diff --git a/data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml b/data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml new file mode 100644 index 0000000000..7ba4fc7362 --- /dev/null +++ b/data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml @@ -0,0 +1,66 @@ +name: AWS CloudWatchLogs VPCflow +id: 38a34fc4-e128-4478-a8f4-7835d51d5135 +author: Bhavin Patel, Splunk +source: aws_cloudwatchlogs_vpcflow +sourcetype: aws:cloudwatchlogs:vpcflow +separator: eventName +supported_TA: + name: Splunk Add-on for Amazon Web Services (AWS) + version: 7.4.1 + url: https://splunkbase.splunk.com/app/1876 +event_names: [] +fields: +- _raw +- _time +- account_id +- action +- app +- aws_account_id +- bytes +- date_hour +- date_mday +- date_minute +- date_month +- date_second +- date_wday +- date_year +- date_zone +- dest +- dest_ip +- dest_port +- duration +- dvc +- end_time +- eventtype +- host +- index +- interface_id +- linecount +- log_status +- packets +- protocol +- protocol_code +- protocol_full_name +- protocol_version +- punct +- region +- source +- sourcetype +- splunk_server +- splunk_server_group +- src +- src_ip +- src_port +- start_time +- tag +- tag::action +- tag::eventtype +- timeendpos +- timestartpos +- transport +- user_id +- vendor_account +- vendor_product +- version +- vpcflow_action +example_log: '2 123397614277 eni-0b0f9f261f45e6489 10.0.1.30 10.0.1.1 47254 22 17 2 98 1697608042 1697608070 ACCEPT OK' diff --git a/data_sources/endpoint/Windows_Event_Log_Security.yml b/data_sources/endpoint/Windows_Event_Log_Security.yml index 46e786a697..ca5c7355c4 100644 --- a/data_sources/endpoint/Windows_Event_Log_Security.yml +++ b/data_sources/endpoint/Windows_Event_Log_Security.yml @@ -45,6 +45,8 @@ event_names: data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4725.yml - event_name: Windows Event Log Security 4726 data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4726.yml +- event_name: Windows Event Log Security 4728 + data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4728.yml - event_name: Windows Event Log Security 4732 data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4732.yml - event_name: Windows Event Log Security 4738 diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml new file mode 100644 index 0000000000..6374e6f659 --- /dev/null +++ b/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml @@ -0,0 +1,88 @@ +event_name: Windows Event Log System 4728 +fields: +- _time +- Account_Domain +- Account_Name +- CategoryString +- ComputerName +- Error_Code +- EventCode +- EventType +- Keywords +- LogName +- Logon_ID +- Message +- OpCode +- RecordNumber +- Security_ID +- SourceName +- Subject_Account_Domain +- Subject_Account_Name +- Subject_Logon_ID +- Subject_Security_ID +- Target_Account_Domain +- Target_Account_Name +- Target_Security_ID +- TaskCategory +- Type +- action +- app +- body +- category +- change_type +- date_hour +- date_mday +- date_minute +- date_month +- date_second +- date_wday +- date_year +- date_zone +- dest +- dest_nt_domain +- dest_nt_host +- dvc +- dvc_nt_host +- event_id +- eventtype +- host +- id +- index +- linecount +- member_dn +- member_id +- member_nt_domain +- msad_action +- name +- object +- object_attrs +- object_category +- object_id +- product +- punct +- result +- session_id +- severity +- severity_id +- signature +- signature_id +- source +- sourcetype +- splunk_server +- src_nt_domain +- src_user +- src_user_name +- status +- subject +- ta_windows_action +- ta_windows_security_CategoryString +- tag +- tag::eventtype +- timeendpos +- timestartpos +- user +- user_group +- user_name +- vendor +- vendor_product +example_log: 10/09/2020 10:41:29 AM diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml new file mode 100644 index 0000000000..518b80d315 --- /dev/null +++ b/detections/application/detect_distributed_password_spray_attempts.yml @@ -0,0 +1,81 @@ +name: Detect Distributed Password Spray Attempts +id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57 +version: 1 +date: '2023-11-01' +author: Dean Luxton +status: production +type: Hunting +data_source: +- Azure Active Directory Sign-in activity +description: This analytic employs the 3-sigma approach to identify distributed password spray attacks. A + distributed password spray attack is a type of brute force attack where the attacker attempts a few + common passwords against many different accounts, connecting from multiple IP addresses to avoid detection. + By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication + events, providing comprehensive coverage and enhancing security against these attacks. +search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action, Authentication.signature_id, sourcetype, _time span=2m + | `drop_dm_object_name("Authentication")` + ```fill out time buckets for 0-count events during entire search length``` + | appendpipe [| timechart limit=0 span=5m count | table _time] + | fillnull value=0 unique_accounts, unique_src + ``` remove duplicate & empty time buckets``` + | sort - total_failures + | dedup _time + ``` Create aggregation field & apply to all null events``` + | eval counter=sourcetype+"__"+signature_id + | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) + ``` 3-sigma detection logic ``` + | eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter + | eval upperBoundUser=(comp_avg_user+comp_std_user*3), upperBoundsrc=(comp_avg_src+comp_std_src*3) + | eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_accounts >= upperBoundsrc), 1, 0) + | replace "::ffff:*" with * in src + | where isOutlier=1 + | foreach * + [ eval <> = if(<>="null",null(),<>)] + | table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id + | sort - total_failures | `detect_distributed_password_spray_attempts_filter`' +how_to_implement: Ensure that all relevant authentication data is mapped to the Common Information Model (CIM) + and that the src field is populated with the source device information. Additionally, ensure that + fill_nullvalue is set within the security_content_summariesonly macro to include authentication events from + log sources that do not feature the signature_id field in the results. +known_false_positives: It is common to see a spike of legitimate failed authentication events on monday mornings. +references: +- https://attack.mitre.org/techniques/T1110/003/ +tags: + analytic_story: + - Compromised User Account + - Active Directory Password Spraying + asset_type: Endpoint + atomic_guid: + - 90bc2e54-6c84-47a5-9439-0a2a92b4b175 + confidence: 70 + impact: 70 + message: Distributed Password Spray Attempt Detected from $src$ + mitre_attack_id: + - T1110.003 + - T1110 + observable: + - name: src + type: IP Address + role: + - Attacker + - name: unique_accounts + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 49 + required_fields: + - Authentication.action + - Authentication.user + - Authentication.src + security_domain: access + manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this detetion. +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log + source: azure:monitor:aad + sourcetype: azure:monitor:aad \ No newline at end of file diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml new file mode 100644 index 0000000000..6a90bbebdc --- /dev/null +++ b/detections/application/detect_password_spray_attempts.yml @@ -0,0 +1,75 @@ +name: Detect Password Spray Attempts +id: 086ab581-8877-42b3-9aee-4a7ecb0923af +version: 1 +date: '2023-11-01' +author: Dean Luxton +status: production +type: TTP +data_source: +- Windows Event Log Security 4625 +description: This analytic employs the 3-sigma approach to detect an unusual volume of failed authentication attempts + from a single source. A password spray attack is a type of brute force attack where an attacker tries a few + common passwords across many different accounts to avoid detection and account lockouts. By utilizing the + Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing + comprehensive coverage and enhancing security against these attacks. +search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts values(Authentication.app) as app count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.src, Authentication.action, Authentication.signature_id, sourcetype, _time span=2m + | `drop_dm_object_name("Authentication")` + ```fill out time buckets for 0-count events during entire search length``` + | appendpipe [| timechart limit=0 span=5m count | table _time] + | fillnull value=0 unique_accounts, unique_src + ``` remove duplicate & empty time buckets``` + | sort - total_failures + | dedup _time + ``` Create aggregation field & apply to all null events``` + | eval counter=src+"__"+sourcetype+"__"+signature_id + | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) + | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by counter + | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(unique_accounts > 30 and unique_accounts >= upperBound, 1, 0) + | replace "::ffff:*" with * in src + | where isOutlier=1 + | foreach * [ eval <> = if(<>="null",null(),<>)] + | table _time, src, action, app, unique_accounts, total_failures, sourcetype, signature_id + | `detect_password_spray_attempts_filter`' +how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly. +known_false_positives: Unknown +references: +- https://attack.mitre.org/techniques/T1110/003/ +tags: + analytic_story: + - Compromised User Account + - Active Directory Password Spraying + asset_type: Endpoint + atomic_guid: + - 90bc2e54-6c84-47a5-9439-0a2a92b4b175 + confidence: 70 + impact: 70 + message: Potential Password Spraying attack from $src$ targeting $unique_accounts$ unique accounts. + mitre_attack_id: + - T1110.003 + - T1110 + observable: + - name: src + type: Endpoint + role: + - Attacker + - name: sourcetype + type: Other + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 49 + required_fields: + - Authentication.action + - Authentication.user + - Authentication.src + security_domain: access +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/application/windows_ad_add_self_to_group.yml b/detections/application/windows_ad_add_self_to_group.yml new file mode 100644 index 0000000000..d01cf4389e --- /dev/null +++ b/detections/application/windows_ad_add_self_to_group.yml @@ -0,0 +1,54 @@ +name: Windows AD add Self to Group +id: 065f2701-b7ea-42f5-9ec4-fbc2261165f9 +version: 1 +date: '2023-12-18' +author: Dean Luxton +status: production +type: TTP +data_source: +- Windows Event Log Security 4728 +description: This analytic detects instances where a user adds themselves to an Active Directory (AD) group. This activity + is a common indicator of privilege escalation, where a user attempts to gain unauthorized access to higher + privileges or sensitive resources. By monitoring AD logs, this detection identifies such suspicious behavior, + which could be part of a larger attack strategy aimed at compromising critical systems and data. +search: '`wineventlog_security` EventCode IN (4728) + | where user=src_user + | stats min(_time) as _time dc(user) as usercount, values(user) as user values(user_category) as user_category values(src_user_category) as src_user_category values(dvc) as dvc by signature, Group_Name, src_user + | `windows_ad_add_self_to_group_filter`' +how_to_implement: This analytic requires eventCode 4728 to be ingested. +known_false_positives: Unknown +references: [] +tags: + analytic_story: + - Active Directory Privilege Escalation + - Sneaky Active Directory Persistence Tricks + asset_type: Endpoint + confidence: 100 + impact: 50 + message: $user$ added themselves to AD Group $Group_Name$ + mitre_attack_id: + - T1098 + observable: + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 50 + required_fields: + - EventCode + - user + - src_user + - signature + - Group_Name + security_domain: audit +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog + update_timestamp: true \ No newline at end of file diff --git a/detections/application/windows_increase_in_group_or_object_modification_activity.yml b/detections/application/windows_increase_in_group_or_object_modification_activity.yml new file mode 100644 index 0000000000..e3099cbb2a --- /dev/null +++ b/detections/application/windows_increase_in_group_or_object_modification_activity.yml @@ -0,0 +1,57 @@ +name: Windows Increase in Group or Object Modification Activity +id: 4f9564dd-a204-4f22-b375-4dfca3a68731 +version: 1 +date: '2023-10-13' +author: Dean Luxton +status: production +type: TTP +data_source: +- Windows Event Log Security 4663 +description: This analytic detects an increase in modifications to AD groups or objects. + Frequent changes to AD groups or objects can indicate potential security risks, + such as unauthorized access attempts, impairing defences or establishing persistence. + By monitoring AD logs for unusual modification patterns, this detection helps identify + suspicious behavior that could compromise the integrity and security of the AD environment. +search: >- + `wineventlog_security` EventCode IN (4670,4727,4731,4734,4735,4764) + | bucket span=5m _time + | stats values(object) as object, dc(object) as objectCount, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category by _time, src_user, signature, status + | eventstats avg(objectCount) as comp_avg, stdev(objectCount) as comp_std by src_user, signature + | eval upperBound=(comp_avg+comp_std) + | eval isOutlier=if(objectCount > 10 and (objectCount >= upperBound), 1, 0) + | search isOutlier=1 + | `windows_increase_in_group_or_object_modification_activity_filter` +how_to_implement: Run this detection looking over a 7 day timeframe for best results. +known_false_positives: Unknown +references: [] +tags: + analytic_story: + - Sneaky Active Directory Persistence Tricks + asset_type: Endpoint + confidence: 40 + impact: 20 + message: Spike in Group or Object Modifications performed by $src_user$ + mitre_attack_id: + - T1098 + - T1562 + observable: + - name: src_user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 8 + required_fields: + - EventCode + - src_user + - signature + security_domain: audit +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/application/windows_increase_in_user_modification_activity.yml b/detections/application/windows_increase_in_user_modification_activity.yml new file mode 100644 index 0000000000..2f6baf93a7 --- /dev/null +++ b/detections/application/windows_increase_in_user_modification_activity.yml @@ -0,0 +1,58 @@ +name: Windows Increase in User Modification Activity +id: 0995fca1-f346-432f-b0bf-a66d14e6b428 +version: 1 +date: '2023-10-13' +author: Dean Luxton +status: production +type: TTP +data_source: +- Windows Event Log Security 4720 +description: This analytic detects an increase in modifications to AD user objects. + A large volume of changes to user objects can indicate potential security risks, + such as unauthorized access attempts, impairing defences or establishing persistence. + By monitoring AD logs for unusual modification patterns, this detection helps identify + suspicious behavior that could compromise the integrity and security of the AD environment. +search: >- + `wineventlog_security` EventCode IN (4720,4722,4723,4724,4725,4726,4728,4732,4733,4738,4743,4780) + | bucket span=5m _time + | stats values(TargetDomainName) as TargetDomainName, values(user) as user, dc(user) as userCount, values(user_category) as user_category, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category by _time, src_user, signature, status + | eventstats avg(userCount) as comp_avg , stdev(userCount) as comp_std by src_user, signature + | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(userCount > 10 and userCount >= upperBound, 1, 0) + | search isOutlier=1 + | stats values(TargetDomainName) as TargetDomainName, values(user) as user, dc(user) as userCount, values(user_category) as user_category, values(src_user_category) as src_user_category, values(dest) as dest, values(dest_category) as dest_category values(signature) as signature by _time, src_user, status + | `windows_increase_in_user_modification_activity_filter` +how_to_implement: Run this detection looking over a 7 day timeframe for best results. +known_false_positives: Genuine activity +references: [] +tags: + analytic_story: + - Sneaky Active Directory Persistence Tricks + asset_type: Endpoint + confidence: 40 + impact: 20 + message: Spike in User Modification actions performed by $src_user$ + mitre_attack_id: + - T1098 + - T1562 + observable: + - name: src_user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 8 + required_fields: + - EventCode + - src_user + - signature + security_domain: audit +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog \ No newline at end of file diff --git a/detections/endpoint/windows_network_share_interaction_with_net.yml b/detections/endpoint/windows_network_share_interaction_with_net.yml new file mode 100644 index 0000000000..057b77623e --- /dev/null +++ b/detections/endpoint/windows_network_share_interaction_with_net.yml @@ -0,0 +1,71 @@ +name: Windows Network Share Interaction With Net +id: 4dc3951f-b3f8-4f46-b412-76a483f72277 +version: 1 +date: '2023-04-21' +author: Dean Luxton +status: production +type: TTP +data_source: +- Sysmon EventID 1 +description: This analytic detects network share discovery and collection activities performed on Windows systems using the Net command. + Attackers often use network share discovery to identify accessible shared resources within a network, + which can be a precursor to privilege escalation or data exfiltration. By monitoring Windows Event Logs for + the usage of the Net command to list and interact with network shares, this detection helps identify potential reconnaissance and collection + activities. +search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.user_category) as user_category values(Processes.user_bunit) as user_bunit FROM datamodel=Endpoint.Processes WHERE (Processes.process_name="net.exe" OR Processes.process_name="net1.exe" OR Processes.orig_process_name="net.exe" OR Processes.orig_process_name="net1net[\s\.ex1]+view|net[\s\.ex1]+share|net[\s\.ex1]+use\s.exe") BY Processes.user Processes.dest Processes.process_exec Processes.parent_process_exec + Processes.process Processes.parent_process + | `drop_dm_object_name(Processes)` + | regex process="net[\s\.ex1]+view|net[\s\.ex1]+share|net[\s\.ex1]+use\s" + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_network_share_interaction_with_net_filter`' +how_to_implement: The detection is based on data originating from either Endpoint Detection and Response (EDR) telemetry or EventCode 4688 with + process command line logging enabled. These sources provide security-related telemetry from the endpoints. To implement this search, you must + ingest logs that contain the process name, parent process, and complete command-line executions. These logs must be mapped to the Splunk Common + Information Model (CIM) to normalize the field names capture the data within the datamodel schema. +known_false_positives: Unknown +references: +- https://attack.mitre.org/techniques/T1135/ +tags: + analytic_story: + - Active Directory Discovery + - Active Directory Privilege Escalation + - Network Discovery + asset_type: Endpoint + atomic_guid: + - ab39a04f-0c93-4540-9ff2-83f862c385ae + confidence: 100 + impact: 20 + message: User $user$ leveraged net.exe on $dest$ to interact with network shares, executed by parent process $parent_process$ + mitre_attack_id: + - T1135 + - T1039 + required_fields: + - Processes.process_name + - Processes.user + - Processes.dest + - Processes.process_exec + - Processes.parent_process_exec + - Processes.process + - Processes.parent_process + observable: + - name: dest + type: Hostname + role: + - Victim + - name: user + type: User + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 20 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1135/net_share/windows-sysmon.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: xmlwineventlog \ No newline at end of file diff --git a/detections/endpoint/windows_vulnerable_driver_installed.yml b/detections/endpoint/windows_vulnerable_driver_installed.yml new file mode 100644 index 0000000000..373abfb0ea --- /dev/null +++ b/detections/endpoint/windows_vulnerable_driver_installed.yml @@ -0,0 +1,60 @@ +name: Windows Vulnerable Driver Installed +id: 1dda7586-57be-4a1b-8de1-a9ad802b9a7f +version: 1 +date: '2023-09-27' +author: Dean Luxton +status: production +type: TTP +data_source: +- Windows Event Log System 7045 +description: The following analytic detects the loading of known vulnerable Windows + drivers, which may indicate potential persistence or privilege escalation attempts. + It leverages Windows System service install EventCode 7045 to identify driver loading + events and cross-references them with a list of vulnerable drivers. This activity is + significant as attackers often exploit vulnerable drivers to gain elevated privileges + or maintain persistence on a system. If confirmed malicious, this could allow attackers + to execute arbitrary code with high privileges, leading to further system compromise + and potential data exfiltration. This detection is a Windows Event Log adaptation of + the Sysmon driver loaded detection written by Michael Haag. +search: '`wineventlog_system` EventCode=7045 ServiceType="kernel mode driver" | table _time dest EventCode ImagePath ServiceName ServiceType | lookup loldrivers driver_name AS ImagePath OUTPUT is_driver driver_description | search is_driver = TRUE | `windows_vulnerable_driver_installed_filter`' +how_to_implement: Ensure the Splunk is collecting XmlWinEventLog:System events and the EventCode 7045 is being ingested. +known_false_positives: False positives will be present. Drill down into the driver + further by version number and cross reference by signer. Review the reference material + in the lookup. In addition, modify the query to look within specific paths, which + will remove a lot of "normal" drivers. +references: +- https://loldrivers.io/ +- https://github.com/SpikySabra/Kernel-Cactus +- https://github.com/wavestone-cdt/EDRSandblast +- https://research.splunk.com/endpoint/a2b1f1ef-221f-4187-b2a4-d4b08ec745f4/ +- https://www.splunk.com/en_us/blog/security/these-are-the-drivers-you-are-looking-for-detect-and-prevent-malicious-drivers.html +tags: + analytic_story: + - Windows Drivers + asset_type: Endpoint + confidence: 50 + impact: 100 + message: Potentially vulnerable/malicious driver ($driver_name$) has been installed on $dest$ + mitre_attack_id: + - T1543.003 + observable: + - name: dest + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 50 + required_fields: + - ServiceType + - driver_name + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1014/windows-system.log + source: XmlWinEventLog:System + sourcetype: XmlWinEventLog + update_timestamp: true \ No newline at end of file diff --git a/detections/network/internal_horizontal_port_scan.yml b/detections/network/internal_horizontal_port_scan.yml new file mode 100644 index 0000000000..2482756b8d --- /dev/null +++ b/detections/network/internal_horizontal_port_scan.yml @@ -0,0 +1,65 @@ +name: Internal Horizontal Port Scan +id: 1ff9eb9a-7d72-4993-a55e-59a839e607f1 +version: 1 +date: '2023-10-20' +author: Dean Luxton +status: production +type: TTP +data_source: +- AWS CloudWatchLogs VPCflow +description: This analytic identifies instances where an internal host has attempted to communicate + with 250 or more destination IP addresses using the same port and protocol. Horizontal + port scans from internal hosts can indicate reconnaissance or scanning activities, + potentially signaling malicious intent or misconfiguration. By monitoring network + traffic logs, this detection helps detect and respond to such behavior promptly, + enhancing network security and preventing potential threats. +search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as action + values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as + dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic + where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") by All_Traffic.src_ip All_Traffic.dest_port + All_Traffic.dest_ip span=1s _time All_Traffic.transport | `drop_dm_object_name("All_Traffic")` + | eval gtime=_time | bin span=1h gtime | stats min(_time) as _time values(action) + as action dc(dest_ip) as totalDestIPCount values(src_category) as src_category values(dest_zone) + as dest_zone values(src_zone) as src_zone by src_ip dest_port gtime transport | + where totalDestIPCount>=250 | eval dest_port=transport + "/" + dest_port | stats + min(_time) as _time values(action) as action sum(totalDestIPCount) as totalDestIPCount + values(src_category) as src_category values(dest_port) as dest_ports values(dest_zone) + as dest_zone values(src_zone) as src_zone by src_ip gtime | fields - gtime | `internal_horizontal_port_scan_filter`' +how_to_implement: To properly run this search, Splunk needs to ingest data from networking telemetry sources such as + firewalls, NetFlow, or host-based networking events. Ensure that the Network_Traffic data model is populated to + enable this search effectively. +known_false_positives: Unknown +references: [] +tags: + analytic_story: + - Network Discovery + asset_type: Endpoint + confidence: 80 + impact: 80 + message: $src_ip$ has scanned for port $dest_port$ across $totalDestIPCount$ destination IPs + mitre_attack_id: + - T1046 + observable: + - name: src_ip + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 64 + required_fields: + - _time + - All_Traffic.action + - All_Traffic.src_ip + - All_Traffic.dest_ip + - All_Traffic.dest_port + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/horizontal.log + source: aws:cloudwatchlogs:vpcflow + sourcetype: aws:cloudwatchlogs:vpcflow + update_timestamp: true \ No newline at end of file diff --git a/detections/network/internal_vertical_port_scan.yml b/detections/network/internal_vertical_port_scan.yml new file mode 100644 index 0000000000..d322a38390 --- /dev/null +++ b/detections/network/internal_vertical_port_scan.yml @@ -0,0 +1,67 @@ +name: Internal Vertical Port Scan +id: 40d2dc41-9bbf-421a-a34b-8611271a6770 +version: 1 +date: '2023-10-20' +author: Dean Luxton +status: production +type: TTP +data_source: +- AWS CloudWatchLogs VPCflow +description: This analytic detects instances where an internal host attempts to communicate + with over 500 ports on a single destination IP address. It includes filtering + criteria to exclude applications performing scans over ephemeral port ranges, + focusing on potential reconnaissance or scanning activities. Monitoring network + traffic logs allows for timely detection and response to such behavior, enhancing + network security by identifying and mitigating potential threats promptly. +search: '| tstats `security_content_summariesonly` values(All_Traffic.action) as action + values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as + dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic + where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") by All_Traffic.src_ip + All_Traffic.dest_port All_Traffic.dest_ip All_Traffic.transport span=1s _time | + `drop_dm_object_name("All_Traffic")` | eval gtime=_time | bin span=1h gtime | stats + min(_time) as _time values(action) as action dc(eval(if(dest_port<1024 AND transport="tcp",dest_port,null))) + as privilegedDestTcpPortCount dc(eval(if(transport="tcp",dest_port,null))) as totalDestTcpPortCount + dc(eval(if(dest_port<1024 AND transport="udp",dest_port,null))) as privilegedDestUdpPortCount + dc(eval(if(transport="udp",dest_port,null))) as totalDestUdpPortCount values(src_category) + as src_category values(dest_zone) as dest_zone values(src_zone) as src_zone by src_ip + dest_ip transport gtime | eval totalDestPortCount=totalDestUdpPortCount+totalDestTcpPortCount, + privilegedDestPortCount=privilegedDestTcpPortCount+privilegedDestUdpPortCount| where + (totalDestPortCount>=500 AND privilegedDestPortCount>=20) | fields - gtime | `internal_vertical_port_scan_filter`' +how_to_implement: To properly run this search, Splunk needs to ingest data from networking telemetry sources such as + firewalls, NetFlow, or host-based networking events. Ensure that the Network_Traffic data model is populated to + enable this search effectively. +known_false_positives: Unknown +references: [] +tags: + analytic_story: + - Network Discovery + asset_type: Endpoint + confidence: 80 + impact: 80 + message: $src_ip$ has scanned $totalDestPortCount$ ports on $dest_ip$ + mitre_attack_id: + - T1046 + observable: + - name: src_ip + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 64 + required_fields: + - _time + - All_Traffic.action + - All_Traffic.src_ip + - All_Traffic.dest_ip + - All_Traffic.dest_port + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/vertical.log + source: aws:cloudwatchlogs:vpcflow + sourcetype: aws:cloudwatchlogs:vpcflow + update_timestamp: trues \ No newline at end of file diff --git a/detections/network/internal_vulnerability_scan.yml b/detections/network/internal_vulnerability_scan.yml new file mode 100644 index 0000000000..342cb164d1 --- /dev/null +++ b/detections/network/internal_vulnerability_scan.yml @@ -0,0 +1,62 @@ +name: Internal Vulnerability Scan +id: 46f946ed-1c78-4e96-9906-c7a4be15e39b +version: 1 +date: '2023-10-27' +author: Dean Luxton +status: experimental +type: TTP +data_source: [] +description: This analytic detects internal hosts triggering multiple IDS signatures, which may include either + more than 25 signatures against a single host or a single signature across over 25 destination IP addresses. + Such patterns can indicate active vulnerability scanning activities within the network. By monitoring + IDS logs, this detection helps identify and respond to potential vulnerability scanning attempts, + enhancing the network's security posture and preventing potential exploits. +search: '| tstats `security_content_summariesonly` values(IDS_Attacks.action) as action + values(IDS_Attacks.src_category) as src_category values(IDS_Attacks.dest_category) + as dest_category count from datamodel=Intrusion_Detection.IDS_Attacks where IDS_Attacks.src + IN (10.0.0.0/8,192.168.0.0/16,172.16.0.0/12) IDS_Attacks.severity IN (critical, + high, medium) by IDS_Attacks.src IDS_Attacks.severity IDS_Attacks.signature IDS_Attacks.dest + IDS_Attacks.dest_port IDS_Attacks.transport span=1s _time | `drop_dm_object_name("IDS_Attacks")` + | eval gtime=_time | bin span=1h gtime | eventstats count as sevCount by severity + src | eventstats count as sigCount by signature src | eval severity=severity +"("+sevCount+")" + | eval signature=signature +"("+sigCount+")" | eval dest_port=transport + "/" + + dest_port | stats min(_time) as _time values(action) as action dc(dest) as destCount + dc(signature) as sigCount values(signature) values(src_category) as src_category + values(dest_category) as dest_category values(severity) as severity values(dest_port) + as dest_ports by src gtime | fields - gtime | where destCount>25 OR sigCount>25 + | `internal_vulnerability_scan_filter`' +how_to_implement: For this detection to function effectively, it is essential to ingest IDS/IPS logs that are + mapped to the Common Information Model (CIM). These logs provide the necessary security-related telemetry + and contextual information needed to accurately identify and analyze potential threats. +known_false_positives: Internal vulnerability scanners will trigger this detection. +references: [] +tags: + analytic_story: + - Network Discovery + asset_type: Endpoint + confidence: 80 + impact: 80 + message: Large volume of IDS signatures triggered by $src$ + mitre_attack_id: + - T1595.002 + - T1046 + observable: + - name: src + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 64 + required_fields: + - _time + - IDS_Attacks.action + - IDS_Attacks.src + - IDS_Attacks.dest + - IDS_Attacks.dest_port + - IDS_Attacks.severity + - IDS_Attacks.signature + - IDS_Attacks.transport + security_domain: network \ No newline at end of file