Detecting Attacker Behavior With Splunk Based On TTPs
In the dynamic field of cybersecurity, effective threat detection is essential. This requires a comprehensive understanding of the tactics, techniques, and procedures (TTPs) used by adversaries, as well as a deep familiarity with our network systems and their typical behaviors. Successful threat detection often hinges on identifying patterns that either match known malicious activities or deviate significantly from expected norms.
When developing detection-related SPL (Search Processing Language) queries in Splunk, two primary approaches are used:
TTP-Based Detection: This approach relies on a thorough knowledge of known adversary tactics and attack vectors. It focuses on identifying behaviors that are characteristic of specific threats, akin to recognizing familiar patterns.
Anomaly Detection: This approach leverages statistical analysis to identify abnormal behavior within a baseline of normal activity. It is less about matching specific threats and more about detecting anomalies, based on the premise that malicious activity often stands out as an outlier from the norm.
In both approaches, it is essential to thoroughly understand our data and environment to effectively refine queries and thresholds. This careful tuning balances accurate detection with minimizing false positives. By continuously reviewing and adjusting our SPL queries, we can sustain a strong security posture and maintain a high level of readiness.
With TTP-based detection, our focus is on recognizing patterns we have seen before, which are indicative of specific threats or attack vectors.
Attackers often leverage native Windows binaries (such as net.exe) to gain insights into the target environment, identify potential privilege escalation opportunities, and perform lateral movement. Sysmon Event ID 1 (process creation) can assist in identifying such behavior.
Attackers frequently exploit githubusercontent.com as a hosting platform for their payloads, because company proxies commonly whitelist and permit the domain. Sysmon Event ID 22 (DNS query) can assist in identifying such behavior.
PsExec, part of the Windows Sysinternals suite, was designed to assist system administrators in managing remote Windows systems via a command-line interface. It allows members of a computer's Local Administrator group to connect to and interact with remote systems efficiently.
However, the same capabilities that make PsExec valuable for system administration also make it a popular choice for malicious actors. PsExec has been associated with several MITRE ATT&CK techniques, such as T1569.002 (System Services: Service Execution), T1021.002 (Remote Services: SMB/Windows Admin Shares), and T1570 (Lateral Tool Transfer).
PsExec operates by copying a service executable to the hidden Admin$ share and then using the Windows Service Control Manager API to launch the service. The service communicates back to the PsExec tool using named pipes. Notably, PsExec can be used both locally and remotely and can run with NT AUTHORITY\SYSTEM privileges. Research from Synacktiv and Hurricane Labs indicates that monitoring Sysmon Event IDs 13, 11, 17, and 18 can help detect PsExec usage.
Case 1: Leveraging Sysmon Event ID 13

index="main" sourcetype="WinEventLog:Sysmon" EventCode=13 Image="C:\\Windows\\system32\\services.exe" TargetObject="HKLM\\System\\CurrentControlSet\\Services\\*\\ImagePath"

This part of the query selects logs from the main index with the sourcetype WinEventLog:Sysmon. We are specifically looking for events with EventCode=13; in Sysmon logs, EventCode 13 represents an event where a registry value was set. The Image field is set to C:\\Windows\\system32\\services.exe to filter for events where the services.exe process was involved, which is the Windows process responsible for handling service creation and management. The TargetObject field specifies the registry keys we are interested in. In this case, we are looking for changes to the ImagePath value under any service key in HKLM\\System\\CurrentControlSet\\Services. The ImagePath registry value of a service specifies the path to the executable file for the service.

| rex field=Details "(?<reg_file_name>[^\\\]+)$"

The rex command extracts the file name from the Details field using a regular expression. The pattern (?<reg_file_name>[^\\\]+)$ captures the part of the path after the last backslash, which is typically the file name. This value is stored in a new field, reg_file_name.

| eval file_name = if(isnull(file_name),reg_file_name,(file_name))

This eval command checks whether the file_name field is null. If it is, it sets file_name to the value of reg_file_name (the file name we extracted from the Details field). If file_name is not null, it remains the same.

| stats values(Image), values(Details), values(TargetObject), values(_time), values(EventCode), count by file_name, ComputerName

Finally, the stats command aggregates the data by file_name and ComputerName. For each unique combination of file_name and ComputerName, it collects all the unique values of Image, Details, TargetObject, _time, and EventCode, and counts the number of events.
Attackers may employ zip, rar, or 7z files for transferring tools to a compromised host or exfiltrating data from it. The following search examines the creation of zip, rar, or 7z files, with results sorted in descending order based on count.
Attackers may exploit PowerShell to download additional payloads and tools, or deceive users into downloading malware via web browsers. The following SPL searches examine files downloaded through PowerShell or MS Edge.
The *Zone.Identifier is indicative of a file downloaded from the internet or another potentially untrustworthy source. Windows uses this zone identifier to track the security zones of a file. The Zone.Identifier is an ADS (Alternate Data Stream) that contains metadata about where the file was downloaded from and its security settings.
The following SPL search is designed to identify any process creation (EventCode=1) occurring in a user's Downloads folder.
The following SPL identifies potential malware activity by checking for the creation of executable and DLL files outside the Windows directory. It then groups and counts these activities by user and target filename.
Attackers often disguise their malicious binaries by intentionally misspelling legitimate ones to blend in and avoid detection. The purpose of the following SPL search is to detect potential misspellings of the legitimate PSEXESVC.exe binary, commonly used by PsExec.
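One way to check process image names for near-misses of PSEXESVC.exe, as an added example that is not part of the original write-up: it applies an edit-distance comparison (my choice of technique, not the page's SPL) to constructed Sysmon EventCode 1 Image values and flags names that are close to, but not exactly, the legitimate binary.

```python
import ntpath

TARGET = "psexesvc.exe"


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalike_binaries(image_paths, max_distance=2):
    """Return (basename, distance) for images whose file name is within
    max_distance edits of PSEXESVC.exe but is not the exact name.
    Comparison is case-insensitive, as Windows file names are."""
    hits = []
    for path in image_paths:
        name = ntpath.basename(path).lower()
        d = levenshtein(name, TARGET)
        if 0 < d <= max_distance:
            hits.append((ntpath.basename(path), d))
    return hits


# Constructed sample Sysmon EventCode 1 Image values (not real telemetry).
SAMPLE_IMAGES = [
    r"C:\Windows\PSEXESVC.exe",                      # exact name: distance 0, not flagged
    r"C:\Windows\Temp\PSEXESVCC.exe",                # one extra character
    r"C:\Windows\Temp\PsExeSvc.exe",                 # case differs only: distance 0
    r"C:\Users\bob\AppData\Local\Temp\PSEXESEC.exe", # one substituted letter
    r"C:\Windows\System32\svchost.exe",              # unrelated binary, far away
]
```

Tune max_distance to the environment: a larger value catches more creative misspellings but also pulls in unrelated short names.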
Attackers often utilize non-standard ports during their operations. The following SPL search detects suspicious network connections to non-standard ports by excluding standard web and file transfer ports (80, 443, 22, 21). The stats command aggregates these connections, and they are sorted in descending order by count.
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the password utilized during the PsExec activity. Enter it as your answer.
Answer: Password@123