diff --git a/detections/endpoint/windows_detect_network_scanner_behavior.yml b/detections/endpoint/windows_detect_network_scanner_behavior.yml new file mode 100644 index 0000000000..9fc1b34e46 --- /dev/null +++ b/detections/endpoint/windows_detect_network_scanner_behavior.yml @@ -0,0 +1,76 @@ +name: Windows Detect Network Scanner Behavior +id: 78e678d2-bf64-4fe6-aa52-2f7b11dddee7 +version: 1 +date: '2024-12-26' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic detects when an application is used to connect a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote execution. This analytic may require significant tuning depending on the organization and applications being actively used, highly recommended to pre-populate the filter macro prior to activation. +data_source: +- Sysmon EventID 3 +search: '| tstats `security_content_summariesonly` count latest(All_Traffic.dest_port) as dest_port dc(All_Traffic.dest_port) as port_count dc(All_Traffic.dest) as dest_count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where sourcetype=XmlWinEventLog All_Traffic.app = "*\\*" All_Traffic.dest_port < 32000 NOT All_Traffic.dest_port IN (8443,8080,5353,3268,443,389,88,80,53,25) by host,All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user _time span=5m +| `drop_dm_object_name(All_Traffic)` +| rex field=app ".*\\\(?.*)$" +| where port_count > 10 OR dest_count > 10 +| stats latest(src) as src, latest(src_ip) as src_ip, max(dest_count) as dest_count, max(port_count) as port_count, latest(dest_port) as dest_port, min(firstTime) as firstTime, max(lastTime) as lastTime, max(count) as count by host,user,app,process_name +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)` +| `windows_detect_network_scanner_behavior_filter`' +how_to_implement: This detection relies on Sysmon EventID 3 events being ingested AND tagged into the Network_Traffic datamodel. +known_false_positives: Various, could be noisy depending on processes in the organization and sysmon configuration used. Adjusted port/dest count thresholds as needed. +references: +- https://attack.mitre.org/techniques/T1595 +drilldown_searches: +- name: View the detection results for - "$src$" and "$user$" + search: '%original_detection_search% | search src = "$src$" user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$src$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +tags: + analytic_story: + - Network Discovery + - Windows Discovery Techniques + asset_type: Endpoint + confidence: 50 + impact: 50 + message: A process exhibiting network scanning behavior [$process_name$] was detected on $src$ + mitre_attack_id: + - T1595 + - T1595.001 + - T1595.002 + observable: + - name: src + type: IP Address + role: + - Victim + - name: user + type: User + role: + - Victim + - name: process_name + type: Process + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - All_Traffic.dest_port + - host + - All_Traffic.app + - All_Traffic.src + - All_Traffic.src_ip + - All_Traffic.user + - _time + risk_score: 25 + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog