From 9cb3d6cc34068540db94116eff67e837408779b9 Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Tue, 2 Jul 2024 09:50:34 +1000 Subject: [PATCH 1/8] Adding pwd spray detection --- ...ct_distributed_password_spray_attempts.yml | 69 +++++++++++++++++++ 1 file changed, 69 insertions(+) create mode 100644 detections/application/detect_distributed_password_spray_attempts.yml diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml new file mode 100644 index 0000000000..be4c070da1 --- /dev/null +++ b/detections/application/detect_distributed_password_spray_attempts.yml @@ -0,0 +1,69 @@ +name: Detect Distributed Password Spray Attempts +id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57 +version: 1 +date: '2023-11-01' +author: Dean Luxton +status: production +type: Hunting +data_source: +- Authentication Datamodel +description: This analytic uses the 3-sigma approach to detect a distributed password spray attack. Utilising the authentication datamodel this detection is affective for all CIM mapped authication events. +search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action, Authentication.signature_id, sourcetype, _time span=2m + | `drop_dm_object_name("Authentication")` + ```fill out time buckets for 0-count events during entire search length``` + | appendpipe [| timechart limit=0 span=5m count | table _time] + | fillnull value=0 unique_accounts, unique_src + ``` remove duplicate & empty time buckets``` + | sort - total_failures + | dedup _time + ``` Create aggregation field & apply to all null events``` + | eval counter=sourcetype+"__"+signature_id + | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) + ``` 3-sigma detection logic ``` + | eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter + | eval upperBoundUser=(comp_avg_user+comp_std_user*3), upperBoundsrc=(comp_avg_src+comp_std_src*3) + | eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_accounts >= upperBoundsrc), 1, 0) + | replace "::ffff:*" with * in src + | where isOutlier=1 + | foreach * + [ eval <> = if(<>="null",null(),<>)] + | table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id + | sort - total_failures | `detect_distributed_password_spray_attempts_filter`' +how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly. +known_false_positives: It is common to see a spike of legitimate failed authentication events on monday mornings. +references: +- https://attack.mitre.org/techniques/T1110/003/ +tags: + analytic_story: + - Compromised User Account + - Active Directory Password Spraying + asset_type: Endpoint + atomic_guid: + - 90bc2e54-6c84-47a5-9439-0a2a92b4b175 + confidence: 70 + impact: 70 + message: Distributed Password Spray Attempt Detected + mitre_attack_id: + - T1110.003 + - T1110 + observable: + - name: src + type: Endpoint + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 49 + required_fields: + - Authentication.action + - Authentication.user + - Authentication.src + security_domain: access +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techni[…]ure_ad_distributed_spray/azure_ad_distributed_spray.log + source: azure:monitor:aad + sourcetype: azure:monitor:aad \ No newline at end of file From a10332f69a766cf4f514d3d480185c5a5a38c6db Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Tue, 2 Jul 2024 10:43:29 +1000 Subject: [PATCH 2/8] Adding new detections --- .../detect_password_spray_attempts.yml | 67 +++++++++++++++++++ .../windows_ad_add_self_to_group.yml | 51 ++++++++++++++ ..._group_or_object_modification_activity.yml | 52 ++++++++++++++ ...increase_in_user_modification_activity.yml | 53 +++++++++++++++ ...ndows_network_share_discovery_with_net.yml | 59 ++++++++++++++++ .../windows_vulnerable_driver_installed.yml | 0 .../network/internal_horizontal_port_scan.yml | 57 ++++++++++++++++ .../network/internal_vertical_port_scan.yml | 0 .../network/internal_vulnerability_scan.yml | 56 ++++++++++++++++ 9 files changed, 395 insertions(+) create mode 100644 detections/application/detect_password_spray_attempts.yml create mode 100644 detections/application/windows_ad_add_self_to_group.yml create mode 100644 detections/application/windows_increase_in_group_or_object_modification_activity.yml create mode 100644 detections/application/windows_increase_in_user_modification_activity.yml create mode 100644 detections/endpoint/windows_network_share_discovery_with_net.yml create mode 100644 detections/endpoint/windows_vulnerable_driver_installed.yml create mode 100644 detections/network/internal_horizontal_port_scan.yml create mode 100644 detections/network/internal_vertical_port_scan.yml create mode 100644 detections/network/internal_vulnerability_scan.yml diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml new file mode 100644 index 0000000000..9c0ea37da0 --- /dev/null +++ b/detections/application/detect_password_spray_attempts.yml @@ -0,0 +1,67 @@ +name: Detect Password Spray Attempts +id: 086ab581-8877-42b3-9aee-4a7ecb0923af +version: 1 +date: '2023-11-01' +author: Dean Luxton +status: production +type: TTP +data_source: +- Authentication Datamodel +description: This analytic uses the 3-sigma approach to detect an unusual volume of failed authentication from a single source. Utilising the authentication datamodel this detection is affective for all CIM mapped authication events. +search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts values(Authentication.app) as app count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.src, Authentication.action, Authentication.signature_id, sourcetype, _time span=2m + | `drop_dm_object_name("Authentication")` + ```fill out time buckets for 0-count events during entire search length``` + | appendpipe [| timechart limit=0 span=5m count | table _time] + | fillnull value=0 unique_accounts, unique_src + ``` remove duplicate & empty time buckets``` + | sort - total_failures + | dedup _time + ``` Create aggregation field & apply to all null events``` + | eval counter=src+"__"+sourcetype+"__"+signature_id + | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) + | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by counter + | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(unique_accounts > 30 and unique_accounts >= upperBound, 1, 0) + | replace "::ffff:*" with * in src + | where isOutlier=1 + | foreach * [ eval <> = if(<>="null",null(),<>)] + | table _time, src, action, app, unique_accounts, total_failures, sourcetype, signature_id + | `detect_password_spray_attempts_filter`' +how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly. +known_false_positives: Unknown +references: +- https://attack.mitre.org/techniques/T1110/003/ +tags: + analytic_story: + - Compromised User Account + - Active Directory Password Spraying + asset_type: Endpoint + atomic_guid: + - 90bc2e54-6c84-47a5-9439-0a2a92b4b175 + confidence: 70 + impact: 70 + message: Potential Password Spraying attack from $src$ targeting $unique_accounts$ unique accounts. + mitre_attack_id: + - T1110.003 + - T1110 + observable: + - name: src + type: Endpoint + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 49 + required_fields: + - Authentication.action + - Authentication.user + - Authentication.src + security_domain: access +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/application/windows_ad_add_self_to_group.yml b/detections/application/windows_ad_add_self_to_group.yml new file mode 100644 index 0000000000..b0caa2160d --- /dev/null +++ b/detections/application/windows_ad_add_self_to_group.yml @@ -0,0 +1,51 @@ +name: Windows AD add Self to Group +id: 065f2701-b7ea-42f5-9ec4-fbc2261165f9 +version: 1 +date: '2023-12-18' +author: Dean Luxton +status: production +type: TTP +data_source: +- Windows Event Log Security 4728 +description: Detect when a user adds themselfs to an AD Group. +search: '`wineventlog_security` EventCode IN (4728) + | where user=src_user + | stats min(_time) as _time dc(user) as usercount, values(user) as user values(user_category) as user_category values(src_user_category) as src_user_category values(dvc) as dvc by signature, Group_Name, src_user + | `windows_ad_add_self_to_group_filter`' +how_to_implement: This analytic requires eventCode 4728 to be ingested. +known_false_positives: Unknown +references: [] +tags: + analytic_story: + - Active Directory Privilege Escalation + - Sneaky Active Directory Persistence Tricks + asset_type: Endpoint + confidence: 100 + impact: 50 + message: $user$ added themselves to AD Group $Group_Name$ + mitre_attack_id: + - T1098 + observable: + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 50 + required_fields: + - EventCode + - user + - src_user + - signature + - Group_Name + security_domain: audit +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog + update_timestamp: true \ No newline at end of file diff --git a/detections/application/windows_increase_in_group_or_object_modification_activity.yml b/detections/application/windows_increase_in_group_or_object_modification_activity.yml new file mode 100644 index 0000000000..1fdbd7f382 --- /dev/null +++ b/detections/application/windows_increase_in_group_or_object_modification_activity.yml @@ -0,0 +1,52 @@ +name: Windows Increase in Group or Object Modification Activity +id: 4f9564dd-a204-4f22-b375-4dfca3a68731 +version: 1 +date: '2023-10-13' +author: Dean Luxton +status: production +type: TTP +data_source: +- XmlWinEventLog:Security +description: Increase in group or AD object modifications. +search: >- + `wineventlog_security` EventCode IN (4670,4727,4731,4734,4735,4764) + | bucket span=5m _time + | stats values(object) as object, dc(object) as objectCount, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category by _time, src_user, signature, status + | eventstats avg(objectCount) as comp_avg, stdev(objectCount) as comp_std by src_user, signature + | eval upperBound=(comp_avg+comp_std) + | eval isOutlier=if(objectCount > 10 and (objectCount >= upperBound), 1, 0) + | search isOutlier=1 + | `windows_increase_in_group_or_object_modification_activity_filter` +how_to_implement: Run over past 7 days for best results. +known_false_positives: Unknown +references: [] +tags: + analytic_story: + - Sneaky Active Directory Persistence Tricks + asset_type: Endpoint + confidence: 40 + impact: 20 + message: Spike in Group or Object Modifications performed by $src_user$ + mitre_attack_id: + - T1098 + observable: + - name: src_user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 8 + required_fields: + - EventCode + - src_user + - signature + security_domain: audit +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/application/windows_increase_in_user_modification_activity.yml b/detections/application/windows_increase_in_user_modification_activity.yml new file mode 100644 index 0000000000..cb8e263e59 --- /dev/null +++ b/detections/application/windows_increase_in_user_modification_activity.yml @@ -0,0 +1,53 @@ +name: Windows Increase in User Modification Activity +id: 0995fca1-f346-432f-b0bf-a66d14e6b428 +version: 1 +date: '2023-10-13' +author: Dean Luxton +status: production +type: TTP +data_source: +- XmlWinEventLog:Security +description: Increase in user account modifications. +search: >- + `wineventlog_security` EventCode IN (4720,4722,4723,4724,4725,4726,4728,4732,4733,4738,4743,4780) + | bucket span=5m _time + | stats values(TargetDomainName) as TargetDomainName, values(user) as user, dc(user) as userCount, values(user_category) as user_category, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category by _time, src_user, signature, status + | eventstats avg(userCount) as comp_avg , stdev(userCount) as comp_std by src_user, signature + | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(userCount > 10 and userCount >= upperBound, 1, 0) + | search isOutlier=1 + | stats values(TargetDomainName) as TargetDomainName, values(user) as user, dc(user) as userCount, values(user_category) as user_category, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category values(signature) as signature by _time, src_user, status + | `windows_increase_in_user_modification_activity_filter` +how_to_implement: Run over past 7 days for best results. +known_false_positives: Genuine activity +references: [] +tags: + analytic_story: + - Sneaky Active Directory Persistence Tricks + asset_type: Endpoint + confidence: 40 + impact: 20 + message: Spike in User Modification actions performed by $src_user$ + mitre_attack_id: + - T1098 + observable: + - name: src_user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 8 + required_fields: + - EventCode + - src_user + - signature + security_domain: audit +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_network_share_discovery_with_net.yml b/detections/endpoint/windows_network_share_discovery_with_net.yml new file mode 100644 index 0000000000..950f1a390d --- /dev/null +++ b/detections/endpoint/windows_network_share_discovery_with_net.yml @@ -0,0 +1,59 @@ +name: Windows Network Share Discovery With Net +id: 4dc3951f-b3f8-4f46-b412-76a483f72277 +version: 1 +date: '2023-04-21' +author: Dean Luxton +status: production +type: TTP +data_source: +- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share/windows-sysmon.log +description: Network share discovery performed on Windows using the Net Command. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.user_category) as user_category values(Processes.user_bunit) as user_bunit FROM datamodel=Endpoint.Processes WHERE ((Processes.process_name="net.exe" OR Processes.orig_process_name="net.exe") AND (Processes.process="*net*view*" OR Processes.process="*net*share*")) BY Processes.user Processes.dest Processes.process_exec Processes.parent_process_exec + Processes.process Processes.parent_process + | `drop_dm_object_name(Processes)` + | regex process="net\s+view|net\s+share" + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_network_share_discovery_with_net_filter`' +how_to_implement: Ensure you are populating the endpoint datamodel. +known_false_positives: Unknown +references: +- https://attack.mitre.org/techniques/T1135/ +tags: + analytic_story: + - Active Directory Discovery + - Active Directory Privilege Escalation + - Network Discovery + asset_type: Endpoint + atomic_guid: + - ab39a04f-0c93-4540-9ff2-83f862c385ae + confidence: 100 + impact: 20 + message: Network share enumeration performed on $dest$ by $user$, executed by parent process $parent_process$ + mitre_attack_id: + - T1135 + required_fields: + - Processes.process_name + - Processes.user + - Processes.dest + - Processes.process_exec + - Processes.parent_process_exec + - Processes.process + - Processes.parent_process + observable: + - name: dest + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 20 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog \ No newline at end of file diff --git a/detections/endpoint/windows_vulnerable_driver_installed.yml b/detections/endpoint/windows_vulnerable_driver_installed.yml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/detections/network/internal_horizontal_port_scan.yml b/detections/network/internal_horizontal_port_scan.yml new file mode 100644 index 0000000000..505571fcfd --- /dev/null +++ b/detections/network/internal_horizontal_port_scan.yml @@ -0,0 +1,57 @@ +name: Internal Horizontal Port Scan +id: 1ff9eb9a-7d72-4993-a55e-59a839e607f1 +version: 1 +date: '2023-10-20' +author: Dean Luxton +status: production +type: TTP +data_source: [] +description: This analytic detects where an internal host has attempted to communicate with 250 or more destination IP addresses using the same port / protocol. +search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as action + values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as + dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic + where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") by All_Traffic.src_ip All_Traffic.dest_port + All_Traffic.dest_ip span=1s _time All_Traffic.transport | `drop_dm_object_name("All_Traffic")` + | eval gtime=_time | bin span=1h gtime | stats min(_time) as _time values(action) + as action dc(dest_ip) as totalDestIPCount values(src_category) as src_category values(dest_zone) + as dest_zone values(src_zone) as src_zone by src_ip dest_port gtime transport | + where totalDestIPCount>=250 | eval dest_port=transport + "/" + dest_port | stats + min(_time) as _time values(action) as action sum(totalDestIPCount) as totalDestIPCount + values(src_category) as src_category values(dest_port) as dest_ports values(dest_zone) + as dest_zone values(src_zone) as src_zone by src_ip gtime | fields - gtime | `internal_horizontal_port_scan_filter`' +how_to_implement: Ensure your network traffic data is populating the Network_Traffic data model. +known_false_positives: Unknown +references: [] +tags: + analytic_story: + - Network Discovery + asset_type: Endpoint + confidence: 80 + impact: 80 + message: $src_ip$ has scanned for port $dest_port$ across $totalDestIPCount$ destination IPs + mitre_attack_id: + - T1046 + observable: + - name: src_ip + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 64 + required_fields: + - _time + - All_Traffic.action + - All_Traffic.src_ip + - All_Traffic.dest_ip + - All_Traffic.dest_port + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/horizontal.log + source: aws:cloudwatchlogs:vpcflow + sourcetype: aws:cloudwatchlogs:vpcflow + update_timestamp: true \ No newline at end of file diff --git a/detections/network/internal_vertical_port_scan.yml b/detections/network/internal_vertical_port_scan.yml new file mode 100644 index 0000000000..e69de29bb2 diff --git a/detections/network/internal_vulnerability_scan.yml b/detections/network/internal_vulnerability_scan.yml new file mode 100644 index 0000000000..2f2dab7164 --- /dev/null +++ b/detections/network/internal_vulnerability_scan.yml @@ -0,0 +1,56 @@ +name: Internal Vulnerability Scan +id: 46f946ed-1c78-4e96-9906-c7a4be15e39b +version: 1 +date: '2023-10-27' +author: Dean Luxton +status: experimental +type: TTP +data_source: [] +description: This analytic detects internal hosts triggering multiple IDS signatures (either more than 25 signatures against a single host, or a single signature across over 25 destinations), which can be indicative of active vulnerability scanning performed within the network. +search: '| tstats `security_content_summariesonly` values(IDS_Attacks.action) as action + values(IDS_Attacks.src_category) as src_category values(IDS_Attacks.dest_category) + as dest_category count from datamodel=Intrusion_Detection.IDS_Attacks where IDS_Attacks.src + IN (10.0.0.0/8,192.168.0.0/16,172.16.0.0/12) IDS_Attacks.severity IN (critical, + high, medium) by IDS_Attacks.src IDS_Attacks.severity IDS_Attacks.signature IDS_Attacks.dest + IDS_Attacks.dest_port IDS_Attacks.transport span=1s _time | `drop_dm_object_name("IDS_Attacks")` + | eval gtime=_time | bin span=1h gtime | eventstats count as sevCount by severity + src | eventstats count as sigCount by signature src | eval severity=severity +"("+sevCount+")" + | eval signature=signature +"("+sigCount+")" | eval dest_port=transport + "/" + + dest_port | stats min(_time) as _time values(action) as action dc(dest) as destCount + dc(signature) as sigCount values(signature) values(src_category) as src_category + values(dest_category) as dest_category values(severity) as severity values(dest_port) + as dest_ports by src gtime | fields - gtime | where destCount>25 OR sigCount>25 + | `internal_vulnerability_scan_filter`' +how_to_implement: CIM mapped IDS/IPS logs are a required to drive this detection. +known_false_positives: Vulnerability Scanners and informational / low severity signatures. +references: [] +tags: + analytic_story: + - Network Discovery + asset_type: Endpoint + confidence: 80 + impact: 80 + message: Large volume of IDS signatures triggered by $src$ + mitre_attack_id: + - T1595.002 + - T1046 + observable: + - name: src + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 64 + required_fields: + - _time + - IDS_Attacks.action + - IDS_Attacks.src + - IDS_Attacks.dest + - IDS_Attacks.dest_port + - IDS_Attacks.severity + - IDS_Attacks.signature + - IDS_Attacks.transport + security_domain: network \ No newline at end of file From 21812873776af9ecd1a3b8d38269c0659556636d Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Tue, 2 Jul 2024 12:00:01 +1000 Subject: [PATCH 3/8] Adding new detections --- .../windows_vulnerable_driver_installed.yml | 57 ++++++++++++++++++ .../network/internal_vertical_port_scan.yml | 59 +++++++++++++++++++ 2 files changed, 116 insertions(+) diff --git a/detections/endpoint/windows_vulnerable_driver_installed.yml b/detections/endpoint/windows_vulnerable_driver_installed.yml index e69de29bb2..9c3c497ceb 100644 --- a/detections/endpoint/windows_vulnerable_driver_installed.yml +++ b/detections/endpoint/windows_vulnerable_driver_installed.yml @@ -0,0 +1,57 @@ +name: Windows Vulnerable Driver Installed +id: 1dda7586-57be-4a1b-8de1-a9ad802b9a7f +version: 1 +date: '2023-09-27' +author: Dean Luxton +status: production +type: TTP +data_source: +- XmlWinEventLog System EventCode 7045 +description: The following analytic utilises a known list of vulnerable Windows drivers + to help defenders find potential persistence or privelege escalation via a vulnerable + driver. This analytic uses native windows system service install events to capture when the vulnerable driver is installed. + A known gap with this lookup is that it does not use the hash or known signer of the vulnerable driver + therefore it is up to the defender to identify version and signing info and confirm + it is a vulnerable driver. + This detection is a winventlog copy of the Sysmon driver loaded detection written by Michael Haag. +search: '`wineventlog_system` EventCode=7045 ServiceType="kernel mode driver" | table _time dest EventCode ImagePath ServiceName ServiceType | lookup loldrivers driver_name AS ImagePath OUTPUT is_driver driver_description | search is_driver = TRUE | `windows_vulnerable_driver_installed_filter`' +how_to_implement: Ensure the Splunk is collecting XmlWinEventLog:System events and the EventCode 7045 is being ingested. +known_false_positives: False positives may be present. Drill down into the driver + further by version number and cross reference by signer. Review the reference material + in the lookup. +references: +- https://loldrivers.io/ +- https://github.com/SpikySabra/Kernel-Cactus +- https://github.com/wavestone-cdt/EDRSandblast +- https://research.splunk.com/endpoint/a2b1f1ef-221f-4187-b2a4-d4b08ec745f4/ +- https://www.splunk.com/en_us/blog/security/these-are-the-drivers-you-are-looking-for-detect-and-prevent-malicious-drivers.html +tags: + analytic_story: + - Windows Drivers + asset_type: Endpoint + confidence: 50 + impact: 100 + message: Potentially vulnerable/malicious driver ($driver_name$) has been installed on $dest$ + mitre_attack_id: + - T1543.003 + observable: + - name: dest + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 50 + required_fields: + - ServiceType + - driver_name + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-system.log + source: XmlWinEventLog:System + sourcetype: XmlWinEventLog + update_timestamp: true \ No newline at end of file diff --git a/detections/network/internal_vertical_port_scan.yml b/detections/network/internal_vertical_port_scan.yml index e69de29bb2..95c8c63c30 100644 --- a/detections/network/internal_vertical_port_scan.yml +++ b/detections/network/internal_vertical_port_scan.yml @@ -0,0 +1,59 @@ +name: Internal Vertical Port Scan +id: 40d2dc41-9bbf-421a-a34b-8611271a6770 +version: 1 +date: '2023-10-20' +author: Dean Luxton +status: production +type: TTP +data_source: [] +description: This analytic detects an internal host has attempted to communicate with over 500 ports on a single destination IP. Additional filtering is performed on the number of privileged ports within the request to filter out applications performing port scans over ephemeral port ranges. +search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as action + values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as + dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic + where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") by All_Traffic.src_ip + All_Traffic.dest_port All_Traffic.dest_ip All_Traffic.transport span=1s _time | + `drop_dm_object_name("All_Traffic")` | eval gtime=_time | bin span=1h gtime | stats + min(_time) as _time values(action) as action dc(eval(if(dest_port<1024 AND transport="tcp",dest_port,null))) + as privilegedDestTcpPortCount dc(eval(if(transport="tcp",dest_port,null))) as totalDestTcpPortCount + dc(eval(if(dest_port<1024 AND transport="udp",dest_port,null))) as privilegedDestUdpPortCount + dc(eval(if(transport="udp",dest_port,null))) as totalDestUdpPortCount values(src_category) + as src_category values(dest_zone) as dest_zone values(src_zone) as src_zone by src_ip + dest_ip transport gtime | eval totalDestPortCount=totalDestUdpPortCount+totalDestTcpPortCount, + privilegedDestPortCount=privilegedDestTcpPortCount+privilegedDestUdpPortCount| where + (totalDestPortCount>=500 AND privilegedDestPortCount>=20) | fields - gtime | `internal_vertical_port_scan_filter`' +how_to_implement: Ensure your network traffic data is populating the Network_Traffic data model. +known_false_positives: Unknown +references: [] +tags: + analytic_story: + - Network Discovery + asset_type: Endpoint + confidence: 80 + impact: 80 + message: $src_ip$ has scanned $totalDestPortCount$ ports on $dest_ip$ + mitre_attack_id: + - T1046 + observable: + - name: src_ip + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 64 + required_fields: + - _time + - All_Traffic.action + - All_Traffic.src_ip + - All_Traffic.dest_ip + - All_Traffic.dest_port + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/vertical.log + source: aws:cloudwatchlogs:vpcflow + sourcetype: aws:cloudwatchlogs:vpcflow + update_timestamp: trues \ No newline at end of file From 3791f25b6bcb7726c47178d389d04d6e81035171 Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Tue, 2 Jul 2024 12:03:46 +1000 Subject: [PATCH 4/8] Adding new detections --- .../detect_distributed_password_spray_attempts.yml | 4 ++++ detections/application/detect_password_spray_attempts.yml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml index be4c070da1..49332f4831 100644 --- a/detections/application/detect_distributed_password_spray_attempts.yml +++ b/detections/application/detect_distributed_password_spray_attempts.yml @@ -51,6 +51,10 @@ tags: type: Endpoint role: - Attacker + - name: sourcetype + type: Other + role: + - Victim product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml index 9c0ea37da0..b5bf2c435b 100644 --- a/detections/application/detect_password_spray_attempts.yml +++ b/detections/application/detect_password_spray_attempts.yml @@ -49,6 +49,10 @@ tags: type: Endpoint role: - Attacker + - name: sourcetype + type: Other + role: + - Victim product: - Splunk Enterprise - Splunk Enterprise Security From 65cdbcbaf87de21bb2aa40e058ef28aafd1da748 Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Thu, 11 Jul 2024 18:06:51 +1000 Subject: [PATCH 5/8] updating descriptions --- ...ct_distributed_password_spray_attempts.yml | 6 +- .../detect_password_spray_attempts.yml | 6 +- .../windows_ad_add_self_to_group.yml | 5 +- ..._group_or_object_modification_activity.yml | 9 ++- ...increase_in_user_modification_activity.yml | 9 ++- ...ndows_network_share_discovery_with_net.yml | 59 --------------- ...ows_network_share_interaction_with_net.yml | 71 +++++++++++++++++++ .../windows_vulnerable_driver_installed.yml | 21 +++--- .../network/internal_horizontal_port_scan.yml | 11 ++- .../network/internal_vertical_port_scan.yml | 11 ++- .../network/internal_vulnerability_scan.yml | 12 +++- 11 files changed, 138 insertions(+), 82 deletions(-) delete mode 100644 detections/endpoint/windows_network_share_discovery_with_net.yml create mode 100644 detections/endpoint/windows_network_share_interaction_with_net.yml diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml index 49332f4831..08399b0a9a 100644 --- a/detections/application/detect_distributed_password_spray_attempts.yml +++ b/detections/application/detect_distributed_password_spray_attempts.yml @@ -7,7 +7,11 @@ status: production type: Hunting data_source: - Authentication Datamodel -description: This analytic uses the 3-sigma approach to detect a distributed password spray attack. Utilising the authentication datamodel this detection is affective for all CIM mapped authication events. +description: This analytic employs the 3-sigma approach to identify distributed password spray attacks. A + distributed password spray attack is a type of brute force attack where the attacker attempts a few + common passwords against many different accounts, connecting from multiple IP addresses to avoid detection. + By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication + events, providing comprehensive coverage and enhancing security against these attacks. search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action, Authentication.signature_id, sourcetype, _time span=2m | `drop_dm_object_name("Authentication")` ```fill out time buckets for 0-count events during entire search length``` diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml index b5bf2c435b..c084024e91 100644 --- a/detections/application/detect_password_spray_attempts.yml +++ b/detections/application/detect_password_spray_attempts.yml @@ -7,7 +7,11 @@ status: production type: TTP data_source: - Authentication Datamodel -description: This analytic uses the 3-sigma approach to detect an unusual volume of failed authentication from a single source. Utilising the authentication datamodel this detection is affective for all CIM mapped authication events. +description: This analytic employs the 3-sigma approach to detect an unusual volume of failed authentication attempts + from a single source. A password spray attack is a type of brute force attack where an attacker tries a few + common passwords across many different accounts to avoid detection and account lockouts. By utilizing the + Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing + comprehensive coverage and enhancing security against these attacks. search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts values(Authentication.app) as app count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.src, Authentication.action, Authentication.signature_id, sourcetype, _time span=2m | `drop_dm_object_name("Authentication")` ```fill out time buckets for 0-count events during entire search length``` diff --git a/detections/application/windows_ad_add_self_to_group.yml b/detections/application/windows_ad_add_self_to_group.yml index b0caa2160d..d01cf4389e 100644 --- a/detections/application/windows_ad_add_self_to_group.yml +++ b/detections/application/windows_ad_add_self_to_group.yml @@ -7,7 +7,10 @@ status: production type: TTP data_source: - Windows Event Log Security 4728 -description: Detect when a user adds themselfs to an AD Group. +description: This analytic detects instances where a user adds themselves to an Active Directory (AD) group. This activity + is a common indicator of privilege escalation, where a user attempts to gain unauthorized access to higher + privileges or sensitive resources. By monitoring AD logs, this detection identifies such suspicious behavior, + which could be part of a larger attack strategy aimed at compromising critical systems and data. search: '`wineventlog_security` EventCode IN (4728) | where user=src_user | stats min(_time) as _time dc(user) as usercount, values(user) as user values(user_category) as user_category values(src_user_category) as src_user_category values(dvc) as dvc by signature, Group_Name, src_user diff --git a/detections/application/windows_increase_in_group_or_object_modification_activity.yml b/detections/application/windows_increase_in_group_or_object_modification_activity.yml index 1fdbd7f382..185773ebc9 100644 --- a/detections/application/windows_increase_in_group_or_object_modification_activity.yml +++ b/detections/application/windows_increase_in_group_or_object_modification_activity.yml @@ -7,7 +7,11 @@ status: production type: TTP data_source: - XmlWinEventLog:Security -description: Increase in group or AD object modifications. +description: This analytic detects an increase in modifications to AD groups or objects. + Frequent changes to AD groups or objects can indicate potential security risks, + such as unauthorized access attempts, impairing defences or establishing persistence. + By monitoring AD logs for unusual modification patterns, this detection helps identify + suspicious behavior that could compromise the integrity and security of the AD environment. search: >- `wineventlog_security` EventCode IN (4670,4727,4731,4734,4735,4764) | bucket span=5m _time @@ -17,7 +21,7 @@ search: >- | eval isOutlier=if(objectCount > 10 and (objectCount >= upperBound), 1, 0) | search isOutlier=1 | `windows_increase_in_group_or_object_modification_activity_filter` -how_to_implement: Run over past 7 days for best results. +how_to_implement: Run this detection looking over a 7 day timeframe for best results. known_false_positives: Unknown references: [] tags: @@ -29,6 +33,7 @@ tags: message: Spike in Group or Object Modifications performed by $src_user$ mitre_attack_id: - T1098 + - T1562 observable: - name: src_user type: User diff --git a/detections/application/windows_increase_in_user_modification_activity.yml b/detections/application/windows_increase_in_user_modification_activity.yml index cb8e263e59..f7eceacd10 100644 --- a/detections/application/windows_increase_in_user_modification_activity.yml +++ b/detections/application/windows_increase_in_user_modification_activity.yml @@ -7,7 +7,11 @@ status: production type: TTP data_source: - XmlWinEventLog:Security -description: Increase in user account modifications. +description: This analytic detects an increase in modifications to AD user objects. + A large volume of changes to user objects can indicate potential security risks, + such as unauthorized access attempts, impairing defences or establishing persistence. + By monitoring AD logs for unusual modification patterns, this detection helps identify + suspicious behavior that could compromise the integrity and security of the AD environment. search: >- `wineventlog_security` EventCode IN (4720,4722,4723,4724,4725,4726,4728,4732,4733,4738,4743,4780) | bucket span=5m _time @@ -18,7 +22,7 @@ search: >- | search isOutlier=1 | stats values(TargetDomainName) as TargetDomainName, values(user) as user, dc(user) as userCount, values(user_category) as user_category, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category values(signature) as signature by _time, src_user, status | `windows_increase_in_user_modification_activity_filter` -how_to_implement: Run over past 7 days for best results. +how_to_implement: Run this detection looking over a 7 day timeframe for best results. known_false_positives: Genuine activity references: [] tags: @@ -30,6 +34,7 @@ tags: message: Spike in User Modification actions performed by $src_user$ mitre_attack_id: - T1098 + - T1562 observable: - name: src_user type: User diff --git a/detections/endpoint/windows_network_share_discovery_with_net.yml b/detections/endpoint/windows_network_share_discovery_with_net.yml deleted file mode 100644 index 950f1a390d..0000000000 --- a/detections/endpoint/windows_network_share_discovery_with_net.yml +++ /dev/null @@ -1,59 +0,0 @@ -name: Windows Network Share Discovery With Net -id: 4dc3951f-b3f8-4f46-b412-76a483f72277 -version: 1 -date: '2023-04-21' -author: Dean Luxton -status: production -type: TTP -data_source: -- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share/windows-sysmon.log -description: Network share discovery performed on Windows using the Net Command. -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.user_category) as user_category values(Processes.user_bunit) as user_bunit FROM datamodel=Endpoint.Processes WHERE ((Processes.process_name="net.exe" OR Processes.orig_process_name="net.exe") AND (Processes.process="*net*view*" OR Processes.process="*net*share*")) BY Processes.user Processes.dest Processes.process_exec Processes.parent_process_exec - Processes.process Processes.parent_process - | `drop_dm_object_name(Processes)` - | regex process="net\s+view|net\s+share" - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_network_share_discovery_with_net_filter`' -how_to_implement: Ensure you are populating the endpoint datamodel. -known_false_positives: Unknown -references: -- https://attack.mitre.org/techniques/T1135/ -tags: - analytic_story: - - Active Directory Discovery - - Active Directory Privilege Escalation - - Network Discovery - asset_type: Endpoint - atomic_guid: - - ab39a04f-0c93-4540-9ff2-83f862c385ae - confidence: 100 - impact: 20 - message: Network share enumeration performed on $dest$ by $user$, executed by parent process $parent_process$ - mitre_attack_id: - - T1135 - required_fields: - - Processes.process_name - - Processes.user - - Processes.dest - - Processes.process_exec - - Processes.parent_process_exec - - Processes.process - - Processes.parent_process - observable: - - name: dest - type: Hostname - role: - - Victim - product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud - risk_score: 20 - security_domain: endpoint -tests: -- name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share/windows-sysmon.log - source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: xmlwineventlog \ No newline at end of file diff --git a/detections/endpoint/windows_network_share_interaction_with_net.yml b/detections/endpoint/windows_network_share_interaction_with_net.yml new file mode 100644 index 0000000000..057b77623e --- /dev/null +++ b/detections/endpoint/windows_network_share_interaction_with_net.yml @@ -0,0 +1,71 @@ +name: Windows Network Share Interaction With Net +id: 4dc3951f-b3f8-4f46-b412-76a483f72277 +version: 1 +date: '2023-04-21' +author: Dean Luxton +status: production +type: TTP +data_source: +- Sysmon EventID 1 +description: This analytic detects network share discovery and collection activities performed on Windows systems using the Net command. + Attackers often use network share discovery to identify accessible shared resources within a network, + which can be a precursor to privilege escalation or data exfiltration. By monitoring Windows Event Logs for + the usage of the Net command to list and interact with network shares, this detection helps identify potential reconnaissance and collection + activities. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.user_category) as user_category values(Processes.user_bunit) as user_bunit FROM datamodel=Endpoint.Processes WHERE (Processes.process_name="net.exe" OR Processes.process_name="net1.exe" OR Processes.orig_process_name="net.exe" OR Processes.orig_process_name="net1net[\s\.ex1]+view|net[\s\.ex1]+share|net[\s\.ex1]+use\s.exe") BY Processes.user Processes.dest Processes.process_exec Processes.parent_process_exec + Processes.process Processes.parent_process + | `drop_dm_object_name(Processes)` + | regex process="net[\s\.ex1]+view|net[\s\.ex1]+share|net[\s\.ex1]+use\s" + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_network_share_interaction_with_net_filter`' +how_to_implement: The detection is based on data originating from either Endpoint Detection and Response (EDR) telemetry or EventCode 4688 with + process command line logging enabled. These sources provide security-related telemetry from the endpoints. To implement this search, you must + ingest logs that contain the process name, parent process, and complete command-line executions. These logs must be mapped to the Splunk Common + Information Model (CIM) to normalize the field names capture the data within the datamodel schema. +known_false_positives: Unknown +references: +- https://attack.mitre.org/techniques/T1135/ +tags: + analytic_story: + - Active Directory Discovery + - Active Directory Privilege Escalation + - Network Discovery + asset_type: Endpoint + atomic_guid: + - ab39a04f-0c93-4540-9ff2-83f862c385ae + confidence: 100 + impact: 20 + message: User $user$ leveraged net.exe on $dest$ to interact with network shares, executed by parent process $parent_process$ + mitre_attack_id: + - T1135 + - T1039 + required_fields: + - Processes.process_name + - Processes.user + - Processes.dest + - Processes.process_exec + - Processes.parent_process_exec + - Processes.process + - Processes.parent_process + observable: + - name: dest + type: Hostname + role: + - Victim + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 20 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog \ No newline at end of file diff --git a/detections/endpoint/windows_vulnerable_driver_installed.yml b/detections/endpoint/windows_vulnerable_driver_installed.yml index 9c3c497ceb..e0324ffc1a 100644 --- a/detections/endpoint/windows_vulnerable_driver_installed.yml +++ b/detections/endpoint/windows_vulnerable_driver_installed.yml @@ -7,18 +7,21 @@ status: production type: TTP data_source: - XmlWinEventLog System EventCode 7045 -description: The following analytic utilises a known list of vulnerable Windows drivers - to help defenders find potential persistence or privelege escalation via a vulnerable - driver. This analytic uses native windows system service install events to capture when the vulnerable driver is installed. - A known gap with this lookup is that it does not use the hash or known signer of the vulnerable driver - therefore it is up to the defender to identify version and signing info and confirm - it is a vulnerable driver. - This detection is a winventlog copy of the Sysmon driver loaded detection written by Michael Haag. +description: The following analytic detects the loading of known vulnerable Windows + drivers, which may indicate potential persistence or privilege escalation attempts. + It leverages Windows System service install EventCode 7045 to identify driver loading + events and cross-references them with a list of vulnerable drivers. This activity is + significant as attackers often exploit vulnerable drivers to gain elevated privileges + or maintain persistence on a system. If confirmed malicious, this could allow attackers + to execute arbitrary code with high privileges, leading to further system compromise + and potential data exfiltration. This detection is a Windows Event Log adaptation of + the Sysmon driver loaded detection written by Michael Haag. search: '`wineventlog_system` EventCode=7045 ServiceType="kernel mode driver" | table _time dest EventCode ImagePath ServiceName ServiceType | lookup loldrivers driver_name AS ImagePath OUTPUT is_driver driver_description | search is_driver = TRUE | `windows_vulnerable_driver_installed_filter`' how_to_implement: Ensure the Splunk is collecting XmlWinEventLog:System events and the EventCode 7045 is being ingested. -known_false_positives: False positives may be present. Drill down into the driver +known_false_positives: False positives will be present. Drill down into the driver further by version number and cross reference by signer. Review the reference material - in the lookup. + in the lookup. In addition, modify the query to look within specific paths, which + will remove a lot of "normal" drivers. references: - https://loldrivers.io/ - https://github.com/SpikySabra/Kernel-Cactus diff --git a/detections/network/internal_horizontal_port_scan.yml b/detections/network/internal_horizontal_port_scan.yml index 505571fcfd..f2670befd9 100644 --- a/detections/network/internal_horizontal_port_scan.yml +++ b/detections/network/internal_horizontal_port_scan.yml @@ -6,7 +6,12 @@ author: Dean Luxton status: production type: TTP data_source: [] -description: This analytic detects where an internal host has attempted to communicate with 250 or more destination IP addresses using the same port / protocol. +description: This analytic identifies instances where an internal host has attempted to communicate + with 250 or more destination IP addresses using the same port and protocol. Horizontal + port scans from internal hosts can indicate reconnaissance or scanning activities, + potentially signaling malicious intent or misconfiguration. By monitoring network + traffic logs, this detection helps detect and respond to such behavior promptly, + enhancing network security and preventing potential threats. search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as action values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic @@ -19,7 +24,9 @@ search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as min(_time) as _time values(action) as action sum(totalDestIPCount) as totalDestIPCount values(src_category) as src_category values(dest_port) as dest_ports values(dest_zone) as dest_zone values(src_zone) as src_zone by src_ip gtime | fields - gtime | `internal_horizontal_port_scan_filter`' -how_to_implement: Ensure your network traffic data is populating the Network_Traffic data model. +how_to_implement: To properly run this search, Splunk needs to ingest data from networking telemetry sources such as + firewalls, NetFlow, or host-based networking events. Ensure that the Network_Traffic data model is populated to + enable this search effectively. known_false_positives: Unknown references: [] tags: diff --git a/detections/network/internal_vertical_port_scan.yml b/detections/network/internal_vertical_port_scan.yml index 95c8c63c30..8a18aac5f3 100644 --- a/detections/network/internal_vertical_port_scan.yml +++ b/detections/network/internal_vertical_port_scan.yml @@ -6,7 +6,12 @@ author: Dean Luxton status: production type: TTP data_source: [] -description: This analytic detects an internal host has attempted to communicate with over 500 ports on a single destination IP. Additional filtering is performed on the number of privileged ports within the request to filter out applications performing port scans over ephemeral port ranges. +description: This analytic detects instances where an internal host attempts to communicate + with over 500 ports on a single destination IP address. It includes filtering + criteria to exclude applications performing scans over ephemeral port ranges, + focusing on potential reconnaissance or scanning activities. Monitoring network + traffic logs allows for timely detection and response to such behavior, enhancing + network security by identifying and mitigating potential threats promptly. search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as action values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic @@ -21,7 +26,9 @@ search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as dest_ip transport gtime | eval totalDestPortCount=totalDestUdpPortCount+totalDestTcpPortCount, privilegedDestPortCount=privilegedDestTcpPortCount+privilegedDestUdpPortCount| where (totalDestPortCount>=500 AND privilegedDestPortCount>=20) | fields - gtime | `internal_vertical_port_scan_filter`' -how_to_implement: Ensure your network traffic data is populating the Network_Traffic data model. +how_to_implement: To properly run this search, Splunk needs to ingest data from networking telemetry sources such as + firewalls, NetFlow, or host-based networking events. Ensure that the Network_Traffic data model is populated to + enable this search effectively. known_false_positives: Unknown references: [] tags: diff --git a/detections/network/internal_vulnerability_scan.yml b/detections/network/internal_vulnerability_scan.yml index 2f2dab7164..342cb164d1 100644 --- a/detections/network/internal_vulnerability_scan.yml +++ b/detections/network/internal_vulnerability_scan.yml @@ -6,7 +6,11 @@ author: Dean Luxton status: experimental type: TTP data_source: [] -description: This analytic detects internal hosts triggering multiple IDS signatures (either more than 25 signatures against a single host, or a single signature across over 25 destinations), which can be indicative of active vulnerability scanning performed within the network. +description: This analytic detects internal hosts triggering multiple IDS signatures, which may include either + more than 25 signatures against a single host or a single signature across over 25 destination IP addresses. + Such patterns can indicate active vulnerability scanning activities within the network. By monitoring + IDS logs, this detection helps identify and respond to potential vulnerability scanning attempts, + enhancing the network's security posture and preventing potential exploits. search: '| tstats `security_content_summariesonly` values(IDS_Attacks.action) as action values(IDS_Attacks.src_category) as src_category values(IDS_Attacks.dest_category) as dest_category count from datamodel=Intrusion_Detection.IDS_Attacks where IDS_Attacks.src @@ -21,8 +25,10 @@ search: '| tstats `security_content_summariesonly` values(IDS_Attacks.action) as values(dest_category) as dest_category values(severity) as severity values(dest_port) as dest_ports by src gtime | fields - gtime | where destCount>25 OR sigCount>25 | `internal_vulnerability_scan_filter`' -how_to_implement: CIM mapped IDS/IPS logs are a required to drive this detection. -known_false_positives: Vulnerability Scanners and informational / low severity signatures. +how_to_implement: For this detection to function effectively, it is essential to ingest IDS/IPS logs that are + mapped to the Common Information Model (CIM). These logs provide the necessary security-related telemetry + and contextual information needed to accurately identify and analyze potential threats. +known_false_positives: Internal vulnerability scanners will trigger this detection. references: [] tags: analytic_story: From d375c32991f4aa0b16eb9d18c6e17d5e8c78a30b Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Fri, 12 Jul 2024 09:33:44 +1000 Subject: [PATCH 6/8] Updating the distributed pwd spray detection --- .../detect_distributed_password_spray_attempts.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml index 08399b0a9a..7d6f8bd09f 100644 --- a/detections/application/detect_distributed_password_spray_attempts.yml +++ b/detections/application/detect_distributed_password_spray_attempts.yml @@ -33,7 +33,10 @@ search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS un [ eval <> = if(<>="null",null(),<>)] | table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id | sort - total_failures | `detect_distributed_password_spray_attempts_filter`' -how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly. +how_to_implement: Ensure that all relevant authentication data is mapped to the Common Information Model (CIM) + and that the src field is populated with the source device information. Additionally, ensure that + fill_nullvalue is set within the security_content_summariesonly macro to include authentication events from + log sources that do not feature the signature_id field in the results. known_false_positives: It is common to see a spike of legitimate failed authentication events on monday mornings. references: - https://attack.mitre.org/techniques/T1110/003/ @@ -69,9 +72,10 @@ tags: - Authentication.user - Authentication.src security_domain: access + manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this detetion. tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techni[…]ure_ad_distributed_spray/azure_ad_distributed_spray.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log source: azure:monitor:aad sourcetype: azure:monitor:aad \ No newline at end of file From 40248a397a02c730a17131c88c5acbd138669f76 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Tue, 16 Jul 2024 08:11:24 -0700 Subject: [PATCH 7/8] updating data source files --- .../cloud/AWS_CloudWatchLogs_VPCflow.yml | 66 ++++++++++++++ .../endpoint/Windows_Event_Log_Security.yml | 2 + .../Windows_Event_Log_System_4728.yml | 89 +++++++++++++++++++ ...ct_distributed_password_spray_attempts.yml | 10 +-- .../detect_password_spray_attempts.yml | 2 +- ..._group_or_object_modification_activity.yml | 2 +- ...increase_in_user_modification_activity.yml | 2 +- .../windows_vulnerable_driver_installed.yml | 2 +- .../network/internal_horizontal_port_scan.yml | 3 +- .../network/internal_vertical_port_scan.yml | 3 +- 10 files changed, 170 insertions(+), 11 deletions(-) create mode 100644 data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml create mode 100644 data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml diff --git a/data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml b/data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml new file mode 100644 index 0000000000..7ba4fc7362 --- /dev/null +++ b/data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml @@ -0,0 +1,66 @@ +name: AWS CloudWatchLogs VPCflow +id: 38a34fc4-e128-4478-a8f4-7835d51d5135 +author: Bhavin Patel, Splunk +source: aws_cloudwatchlogs_vpcflow +sourcetype: aws:cloudwatchlogs:vpcflow +separator: eventName +supported_TA: + name: Splunk Add-on for Amazon Web Services (AWS) + version: 7.4.1 + url: https://splunkbase.splunk.com/app/1876 +event_names: [] +fields: +- _raw +- _time +- account_id +- action +- app +- aws_account_id +- bytes +- date_hour +- date_mday +- date_minute +- date_month +- date_second +- date_wday +- date_year +- date_zone +- dest +- dest_ip +- dest_port +- duration +- dvc +- end_time +- eventtype +- host +- index +- interface_id +- linecount +- log_status +- packets +- protocol +- protocol_code +- protocol_full_name +- protocol_version +- punct +- region +- source +- sourcetype +- splunk_server +- splunk_server_group +- src +- src_ip +- src_port +- start_time +- tag +- tag::action +- tag::eventtype +- timeendpos +- timestartpos +- transport +- user_id +- vendor_account +- vendor_product +- version +- vpcflow_action +example_log: '2 123397614277 eni-0b0f9f261f45e6489 10.0.1.30 10.0.1.1 47254 22 17 2 98 1697608042 1697608070 ACCEPT OK' diff --git a/data_sources/endpoint/Windows_Event_Log_Security.yml b/data_sources/endpoint/Windows_Event_Log_Security.yml index 46e786a697..ca5c7355c4 100644 --- a/data_sources/endpoint/Windows_Event_Log_Security.yml +++ b/data_sources/endpoint/Windows_Event_Log_Security.yml @@ -45,6 +45,8 @@ event_names: data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4725.yml - event_name: Windows Event Log Security 4726 data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4726.yml +- event_name: Windows Event Log Security 4728 + data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4728.yml - event_name: Windows Event Log Security 4732 data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4732.yml - event_name: Windows Event Log Security 4738 diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml new file mode 100644 index 0000000000..0f8a2baa8a --- /dev/null +++ b/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml @@ -0,0 +1,89 @@ + +event_name: Windows Event Log System 4728 +fields: +- _time +- Account_Domain +- Account_Name +- CategoryString +- ComputerName +- Error_Code +- EventCode +- EventType +- Keywords +- LogName +- Logon_ID +- Message +- OpCode +- RecordNumber +- Security_ID +- SourceName +- Subject_Account_Domain +- Subject_Account_Name +- Subject_Logon_ID +- Subject_Security_ID +- Target_Account_Domain +- Target_Account_Name +- Target_Security_ID +- TaskCategory +- Type +- action +- app +- body +- category +- change_type +- date_hour +- date_mday +- date_minute +- date_month +- date_second +- date_wday +- date_year +- date_zone +- dest +- dest_nt_domain +- dest_nt_host +- dvc +- dvc_nt_host +- event_id +- eventtype +- host +- id +- index +- linecount +- member_dn +- member_id +- member_nt_domain +- msad_action +- name +- object +- object_attrs +- object_category +- object_id +- product +- punct +- result +- session_id +- severity +- severity_id +- signature +- signature_id +- source +- sourcetype +- splunk_server +- src_nt_domain +- src_user +- src_user_name +- status +- subject +- ta_windows_action +- ta_windows_security_CategoryString +- tag +- tag::eventtype +- timeendpos +- timestartpos +- user +- user_group +- user_name +- vendor +- vendor_product +example_log: 10/09/2020 10:41:29 AM diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml index 7d6f8bd09f..518b80d315 100644 --- a/detections/application/detect_distributed_password_spray_attempts.yml +++ b/detections/application/detect_distributed_password_spray_attempts.yml @@ -6,7 +6,7 @@ author: Dean Luxton status: production type: Hunting data_source: -- Authentication Datamodel +- Azure Active Directory Sign-in activity description: This analytic employs the 3-sigma approach to identify distributed password spray attacks. A distributed password spray attack is a type of brute force attack where the attacker attempts a few common passwords against many different accounts, connecting from multiple IP addresses to avoid detection. @@ -49,17 +49,17 @@ tags: - 90bc2e54-6c84-47a5-9439-0a2a92b4b175 confidence: 70 impact: 70 - message: Distributed Password Spray Attempt Detected + message: Distributed Password Spray Attempt Detected from $src$ mitre_attack_id: - T1110.003 - T1110 observable: - name: src - type: Endpoint + type: IP Address role: - Attacker - - name: sourcetype - type: Other + - name: unique_accounts + type: User role: - Victim product: diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml index c084024e91..6a90bbebdc 100644 --- a/detections/application/detect_password_spray_attempts.yml +++ b/detections/application/detect_password_spray_attempts.yml @@ -6,7 +6,7 @@ author: Dean Luxton status: production type: TTP data_source: -- Authentication Datamodel +- Windows Event Log Security 4625 description: This analytic employs the 3-sigma approach to detect an unusual volume of failed authentication attempts from a single source. A password spray attack is a type of brute force attack where an attacker tries a few common passwords across many different accounts to avoid detection and account lockouts. By utilizing the diff --git a/detections/application/windows_increase_in_group_or_object_modification_activity.yml b/detections/application/windows_increase_in_group_or_object_modification_activity.yml index 185773ebc9..e3099cbb2a 100644 --- a/detections/application/windows_increase_in_group_or_object_modification_activity.yml +++ b/detections/application/windows_increase_in_group_or_object_modification_activity.yml @@ -6,7 +6,7 @@ author: Dean Luxton status: production type: TTP data_source: -- XmlWinEventLog:Security +- Windows Event Log Security 4663 description: This analytic detects an increase in modifications to AD groups or objects. Frequent changes to AD groups or objects can indicate potential security risks, such as unauthorized access attempts, impairing defences or establishing persistence. diff --git a/detections/application/windows_increase_in_user_modification_activity.yml b/detections/application/windows_increase_in_user_modification_activity.yml index f7eceacd10..2f6baf93a7 100644 --- a/detections/application/windows_increase_in_user_modification_activity.yml +++ b/detections/application/windows_increase_in_user_modification_activity.yml @@ -6,7 +6,7 @@ author: Dean Luxton status: production type: TTP data_source: -- XmlWinEventLog:Security +- Windows Event Log Security 4720 description: This analytic detects an increase in modifications to AD user objects. A large volume of changes to user objects can indicate potential security risks, such as unauthorized access attempts, impairing defences or establishing persistence. diff --git a/detections/endpoint/windows_vulnerable_driver_installed.yml b/detections/endpoint/windows_vulnerable_driver_installed.yml index e0324ffc1a..373abfb0ea 100644 --- a/detections/endpoint/windows_vulnerable_driver_installed.yml +++ b/detections/endpoint/windows_vulnerable_driver_installed.yml @@ -6,7 +6,7 @@ author: Dean Luxton status: production type: TTP data_source: -- XmlWinEventLog System EventCode 7045 +- Windows Event Log System 7045 description: The following analytic detects the loading of known vulnerable Windows drivers, which may indicate potential persistence or privilege escalation attempts. It leverages Windows System service install EventCode 7045 to identify driver loading diff --git a/detections/network/internal_horizontal_port_scan.yml b/detections/network/internal_horizontal_port_scan.yml index f2670befd9..2482756b8d 100644 --- a/detections/network/internal_horizontal_port_scan.yml +++ b/detections/network/internal_horizontal_port_scan.yml @@ -5,7 +5,8 @@ date: '2023-10-20' author: Dean Luxton status: production type: TTP -data_source: [] +data_source: +- AWS CloudWatchLogs VPCflow description: This analytic identifies instances where an internal host has attempted to communicate with 250 or more destination IP addresses using the same port and protocol. Horizontal port scans from internal hosts can indicate reconnaissance or scanning activities, diff --git a/detections/network/internal_vertical_port_scan.yml b/detections/network/internal_vertical_port_scan.yml index 8a18aac5f3..d322a38390 100644 --- a/detections/network/internal_vertical_port_scan.yml +++ b/detections/network/internal_vertical_port_scan.yml @@ -5,7 +5,8 @@ date: '2023-10-20' author: Dean Luxton status: production type: TTP -data_source: [] +data_source: +- AWS CloudWatchLogs VPCflow description: This analytic detects instances where an internal host attempts to communicate with over 500 ports on a single destination IP address. It includes filtering criteria to exclude applications performing scans over ephemeral port ranges, From 8d42322842d5aa84a7d48ebc1962e76553dfb0a8 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Tue, 16 Jul 2024 08:12:27 -0700 Subject: [PATCH 8/8] rm new line --- .../endpoint/event_sources/Windows_Event_Log_System_4728.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml index 0f8a2baa8a..6374e6f659 100644 --- a/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml +++ b/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml @@ -1,4 +1,3 @@ - event_name: Windows Event Log System 4728 fields: - _time