*
| stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, process_name, OriginalFileName, CommandLine
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `dump_lsass_via_procdump_rename_filter`
Execution of File With Spaces Before Extension
- source: splunk
- technicques:
- T1036.003
Description
This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view.
Detection logic
| tstats `security_content_summariesonly` count values(Processes.process_path) as process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "* .*" by Processes.dest Processes.user Processes.process Processes.process_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name(Processes)`
| `execution_of_file_with_spaces_before_extension_filter`
MacOS LOLbin
- source: splunk
- technicques:
- T1059.004
- T1059
Description
The following analytic detects multiple executions of Living off the Land (LOLbin) binaries on macOS within a short period. It leverages osquery to monitor process events and identifies commands such as “find”, “crontab”, “screencapture”, “openssl”, “curl”, “wget”, “killall”, and “funzip”. This activity is significant as LOLbins are often used by attackers to perform malicious actions while evading detection. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk.
Detection logic
`osquery_macro` name=es_process_events columns.cmdline IN ("find*", "crontab*", "screencapture*", "openssl*", "curl*", "wget*", "killall*", "funzip*")
| rename columns.* as *
| stats min(_time) as firstTime max(_time) as lastTime values(cmdline) as cmdline, values(pid) as pid, values(parent) as parent, values(path) as path, values(signing_id) as signing_id, dc(path) as dc_path by username host
| rename username as user, cmdline as process, path as process_path, host as dest
| where dc_path > 3
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos_lolbin_filter`
Dump LSASS via comsvcs DLL
- source: splunk
- technicques:
- T1003.001
- T1003
Description
The following analytic detects the behavior of dumping credentials from memory by exploiting the Local Security Authority Subsystem Service (LSASS) using the comsvcs.dll and MiniDump via rundll32. This detection leverages process information from Endpoint Detection and Response (EDR) logs, focusing on specific command-line executions. This activity is significant because it indicates potential credential theft, which can lead to broader system compromise, persistence, lateral movement, and privilege escalation. If confirmed malicious, attackers could gain unauthorized access to sensitive information, leading to data theft, ransomware attacks, or other damaging outcomes.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*comsvcs.dll* Processes.process IN ("*MiniDump*", "*#24*") by Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.dest
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `dump_lsass_via_comsvcs_dll_filter`
Dump LSASS via procdump
- source: splunk
- technicques:
- T1003.001
- T1003
Description
The following analytic detects the use of procdump.exe to dump the LSASS process, specifically looking for the -mm and -ma command-line arguments. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line executions, and parent processes. This activity is significant because dumping LSASS can expose sensitive credentials, posing a severe security risk. If confirmed malicious, an attacker could obtain credentials, escalate privileges, and move laterally within the network, leading to potential data breaches and further compromise of the environment.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_procdump` (Processes.process=*-ma* OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.dest
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `dump_lsass_via_procdump_filter`
Attempted Credential Dump From Registry via Reg exe
- source: splunk
- technicques:
- T1003.002
- T1003
Description
The following analytic detects the execution of reg.exe with parameters that export registry keys containing hashed credentials. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving reg.exe or cmd.exe with specific registry paths. This activity is significant because exporting these keys can allow attackers to obtain hashed credentials, which they may attempt to crack offline. If confirmed malicious, this could lead to unauthorized access to sensitive accounts, enabling further compromise and lateral movement within the network.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg* OR Processes.process_name=cmd* Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\Security* OR Processes.process=*HKEY_LOCAL_MACHINE\\SAM* OR Processes.process=*HKEY_LOCAL_MACHINE\\System* OR Processes.process=*HKLM\\Security* OR Processes.process=*HKLM\\System* OR Processes.process=*HKLM\\SAM*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `attempted_credential_dump_from_registry_via_reg_exe_filter`
Execution of File with Multiple Extensions
- source: splunk
- technicques:
- T1036
- T1036.003
Description
The following analytic detects the execution of files with multiple extensions, such as “.doc.exe” or “.pdf.exe”. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process creation events where the file name contains double extensions. This activity is significant because attackers often use double extensions to disguise malicious executables as benign documents, increasing the likelihood of user execution. If confirmed malicious, this technique can lead to unauthorized code execution, potentially compromising the endpoint and allowing further malicious activities.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*.doc.exe", "*.xls.exe","*.ppt.exe", "*.htm.exe", "*.html.exe", "*.txt.exe", "*.pdf.exe", "*.docx.exe", "*.xlsx.exe", "*.pptx.exe","*.one.exe", "*.bat.exe", "*rtf.exe") by Processes.dest Processes.user Processes.process Processes.process_name Processes.parent_process
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name(Processes)`
| `execution_of_file_with_multiple_extensions_filter`