Skip to content

Commit

Permalink
Merge pull request #3024 from splunk/dlux_1
Browse files Browse the repository at this point in the history
DLUX 1 - Adding Misc New Detections
  • Loading branch information
patel-bhavin authored Jul 17, 2024
2 parents 6bc0bce + 8d42322 commit 16885f0
Show file tree
Hide file tree
Showing 13 changed files with 806 additions and 0 deletions.
66 changes: 66 additions & 0 deletions data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
name: AWS CloudWatchLogs VPCflow
id: 38a34fc4-e128-4478-a8f4-7835d51d5135
author: Bhavin Patel, Splunk
source: aws_cloudwatchlogs_vpcflow
sourcetype: aws:cloudwatchlogs:vpcflow
separator: eventName
supported_TA:
name: Splunk Add-on for Amazon Web Services (AWS)
version: 7.4.1
url: https://splunkbase.splunk.com/app/1876
event_names: []
fields:
- _raw
- _time
- account_id
- action
- app
- aws_account_id
- bytes
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- dest
- dest_ip
- dest_port
- duration
- dvc
- end_time
- eventtype
- host
- index
- interface_id
- linecount
- log_status
- packets
- protocol
- protocol_code
- protocol_full_name
- protocol_version
- punct
- region
- source
- sourcetype
- splunk_server
- splunk_server_group
- src
- src_ip
- src_port
- start_time
- tag
- tag::action
- tag::eventtype
- timeendpos
- timestartpos
- transport
- user_id
- vendor_account
- vendor_product
- version
- vpcflow_action
example_log: '2 123397614277 eni-0b0f9f261f45e6489 10.0.1.30 10.0.1.1 47254 22 17 2 98 1697608042 1697608070 ACCEPT OK'
2 changes: 2 additions & 0 deletions data_sources/endpoint/Windows_Event_Log_Security.yml
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,8 @@ event_names:
data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4725.yml
- event_name: Windows Event Log Security 4726
data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4726.yml
- event_name: Windows Event Log Security 4728
data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4728.yml
- event_name: Windows Event Log Security 4732
data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4732.yml
- event_name: Windows Event Log Security 4738
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,88 @@
event_name: Windows Event Log System 4728
fields:
- _time
- Account_Domain
- Account_Name
- CategoryString
- ComputerName
- Error_Code
- EventCode
- EventType
- Keywords
- LogName
- Logon_ID
- Message
- OpCode
- RecordNumber
- Security_ID
- SourceName
- Subject_Account_Domain
- Subject_Account_Name
- Subject_Logon_ID
- Subject_Security_ID
- Target_Account_Domain
- Target_Account_Name
- Target_Security_ID
- TaskCategory
- Type
- action
- app
- body
- category
- change_type
- date_hour
- date_mday
- date_minute
- date_month
- date_second
- date_wday
- date_year
- date_zone
- dest
- dest_nt_domain
- dest_nt_host
- dvc
- dvc_nt_host
- event_id
- eventtype
- host
- id
- index
- linecount
- member_dn
- member_id
- member_nt_domain
- msad_action
- name
- object
- object_attrs
- object_category
- object_id
- product
- punct
- result
- session_id
- severity
- severity_id
- signature
- signature_id
- source
- sourcetype
- splunk_server
- src_nt_domain
- src_user
- src_user_name
- status
- subject
- ta_windows_action
- ta_windows_security_CategoryString
- tag
- tag::eventtype
- timeendpos
- timestartpos
- user
- user_group
- user_name
- vendor
- vendor_product
example_log: 10/09/2020 10:41:29 AM
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
name: Detect Distributed Password Spray Attempts
id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57
version: 1
date: '2023-11-01'
author: Dean Luxton
status: production
type: Hunting
data_source:
- Azure Active Directory Sign-in activity
description: This analytic employs the 3-sigma approach to identify distributed password spray attacks. A
distributed password spray attack is a type of brute force attack where the attacker attempts a few
common passwords against many different accounts, connecting from multiple IP addresses to avoid detection.
By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication
events, providing comprehensive coverage and enhancing security against these attacks.
search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action, Authentication.signature_id, sourcetype, _time span=2m
| `drop_dm_object_name("Authentication")`
```fill out time buckets for 0-count events during entire search length```
| appendpipe [| timechart limit=0 span=5m count | table _time]
| fillnull value=0 unique_accounts, unique_src
``` remove duplicate & empty time buckets```
| sort - total_failures
| dedup _time
``` Create aggregation field & apply to all null events```
| eval counter=sourcetype+"__"+signature_id
| eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter)
``` 3-sigma detection logic ```
| eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter
| eval upperBoundUser=(comp_avg_user+comp_std_user*3), upperBoundsrc=(comp_avg_src+comp_std_src*3)
| eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_accounts >= upperBoundsrc), 1, 0)
| replace "::ffff:*" with * in src
| where isOutlier=1
| foreach *
[ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)]
| table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id
| sort - total_failures | `detect_distributed_password_spray_attempts_filter`'
how_to_implement: Ensure that all relevant authentication data is mapped to the Common Information Model (CIM)
and that the src field is populated with the source device information. Additionally, ensure that
fill_nullvalue is set within the security_content_summariesonly macro to include authentication events from
log sources that do not feature the signature_id field in the results.
known_false_positives: It is common to see a spike of legitimate failed authentication events on monday mornings.
references:
- https://attack.mitre.org/techniques/T1110/003/
tags:
analytic_story:
- Compromised User Account
- Active Directory Password Spraying
asset_type: Endpoint
atomic_guid:
- 90bc2e54-6c84-47a5-9439-0a2a92b4b175
confidence: 70
impact: 70
message: Distributed Password Spray Attempt Detected from $src$
mitre_attack_id:
- T1110.003
- T1110
observable:
- name: src
type: IP Address
role:
- Attacker
- name: unique_accounts
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
risk_score: 49
required_fields:
- Authentication.action
- Authentication.user
- Authentication.src
security_domain: access
manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this detetion.
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log
source: azure:monitor:aad
sourcetype: azure:monitor:aad
75 changes: 75 additions & 0 deletions detections/application/detect_password_spray_attempts.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
name: Detect Password Spray Attempts
id: 086ab581-8877-42b3-9aee-4a7ecb0923af
version: 1
date: '2023-11-01'
author: Dean Luxton
status: production
type: TTP
data_source:
- Windows Event Log Security 4625
description: This analytic employs the 3-sigma approach to detect an unusual volume of failed authentication attempts
from a single source. A password spray attack is a type of brute force attack where an attacker tries a few
common passwords across many different accounts to avoid detection and account lockouts. By utilizing the
Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing
comprehensive coverage and enhancing security against these attacks.
search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts values(Authentication.app) as app count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.src, Authentication.action, Authentication.signature_id, sourcetype, _time span=2m
| `drop_dm_object_name("Authentication")`
```fill out time buckets for 0-count events during entire search length```
| appendpipe [| timechart limit=0 span=5m count | table _time]
| fillnull value=0 unique_accounts, unique_src
``` remove duplicate & empty time buckets```
| sort - total_failures
| dedup _time
``` Create aggregation field & apply to all null events```
| eval counter=src+"__"+sourcetype+"__"+signature_id
| eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter)
| eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by counter
| eval upperBound=(comp_avg+comp_std*3)
| eval isOutlier=if(unique_accounts > 30 and unique_accounts >= upperBound, 1, 0)
| replace "::ffff:*" with * in src
| where isOutlier=1
| foreach * [ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)]
| table _time, src, action, app, unique_accounts, total_failures, sourcetype, signature_id
| `detect_password_spray_attempts_filter`'
how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly.
known_false_positives: Unknown
references:
- https://attack.mitre.org/techniques/T1110/003/
tags:
analytic_story:
- Compromised User Account
- Active Directory Password Spraying
asset_type: Endpoint
atomic_guid:
- 90bc2e54-6c84-47a5-9439-0a2a92b4b175
confidence: 70
impact: 70
message: Potential Password Spraying attack from $src$ targeting $unique_accounts$ unique accounts.
mitre_attack_id:
- T1110.003
- T1110
observable:
- name: src
type: Endpoint
role:
- Attacker
- name: sourcetype
type: Other
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
risk_score: 49
required_fields:
- Authentication.action
- Authentication.user
- Authentication.src
security_domain: access
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
54 changes: 54 additions & 0 deletions detections/application/windows_ad_add_self_to_group.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
name: Windows AD add Self to Group
id: 065f2701-b7ea-42f5-9ec4-fbc2261165f9
version: 1
date: '2023-12-18'
author: Dean Luxton
status: production
type: TTP
data_source:
- Windows Event Log Security 4728
description: This analytic detects instances where a user adds themselves to an Active Directory (AD) group. This activity
is a common indicator of privilege escalation, where a user attempts to gain unauthorized access to higher
privileges or sensitive resources. By monitoring AD logs, this detection identifies such suspicious behavior,
which could be part of a larger attack strategy aimed at compromising critical systems and data.
search: '`wineventlog_security` EventCode IN (4728)
| where user=src_user
| stats min(_time) as _time dc(user) as usercount, values(user) as user values(user_category) as user_category values(src_user_category) as src_user_category values(dvc) as dvc by signature, Group_Name, src_user
| `windows_ad_add_self_to_group_filter`'
how_to_implement: This analytic requires eventCode 4728 to be ingested.
known_false_positives: Unknown
references: []
tags:
analytic_story:
- Active Directory Privilege Escalation
- Sneaky Active Directory Persistence Tricks
asset_type: Endpoint
confidence: 100
impact: 50
message: $user$ added themselves to AD Group $Group_Name$
mitre_attack_id:
- T1098
observable:
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
risk_score: 50
required_fields:
- EventCode
- user
- src_user
- signature
- Group_Name
security_domain: audit
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log
source: XmlWinEventLog:Security
sourcetype: XmlWinEventLog
update_timestamp: true
Loading

0 comments on commit 16885f0

Please sign in to comment.