diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9d15eb041c..3d613bad10 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -2,6 +2,9 @@ name: build on: pull_request: types: [opened, reopened, synchronize] + push: + branches: + - develop jobs: build: #Note that the CircleCI job used a Container. The way to do this with Github Actions diff --git a/.github/workflows/unit-testing.yml b/.github/workflows/unit-testing.yml index 970339f562..ea3edbefcb 100644 --- a/.github/workflows/unit-testing.yml +++ b/.github/workflows/unit-testing.yml @@ -7,11 +7,14 @@ jobs: runs-on: ubuntu-latest if: "!contains(github.ref, 'refs/tags/')" #don't run on tags - future steps won't run either since they depend on this job # needs: [validate-tag-if-present, quit-for-dependabot] - steps: + steps: + #For fork PRs, always check out security_content and the PR target in security content! - name: Check out the repository code uses: actions/checkout@v4 with: - ref: develop + repository: 'splunk/security_content' #this should be the TARGET repo of the PR. we hardcode it for now + ref: ${{ github.base_ref }} + - uses: actions/setup-python@v5 with: @@ -24,13 +27,20 @@ jobs: pip install contentctl # Running contentctl test with a few arguments, before running the command make sure you checkout into the current branch of the pull request. This step only performs unit testing on all the changes against the target-branch. In most cases this target branch will be develop + # Make sure we check out the PR, even if it actually lives in a fork + # Instructions for pulling a PR were taken from: + # https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally - name: Run ContentCTL test for changes against target branch run: | + echo "Current Branch (Head Ref): ${{ github.head_ref }}" echo "Target Branch (Base Ref): ${{ github.base_ref }}" git pull > /dev/null 2>&1 - git checkout ${{ github.head_ref }} - echo "The target branch for this PR is ${{ github.base_ref }}" + git fetch origin pull/${{ github.event.pull_request.number }}/head:${{ github.head_ref }} + #We must specifically get the PR's target branch from security_content, not the one that resides in the fork PR's forked repo + git switch ${{ github.head_ref }} + #git checkout ${{ github.head_ref }} + #echo "The target branch for this PR is ${{ github.base_ref }}" contentctl test --disable-tqdm --no-enable-integration-testing --post-test-behavior never_pause mode:changes --mode.target-branch ${{ github.base_ref }} echo "contentctl test - COMPLETED" continue-on-error: true @@ -55,5 +65,4 @@ jobs: run: | echo "This job will fail if there are failures in unit-testing" python .github/workflows/format_test_results.py >> $GITHUB_STEP_SUMMARY - echo "The Unit testing is completed. See details in the unit-testing job summary UI " - \ No newline at end of file + echo "The Unit testing is completed. See details in the unit-testing job summary UI " \ No newline at end of file diff --git a/README.md b/README.md index e6c6fedf80..758a7aede3 100644 --- a/README.md +++ b/README.md @@ -2,8 +2,8 @@

- - + + diff --git a/data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml b/data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml new file mode 100644 index 0000000000..7ba4fc7362 --- /dev/null +++ b/data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml @@ -0,0 +1,66 @@ +name: AWS CloudWatchLogs VPCflow +id: 38a34fc4-e128-4478-a8f4-7835d51d5135 +author: Bhavin Patel, Splunk +source: aws_cloudwatchlogs_vpcflow +sourcetype: aws:cloudwatchlogs:vpcflow +separator: eventName +supported_TA: + name: Splunk Add-on for Amazon Web Services (AWS) + version: 7.4.1 + url: https://splunkbase.splunk.com/app/1876 +event_names: [] +fields: +- _raw +- _time +- account_id +- action +- app +- aws_account_id +- bytes +- date_hour +- date_mday +- date_minute +- date_month +- date_second +- date_wday +- date_year +- date_zone +- dest +- dest_ip +- dest_port +- duration +- dvc +- end_time +- eventtype +- host +- index +- interface_id +- linecount +- log_status +- packets +- protocol +- protocol_code +- protocol_full_name +- protocol_version +- punct +- region +- source +- sourcetype +- splunk_server +- splunk_server_group +- src +- src_ip +- src_port +- start_time +- tag +- tag::action +- tag::eventtype +- timeendpos +- timestartpos +- transport +- user_id +- vendor_account +- vendor_product +- version +- vpcflow_action +example_log: '2 123397614277 eni-0b0f9f261f45e6489 10.0.1.30 10.0.1.1 47254 22 17 2 98 1697608042 1697608070 ACCEPT OK' diff --git a/data_sources/endpoint/Windows_Event_Log_Security.yml b/data_sources/endpoint/Windows_Event_Log_Security.yml index 46e786a697..ca5c7355c4 100644 --- a/data_sources/endpoint/Windows_Event_Log_Security.yml +++ b/data_sources/endpoint/Windows_Event_Log_Security.yml @@ -45,6 +45,8 @@ event_names: data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4725.yml - event_name: Windows Event Log Security 4726 data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4726.yml +- event_name: Windows Event Log Security 4728 + data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4728.yml - event_name: Windows Event Log Security 4732 data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4732.yml - event_name: Windows Event Log Security 4738 diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml new file mode 100644 index 0000000000..6374e6f659 --- /dev/null +++ b/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml @@ -0,0 +1,88 @@ +event_name: Windows Event Log System 4728 +fields: +- _time +- Account_Domain +- Account_Name +- CategoryString +- ComputerName +- Error_Code +- EventCode +- EventType +- Keywords +- LogName +- Logon_ID +- Message +- OpCode +- RecordNumber +- Security_ID +- SourceName +- Subject_Account_Domain +- Subject_Account_Name +- Subject_Logon_ID +- Subject_Security_ID +- Target_Account_Domain +- Target_Account_Name +- Target_Security_ID +- TaskCategory +- Type +- action +- app +- body +- category +- change_type +- date_hour +- date_mday +- date_minute +- date_month +- date_second +- date_wday +- date_year +- date_zone +- dest +- dest_nt_domain +- dest_nt_host +- dvc +- dvc_nt_host +- event_id +- eventtype +- host +- id +- index +- linecount +- member_dn +- member_id +- member_nt_domain +- msad_action +- name +- object +- object_attrs +- object_category +- object_id +- product +- punct +- result +- session_id +- severity +- severity_id +- signature +- signature_id +- source +- sourcetype +- splunk_server +- src_nt_domain +- src_user +- src_user_name +- status +- subject +- ta_windows_action +- ta_windows_security_CategoryString +- tag +- tag::eventtype +- timeendpos +- timestartpos +- user +- user_group +- user_name +- vendor +- vendor_product +example_log: 10/09/2020 10:41:29 AM diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml new file mode 100644 index 0000000000..518b80d315 --- /dev/null +++ b/detections/application/detect_distributed_password_spray_attempts.yml @@ -0,0 +1,81 @@ +name: Detect Distributed Password Spray Attempts +id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57 +version: 1 +date: '2023-11-01' +author: Dean Luxton +status: production +type: Hunting +data_source: +- Azure Active Directory Sign-in activity +description: This analytic employs the 3-sigma approach to identify distributed password spray attacks. A + distributed password spray attack is a type of brute force attack where the attacker attempts a few + common passwords against many different accounts, connecting from multiple IP addresses to avoid detection. + By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication + events, providing comprehensive coverage and enhancing security against these attacks. +search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action, Authentication.signature_id, sourcetype, _time span=2m + | `drop_dm_object_name("Authentication")` + ```fill out time buckets for 0-count events during entire search length``` + | appendpipe [| timechart limit=0 span=5m count | table _time] + | fillnull value=0 unique_accounts, unique_src + ``` remove duplicate & empty time buckets``` + | sort - total_failures + | dedup _time + ``` Create aggregation field & apply to all null events``` + | eval counter=sourcetype+"__"+signature_id + | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) + ``` 3-sigma detection logic ``` + | eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter + | eval upperBoundUser=(comp_avg_user+comp_std_user*3), upperBoundsrc=(comp_avg_src+comp_std_src*3) + | eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_accounts >= upperBoundsrc), 1, 0) + | replace "::ffff:*" with * in src + | where isOutlier=1 + | foreach * + [ eval <> = if(<>="null",null(),<>)] + | table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id + | sort - total_failures | `detect_distributed_password_spray_attempts_filter`' +how_to_implement: Ensure that all relevant authentication data is mapped to the Common Information Model (CIM) + and that the src field is populated with the source device information. Additionally, ensure that + fill_nullvalue is set within the security_content_summariesonly macro to include authentication events from + log sources that do not feature the signature_id field in the results. +known_false_positives: It is common to see a spike of legitimate failed authentication events on monday mornings. +references: +- https://attack.mitre.org/techniques/T1110/003/ +tags: + analytic_story: + - Compromised User Account + - Active Directory Password Spraying + asset_type: Endpoint + atomic_guid: + - 90bc2e54-6c84-47a5-9439-0a2a92b4b175 + confidence: 70 + impact: 70 + message: Distributed Password Spray Attempt Detected from $src$ + mitre_attack_id: + - T1110.003 + - T1110 + observable: + - name: src + type: IP Address + role: + - Attacker + - name: unique_accounts + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 49 + required_fields: + - Authentication.action + - Authentication.user + - Authentication.src + security_domain: access + manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this detetion. +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log + source: azure:monitor:aad + sourcetype: azure:monitor:aad \ No newline at end of file diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml new file mode 100644 index 0000000000..6a90bbebdc --- /dev/null +++ b/detections/application/detect_password_spray_attempts.yml @@ -0,0 +1,75 @@ +name: Detect Password Spray Attempts +id: 086ab581-8877-42b3-9aee-4a7ecb0923af +version: 1 +date: '2023-11-01' +author: Dean Luxton +status: production +type: TTP +data_source: +- Windows Event Log Security 4625 +description: This analytic employs the 3-sigma approach to detect an unusual volume of failed authentication attempts + from a single source. A password spray attack is a type of brute force attack where an attacker tries a few + common passwords across many different accounts to avoid detection and account lockouts. By utilizing the + Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing + comprehensive coverage and enhancing security against these attacks. +search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts values(Authentication.app) as app count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.src, Authentication.action, Authentication.signature_id, sourcetype, _time span=2m + | `drop_dm_object_name("Authentication")` + ```fill out time buckets for 0-count events during entire search length``` + | appendpipe [| timechart limit=0 span=5m count | table _time] + | fillnull value=0 unique_accounts, unique_src + ``` remove duplicate & empty time buckets``` + | sort - total_failures + | dedup _time + ``` Create aggregation field & apply to all null events``` + | eval counter=src+"__"+sourcetype+"__"+signature_id + | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) + | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by counter + | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(unique_accounts > 30 and unique_accounts >= upperBound, 1, 0) + | replace "::ffff:*" with * in src + | where isOutlier=1 + | foreach * [ eval <> = if(<>="null",null(),<>)] + | table _time, src, action, app, unique_accounts, total_failures, sourcetype, signature_id + | `detect_password_spray_attempts_filter`' +how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly. +known_false_positives: Unknown +references: +- https://attack.mitre.org/techniques/T1110/003/ +tags: + analytic_story: + - Compromised User Account + - Active Directory Password Spraying + asset_type: Endpoint + atomic_guid: + - 90bc2e54-6c84-47a5-9439-0a2a92b4b175 + confidence: 70 + impact: 70 + message: Potential Password Spraying attack from $src$ targeting $unique_accounts$ unique accounts. + mitre_attack_id: + - T1110.003 + - T1110 + observable: + - name: src + type: Endpoint + role: + - Attacker + - name: sourcetype + type: Other + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 49 + required_fields: + - Authentication.action + - Authentication.user + - Authentication.src + security_domain: access +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/application/windows_ad_add_self_to_group.yml b/detections/application/windows_ad_add_self_to_group.yml new file mode 100644 index 0000000000..d01cf4389e --- /dev/null +++ b/detections/application/windows_ad_add_self_to_group.yml @@ -0,0 +1,54 @@ +name: Windows AD add Self to Group +id: 065f2701-b7ea-42f5-9ec4-fbc2261165f9 +version: 1 +date: '2023-12-18' +author: Dean Luxton +status: production +type: TTP +data_source: +- Windows Event Log Security 4728 +description: This analytic detects instances where a user adds themselves to an Active Directory (AD) group. This activity + is a common indicator of privilege escalation, where a user attempts to gain unauthorized access to higher + privileges or sensitive resources. By monitoring AD logs, this detection identifies such suspicious behavior, + which could be part of a larger attack strategy aimed at compromising critical systems and data. +search: '`wineventlog_security` EventCode IN (4728) + | where user=src_user + | stats min(_time) as _time dc(user) as usercount, values(user) as user values(user_category) as user_category values(src_user_category) as src_user_category values(dvc) as dvc by signature, Group_Name, src_user + | `windows_ad_add_self_to_group_filter`' +how_to_implement: This analytic requires eventCode 4728 to be ingested. +known_false_positives: Unknown +references: [] +tags: + analytic_story: + - Active Directory Privilege Escalation + - Sneaky Active Directory Persistence Tricks + asset_type: Endpoint + confidence: 100 + impact: 50 + message: $user$ added themselves to AD Group $Group_Name$ + mitre_attack_id: + - T1098 + observable: + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 50 + required_fields: + - EventCode + - user + - src_user + - signature + - Group_Name + security_domain: audit +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog + update_timestamp: true \ No newline at end of file diff --git a/detections/application/windows_increase_in_group_or_object_modification_activity.yml b/detections/application/windows_increase_in_group_or_object_modification_activity.yml new file mode 100644 index 0000000000..e3099cbb2a --- /dev/null +++ b/detections/application/windows_increase_in_group_or_object_modification_activity.yml @@ -0,0 +1,57 @@ +name: Windows Increase in Group or Object Modification Activity +id: 4f9564dd-a204-4f22-b375-4dfca3a68731 +version: 1 +date: '2023-10-13' +author: Dean Luxton +status: production +type: TTP +data_source: +- Windows Event Log Security 4663 +description: This analytic detects an increase in modifications to AD groups or objects. + Frequent changes to AD groups or objects can indicate potential security risks, + such as unauthorized access attempts, impairing defences or establishing persistence. + By monitoring AD logs for unusual modification patterns, this detection helps identify + suspicious behavior that could compromise the integrity and security of the AD environment. +search: >- + `wineventlog_security` EventCode IN (4670,4727,4731,4734,4735,4764) + | bucket span=5m _time + | stats values(object) as object, dc(object) as objectCount, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category by _time, src_user, signature, status + | eventstats avg(objectCount) as comp_avg, stdev(objectCount) as comp_std by src_user, signature + | eval upperBound=(comp_avg+comp_std) + | eval isOutlier=if(objectCount > 10 and (objectCount >= upperBound), 1, 0) + | search isOutlier=1 + | `windows_increase_in_group_or_object_modification_activity_filter` +how_to_implement: Run this detection looking over a 7 day timeframe for best results. +known_false_positives: Unknown +references: [] +tags: + analytic_story: + - Sneaky Active Directory Persistence Tricks + asset_type: Endpoint + confidence: 40 + impact: 20 + message: Spike in Group or Object Modifications performed by $src_user$ + mitre_attack_id: + - T1098 + - T1562 + observable: + - name: src_user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 8 + required_fields: + - EventCode + - src_user + - signature + security_domain: audit +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/application/windows_increase_in_user_modification_activity.yml b/detections/application/windows_increase_in_user_modification_activity.yml new file mode 100644 index 0000000000..2f6baf93a7 --- /dev/null +++ b/detections/application/windows_increase_in_user_modification_activity.yml @@ -0,0 +1,58 @@ +name: Windows Increase in User Modification Activity +id: 0995fca1-f346-432f-b0bf-a66d14e6b428 +version: 1 +date: '2023-10-13' +author: Dean Luxton +status: production +type: TTP +data_source: +- Windows Event Log Security 4720 +description: This analytic detects an increase in modifications to AD user objects. + A large volume of changes to user objects can indicate potential security risks, + such as unauthorized access attempts, impairing defences or establishing persistence. + By monitoring AD logs for unusual modification patterns, this detection helps identify + suspicious behavior that could compromise the integrity and security of the AD environment. +search: >- + `wineventlog_security` EventCode IN (4720,4722,4723,4724,4725,4726,4728,4732,4733,4738,4743,4780) + | bucket span=5m _time + | stats values(TargetDomainName) as TargetDomainName, values(user) as user, dc(user) as userCount, values(user_category) as user_category, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category by _time, src_user, signature, status + | eventstats avg(userCount) as comp_avg , stdev(userCount) as comp_std by src_user, signature + | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(userCount > 10 and userCount >= upperBound, 1, 0) + | search isOutlier=1 + | stats values(TargetDomainName) as TargetDomainName, values(user) as user, dc(user) as userCount, values(user_category) as user_category, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category values(signature) as signature by _time, src_user, status + | `windows_increase_in_user_modification_activity_filter` +how_to_implement: Run this detection looking over a 7 day timeframe for best results. +known_false_positives: Genuine activity +references: [] +tags: + analytic_story: + - Sneaky Active Directory Persistence Tricks + asset_type: Endpoint + confidence: 40 + impact: 20 + message: Spike in User Modification actions performed by $src_user$ + mitre_attack_id: + - T1098 + - T1562 + observable: + - name: src_user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 8 + required_fields: + - EventCode + - src_user + - signature + security_domain: audit +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_network_share_interaction_with_net.yml b/detections/endpoint/windows_network_share_interaction_with_net.yml new file mode 100644 index 0000000000..057b77623e --- /dev/null +++ b/detections/endpoint/windows_network_share_interaction_with_net.yml @@ -0,0 +1,71 @@ +name: Windows Network Share Interaction With Net +id: 4dc3951f-b3f8-4f46-b412-76a483f72277 +version: 1 +date: '2023-04-21' +author: Dean Luxton +status: production +type: TTP +data_source: +- Sysmon EventID 1 +description: This analytic detects network share discovery and collection activities performed on Windows systems using the Net command. + Attackers often use network share discovery to identify accessible shared resources within a network, + which can be a precursor to privilege escalation or data exfiltration. By monitoring Windows Event Logs for + the usage of the Net command to list and interact with network shares, this detection helps identify potential reconnaissance and collection + activities. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.user_category) as user_category values(Processes.user_bunit) as user_bunit FROM datamodel=Endpoint.Processes WHERE (Processes.process_name="net.exe" OR Processes.process_name="net1.exe" OR Processes.orig_process_name="net.exe" OR Processes.orig_process_name="net1net[\s\.ex1]+view|net[\s\.ex1]+share|net[\s\.ex1]+use\s.exe") BY Processes.user Processes.dest Processes.process_exec Processes.parent_process_exec + Processes.process Processes.parent_process + | `drop_dm_object_name(Processes)` + | regex process="net[\s\.ex1]+view|net[\s\.ex1]+share|net[\s\.ex1]+use\s" + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_network_share_interaction_with_net_filter`' +how_to_implement: The detection is based on data originating from either Endpoint Detection and Response (EDR) telemetry or EventCode 4688 with + process command line logging enabled. These sources provide security-related telemetry from the endpoints. To implement this search, you must + ingest logs that contain the process name, parent process, and complete command-line executions. These logs must be mapped to the Splunk Common + Information Model (CIM) to normalize the field names capture the data within the datamodel schema. +known_false_positives: Unknown +references: +- https://attack.mitre.org/techniques/T1135/ +tags: + analytic_story: + - Active Directory Discovery + - Active Directory Privilege Escalation + - Network Discovery + asset_type: Endpoint + atomic_guid: + - ab39a04f-0c93-4540-9ff2-83f862c385ae + confidence: 100 + impact: 20 + message: User $user$ leveraged net.exe on $dest$ to interact with network shares, executed by parent process $parent_process$ + mitre_attack_id: + - T1135 + - T1039 + required_fields: + - Processes.process_name + - Processes.user + - Processes.dest + - Processes.process_exec + - Processes.parent_process_exec + - Processes.process + - Processes.parent_process + observable: + - name: dest + type: Hostname + role: + - Victim + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 20 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog \ No newline at end of file diff --git a/detections/endpoint/windows_vulnerable_driver_installed.yml b/detections/endpoint/windows_vulnerable_driver_installed.yml new file mode 100644 index 0000000000..373abfb0ea --- /dev/null +++ b/detections/endpoint/windows_vulnerable_driver_installed.yml @@ -0,0 +1,60 @@ +name: Windows Vulnerable Driver Installed +id: 1dda7586-57be-4a1b-8de1-a9ad802b9a7f +version: 1 +date: '2023-09-27' +author: Dean Luxton +status: production +type: TTP +data_source: +- Windows Event Log System 7045 +description: The following analytic detects the loading of known vulnerable Windows + drivers, which may indicate potential persistence or privilege escalation attempts. + It leverages Windows System service install EventCode 7045 to identify driver loading + events and cross-references them with a list of vulnerable drivers. This activity is + significant as attackers often exploit vulnerable drivers to gain elevated privileges + or maintain persistence on a system. If confirmed malicious, this could allow attackers + to execute arbitrary code with high privileges, leading to further system compromise + and potential data exfiltration. This detection is a Windows Event Log adaptation of + the Sysmon driver loaded detection written by Michael Haag. +search: '`wineventlog_system` EventCode=7045 ServiceType="kernel mode driver" | table _time dest EventCode ImagePath ServiceName ServiceType | lookup loldrivers driver_name AS ImagePath OUTPUT is_driver driver_description | search is_driver = TRUE | `windows_vulnerable_driver_installed_filter`' +how_to_implement: Ensure the Splunk is collecting XmlWinEventLog:System events and the EventCode 7045 is being ingested. +known_false_positives: False positives will be present. Drill down into the driver + further by version number and cross reference by signer. Review the reference material + in the lookup. In addition, modify the query to look within specific paths, which + will remove a lot of "normal" drivers. +references: +- https://loldrivers.io/ +- https://github.com/SpikySabra/Kernel-Cactus +- https://github.com/wavestone-cdt/EDRSandblast +- https://research.splunk.com/endpoint/a2b1f1ef-221f-4187-b2a4-d4b08ec745f4/ +- https://www.splunk.com/en_us/blog/security/these-are-the-drivers-you-are-looking-for-detect-and-prevent-malicious-drivers.html +tags: + analytic_story: + - Windows Drivers + asset_type: Endpoint + confidence: 50 + impact: 100 + message: Potentially vulnerable/malicious driver ($driver_name$) has been installed on $dest$ + mitre_attack_id: + - T1543.003 + observable: + - name: dest + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 50 + required_fields: + - ServiceType + - driver_name + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-system.log + source: XmlWinEventLog:System + sourcetype: XmlWinEventLog + update_timestamp: true \ No newline at end of file diff --git a/detections/network/internal_horizontal_port_scan.yml b/detections/network/internal_horizontal_port_scan.yml new file mode 100644 index 0000000000..2482756b8d --- /dev/null +++ b/detections/network/internal_horizontal_port_scan.yml @@ -0,0 +1,65 @@ +name: Internal Horizontal Port Scan +id: 1ff9eb9a-7d72-4993-a55e-59a839e607f1 +version: 1 +date: '2023-10-20' +author: Dean Luxton +status: production +type: TTP +data_source: +- AWS CloudWatchLogs VPCflow +description: This analytic identifies instances where an internal host has attempted to communicate + with 250 or more destination IP addresses using the same port and protocol. Horizontal + port scans from internal hosts can indicate reconnaissance or scanning activities, + potentially signaling malicious intent or misconfiguration. By monitoring network + traffic logs, this detection helps detect and respond to such behavior promptly, + enhancing network security and preventing potential threats. +search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as action + values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as + dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic + where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") by All_Traffic.src_ip All_Traffic.dest_port + All_Traffic.dest_ip span=1s _time All_Traffic.transport | `drop_dm_object_name("All_Traffic")` + | eval gtime=_time | bin span=1h gtime | stats min(_time) as _time values(action) + as action dc(dest_ip) as totalDestIPCount values(src_category) as src_category values(dest_zone) + as dest_zone values(src_zone) as src_zone by src_ip dest_port gtime transport | + where totalDestIPCount>=250 | eval dest_port=transport + "/" + dest_port | stats + min(_time) as _time values(action) as action sum(totalDestIPCount) as totalDestIPCount + values(src_category) as src_category values(dest_port) as dest_ports values(dest_zone) + as dest_zone values(src_zone) as src_zone by src_ip gtime | fields - gtime | `internal_horizontal_port_scan_filter`' +how_to_implement: To properly run this search, Splunk needs to ingest data from networking telemetry sources such as + firewalls, NetFlow, or host-based networking events. Ensure that the Network_Traffic data model is populated to + enable this search effectively. +known_false_positives: Unknown +references: [] +tags: + analytic_story: + - Network Discovery + asset_type: Endpoint + confidence: 80 + impact: 80 + message: $src_ip$ has scanned for port $dest_port$ across $totalDestIPCount$ destination IPs + mitre_attack_id: + - T1046 + observable: + - name: src_ip + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 64 + required_fields: + - _time + - All_Traffic.action + - All_Traffic.src_ip + - All_Traffic.dest_ip + - All_Traffic.dest_port + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/horizontal.log + source: aws:cloudwatchlogs:vpcflow + sourcetype: aws:cloudwatchlogs:vpcflow + update_timestamp: true \ No newline at end of file diff --git a/detections/network/internal_vertical_port_scan.yml b/detections/network/internal_vertical_port_scan.yml new file mode 100644 index 0000000000..d322a38390 --- /dev/null +++ b/detections/network/internal_vertical_port_scan.yml @@ -0,0 +1,67 @@ +name: Internal Vertical Port Scan +id: 40d2dc41-9bbf-421a-a34b-8611271a6770 +version: 1 +date: '2023-10-20' +author: Dean Luxton +status: production +type: TTP +data_source: +- AWS CloudWatchLogs VPCflow +description: This analytic detects instances where an internal host attempts to communicate + with over 500 ports on a single destination IP address. It includes filtering + criteria to exclude applications performing scans over ephemeral port ranges, + focusing on potential reconnaissance or scanning activities. Monitoring network + traffic logs allows for timely detection and response to such behavior, enhancing + network security by identifying and mitigating potential threats promptly. +search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as action + values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as + dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic + where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") by All_Traffic.src_ip + All_Traffic.dest_port All_Traffic.dest_ip All_Traffic.transport span=1s _time | + `drop_dm_object_name("All_Traffic")` | eval gtime=_time | bin span=1h gtime | stats + min(_time) as _time values(action) as action dc(eval(if(dest_port<1024 AND transport="tcp",dest_port,null))) + as privilegedDestTcpPortCount dc(eval(if(transport="tcp",dest_port,null))) as totalDestTcpPortCount + dc(eval(if(dest_port<1024 AND transport="udp",dest_port,null))) as privilegedDestUdpPortCount + dc(eval(if(transport="udp",dest_port,null))) as totalDestUdpPortCount values(src_category) + as src_category values(dest_zone) as dest_zone values(src_zone) as src_zone by src_ip + dest_ip transport gtime | eval totalDestPortCount=totalDestUdpPortCount+totalDestTcpPortCount, + privilegedDestPortCount=privilegedDestTcpPortCount+privilegedDestUdpPortCount| where + (totalDestPortCount>=500 AND privilegedDestPortCount>=20) | fields - gtime | `internal_vertical_port_scan_filter`' +how_to_implement: To properly run this search, Splunk needs to ingest data from networking telemetry sources such as + firewalls, NetFlow, or host-based networking events. Ensure that the Network_Traffic data model is populated to + enable this search effectively. +known_false_positives: Unknown +references: [] +tags: + analytic_story: + - Network Discovery + asset_type: Endpoint + confidence: 80 + impact: 80 + message: $src_ip$ has scanned $totalDestPortCount$ ports on $dest_ip$ + mitre_attack_id: + - T1046 + observable: + - name: src_ip + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 64 + required_fields: + - _time + - All_Traffic.action + - All_Traffic.src_ip + - All_Traffic.dest_ip + - All_Traffic.dest_port + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/vertical.log + source: aws:cloudwatchlogs:vpcflow + sourcetype: aws:cloudwatchlogs:vpcflow + update_timestamp: trues \ No newline at end of file diff --git a/detections/network/internal_vulnerability_scan.yml b/detections/network/internal_vulnerability_scan.yml new file mode 100644 index 0000000000..342cb164d1 --- /dev/null +++ b/detections/network/internal_vulnerability_scan.yml @@ -0,0 +1,62 @@ +name: Internal Vulnerability Scan +id: 46f946ed-1c78-4e96-9906-c7a4be15e39b +version: 1 +date: '2023-10-27' +author: Dean Luxton +status: experimental +type: TTP +data_source: [] +description: This analytic detects internal hosts triggering multiple IDS signatures, which may include either + more than 25 signatures against a single host or a single signature across over 25 destination IP addresses. + Such patterns can indicate active vulnerability scanning activities within the network. By monitoring + IDS logs, this detection helps identify and respond to potential vulnerability scanning attempts, + enhancing the network's security posture and preventing potential exploits. +search: '| tstats `security_content_summariesonly` values(IDS_Attacks.action) as action + values(IDS_Attacks.src_category) as src_category values(IDS_Attacks.dest_category) + as dest_category count from datamodel=Intrusion_Detection.IDS_Attacks where IDS_Attacks.src + IN (10.0.0.0/8,192.168.0.0/16,172.16.0.0/12) IDS_Attacks.severity IN (critical, + high, medium) by IDS_Attacks.src IDS_Attacks.severity IDS_Attacks.signature IDS_Attacks.dest + IDS_Attacks.dest_port IDS_Attacks.transport span=1s _time | `drop_dm_object_name("IDS_Attacks")` + | eval gtime=_time | bin span=1h gtime | eventstats count as sevCount by severity + src | eventstats count as sigCount by signature src | eval severity=severity +"("+sevCount+")" + | eval signature=signature +"("+sigCount+")" | eval dest_port=transport + "/" + + dest_port | stats min(_time) as _time values(action) as action dc(dest) as destCount + dc(signature) as sigCount values(signature) values(src_category) as src_category + values(dest_category) as dest_category values(severity) as severity values(dest_port) + as dest_ports by src gtime | fields - gtime | where destCount>25 OR sigCount>25 + | `internal_vulnerability_scan_filter`' +how_to_implement: For this detection to function effectively, it is essential to ingest IDS/IPS logs that are + mapped to the Common Information Model (CIM). These logs provide the necessary security-related telemetry + and contextual information needed to accurately identify and analyze potential threats. +known_false_positives: Internal vulnerability scanners will trigger this detection. +references: [] +tags: + analytic_story: + - Network Discovery + asset_type: Endpoint + confidence: 80 + impact: 80 + message: Large volume of IDS signatures triggered by $src$ + mitre_attack_id: + - T1595.002 + - T1046 + observable: + - name: src + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 64 + required_fields: + - _time + - IDS_Attacks.action + - IDS_Attacks.src + - IDS_Attacks.dest + - IDS_Attacks.dest_port + - IDS_Attacks.severity + - IDS_Attacks.signature + - IDS_Attacks.transport + security_domain: network \ No newline at end of file