Sample rules
Protocol or Port Mismatch
- source: splunk
- technicques:
- T1048.003
- T1048
Description
This search looks for network traffic on common ports where a higher layer protocol does not match the port that is being used. For example, this search should identify cases where protocols other than HTTP are running on TCP port 80. This can be used by attackers to circumvent firewall restrictions, or as an attempt to hide malicious communications over ports and protocols that are typically allowed and not well inspected.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=dns NOT All_Traffic.dest_port=53) OR ((All_Traffic.app=web-browsing OR All_Traffic.app=http) NOT (All_Traffic.dest_port=80 OR All_Traffic.dest_port=8080 OR All_Traffic.dest_port=8000)) OR (All_Traffic.app=ssl NOT (All_Traffic.dest_port=443 OR All_Traffic.dest_port=8443)) OR (All_Traffic.app=smtp NOT All_Traffic.dest_port=25) by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.app, All_Traffic.dest_port
|`security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name("All_Traffic")`
| `protocol_or_port_mismatch_filter`
Prohibited Network Traffic Allowed
- source: splunk
- technicques:
- T1048
Description
The following analytic detects instances where network traffic, specifically identified by port and transport layer protocol as prohibited in the “lookup_interesting_ports” table, is allowed according to the Network_Traffic data model. It operates by cross-referencing traffic data against predefined security policies to identify discrepancies indicative of potential misconfigurations or policy violations. This detection is crucial for a Security Operations Center (SOC) as it highlights potential security breaches or misconfigured network devices that could allow unauthorized access or data exfiltration, directly impacting the organization’s security posture.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where All_Traffic.action = allowed by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.action
| lookup update=true interesting_ports_lookup dest_port as All_Traffic.dest_port OUTPUT app is_prohibited note transport
| search is_prohibited=true
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name("All_Traffic")`
| `prohibited_network_traffic_allowed_filter`
Shim Database Installation With Suspicious Parameters
- source: splunk
- technicques:
- T1546.011
- T1546
Description
This search detects the process execution and arguments required to silently create a shim database. The sdbinst.exe application is used to install shim database files (.sdb). A shim is a small library which transparently intercepts an API, changes the parameters passed, handles the operation itself, or redirects the operation elsewhere.
Detection logic
| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name = sdbinst.exe by Processes.process_name Processes.parent_process_name Processes.dest Processes.user
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `shim_database_installation_with_suspicious_parameters_filter`
USN Journal Deletion
- source: splunk
- technicques:
- T1070
Description
The fsutil.exe application is a legitimate Windows utility used to perform tasks related to the file allocation table (FAT) and NTFS file systems. The update sequence number (USN) change journal provides a log of all changes made to the files on the disk. This search looks for fsutil.exe deleting the USN journal.
Detection logic
| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=fsutil.exe by Processes.user Processes.process_name Processes.parent_process_name Processes.dest
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| search process="*deletejournal*" AND process="*usn*"
| `usn_journal_deletion_filter`
Prohibited Software On Endpoint
- source: splunk
- technicques:
Description
This search looks for applications on the endpoint that you have marked as prohibited.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name(Processes)`
| `prohibited_processes`
| `prohibited_software_on_endpoint_filter`
Open Redirect in Splunk Web
- source: splunk
- technicques:
Description
This search allows you to look for evidence of exploitation for CVE-2016-4859, the Splunk Open Redirect Vulnerability.
Detection logic
index=_internal sourcetype=splunk_web_access return_to="/%09/*"
| `open_redirect_in_splunk_web_filter`
Unsuccessful Netbackup backups
- source: splunk
- technicques:
Description
This search gives you the hosts where a backup was attempted and then failed.
Detection logic
`netbackup`
| stats latest(_time) as latestTime by COMPUTERNAME, MESSAGE
| search MESSAGE="An error occurred, failed to backup."
| `security_content_ctime(latestTime)`
| rename COMPUTERNAME as dest, MESSAGE as signature
| table latestTime, dest, signature
| `unsuccessful_netbackup_backups_filter`
Uncommon Processes On Endpoint
- source: splunk
- technicques:
- T1204.002
Description
This search looks for applications on the endpoint that you have marked as uncommon.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.user Processes.process Processes.process_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name(Processes)`
| `uncommon_processes`
|`uncommon_processes_on_endpoint_filter`
Extended Period Without Successful Netbackup Backups
- source: splunk
- technicques:
Description
This search returns a list of hosts that have not successfully completed a backup in over a week. Deprecated because it’s a infrastructure monitoring.
Detection logic
`netbackup` MESSAGE="Disk/Partition backup completed successfully."
| stats latest(_time) as latestTime by COMPUTERNAME
| `security_content_ctime(latestTime)`
| rename COMPUTERNAME as dest
| eval isOutlier=if(latestTime <= relative_time(now(), "-7d@d"), 1, 0)
| search isOutlier=1
| table latestTime, dest
| `extended_period_without_successful_netbackup_backups_filter`
Suspicious Email Attachment Extensions
- source: splunk
- technicques:
- T1566.001
- T1566
Description
The following analytic detects emails that contain attachments with suspicious file extensions. Detecting and responding to emails with suspicious attachments can mitigate the risks associated with phishing and malware attacks, thereby protecting the organization’s data and systems from potential harm. The detection is made by using a Splunk query that searches for emails in the datamodel=Email where the filename of the attachment is not empty. The analytic uses the tstats command to summarize the count, first time, and last time of the emails that meet the criteria. It groups the results by the source user, file name, and message ID of the email. The detection is important because it indicates potential phishing or malware delivery attempts in which an attacker attempts to deliver malicious content through email attachments, which can lead to data breaches, malware infections, or unauthorized access to sensitive information. Next steps include reviewing the identified emails and attachments and analyzing the source user, file name, and message ID to determine if they are legitimate or malicious. Additionally, you must inspect any relevant on-disk artifacts associated with the attachments and investigate any concurrent processes to identify the source of the attack.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Email where All_Email.file_name="*" by All_Email.src_user, All_Email.file_name All_Email.message_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name("All_Email")`
| `suspicious_email_attachments`
| `suspicious_email_attachment_extensions_filter`
No Windows Updates in a time frame
- source: splunk
- technicques:
Description
This search looks for Windows endpoints that have not generated an event indicating a successful Windows update in the last 60 days. Windows updates are typically released monthly and applied shortly thereafter. An endpoint that has not successfully applied an update in this time frame indicates the endpoint is not regularly being patched for some reason.
Detection logic
| tstats `security_content_summariesonly` max(_time) as lastTime from datamodel=Updates where Updates.status=Installed Updates.vendor_product="Microsoft Windows" by Updates.dest Updates.status Updates.vendor_product
| rename Updates.dest as Host
| rename Updates.status as "Update Status"
| rename Updates.vendor_product as Product
| eval isOutlier=if(lastTime <= relative_time(now(), "-60d@d"), 1, 0)
| `security_content_ctime(lastTime)`
| search isOutlier=1
| rename lastTime as "Last Update Time",
| table Host, "Update Status", Product, "Last Update Time"
| `no_windows_updates_in_a_time_frame_filter`
Dump LSASS via procdump
- source: splunk
- technicques:
- T1003.001
- T1003
Description
Detect procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. This query does not monitor for the internal name (original_file_name=procdump) of the PE or look for procdump64.exe. Modify the query as needed. During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_procdump` (Processes.process=*-ma* OR Processes.process=*-mm*) Processes.process=*lsass* by Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.original_file_name Processes.dest
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `dump_lsass_via_procdump_filter`
MacOS LOLbin
- source: splunk
- technicques:
- T1059.004
- T1059
Description
Detect multiple executions of Living off the Land (LOLbin) binaries in a short period of time.
Detection logic
`osquery` name=es_process_events columns.cmdline IN ("find*", "crontab*", "screencapture*", "openssl*", "curl*", "wget*", "killall*", "funzip*")
| rename columns.* as *
| stats min(_time) as firstTime max(_time) as lastTime values(cmdline) as cmdline, values(pid) as pid, values(parent) as parent, values(path) as path, values(signing_id) as signing_id, dc(path) as dc_path by username host
| rename username as user, cmdline as process, path as process_path, host as dest
| where dc_path > 3
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `macos_lolbin_filter`
Dump LSASS via comsvcs DLL
- source: splunk
- technicques:
- T1003.001
- T1003
Description
The following analytic detects the behavior of dumping credentials from memory, a tactic commonly used by adversaries to exploit the Local Security Authority Subsystem Service (LSASS) in Windows, which manages system-level authentication. The detection is made by monitoring logs with process information from endpoints and identifying instances where the rundll32 process is used in conjunction with the comsvcs.dll and MiniDump. This indicates potential LSASS dumping attempts used by threat actors to obtain valuable credentials. The detection is important because credential theft can lead to broader system compromise, persistence, lateral movement, and escalated privileges. No legitimate use of this technique has been identified yet. This behavior is often part of more extensive attack campaigns and is associated with numerous threat groups that use the stolen credentials to access sensitive information or systems, leading to data theft, ransomware attacks, or other damaging outcomes. False positives can occur since legitimate uses of the LSASS process can cause benign activities to be flagged. Next steps include reviewing the processes involved in the LSASS dumping attempt after triage and inspecting any relevant on-disk artifacts and concurrent processes to identify the attack source.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` Processes.process=*comsvcs.dll* Processes.process=*MiniDump* by Processes.user Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.dest
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `dump_lsass_via_comsvcs_dll_filter`
Attempted Credential Dump From Registry via Reg exe
- source: splunk
- technicques:
- T1003.002
- T1003
Description
Monitor for execution of reg.exe with parameters specifying an export of keys that contain hashed credentials that attackers may try to crack offline.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name=reg* OR Processes.process_name=cmd* Processes.process=*save* (Processes.process=*HKEY_LOCAL_MACHINE\\Security* OR Processes.process=*HKEY_LOCAL_MACHINE\\SAM* OR Processes.process=*HKEY_LOCAL_MACHINE\\System* OR Processes.process=*HKLM\\Security* OR Processes.process=*HKLM\\System* OR Processes.process=*HKLM\\SAM*) by Processes.dest Processes.user Processes.parent_process Processes.parent_process_name Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `attempted_credential_dump_from_registry_via_reg_exe_filter`
Execution of File with Multiple Extensions
- source: splunk
- technicques:
- T1036
- T1036.003
Description
This search looks for processes launched from files that have double extensions in the file name. This is typically done to obscure the “real” file extension and make it appear as though the file being accessed is a data file, as opposed to executable content.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*.doc.exe", "*.xls.exe","*.ppt.exe", "*.htm.exe", "*.html.exe", "*.txt.exe", "*.pdf.exe", "*.docx.exe", "*.xlsx.exe", "*.pptx.exe","*.one.exe", "*.bat.exe", "*rtf.exe") by Processes.dest Processes.user Processes.process Processes.process_name Processes.parent_process
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name(Processes)`
| `execution_of_file_with_multiple_extensions_filter`
Execution of File With Spaces Before Extension
- source: splunk
- technicques:
- T1036.003
Description
This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view.
Detection logic
| tstats `security_content_summariesonly` count values(Processes.process_path) as process_path min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process = "* .*" by Processes.dest Processes.user Processes.process Processes.process_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name(Processes)`
| `execution_of_file_with_spaces_before_extension_filter`
Dump LSASS via procdump Rename
- source: splunk
- technicques:
- T1003.001
Description
Detect a renamed instance of procdump.exe dumping the lsass process. This query looks for both -mm and -ma usage. -mm will produce a mini dump file and -ma will write a dump file with all process memory. Both are highly suspect and should be reviewed. Modify the query as needed. During triage, confirm this is procdump.exe executing. If it is the first time a Sysinternals utility has been ran, it is possible there will be a -accepteula on the command line. Review other endpoint data sources for cross process (injection) into lsass.exe.
Detection logic
`sysmon` OriginalFileName=procdump process_name!=procdump*.exe EventID=1 (CommandLine=*-ma* OR CommandLine=*-mm*) CommandLine=*lsass*
| stats count min(_time) as firstTime max(_time) as lastTime by dest, parent_process_name, process_name, OriginalFileName, CommandLine
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `dump_lsass_via_procdump_rename_filter`