From 20206e746344623ade3d0f1cb3b29aebd553b2df Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Wed, 25 Sep 2024 13:01:45 +1000 Subject: [PATCH 01/20] Updating detections and adding a new one --- .../detect_large_outbound_icmp_packets.yml | 19 ++++-- .../network/detect_outbound_smb_traffic.yml | 17 ++--- ...ernal_horizontal_port_scan_nmap_top_20.yml | 64 +++++++++++++++++++ .../remote_desktop_network_bruteforce.yml | 17 +++-- .../remote_desktop_network_traffic.yml | 2 +- detections/network/smb_traffic_spike.yml | 4 +- .../high_volume_of_bytes_out_to_url.yml | 0 ...class_file_download_by_java_user_agent.yml | 0 ...ltiple_archive_files_http_post_traffic.yml | 0 .../plain_http_post_exfiltrated_data.yml | 0 .../unusually_long_content_type_length.yml | 16 +++-- 11 files changed, 108 insertions(+), 31 deletions(-) create mode 100644 detections/network/internal_horizontal_port_scan_nmap_top_20.yml rename detections/{network => web}/high_volume_of_bytes_out_to_url.yml (100%) rename detections/{endpoint => web}/java_class_file_download_by_java_user_agent.yml (100%) rename detections/{network => web}/multiple_archive_files_http_post_traffic.yml (100%) rename detections/{network => web}/plain_http_post_exfiltrated_data.yml (100%) rename detections/{network => web}/unusually_long_content_type_length.yml (68%) diff --git a/detections/network/detect_large_outbound_icmp_packets.yml b/detections/network/detect_large_outbound_icmp_packets.yml index c4dc8a9563..e62c50cd73 100644 --- a/detections/network/detect_large_outbound_icmp_packets.yml +++ b/detections/network/detect_large_outbound_icmp_packets.yml 
@@ -14,13 +14,14 @@ description: The following analytic identifies outbound ICMP packets with a size maintain covert communication channels, exfiltrate sensitive data, or further compromise the network. data_source: [] -search: '| tstats `security_content_summariesonly` count earliest(_time) as firstTime - latest(_time) as lastTime values(All_Traffic.action) values(All_Traffic.bytes) from +search: >- + | tstats `security_content_summariesonly` count earliest(_time) as firstTime + latest(_time) as lastTime values(All_Traffic.action) as action values(All_Traffic.bytes) as bytes from datamodel=Network_Traffic where All_Traffic.action !=blocked All_Traffic.dest_category !=internal (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) All_Traffic.bytes - > 1000 by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name("All_Traffic")` - | search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16) - | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_large_outbound_icmp_packets_filter`' + > 1000 AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name("All_Traffic")` + | iplocation dest_ip + | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_large_outbound_icmp_packets_filter` how_to_implement: 'In order to run this search effectively, we highly recommend that you leverage the Assets and Identity framework. It is important that you have a good understanding of how your network segments are designed and that you are able @@ -44,11 +45,15 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: tbd + message: Detect Large Outbound ICMP Packets Detected from $src_ip$ to $dest_ip$ mitre_attack_id: - T1095 observable: - - name: dest + - name: dest_ip + type: Hostname + role: + - Victim + - name: src_ip type: Hostname role: - Victim 
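Review bot: In the second hunk both new observables are `type: Hostname` with `role: - Victim`, although `dest_ip` and `src_ip` hold IP addresses and `dest_ip` is by construction an external address (the search excludes RFC1918 space), so it is not the victim of an outbound-exfiltration detection. I would keep `src_ip` as Victim, give `dest_ip` `role: - Attacker`, and use `type: IP Address` for both. The new message also doubles the verb, `Detect Large Outbound ICMP Packets Detected from ...`; `message: Large outbound ICMP packets detected from $src_ip$ to $dest_ip$` reads cleanly.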
diff --git a/detections/network/detect_outbound_smb_traffic.yml b/detections/network/detect_outbound_smb_traffic.yml index 67643b492d..1360cf1128 100644 --- a/detections/network/detect_outbound_smb_traffic.yml +++ b/detections/network/detect_outbound_smb_traffic.yml 
@@ -14,16 +14,13 @@ description: The following analytic detects outbound SMB (Server Message Block) this activity could lead to unauthorized access to sensitive data and potential full system compromise. data_source: [] -search: '| tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time) - as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app - values(All_Traffic.dest_ip) as dest_ip values(All_Traffic.dest_port) as dest_port - values(sourcetype) as sourcetype count from datamodel=Network_Traffic where (All_Traffic.action=allowed - All_Traffic.direction=outbound All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 - OR All_Traffic.app="smb") by All_Traffic.src_ip | `drop_dm_object_name("All_Traffic")` - | eval match=case( cidrmatch("10.0.0.0/8" ,dest_ip) ,"1", cidrmatch("172.16.0.0/12" - ,dest_ip) ,"1", cidrmatch("192.168.0.0/16" ,dest_ip) ,"1", cidrmatch("100.64.0.0/10" - ,dest_ip) ,"1", 1=1,"0") | search match=0 | fields - match | `security_content_ctime(start_time)` - | `security_content_ctime(end_time)` | `detect_outbound_smb_traffic_filter`' +search: >- + | tstats `security_content_summariesonly` earliest(_time) as start_time latest(_time) as end_time values(All_Traffic.action) as action values(All_Traffic.app) as app values(sourcetype) as sourcetype count from datamodel=Network_Traffic where (All_Traffic.action=allowed All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb") AND All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","100.64.0.0/10") by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.dest_port + | `drop_dm_object_name("All_Traffic")` + | `security_content_ctime(start_time)` + | `security_content_ctime(end_time)` + | iplocation dest_ip + | `detect_outbound_smb_traffic_filter` how_to_implement: 'This search also requires you to be ingesting your network traffic and 
populating the Network_Traffic data model' known_false_positives: It is likely that the outbound Server Message Block (SMB) traffic diff --git a/detections/network/internal_horizontal_port_scan_nmap_top_20.yml b/detections/network/internal_horizontal_port_scan_nmap_top_20.yml new file mode 100644 index 0000000000..e6759a4d8c --- /dev/null +++ b/detections/network/internal_horizontal_port_scan_nmap_top_20.yml 
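Review bot: The rewritten where clause keeps the old precedence problem: in `(All_Traffic.action=allowed All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb")` the implicit AND binds tighter than OR, so `action=allowed` only constrains the port-139 branch and blocked 445/smb traffic still matches. Group the alternatives explicitly: `where All_Traffic.action=allowed AND (All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb") AND All_Traffic.src_ip IN (...)`. Replacing `All_Traffic.direction=outbound` with the src/dest CIDR test is reasonable, but it now also requires the source to be RFC1918, which the how_to_implement text (cut at the end of the hunk) should state.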
@@ -0,0 +1,64 @@ +name: Internal Horizontal Port Scan NMAP Top 20 +id: 3141a041-4f57-4277-9faa-9305ca1f8e5b +version: 1 +date: '2024-09-25' +author: Dean Luxton +status: production +type: TTP +data_source: +- AWS CloudWatchLogs VPCflow +description: This analytic identifies instances where an internal host has attempted to communicate + with 250 or more destination IP addresses using on of the NMAP top 20 ports. Horizontal + port scans from internal hosts can indicate reconnaissance or scanning activities, + potentially signaling malicious intent or misconfiguration. By monitoring network + traffic logs, this detection helps detect and respond to such behavior promptly, + enhancing network security and preventing potential threats. +search: >- + | tstats summariesonly=true fillnull_value=null values(All_Traffic.action) as action values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") AND All_Traffic.dest_port IN (21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080) by All_Traffic.src_ip All_Traffic.dest_port All_Traffic.dest_ip span=1s _time All_Traffic.transport + | `drop_dm_object_name("All_Traffic")` + | eval gtime=_time + | bin span=1h gtime + | stats min(_time) as _time values(action) as action dc(dest_ip) as totalDestIPCount values(src_category) as src_category values(dest_zone) as dest_zone values(src_zone) as src_zone by src_ip dest_port gtime transport + | where totalDestIPCount>=250 + | eval dest_port=transport + "/" + dest_port + | stats min(_time) as _time values(action) as action sum(totalDestIPCount) as totalDestIPCount values(src_category) as src_category values(dest_port) as dest_ports values(dest_zone) as dest_zone values(src_zone) as src_zone by src_ip gtime + | fields - gtime + | 
`internal_horizontal_port_scan_nmap_top_20_filter` +how_to_implement: To properly run this search, Splunk needs to ingest data from networking telemetry sources such as + firewalls, NetFlow, or host-based networking events. Ensure that the Network_Traffic data model is populated to + enable this search effectively. +known_false_positives: Unknown +references: [] +tags: + analytic_story: + - Network Discovery + asset_type: Endpoint + confidence: 80 + impact: 90 + message: $src_ip$ has scanned for ports $dest_ports$ across $totalDestIPCount$ destination IPs + mitre_attack_id: + - T1046 + observable: + - name: src_ip + type: Hostname + role: + - Victim + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + risk_score: 72 + required_fields: + - _time + - All_Traffic.action + - All_Traffic.src_ip + - All_Traffic.dest_ip + - All_Traffic.dest_port + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1046/nmap/horizontal.log + source: aws:cloudwatchlogs:vpcflow + sourcetype: aws:cloudwatchlogs:vpcflow + update_timestamp: true \ No newline at end of file diff --git a/detections/network/remote_desktop_network_bruteforce.yml b/detections/network/remote_desktop_network_bruteforce.yml index 44de7180fa..63166fefe5 100644 --- a/detections/network/remote_desktop_network_bruteforce.yml +++ b/detections/network/remote_desktop_network_bruteforce.yml 
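Review bot: `required_fields` omits `All_Traffic.transport`, although the tstats `by` clause groups on it and the later `eval dest_port=transport + "/" + dest_port` depends on it; add `- All_Traffic.transport` under required_fields. The description has a typo, `using on of the NMAP top 20 ports` should read `using one of the NMAP top 20 ports`. The 250-destination and 1h window thresholds are hard-coded in the search, so a sentence in how_to_implement pointing operators at `where totalDestIPCount>=250` and `bin span=1h gtime` as the tuning points would help.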
@@ -14,12 +14,13 @@ description: The following analytic identifies potential Remote Desktop Protocol to gain unauthorized access to systems via RDP. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further network compromise. data_source: [] -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) - as lastTime from datamodel=Network_Traffic where All_Traffic.app=rdp by All_Traffic.src - All_Traffic.dest All_Traffic.dest_port | eventstats stdev(count) AS stdev avg(count) - AS avg p50(count) AS p50 | where count>(avg + stdev*2) | rename All_Traffic.src - AS src All_Traffic.dest AS dest | table firstTime lastTime src dest count avg p50 - stdev | `remote_desktop_network_bruteforce_filter`' +search: >- + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Network_Traffic where (All_Traffic.app=rdp OR All_Traffic.dest_port=3389) AND All_Traffic.action=allowed by All_Traffic.src All_Traffic.dest All_Traffic.dest_port + | eventstats stdev(count) AS stdev avg(count) AS avg p50(count) AS p50 + | where count>(avg + stdev*2) + | rename All_Traffic.src AS src All_Traffic.dest AS dest + | table firstTime lastTime src dest count avg p50 stdev + | `remote_desktop_network_bruteforce_filter` how_to_implement: You must ensure that your network traffic data is populating the Network_Traffic data model. known_false_positives: RDP gateways may have unusually high amounts of traffic from @@ -41,6 +42,10 @@ tags: type: Hostname role: - Victim + - name: src + type: Hostname + role: + - Victim product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/network/remote_desktop_network_traffic.yml b/detections/network/remote_desktop_network_traffic.yml index 90269189f7..168dc21bbc 100644 --- a/detections/network/remote_desktop_network_traffic.yml +++ b/detections/network/remote_desktop_network_traffic.yml 
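Review bot: The second hunk adds the `src` observable with `role: - Victim`, but in a brute-force detection `src` is the host generating the login attempts, so `role: - Attacker` is the intended role here while `dest` already carries Victim. In the first hunk, requiring `All_Traffic.action=allowed` means blocked attempts never contribute to `count`; that narrows the signal to connections that were let through, which may be deliberate but is worth a sentence in how_to_implement so operators know blocked RDP floods are out of scope.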
@@ -40,7 +40,7 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: tbd + message: Remote Desktop Network Traffic Anomaly Detected from $src$ to $dest$ mitre_attack_id: - T1021.001 - T1021 diff --git a/detections/network/smb_traffic_spike.yml b/detections/network/smb_traffic_spike.yml index ab999aa0dc..123566dfa5 100644 --- a/detections/network/smb_traffic_spike.yml +++ b/detections/network/smb_traffic_spike.yml @@ -30,12 +30,12 @@ tags: asset_type: Endpoint confidence: 50 impact: 50 - message: tbd + message: Anomalous splike of SMB traffic sent from $src$ mitre_attack_id: - T1021.002 - T1021 observable: - - name: dest + - name: src type: Hostname role: - Victim diff --git a/detections/network/high_volume_of_bytes_out_to_url.yml b/detections/web/high_volume_of_bytes_out_to_url.yml similarity index 100% rename from detections/network/high_volume_of_bytes_out_to_url.yml rename to detections/web/high_volume_of_bytes_out_to_url.yml diff --git a/detections/endpoint/java_class_file_download_by_java_user_agent.yml b/detections/web/java_class_file_download_by_java_user_agent.yml similarity index 100% rename from detections/endpoint/java_class_file_download_by_java_user_agent.yml rename to detections/web/java_class_file_download_by_java_user_agent.yml diff --git a/detections/network/multiple_archive_files_http_post_traffic.yml b/detections/web/multiple_archive_files_http_post_traffic.yml similarity index 100% rename from detections/network/multiple_archive_files_http_post_traffic.yml rename to detections/web/multiple_archive_files_http_post_traffic.yml diff --git a/detections/network/plain_http_post_exfiltrated_data.yml b/detections/web/plain_http_post_exfiltrated_data.yml similarity index 100% rename from detections/network/plain_http_post_exfiltrated_data.yml rename to detections/web/plain_http_post_exfiltrated_data.yml 
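Review bot: The new message in the smb_traffic_spike hunk has a typo, `Anomalous splike of SMB traffic sent from $src$` should read `Anomalous spike of SMB traffic sent from $src$`. Switching the observable from `dest` to `src` matches the message, but the `dest` entry was replaced rather than kept; if the search (not visible here) still produces dest, retaining both entries would preserve the host-side risk object.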
diff --git a/detections/network/unusually_long_content_type_length.yml b/detections/web/unusually_long_content_type_length.yml similarity index 68% rename from detections/network/unusually_long_content_type_length.yml rename to detections/web/unusually_long_content_type_length.yml index 2d6ecb1b3c..c877f3d60b 100644 --- a/detections/network/unusually_long_content_type_length.yml +++ b/detections/web/unusually_long_content_type_length.yml @@ -14,9 +14,15 @@ description: The following analytic identifies unusually long strings in the Con or bypass security controls, potentially leading to unauthorized access or data breaches. data_source: [] -search: '`stream_http` | eval cs_content_type_length = len(cs_content_type) | where - cs_content_type_length > 100 | table endtime src_ip dest_ip cs_content_type_length - cs_content_type url | `unusually_long_content_type_length_filter`' +search: >- + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web by Web.src Web.dest Web.url Web.http_user_agent Web.http_content_type + | `drop_dm_object_name("Web")` + | eval http_content_type_length = len(http_content_type) + | where http_content_type_length > 100 + | table firstTime lastTime src dest http_content_type_length http_content_type url http_user_agent + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `unusually_long_content_type_length_filter` how_to_implement: This particular search leverages data extracted from Stream:HTTP. You must configure the http stream using the Splunk Stream App on your Splunk Stream deployment server to extract the cs_content_type field. @@ -29,9 +35,9 @@ tags: asset_type: Web Server confidence: 50 impact: 50 - message: tbd + message: Unusually Long Content-Type Length ($http_content_type_length$ characters) In Web Request from $src$ observable: - - name: dest + - name: src type: Hostname role: - Victim 
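Review bot: The search now reads `Web.http_content_type` from the Web data model, but the how_to_implement text kept in the hunk still says the search leverages data extracted from Stream:HTTP and that the Splunk Stream App must extract `cs_content_type`, a field the new search no longer references. Update it to say that the Web data model must be populated with the `http_content_type` field (Stream being one possible source), and fill `data_source: []` to match. Grouping on `Web.url Web.http_user_agent Web.http_content_type` is high-cardinality; acceptable for an Anomaly, but the `count` it produces is not used for any threshold, only displayed.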
From 6726f83d400de336838058623520636593a86fd9 Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Wed, 25 Sep 2024 14:23:46 +1000 Subject: [PATCH 02/20] Updating risk object --- detections/web/unusually_long_content_type_length.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/detections/web/unusually_long_content_type_length.yml b/detections/web/unusually_long_content_type_length.yml index c877f3d60b..86193fa4f4 100644 --- a/detections/web/unusually_long_content_type_length.yml +++ b/detections/web/unusually_long_content_type_length.yml @@ -37,6 +37,10 @@ tags: impact: 50 message: Unusually Long Content-Type Length ($http_content_type_length$ characters) In Web Request from $src$ observable: + - name: dest + type: Hostname + role: + - Victim - name: src type: Hostname role: From 1462197b3f93626618e95d32fb9b5a234ab48294 Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Wed, 25 Sep 2024 14:27:02 +1000 Subject: [PATCH 03/20] Updating risk object --- detections/web/unusually_long_content_type_length.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/web/unusually_long_content_type_length.yml b/detections/web/unusually_long_content_type_length.yml index 86193fa4f4..29c2b7577f 100644 --- a/detections/web/unusually_long_content_type_length.yml +++ b/detections/web/unusually_long_content_type_length.yml @@ -37,7 +37,7 @@ tags: impact: 50 message: Unusually Long Content-Type Length ($http_content_type_length$ characters) In Web Request from $src$ observable: - - name: dest + - name: dest type: Hostname role: - Victim From 4f91cca39e50ab6e0cc84ce39665d5c4f9df331e Mon Sep 17 00:00:00 2001 
From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Tue, 15 Oct 2024 17:13:26 +1000 Subject: [PATCH 04/20] fixing SPL --- contentctl.yml | 7 ++++++- .../network/internal_horizontal_port_scan_nmap_top_20.yml | 2 +- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/contentctl.yml b/contentctl.yml index 92ab87dc3e..5d23ef058f 100644 --- a/contentctl.yml +++ b/contentctl.yml @@ -194,5 +194,10 @@ apps: version: 3.2.1 description: description of app hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/crowdstrike-falcon-event-streams-technical-add-on_321.tgz - +- uid: 6853 + title: Splunk Add-on for Admon Enrichment + appid: SA-admon + version: 1.1.2 + description: description of app + hardcoded_path: /Users/dluxton/Downloads/splunk-add-on-for-admon-enrichment_112.tgz githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd diff --git a/detections/network/internal_horizontal_port_scan_nmap_top_20.yml b/detections/network/internal_horizontal_port_scan_nmap_top_20.yml index e6759a4d8c..aa5d7ea3e9 100644 --- a/detections/network/internal_horizontal_port_scan_nmap_top_20.yml +++ b/detections/network/internal_horizontal_port_scan_nmap_top_20.yml 
@@ -14,7 +14,7 @@ description: This analytic identifies instances where an internal host has attem
 traffic logs, this detection helps detect and respond to such behavior promptly,
 enhancing network security and preventing potential threats.
 search: >-
- | tstats summariesonly=true fillnull_value=null values(All_Traffic.action) as action values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") AND All_Traffic.dest_port IN (21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080) by All_Traffic.src_ip All_Traffic.dest_port All_Traffic.dest_ip span=1s _time All_Traffic.transport
+ | tstats `security_content_summariesonly` values(All_Traffic.action) as action values(All_Traffic.src_category) as src_category values(All_Traffic.dest_zone) as dest_zone values(All_Traffic.src_zone) as src_zone count from datamodel=Network_Traffic where All_Traffic.src_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") AND All_Traffic.dest_port IN (21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080) by All_Traffic.src_ip All_Traffic.dest_port All_Traffic.dest_ip span=1s _time All_Traffic.transport
 | `drop_dm_object_name("All_Traffic")`
 | eval gtime=_time
 | bin span=1h gtime
From f3b69b3305be9edcb9727ab6744f67688c026f2e Mon Sep 17 00:00:00 2001
From: dluxtron <106139814+dluxtron@users.noreply.github.com>
Date: Tue, 15 Oct 2024 17:18:34 +1000
Subject: [PATCH 05/20] removing change
---
 contentctl.yml | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/contentctl.yml b/contentctl.yml
index 5d23ef058f..348c2c756d 100644
--- a/contentctl.yml
+++ b/contentctl.yml
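Review bot: Replacing `summariesonly=true fillnull_value=null` with the `security_content_summariesonly` macro also drops `fillnull_value`, and because the `by` clause includes `All_Traffic.transport`, events with no transport value are now excluded from the tstats output instead of being grouped under `null`. If that is intended, the description should state that transport is required; otherwise keep it explicit: `| tstats `security_content_summariesonly` fillnull_value=null values(All_Traffic.action) as action ...` with the rest of the line unchanged.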
@@ -194,10 +194,4 @@ apps: version: 3.2.1 description: description of app hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/Latest/crowdstrike-falcon-event-streams-technical-add-on_321.tgz -- uid: 6853 - title: Splunk Add-on for Admon Enrichment - appid: SA-admon - version: 1.1.2 - description: description of app - hardcoded_path: /Users/dluxton/Downloads/splunk-add-on-for-admon-enrichment_112.tgz githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd From 66800ab65ddb5132b086b725d35c8e4a6a012242 Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Wed, 16 Oct 2024 08:52:53 +1000 Subject: [PATCH 06/20] updating versions of things --- detections/network/detect_large_outbound_icmp_packets.yml | 4 ++-- detections/network/detect_outbound_smb_traffic.yml | 4 ++-- detections/network/remote_desktop_network_bruteforce.yml | 4 ++-- detections/network/remote_desktop_network_traffic.yml | 4 ++-- detections/network/smb_traffic_spike.yml | 4 ++-- detections/web/unusually_long_content_type_length.yml | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/detections/network/detect_large_outbound_icmp_packets.yml b/detections/network/detect_large_outbound_icmp_packets.yml index e62c50cd73..b5d911955f 100644 --- a/detections/network/detect_large_outbound_icmp_packets.yml +++ b/detections/network/detect_large_outbound_icmp_packets.yml @@ -1,7 +1,7 @@ name: Detect Large Outbound ICMP Packets id: e9c102de-4d43-42a7-b1c8-8062ea297419 -version: 3 -date: '2024-05-24' +version: 4 +date: '2024-10-16' author: Rico Valdez, Splunk status: experimental type: TTP diff --git a/detections/network/detect_outbound_smb_traffic.yml b/detections/network/detect_outbound_smb_traffic.yml index 1360cf1128..e3065506c9 100644 --- a/detections/network/detect_outbound_smb_traffic.yml +++ b/detections/network/detect_outbound_smb_traffic.yml 
@@ -1,7 +1,7 @@ name: Detect Outbound SMB Traffic id: 1bed7774-304a-4e8f-9d72-d80e45ff492b -version: 5 -date: '2024-05-25' +version: 6 +date: '2024-10-16' author: Bhavin Patel, Stuart Hopkins, Patrick Bareiss status: experimental type: TTP diff --git a/detections/network/remote_desktop_network_bruteforce.yml b/detections/network/remote_desktop_network_bruteforce.yml index 63166fefe5..393ccbf2cb 100644 --- a/detections/network/remote_desktop_network_bruteforce.yml +++ b/detections/network/remote_desktop_network_bruteforce.yml @@ -1,7 +1,7 @@ name: Remote Desktop Network Bruteforce id: a98727cc-286b-4ff2-b898-41df64695923 -version: 3 -date: '2024-05-17' +version: 4 +date: '2024-10-16' author: Jose Hernandez, Splunk status: experimental type: TTP diff --git a/detections/network/remote_desktop_network_traffic.yml b/detections/network/remote_desktop_network_traffic.yml index 168dc21bbc..5c0c4fec8b 100644 --- a/detections/network/remote_desktop_network_traffic.yml +++ b/detections/network/remote_desktop_network_traffic.yml @@ -1,7 +1,7 @@ name: Remote Desktop Network Traffic id: 272b8407-842d-4b3d-bead-a704584003d3 -version: 5 -date: '2024-05-29' +version: 6 +date: '2024-10-16' author: David Dorsey, Splunk status: production type: Anomaly diff --git a/detections/network/smb_traffic_spike.yml b/detections/network/smb_traffic_spike.yml index 123566dfa5..d391d80c9e 100644 --- a/detections/network/smb_traffic_spike.yml +++ b/detections/network/smb_traffic_spike.yml @@ -1,7 +1,7 @@ name: SMB Traffic Spike id: 7f5fb3e1-4209-4914-90db-0ec21b936378 -version: 4 -date: '2024-05-27' +version: 5 +date: '2024-10-16' author: David Dorsey, Splunk status: experimental type: Anomaly diff --git a/detections/web/unusually_long_content_type_length.yml b/detections/web/unusually_long_content_type_length.yml index 29c2b7577f..17892c2c94 100644 --- a/detections/web/unusually_long_content_type_length.yml +++ b/detections/web/unusually_long_content_type_length.yml 
@@ -1,7 +1,7 @@ name: Unusually Long Content-Type Length id: 57a0a2bf-353f-40c1-84dc-29293f3c35b7 -version: 2 -date: '2024-05-13' +version: 3 +date: '2024-10-16' author: Bhavin Patel, Splunk status: experimental type: Anomaly From ea879745015bf227516af3da5b212b30ad3139fd Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Wed, 16 Oct 2024 09:12:43 +1000 Subject: [PATCH 07/20] updating versions of things --- .../aws_multiple_users_failing_to_authenticate_from_ip.yml | 5 +++-- .../web/java_class_file_download_by_java_user_agent.yml | 6 +++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml index 4073132f6f..eb21ebfeaa 100644 --- a/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/cloud/aws_multiple_users_failing_to_authenticate_from_ip.yml @@ -1,7 +1,7 @@ name: AWS Multiple Users Failing To Authenticate From Ip id: 71e1fb89-dd5f-4691-8523-575420de4630 -version: 2 -date: '2024-05-10' +version: 3 +date: '2024-10-16' author: Bhavin Patel status: production type: Anomaly @@ -17,6 +17,7 @@ data_source: - AWS CloudTrail ConsoleLogin search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(user_name) AS unique_accounts values(user_name) as tried_accounts by _time, src_ip + | where unique_accounts>30 | `aws_multiple_users_failing_to_authenticate_from_ip_filter`' how_to_implement: You must install Splunk Add-on for AWS in order to ingest Cloudtrail. We recommend the users to try different combinations of the bucket span time and diff --git a/detections/web/java_class_file_download_by_java_user_agent.yml b/detections/web/java_class_file_download_by_java_user_agent.yml index 45d6b599b1..f10d9eb1c2 100644 --- a/detections/web/java_class_file_download_by_java_user_agent.yml 
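Review bot: The added `| where unique_accounts>30` in the aws_multiple_users_failing_to_authenticate_from_ip hunk introduces a fixed threshold that nothing in the visible text documents; the how_to_implement line following it only mentions tuning the bucket span. Extend that sentence with something like `Adjust the unique_accounts threshold (30 by default) to match the normal rate of failed console logins per source IP in your environment.` The version bump in the file's first hunk does cover this behavioural change.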
+++ b/detections/web/java_class_file_download_by_java_user_agent.yml @@ -1,7 +1,7 @@ name: Java Class File download by Java User Agent id: 8281ce42-5c50-11ec-82d2-acde48001122 -version: 3 -date: '2024-08-15' +version: 4 +date: '2024-10-16' author: Michael Haag, Splunk status: production type: TTP @@ -14,7 +14,7 @@ description: The following analytic identifies a Java user agent performing a GE system. data_source: - Splunk Stream HTTP -search: '| tstats count from datamodel=Web where Web.http_user_agent="*Java*" Web.http_method="GET" +search: '| tstats `security_content_summariesonly` count from datamodel=Web where Web.http_user_agent="*Java*" Web.http_method="GET" Web.url="*.class*" by Web.http_user_agent Web.http_method, Web.url,Web.url_length Web.src, Web.dest | `drop_dm_object_name("Web")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `java_class_file_download_by_java_user_agent_filter`' From 61b6a70de60e31270969ed6d2db606da464d6a3d Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Wed, 16 Oct 2024 09:42:55 +1000 Subject: [PATCH 08/20] Beefing up this detection --- ...beroasting_spn_request_with_rc4_encryption.yml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml b/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml index 206a89180c..c37f256ae9 100644 --- a/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml +++ b/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml 
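Review bot: The search still pipes into `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)` while the tstats computes only `count`, so both fields are empty in the output; since the tstats line is being rewritten anyway, compute them there: `search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.http_user_agent="*Java*" Web.http_method="GET"`. The remainder of the search in the hunk is unchanged.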
@@ -1,8 +1,8 @@ name: Kerberoasting spn request with RC4 encryption id: 5cc67381-44fa-4111-8a37-7a230943f027 version: 6 -date: '2024-05-16' -author: Jose Hernandez, Patrick Bareiss, Mauricio Velazco, Splunk +date: '2024-10-16' +author: Jose Hernandez, Patrick Bareiss, Mauricio Velazco, Dean Luxton, Splunk status: production type: TTP description: The following analytic detects potential Kerberoasting attacks by identifying @@ -16,12 +16,16 @@ data_source: - Windows Event Log Security 4769 search: '`wineventlog_security` EventCode=4769 ServiceName!="*$" (TicketOptions=0x40810000 OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) TicketEncryptionType=0x17 - | stats count min(_time) as firstTime max(_time) as lastTime by Computer, service_id, + | stats count min(_time) as firstTime max(_time) as lastTime by Computer, user, service_id, service, TicketEncryptionType, TicketOptions | rename Computer as dest | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberoasting_spn_request_with_rc4_encryption_filter`' how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. + Whithin environments where this type of communication is common, consider dropping + the risk score and add throttling based on the user and service_id for 30 days. + This will allow RBA to alert when there is an anomalous spike of these kerberoastable + SPN requests within a short period of time. known_false_positives: Older systems that support kerberos RC4 by default like NetApp may generate false positives. Filter as needed references: 
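Review bot: `version: 6` is left unchanged in the first hunk although the date, the author list and the search's `by` clause (now including `user`) all change, which is inconsistent with the version bumps applied to every other modified detection in this series; bump it to `version: 7`. The new how_to_implement text has a typo, `Whithin environments` should read `Within environments`. Whether `user` is populated for EventCode 4769 depends on the Windows TA field mapping, which the how_to_implement text could mention alongside the audit-policy requirement.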
@@ -36,13 +40,12 @@ tags: asset_type: Endpoint confidence: 80 impact: 90 - message: Potential kerberoasting attack via service principal name requests detected - on $dest$ + message: User $user$ requested a service ticket for SPN $service_id$ with RC4 encryption. mitre_attack_id: - T1558 - T1558.003 observable: - - name: dest + - name: user type: Endpoint role: - Victim From 09c0b0e4789e2ef9207f5cbb7f1bfb51a8edf152 Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Thu, 17 Oct 2024 11:43:48 +1000 Subject: [PATCH 09/20] anchoring filtering via regex --- .../windows_driver_load_non_standard_path.yml | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/detections/endpoint/windows_driver_load_non_standard_path.yml b/detections/endpoint/windows_driver_load_non_standard_path.yml index c6585c949d..acbba783ab 100644 --- a/detections/endpoint/windows_driver_load_non_standard_path.yml +++ b/detections/endpoint/windows_driver_load_non_standard_path.yml @@ -1,7 +1,7 @@ name: Windows Driver Load Non-Standard Path id: 9216ef3d-066a-4958-8f27-c84589465e62 -version: 3 -date: "2024-05-22" +version: 4 +date: "2024-10-17" author: Michael Haag, Splunk status: production type: TTP 
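Review bot: The observable renamed to `user` keeps `type: Endpoint`, which labels an account as a host; it should be `type: User`. The removed `dest` Endpoint entry is better kept as a second observable, since the search still produces `dest` via `rename Computer as dest` and the host-side risk object is otherwise lost. The requesting account is the actor in a Kerberoasting request, so `role: - Attacker` is arguably more accurate than Victim for the `user` entry.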
@@ -15,11 +15,14 @@ description: The following analytic detects the loading of new Kernel Mode Drive threat to system integrity and security. data_source: - Windows Event Log System 7045 -search: '`wineventlog_system` EventCode=7045 ServiceType="kernel mode driver" NOT - (ImagePath IN ("*\\Windows\\*", "*\\Program File*", "*\\systemroot\\*","%SystemRoot%*", - "system32\*")) | stats count min(_time) as firstTime max(_time) as lastTime by Computer - EventCode ImagePath ServiceName ServiceType | rename Computer as dest | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` | `windows_driver_load_non_standard_path_filter`' +search: >- + `wineventlog_system` EventCode=7045 ServiceType="kernel mode driver" + | regex ImagePath!="(?i)^(\w:\\\\Windows\\\\|\w:\\\\Program\sFile|\\\\systemroot\\\\|%SystemRoot%|system32\\\\" + | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType + | rename Computer as dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_driver_load_non_standard_path_filter` how_to_implement: To implement this analytic, the Windows EventCode 7045 will need to be logged. The Windows TA for Splunk is also recommended. known_false_positives: False positives may be present based on legitimate third party From b17c2d1e17b3e623cd43c7261928db47082eb1d2 Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Thu, 17 Oct 2024 15:41:19 +1000 Subject: [PATCH 10/20] fixing SPL --- ...ct_distributed_password_spray_attempts.yml | 23 +++++------ .../detect_password_spray_attempts.yml | 41 +++++++++++-------- ...asting_spn_request_with_rc4_encryption.yml | 2 +- macros/wineventlog_task_scheduler.yml | 2 +- 4 files changed, 35 insertions(+), 33 deletions(-) 
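Review bot: The anchored pattern in the new `| regex ImagePath!=...` line has an unbalanced parenthesis — the group opened by `^(` is never closed before the closing quote — so the search fails to parse until PATCH 15 (the `@@ -10,7 +10,7 @@` hunk on this page) adds the missing `)`. Once balanced, anchoring at `^` tightens the old wildcard allowlist in a way that can add noise: an ImagePath written in the `\??\C:\Windows\System32\drivers\x.sys` form (a form kernel drivers do use, if it occurs in your data) no longer matches `\w:\\\\Windows\\\\` and will be reported as non-standard. If that form appears, an optional prefix such as `^(\\\\\?\?\\\\)?(\w:\\\\Windows\\\\|...)` covers it; verify the escaping against real events, since the pattern passes through both YAML and SPL quoting. A sentence in `how_to_implement` listing the path prefixes treated as standard would make the allowlist auditable without reading the regex.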
diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml index 518b80d315..096d1565ba 100644 --- a/detections/application/detect_distributed_password_spray_attempts.yml +++ b/detections/application/detect_distributed_password_spray_attempts.yml @@ -1,7 +1,7 @@ name: Detect Distributed Password Spray Attempts id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57 -version: 1 -date: '2023-11-01' +version: 2 +date: '2024-10-17' author: Dean Luxton status: production type: Hunting 
@@ -12,17 +12,18 @@ description: This analytic employs the 3-sigma approach to identify distributed common passwords against many different accounts, connecting from multiple IP addresses to avoid detection. By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing comprehensive coverage and enhancing security against these attacks. -search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action, Authentication.signature_id, sourcetype, _time span=2m +search: >- + | tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action, Authentication.signature_id, sourcetype, _time span=5m | `drop_dm_object_name("Authentication")` ```fill out time buckets for 0-count events during entire search length``` | appendpipe [| timechart limit=0 span=5m count | table _time] - | fillnull value=0 unique_accounts, unique_src - ``` remove duplicate & empty time buckets``` - | sort - total_failures - | dedup _time + | fillnull value=0 unique_accounts, unique_src, total_failures ``` Create aggregation field & apply to all null events``` | eval counter=sourcetype+"__"+signature_id - | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) + | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) | mvexpand counter + ``` remove duplicate & empty time buckets``` + | sort - _time unique_accounts + | dedup _time counter ``` 3-sigma detection logic ``` | eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user 
avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter | eval upperBoundUser=(comp_avg_user+comp_std_user*3), upperBoundsrc=(comp_avg_src+comp_std_src*3) @@ -32,7 +33,7 @@ search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS un | foreach * [ eval <> = if(<>="null",null(),<>)] | table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id - | sort - total_failures | `detect_distributed_password_spray_attempts_filter`' + | `detect_distributed_password_spray_attempts_filter` how_to_implement: Ensure that all relevant authentication data is mapped to the Common Information Model (CIM) and that the src field is populated with the source device information. Additionally, ensure that fill_nullvalue is set within the security_content_summariesonly macro to include authentication events from @@ -58,10 +59,6 @@ tags: type: IP Address role: - Attacker - - name: unique_accounts - type: User - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml index 6a90bbebdc..2bac636c10 100644 --- a/detections/application/detect_password_spray_attempts.yml +++ b/detections/application/detect_password_spray_attempts.yml @@ -1,7 +1,7 @@ name: Detect Password Spray Attempts id: 086ab581-8877-42b3-9aee-4a7ecb0923af -version: 1 -date: '2023-11-01' +version: 2 +date: '2024-10-17' author: Dean Luxton status: production type: TTP 
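Review bot: The new `| sort - _time unique_accounts | dedup _time counter` sequence (meant, per the comment added in PATCH 11, to drop the zero-filled bucket once a counter has real data) sorts `unique_accounts` ascending — in SPL the `-` binds only to the field it precedes — so for each `_time`/`counter` pair `dedup` keeps the 0-count filler row and discards the real one, unless I am misreading the operator binding; it also inherits `sort`'s default 10000-row cap, which silently truncates long windows with many counters. Both are addressed by `| sort 0 - _time, - unique_accounts` followed by the unchanged `dedup`. The same construct appears in the `@@ -12,25 +12,30 @@` hunk of detect_password_spray_attempts.yml and again in the PATCH 11 `@@ -13,26 +13,30 @@` hunk of this file, so the fix applies to all three. A run against a known spray in test data, checking that the non-zero buckets survive the `dedup`, would settle which reading Splunk applies.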
@@ -12,25 +12,30 @@ description: This analytic employs the 3-sigma approach to detect an unusual vol common passwords across many different accounts to avoid detection and account lockouts. By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing comprehensive coverage and enhancing security against these attacks. -search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts values(Authentication.app) as app count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.src, Authentication.action, Authentication.signature_id, sourcetype, _time span=2m +search: >- + | tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts values(Authentication.app) as app count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" NOT Authentication.src IN ("-","unknown") by Authentication.src, Authentication.action, Authentication.signature_id, sourcetype, _time span=5m | `drop_dm_object_name("Authentication")` - ```fill out time buckets for 0-count events during entire search length``` + ```fill out time buckets for 0-count events during entire search length``` | appendpipe [| timechart limit=0 span=5m count | table _time] - | fillnull value=0 unique_accounts, unique_src - ``` remove duplicate & empty time buckets``` - | sort - total_failures - | dedup _time - ``` Create aggregation field & apply to all null events``` - | eval counter=src+"__"+sourcetype+"__"+signature_id - | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) + | fillnull value=0 unique_accounts + ``` Create aggregation field & apply to all null events``` + | eval counter=src+"__"+sourcetype+"__"+signature_id + | eventstats values(counter) as fnscounter + | eval counter=coalesce(counter,fnscounter) + | 
stats values(app) as app values(total_failures) as total_failures values(src) as src values(signature_id) as signature_id values(sourcetype) as sourcetype count by counter unique_accounts _time + ``` remove duplicate time buckets for each unique source``` + | sort - _time unique_accounts + | dedup _time counter + ```Find the outliers``` | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by counter | eval upperBound=(comp_avg+comp_std*3) | eval isOutlier=if(unique_accounts > 30 and unique_accounts >= upperBound, 1, 0) - | replace "::ffff:*" with * in src - | where isOutlier=1 - | foreach * [ eval <> = if(<>="null",null(),<>)] - | table _time, src, action, app, unique_accounts, total_failures, sourcetype, signature_id - | `detect_password_spray_attempts_filter`' + | replace "::ffff:*" with * in src + | where isOutlier=1 + | foreach * + [ eval <> = if(<>="null",null(),<>)] + | table _time, src, action, app, unique_accounts, total_failures, sourcetype, signature_id, counter + | `detect_password_spray_attempts_filter` how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly. known_false_positives: Unknown references: @@ -43,7 +48,7 @@ tags: atomic_guid: - 90bc2e54-6c84-47a5-9439-0a2a92b4b175 confidence: 70 - impact: 70 + impact: 100 message: Potential Password Spraying attack from $src$ targeting $unique_accounts$ unique accounts. mitre_attack_id: - T1110.003 @@ -61,7 +66,7 @@ tags: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud - risk_score: 49 + risk_score: 70 required_fields: - Authentication.action - Authentication.user diff --git a/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml b/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml index c37f256ae9..2e2f89cb10 100644 
--- a/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml +++ b/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml @@ -40,7 +40,7 @@ tags: asset_type: Endpoint confidence: 80 impact: 90 - message: User $user$ requested a service ticket for SPN $service_id$ with RC4 encryption. + message: User $user$ requested a service ticket for SPN $service_id$ with RC4 encryption mitre_attack_id: - T1558 - T1558.003 diff --git a/macros/wineventlog_task_scheduler.yml b/macros/wineventlog_task_scheduler.yml index 49af84013c..d548b6f987 100644 --- a/macros/wineventlog_task_scheduler.yml +++ b/macros/wineventlog_task_scheduler.yml @@ -1,4 +1,4 @@ -definition: source="XmlWinEventLog:Security" +definition: (source="XmlWinEventLog:Microsoft-Windows-TaskScheduler/Operational" OR source="WinEventLog:Microsoft-Windows-TaskScheduler/Operational") description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environmnent. name: wineventlog_task_scheduler \ No newline at end of file From ab830ebc6f7634070c885db433c721040f69bb65 Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Thu, 17 Oct 2024 17:04:01 +1000 Subject: [PATCH 11/20] fixing up detections --- ...ct_distributed_password_spray_attempts.yml | 25 ++++++++++++------- .../detect_password_spray_attempts.yml | 11 ++++---- 2 files changed, 22 insertions(+), 14 deletions(-) diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml index 096d1565ba..54a5b3900a 100644 --- a/detections/application/detect_distributed_password_spray_attempts.yml +++ b/detections/application/detect_distributed_password_spray_attempts.yml 
@@ -13,26 +13,30 @@ description: This analytic employs the 3-sigma approach to identify distributed By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing comprehensive coverage and enhancing security against these attacks. search: >- - | tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action, Authentication.signature_id, sourcetype, _time span=5m + | tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src values(Authentication.app) as app values(Authentication.src) as src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" NOT Authentication.src IN ("-","unknown") Authentication.user_agent="*" by Authentication.signature_id, Authentication.user_agent, sourcetype, _time span=10m | `drop_dm_object_name("Authentication")` ```fill out time buckets for 0-count events during entire search length``` - | appendpipe [| timechart limit=0 span=5m count | table _time] - | fillnull value=0 unique_accounts, unique_src, total_failures + | appendpipe [| timechart limit=0 span=10m count | table _time] + | fillnull value=0 unique_accounts, unique_src ``` Create aggregation field & apply to all null events``` | eval counter=sourcetype+"__"+signature_id - | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) | mvexpand counter - ``` remove duplicate & empty time buckets``` + | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) + | stats values(total_failures) as total_failures values(signature_id) as signature_id values(src) as src values(sourcetype) as sourcetype values(app) as app count by counter 
unique_accounts unique_src user_agent _time + ``` remove 0 count rows where counter has data``` | sort - _time unique_accounts | dedup _time counter ``` 3-sigma detection logic ``` - | eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter + | eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter user_agent | eval upperBoundUser=(comp_avg_user+comp_std_user*3), upperBoundsrc=(comp_avg_src+comp_std_src*3) - | eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_accounts >= upperBoundsrc), 1, 0) + | eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_src >= upperBoundsrc), 1, 0) | replace "::ffff:*" with * in src | where isOutlier=1 | foreach * [ eval <> = if(<>="null",null(),<>)] - | table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id + | mvexpand src + | iplocation src + | table _time, unique_src, unique_accounts, total_failures, sourcetype, signature_id, user_agent, src, Country + | eval date_wday=strftime(_time,"%a"), date_hour=strftime(_time,"%H") | `detect_distributed_password_spray_attempts_filter` how_to_implement: Ensure that all relevant authentication data is mapped to the Common Information Model (CIM) and that the src field is populated with the source device information. Additionally, ensure that @@ -59,13 +63,16 @@ tags: type: IP Address role: - Attacker + - name: user_agent + type: user_agent + role: + - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud risk_score: 49 required_fields: - - Authentication.action - Authentication.user - Authentication.src security_domain: access 
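Review bot: The new `Authentication.user_agent="*"` predicate in the tstats `where` clause restricts this detection to events that carry a user agent, which silently excludes every CIM-mapped authentication source without one (Windows logons, VPN and most on-prem systems) while the unchanged description still promises coverage of "all CIM-mapped authentication events". Either the description and `how_to_implement` should state the narrowed scope, or the predicate should go and the existing fill_nullvalue guidance in `how_to_implement` be relied on to keep sources without a user agent in the by-clause. `required_fields` should now list `Authentication.user_agent` since the search keys on it, and `Authentication.action` was removed from that list even though the `where` clause still filters on it. The `mvexpand src` placed after `where isOutlier=1` is the right order, since it only fans out the rows that already fired.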
diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml index 2bac636c10..7d76ed4ca2 100644 --- a/detections/application/detect_password_spray_attempts.yml +++ b/detections/application/detect_password_spray_attempts.yml @@ -36,7 +36,12 @@ search: >- [ eval <> = if(<>="null",null(),<>)] | table _time, src, action, app, unique_accounts, total_failures, sourcetype, signature_id, counter | `detect_password_spray_attempts_filter` -how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly. +how_to_implement: >- + Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. + Also ensure fill_nullvalue is set within the macro security_content_summariesonly. + + This search opporates best on a 5 minute schedule, looking back over the past 70 minutes. + Configure 70 minute throttling on the two fields _time and counter. known_false_positives: Unknown references: - https://attack.mitre.org/techniques/T1110/003/ @@ -58,10 +63,6 @@ tags: type: Endpoint role: - Attacker - - name: sourcetype - type: Other - role: - - Victim product: - Splunk Enterprise - Splunk Enterprise Security From dc4ca9f8fec8b61f970bee60fa6def61c5a1d082 Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Thu, 17 Oct 2024 17:30:33 +1000 Subject: [PATCH 12/20] Beefing out kerberoast detection --- ..._of_kerberos_service_tickets_requested.yml | 33 +++++++++++-------- 1 file changed, 20 insertions(+), 13 deletions(-) diff --git a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml index 4c667330df..f0f1e9cc56 100644 --- a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml 
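Review bot: Spelling in the new `how_to_implement` block: `This search opporates best on a 5 minute schedule` should read `This search operates best on a 5 minute schedule`. The same block is the natural place to say why the 70-minute window was chosen — presumably so that enough 5-minute buckets precede each run to form the 3-sigma baseline — so `looking back over the past 70 minutes.` could be followed by a sentence giving that reason if it is the intent; nothing on the page states it. Without it, a reader cannot tell whether shortening the window is safe.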
+++ b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml @@ -1,8 +1,8 @@ name: Unusual Number of Kerberos Service Tickets Requested id: eb3e6702-8936-11ec-98fe-acde48001122 -version: 4 -date: '2024-09-24' -author: Mauricio Velazco, Splunk +version: 5 +date: '2024-10-17' +author: Mauricio Velazco, Dean Luxton, Splunk status: production type: Anomaly description: 'The following analytic identifies an unusual number of Kerberos service 
@@ -14,12 +14,15 @@ description: 'The following analytic identifies an unusual number of Kerberos se to sensitive accounts and escalation of privileges within the Active Directory environment.' data_source: - Windows Event Log Security 4769 -search: '`wineventlog_security` EventCode=4769 ServiceName!="*$" TicketEncryptionType=0x17 - | bucket span=2m _time | stats dc(ServiceName) AS unique_services values(ServiceName) - as requested_services by _time, src | eventstats avg(unique_services) as comp_avg - , stdev(unique_services) as comp_std by src | eval upperBound=(comp_avg+comp_std*3) - | eval isOutlier=if(unique_services > 2 and unique_services >= upperBound, 1, 0) - | search isOutlier=1 | `unusual_number_of_kerberos_service_tickets_requested_filter`' +search: >- + `wineventlog_security` EventCode=4769 ServiceName!="*$" TicketEncryptionType=0x17 (TicketOptions=0x40810000 OR TicketOptions=0x40800000 OR TicketOptions=0x40810010) + | bucket span=2m _time + | stats dc(ServiceName) AS unique_services values(ServiceName) as requested_services values(user_category) as user_category values(src_category) as src_category by _time, user, src + | eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std by user, src + | eval upperBound=(comp_avg+comp_std*3) + | eval isOutlier=if(unique_services > 5 and unique_services >= upperBound, 1, 0) + | search isOutlier=1 + | `unusual_number_of_kerberos_service_tickets_requested_filter` how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. 
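Review bot: The new `stats ... by _time, user, src` and `eventstats ... by user, src` narrow each baseline to a single user/source pair, so a pair seen in only one 2-minute bucket has `stdev` 0 and an `upperBound` equal to its own value, and the `unique_services > 5` floor becomes the whole test; that is workable but should be documented with an SPL comment before the `eval isOutlier` line noting that single-bucket pairs have stdev 0 and the fixed floor on `unique_services` is the effective threshold. That floor is changed back to 2 by PATCH 15 (`@@ -14,12 +14,12 @@` hunk) and the `TicketOptions` clause added here is removed again by PATCH 16, so a sentence in `known_false_positives` or `how_to_implement` recording the chosen threshold and the reason would stop the churn. `values(user_category)` and `values(src_category)` presumably come from Assets & Identities enrichment; if so, `how_to_implement` should say those fields are optional and only populated when that framework is configured.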
@@ -34,9 +37,9 @@ tags: analytic_story: - Active Directory Kerberos Attacks asset_type: Endpoint - confidence: 60 - impact: 60 - message: tbd + confidence: 80 + impact: 80 + message: User $user$ requested a service ticket for $unique_services$ services indicating a potential kerberoasting attack mitre_attack_id: - T1558 - T1558.003 @@ -45,6 +48,10 @@ tags: type: Endpoint role: - Victim + - name: user + type: User + role: + - Victim product: - Splunk Enterprise - Splunk Enterprise Security @@ -58,7 +65,7 @@ tags: - Service_Name - service_id - Client_Address - risk_score: 36 + risk_score: 64 security_domain: endpoint tests: - name: True Positive Test From 27e48cd2253be27cb6ab6702099058c384cd8f2c Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Thu, 17 Oct 2024 18:42:23 +1000 Subject: [PATCH 13/20] adding additional filtering and rex for user --- ...ceprincipalname_added_to_domain_account.yml | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml index 72bbe63729..332f702c83 100644 --- a/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml +++ b/detections/endpoint/windows_ad_serviceprincipalname_added_to_domain_account.yml @@ -1,7 +1,7 @@ name: Windows AD ServicePrincipalName Added To Domain Account id: 8a1259cb-0ea7-409c-8bfe-74bad89259f9 -version: 4 -date: '2024-09-24' +version: 5 +date: '2024-10-16' author: Mauricio Velazco, Splunk type: TTP status: production 
@@ -14,10 +14,12 @@ description: The following analytic detects the addition of a Service Principal and crack service account passwords offline. If confirmed malicious, this could allow an attacker to obtain cleartext passwords, leading to unauthorized access and potential lateral movement within the domain environment. -search: '`wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName - OperationType="%%14674" | stats values(ObjectDN) as ObjectDN by _time, Computer, - SubjectUserName, AttributeValue | rename Computer as dest SubjectUserName as user - | `windows_ad_serviceprincipalname_added_to_domain_account_filter`' +search: >- + `wineventlog_security` EventCode=5136 AttributeLDAPDisplayName=servicePrincipalName OperationType="%%14674" ObjectClass=user + | stats values(ObjectDN) as ObjectDN by _time, Computer, SubjectUserName, AttributeValue + | rex field=ObjectDN "^CN=(?P[a-zA-Z0-9!#$%&'@^_{}~.-]+)," + | rename Computer as dest, SubjectUserName as src_user + | `windows_ad_serviceprincipalname_added_to_domain_account_filter` how_to_implement: To successfully implement this search, you ned to be ingesting eventcode `5136`. The Advanced Security Audit policy setting `Audit Directory Services Changes` within `DS Access` needs to be enabled. Additionally, a SACL needs to be created @@ -40,11 +42,11 @@ tags: mitre_attack_id: - T1098 observable: - - name: user + - name: src_user type: User role: - Attacker - - name: ObjectDN + - name: user type: User role: - Victim From 00a0d0c7839a5d5d41424970872f7ee7e756d1c2 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Tue, 22 Oct 2024 12:14:53 -0700 Subject: [PATCH 14/20] testing locally --- .../detect_distributed_password_spray_attempts.yml | 2 +- .../application/detect_password_spray_attempts.yml | 10 +++++++--- .../internal_horizontal_port_scan_nmap_top_20.yml | 9 +++++++++ 3 files changed, 17 insertions(+), 4 deletions(-) 
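Review bot: The `rex field=ObjectDN "^CN=(?P[a-zA-Z0-9!#$%&'@^_{}~.-]+),"` line as rendered here has no group name after `(?P`, and the `foreach` tokens elsewhere on the page show the same loss of angle-bracket text, so presumably the source reads `(?P<user>...)`; worth confirming, because without the name the regex is invalid and the `user` observable below is never populated. Independently, the character class contains no space (unless one was lost in rendering), so an ObjectDN whose CN is a display name such as `CN=Jane Doe,OU=...` fails the match and the Victim risk object is empty for exactly the accounts most likely to be targeted; `"^CN=(?P<user>[^,]+),"` would extract those, with the caveat that a CN containing an escaped comma (`\,`) still truncates. `ObjectClass=user` is a sensible narrowing, but it deliberately drops SPNs written to computer objects, which the description or `known_false_positives` should state so nobody assumes machine-account coverage.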
diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml
index 54a5b3900a..9b813996df 100644
--- a/detections/application/detect_distributed_password_spray_attempts.yml
+++ b/detections/application/detect_distributed_password_spray_attempts.yml
@@ -64,7 +64,7 @@ tags:
     role:
     - Attacker
   - name: user_agent
-    type: user_agent
+    type: Other
     role:
     - Attacker
   product:
diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml
index 2dbdce0d62..5a609a0a79 100644
--- a/detections/application/detect_password_spray_attempts.yml
+++ b/detections/application/detect_password_spray_attempts.yml
@@ -13,7 +13,7 @@ description: This analytic employs the 3-sigma approach to detect an unusual vol
   Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing comprehensive coverage and enhancing security against these attacks.
 search: >-
-  | tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts values(Authentication.app) as app count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" NOT Authentication.src IN ("-","unknown") by Authentication.src, Authentication.action, Authentication.signature_id, sourcetype, _time span=5m
+  | tstats `security_content_summariesonly` values(Authentication.user) AS unique_user_names dc(Authentication.user) AS unique_accounts values(Authentication.app) as app count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" NOT Authentication.src IN ("-","unknown") by Authentication.src, Authentication.action, Authentication.signature_id, sourcetype, _time span=5m
   | `drop_dm_object_name("Authentication")`
   ```fill out time buckets for 0-count events during entire search length```
   | appendpipe [| timechart limit=0 span=5m count | table _time]
@@ -22,7 +22,7 @@ search: >- | eval counter=src+"__"+sourcetype+"__"+signature_id | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) - | stats values(app) as app values(total_failures) as total_failures values(src) as src values(signature_id) as signature_id values(sourcetype) as sourcetype count by counter unique_accounts _time + | stats values(app) as app values(unique_user_names) as unique_user_names values(total_failures) as total_failures values(src) as src values(signature_id) as signature_id values(sourcetype) as sourcetype count by counter unique_accounts _time ``` remove duplicate time buckets for each unique source``` | sort - _time unique_accounts | dedup _time counter @@ -34,7 +34,7 @@ search: >- | where isOutlier=1 | foreach * [ eval <> = if(<>="null",null(),<>)] - | table _time, src, action, app, unique_accounts, total_failures, sourcetype, signature_id, counter + | table _time, src, action, app, unique_accounts, unique_user_names, total_failures, sourcetype, signature_id, counter | `detect_password_spray_attempts_filter` how_to_implement: >- Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. @@ -68,6 +68,10 @@ tags: - T1110.003 - T1110 observable: + - name: unique_user_names + type: User + role: + - Victim - name: src type: Endpoint role: diff --git a/detections/network/internal_horizontal_port_scan_nmap_top_20.yml b/detections/network/internal_horizontal_port_scan_nmap_top_20.yml index aa5d7ea3e9..816b6d3af9 100644 --- a/detections/network/internal_horizontal_port_scan_nmap_top_20.yml +++ b/detections/network/internal_horizontal_port_scan_nmap_top_20.yml 
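Review bot: Adding `unique_user_names` as a `User`/`Victim` observable turns a multivalue field into a risk object, so if RBA fans out multivalue risk objects (which I believe it does) a single spray hit against 200 accounts writes 200 risk events and pushes risk onto every targeted user even though the finding is about the source; that may be intended for triage, but it should be stated in `how_to_implement` next to the throttling advice. `values(Authentication.user)` inside `tstats` is also, I believe, capped by the stats `maxvalues` limit, so for wide sprays the list can be truncated while `unique_accounts` still counts every account — a comment such as `unique_user_names may be truncated for very large sprays; unique_accounts is the authoritative count` beside the new `table` line would avoid misreadings.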
@@ -29,6 +29,15 @@ how_to_implement: To properly run this search, Splunk needs to ingest data from enable this search effectively. known_false_positives: Unknown references: [] +drilldown_searches: +- name: View the detection results for $src_ip$ + search: '%original_detection_search% | search src_ip = $src_ip$' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for $src_ip$ + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_ip$) starthoursago=168 endhoursago=1 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ tags: analytic_story: - Network Discovery From f2357c0728efa74afd9721f7c75d4bfbc140d2ae Mon Sep 17 00:00:00 2001 From: dluxtron <106139814+dluxtron@users.noreply.github.com> Date: Thu, 24 Oct 2024 09:30:35 +1000 Subject: [PATCH 15/20] updating detections --- .../application/detect_password_spray_attempts.yml | 1 + ...al_number_of_kerberos_service_tickets_requested.yml | 4 ++-- .../endpoint/windows_driver_load_non_standard_path.yml | 2 +- ...ent_windows_task_scheduler_event_action_started.yml | 10 +++++----- 4 files changed, 9 insertions(+), 8 deletions(-) diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml index 5a609a0a79..81c1e46d7c 100644 --- a/detections/application/detect_password_spray_attempts.yml +++ b/detections/application/detect_password_spray_attempts.yml 
@@ -22,6 +22,7 @@ search: >- | eval counter=src+"__"+sourcetype+"__"+signature_id | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter) + ``` stats version of mvexpand ``` | stats values(app) as app values(unique_user_names) as unique_user_names values(total_failures) as total_failures values(src) as src values(signature_id) as signature_id values(sourcetype) as sourcetype count by counter unique_accounts _time ``` remove duplicate time buckets for each unique source``` | sort - _time unique_accounts diff --git a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml index 77dfa66ad1..8dcdab644d 100644 --- a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml +++ b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml 
@@ -14,12 +14,12 @@ search: >- | stats dc(ServiceName) AS unique_services values(ServiceName) as requested_services values(user_category) as user_category values(src_category) as src_category by _time, user, src | eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std by user, src | eval upperBound=(comp_avg+comp_std*3) - | eval isOutlier=if(unique_services > 5 and unique_services >= upperBound, 1, 0) + | eval isOutlier=if(unique_services > 2 and unique_services >= upperBound, 1, 0) | search isOutlier=1 | `unusual_number_of_kerberos_service_tickets_requested_filter` how_to_implement: To successfully implement this search, you need to be ingesting Domain Controller and Kerberos events. The Advanced Security Audit policy setting - `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. + `Audit Kerberos Authentication Service` within `Account Logon` needs to be enabled. known_false_positives: An single endpoint requesting a large number of kerberos service tickets is not common behavior. Possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and missconfigured diff --git a/detections/endpoint/windows_driver_load_non_standard_path.yml b/detections/endpoint/windows_driver_load_non_standard_path.yml index 70cf1197f5..bd1d01d364 100644 --- a/detections/endpoint/windows_driver_load_non_standard_path.yml +++ b/detections/endpoint/windows_driver_load_non_standard_path.yml 
@@ -10,7 +10,7 @@ data_source:
 - Windows Event Log System 7045
 search: >-
   `wineventlog_system` EventCode=7045 ServiceType="kernel mode driver"
-  | regex ImagePath!="(?i)^(\w:\\\\Windows\\\\|\w:\\\\Program\sFile|\\\\systemroot\\\\|%SystemRoot%|system32\\\\"
+  | regex ImagePath!="(?i)^(\w:\\\\Windows\\\\|\w:\\\\Program\sFile|\\\\systemroot\\\\|%SystemRoot%|system32\\\\)"
   | stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ImagePath ServiceName ServiceType
   | rename Computer as dest
   | `security_content_ctime(firstTime)`
diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
index c27d521051..2e8c67031a 100644
--- a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
+++ b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
@@ -1,7 +1,7 @@
 name: WinEvent Windows Task Scheduler Event Action Started
 id: b3632472-310b-11ec-9aab-acde48001122
 version: 5
-date: '2024-10-17'
+date: '2024-10-24'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -17,7 +17,7 @@ data_source:
 - Windows Event Log TaskScheduler 200
 - Windows Event Log TaskScheduler 201
 search: '`wineventlog_task_scheduler` EventCode IN ("200","201") | stats count min(_time)
-  as firstTime max(_time) as lastTime by TaskName dest EventCode | `security_content_ctime(firstTime)`
+  as firstTime max(_time) as lastTime by TaskName dvc EventCode | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `winevent_windows_task_scheduler_event_action_started_filter`'
 how_to_implement: Task Scheduler logs are required to be collected. Enable logging with
   inputs.conf by adding a stanza for [WinEventLog://Microsoft-Windows-TaskScheduler/Operational]
@@ -50,11 +50,11 @@ tags:
 asset_type: Endpoint
 confidence: 100
 impact: 80
- message: A Scheduled Task was scheduled and ran on $dest$.
+ message: A Scheduled Task was scheduled and ran on $dvc$.
 mitre_attack_id:
 - T1053.005
 observable:
- - name: dest
+ - name: dvc
 type: Hostname
 role:
 - Victim
@@ -67,7 +67,7 @@ tags:
 - TaskName
 - ActionName
 - EventID
- - dest
+ - dvc
 - ProcessID
 risk_score: 80
 security_domain: endpoint
From a6b4db0fdd1fd8d793b992b20376845888ab2f93 Mon Sep 17 00:00:00 2001
From: dluxtron <106139814+dluxtron@users.noreply.github.com>
Date: Thu, 24 Oct 2024 16:23:52 +1000
Subject: [PATCH 16/20] updating detections
---
 .../unusual_number_of_kerberos_service_tickets_requested.yml | 5 +++--
 .../winevent_windows_task_scheduler_event_action_started.yml | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
index 8dcdab644d..eb37562bc4 100644
--- a/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
+++ b/detections/endpoint/unusual_number_of_kerberos_service_tickets_requested.yml
@@ -9,7 +9,7 @@ description: The following analytic identifies an unusual number of Kerberos ser
 data_source:
 - Windows Event Log Security 4769
 search: >-
- `wineventlog_security` EventCode=4769 ServiceName!="*$" TicketEncryptionType=0x17 (TicketOptions=0x40810000 OR TicketOptions=0x40800000 OR TicketOptions=0x40810010)
+ `wineventlog_security` EventCode=4769 ServiceName!="*$" TicketEncryptionType=0x17
 | bucket span=2m _time
 | stats dc(ServiceName) AS unique_services values(ServiceName) as requested_services values(user_category) as user_category values(src_category) as src_category by _time, user, src
 | eventstats avg(unique_services) as comp_avg , stdev(unique_services) as comp_std by user, src
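Review bot: Dropping the `TicketOptions` clause means every RC4 (0x17) TGS request for a non-machine account is now counted, not only requests carrying one of the three option values the old line allowed; that widens coverage to clients that set other flags, but it also feeds request types with other option flags into the per-(user, src) baseline, so the volume and the computed bound will likely shift. The description in this hunk's header only speaks of an unusual number of service tickets, so the new scope should be stated there or in known_false_positives, e.g. `All RC4-encrypted TGS requests for non-machine service accounts are counted, regardless of ticket options.` This applies to the search hunk of unusual_number_of_kerberos_service_tickets_requested.yml, which begins and ends on this line.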
@@ -64,7 +64,8 @@ tags:
 - EventCode
 - Ticket_Options
 - Ticket_Encryption_Type
- - dest
+ - user
+ - src
 - Service_Name
 - service_id
 - Client_Address
diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
index 2e8c67031a..39f4d9a7af 100644
--- a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
+++ b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
@@ -75,5 +75,5 @@ tests:
 - name: True Positive Test
 attack_data:
 - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1053.005/winevent_windows_task_scheduler_event_action_started/windows-xml.log
- source: XmlWinEventLog:Security
+ source: XmlWinEventLog:Microsoft-Windows-TaskScheduler/Operational
 sourcetype: XmlWinEventLog
From 3e2ac0137a8344c49b1118b88afa47f408d45ac3 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Mon, 4 Nov 2024 15:41:01 -0800
Subject: [PATCH 17/20] Update kerberoasting_spn_request_with_rc4_encryption.yml
---
 .../endpoint/kerberoasting_spn_request_with_rc4_encryption.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml b/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml
index 5fea909e5e..95fbfdeba3 100644
--- a/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml
+++ b/detections/endpoint/kerberoasting_spn_request_with_rc4_encryption.yml
@@ -49,7 +49,7 @@ tags:
 - T1558.003
 observable:
 - name: user
- type: Endpoint
+ type: User
 role:
 - Victim
 product:
From d49faeac63d028f519c813a23ffefd59f94fbbbf Mon Sep 17 00:00:00 2001
From: research-bot
Date: Wed, 6 Nov 2024 15:08:00 -0800
Subject: [PATCH 18/20] production icmp
---
 .../detect_large_outbound_icmp_packets.yml | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/detections/network/detect_large_outbound_icmp_packets.yml b/detections/network/detect_large_outbound_icmp_packets.yml
index 8bd1ae9df1..16e3f3c0ec 100644
--- a/detections/network/detect_large_outbound_icmp_packets.yml
+++ b/detections/network/detect_large_outbound_icmp_packets.yml
@@ -1,12 +1,13 @@
 name: Detect Large Outbound ICMP Packets
 id: e9c102de-4d43-42a7-b1c8-8062ea297419
-version: 5
-date: '2024-10-16'
-author: Rico Valdez, Splunk
-status: experimental
+version: 6
+date: '2024-11-06'
+author: Rico Valdez, Dean Luxton, Splunk
+status: production
 type: TTP
 description: The following analytic identifies outbound ICMP packets with a size larger than 1,000 bytes. It leverages the Network_Traffic data model to detect unusually large ICMP packets that are not blocked and are destined for external IP addresses. This activity is significant because threat actors often use ICMP for command and control communication, and large ICMP packets can indicate data exfiltration or other malicious activities. If confirmed malicious, this could allow attackers to maintain covert communication channels, exfiltrate sensitive data, or further compromise the network.
-data_source: []
+data_source:
+- Palo Alto Network Traffic
 search: >-
 | tstats `security_content_summariesonly` count earliest(_time) as firstTime
 latest(_time) as lastTime values(All_Traffic.action) as action values(All_Traffic.bytes) as bytes from
@@ -65,3 +66,9 @@ tags:
 - All_Traffic.dest_ip
 risk_score: 25
 security_domain: network
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1095/palologs/large_icmp.log
+ sourcetype: pan:traffic
+ source: pan:traffic
From 9a850dcb79177a484a99098ad60a05072723a930 Mon Sep 17 00:00:00 2001
From: research-bot Date: Wed, 6 Nov 2024 15:13:09 -0800 Subject: [PATCH 19/20] Adding drilldown --- .../network/detect_large_outbound_icmp_packets.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/detections/network/detect_large_outbound_icmp_packets.yml b/detections/network/detect_large_outbound_icmp_packets.yml index 16e3f3c0ec..5285c63707 100644 --- a/detections/network/detect_large_outbound_icmp_packets.yml +++ b/detections/network/detect_large_outbound_icmp_packets.yml @@ -33,6 +33,15 @@ known_false_positives: ICMP packets are used in a variety of ways to help troubl false positives, you can modify the macro `detect_large_outbound_icmp_packets_filter` to adjust the byte threshold or add specific IP addresses to an allow list. references: [] +drilldown_searches: +- name: View the detection results for - "$src_ip$" and "$dest_ip$" + search: '%original_detection_search% | search src = "$src_ip$" dest = "$dest_ip$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$src_ip$" and "$dest_ip$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$dest_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ tags: analytic_story: - Command And Control From 67f8f87914e392bc4b7be88770691769f1ffc945 Mon Sep 17 00:00:00 2001 
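Review bot: The first drilldown filters on `src` and `dest`, but the detection's `by All_Traffic.src_ip All_Traffic.dest_ip` followed by `drop_dm_object_name` yields result fields named `src_ip` and `dest_ip` (the same names the `$src_ip$`/`$dest_ip$` tokens and the observables use), so `| search src = "$src_ip$" dest = "$dest_ip$"` matches no rows and the drilldown comes back empty. Change it to `search: '%original_detection_search% | search src_ip = "$src_ip$" dest_ip = "$dest_ip$"'`. The risk drilldown is fine as written, since it filters on normalized_risk_object.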
From: research-bot
Date: Wed, 6 Nov 2024 15:45:20 -0800
Subject: [PATCH 20/20] updating icmp
---
 .../network/detect_large_outbound_icmp_packets.yml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/detections/network/detect_large_outbound_icmp_packets.yml b/detections/network/detect_large_outbound_icmp_packets.yml
index 5285c63707..99ee9f52b5 100644
--- a/detections/network/detect_large_outbound_icmp_packets.yml
+++ b/detections/network/detect_large_outbound_icmp_packets.yml
@@ -10,12 +10,13 @@ data_source: - Palo Alto Network Traffic search: >- | tstats `security_content_summariesonly` count earliest(_time) as firstTime - latest(_time) as lastTime values(All_Traffic.action) as action values(All_Traffic.bytes) as bytes from - datamodel=Network_Traffic where All_Traffic.action !=blocked All_Traffic.dest_category - !=internal (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) All_Traffic.bytes - > 1000 AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") by All_Traffic.src_ip All_Traffic.dest_ip | `drop_dm_object_name("All_Traffic")` - | iplocation dest_ip - | `security_content_ctime(firstTime)`|`security_content_ctime(lastTime)` | `detect_large_outbound_icmp_packets_filter` + latest(_time) as lastTime values(All_Traffic.action) as action values(All_Traffic.bytes) as bytes from + datamodel=Network_Traffic where All_Traffic.action !=blocked (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) All_Traffic.bytes + > 1000 AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") by All_Traffic.src_ip All_Traffic.dest_category All_Traffic.dest_ip All_Traffic.protocol + | `drop_dm_object_name("All_Traffic")` + | iplocation dest_ip + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` | `detect_large_outbound_icmp_packets_filter` how_to_implement: 'In order to run this search effectively, we highly recommend that you leverage the Assets and Identity framework. It is important that you have a good understanding of how your network segments are designed and that you are able
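Review bot: The `All_Traffic.dest_category !=internal` predicate is removed from the `where` clause and dest_category only survives as a `by` field, so the only thing keeping this search "outbound" is now the hard-coded RFC 1918 list; internal segments that use public addressing, and other non-routable space such as loopback, link-local or 100.64.0.0/10, are no longer excluded, while the how_to_implement context at the end of this hunk still tells users that Assets and Identity categorisation is what makes the search effective. If the removal was motivated by the `!=` form dropping events with no dest_category at all, `NOT All_Traffic.dest_category=internal` next to the CIDR list keeps uncategorised destinations while still excluding known-internal ones. Otherwise reword how_to_implement to say that dest_category is now reported rather than filtered on and that `detect_large_outbound_icmp_packets_filter` is where local ranges should be excluded, and check that the file's description, which speaks of packets destined for external IP addresses, still matches.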