Detecting Attacker Behavior With Splunk Based On TTPs
In the dynamic field of cybersecurity, effective threat detection is essential. This requires a comprehensive understanding of the tactics, techniques, and procedures (TTPs) used by adversaries, as well as a deep familiarity with our network systems and their typical behaviors. Successful threat detection often hinges on identifying patterns that either match known malicious activities or deviate significantly from expected norms.
When developing detection-related SPL (Search Processing Language) queries in Splunk, two primary approaches are used:
TTP-Based Detection: This approach relies on a thorough knowledge of known adversary tactics and attack vectors. It focuses on identifying behaviors that are characteristic of specific threats, akin to recognizing familiar patterns.
Anomaly Detection: This approach leverages statistical analysis to identify abnormal behavior within a baseline of normal activity. It is less about matching specific threats and more about detecting anomalies, based on the premise that malicious activity often stands out as an outlier from the norm.
In both approaches, it is essential to thoroughly understand our data and environment to effectively refine queries and thresholds. This careful tuning balances accurate detection with minimizing false positives. By continuously reviewing and adjusting our SPL queries, we can sustain a strong security posture and maintain a high level of readiness.
Crafting SPL Searches Based On Known TTPs
With this strategy, our focus is on recognizing patterns that we've seen before, which are indicative of specific threats or attack vectors.
Example: Detection Of Reconnaissance Activities Leveraging Native Windows Binaries
Attackers often leverage native Windows binaries (such as net.exe) to gain insights into the target environment, identify potential privilege escalation opportunities, and perform lateral movement. Sysmon Event ID 1 can assist in identifying such behavior.
Example: Detection Of Requesting Malicious Payloads/Tools Hosted On Reputable/Whitelisted Domains (Such As githubusercontent.com)
Attackers frequently exploit the use of githubusercontent.com as a hosting platform for their payloads. This is due to the common whitelisting and permissibility of the domain by company proxies. Sysmon Event ID 22 can assist in identifying such behavior.
Example: Detection Of PsExec Usage
PsExec, part of the Windows Sysinternals suite, was designed to assist system administrators in managing remote Windows systems via a command-line interface. It allows members of a computer's Local Administrator group to connect to and interact with remote systems efficiently.
However, the same capabilities that make PsExec valuable for system administration also make it a popular choice for malicious actors. PsExec has been associated with several MITRE ATT&CK techniques, such as T1569.002 (System Services: Service Execution), T1021.002 (Remote Services: SMB/Windows Admin Shares), and T1570 (Lateral Tool Transfer).
PsExec operates by copying a service executable to the hidden Admin$ share and then using the Windows Service Control Manager API to launch the service. The service communicates back to the PsExec tool using named pipes. Notably, PsExec can be used both locally and remotely and can run with NT AUTHORITY\SYSTEM privileges. Research from Synacktiv and Hurricane Labs indicates that monitoring Sysmon Event IDs 13, 11, 17, and 18 can help detect PsExec usage.
Case 1: Leveraging Sysmon Event ID 13
index="main" sourcetype="WinEventLog:Sysmon" EventCode=13 Image="C:\\Windows\\system32\\services.exe" TargetObject="HKLM\\System\\CurrentControlSet\\Services\\*\\ImagePath": This part of the query is selecting logs from themainindex with the sourcetype ofWinEventLog:Sysmon. We're specifically looking for events withEventCode=13. In Sysmon logs,EventCode 13represents an event where a registry value was set. TheImagefield is set toC:\\Windows\\system32\\services.exeto filter for events where the services.exe process was involved, which is the Windows process responsible for handling service creation and management. TheTargetObjectfield specifies the registry keys that we're interested in. In this case, we're looking for changes to theImagePathvalue under any service key inHKLM\\System\\CurrentControlSet\\Services. TheImagePathregistry value of a service specifies the path to the executable file for the service.| rex field=Details "(?<reg_file_name>[^\\\]+)$": Therexcommand here is extracting the file name from theDetailsfield using a regular expression. The pattern[^\\\]+)$captures the part of the path after the last backslash, which is typically the file name. This value is stored in a new fieldreg_file_name.| eval file_name = if(isnull(file_name),reg_file_name,(file_name)): This eval command checks if thefile_namefield isnull. If it is, it setsfile_nameto the value ofreg_file_name(the file name we extracted from theDetailsfield). Iffile_nameis not null, it remains the same.| stats values(Image), values(Details), values(TargetObject), values(_time), values(EventCode), count by file_name, ComputerName: Finally, thestatscommand aggregates the data byfile_nameandComputerName. For each unique combination offile_nameandComputerName, it collects all the unique values ofImage,Details,TargetObject, and_time, and counts the number of events.
Case 2: Leveraging Sysmon Event ID 11
Case 3: Leveraging Sysmon Event ID 18
Example: Detection Of Utilizing Archive Files For Transferring Tools Or Data Exfiltration
Attackers may employ zip, rar, or 7z files for transferring tools to a compromised host or exfiltrating data from it. The following search examines the creation of zip, rar, or 7z files, with results sorted in descending order based on count.
Example: Detection Of Utilizing PowerShell or MS Edge For Downloading Payloads/Tools
Attackers may exploit PowerShell to download additional payloads and tools, or deceive users into downloading malware via web browsers. The following SPL searches examine files downloaded through PowerShell or MS Edge.
The *Zone.Identifier is indicative of a file downloaded from the internet or another potentially untrustworthy source. Windows uses this zone identifier to track the security zones of a file. The Zone.Identifier is an ADS (Alternate Data Stream) that contains metadata about where the file was downloaded from and its security settings.
Example: Detection Of Execution From Atypical Or Suspicious Locations
The following SPL search is designed to identify any process creation (EventCode=1) occurring in a user's Downloads folder.
Example: Detection Of Executables or DLLs Being Created Outside The Windows Directory
The following SPL identifies potential malware activity by checking for the creation of executable and DLL files outside the Windows directory. It then groups and counts these activities by user and target filename.
Example: Detection Of Misspelling Legitimate Binaries
Attackers often disguise their malicious binaries by intentionally misspelling legitimate ones to blend in and avoid detection. The purpose of the following SPL search is to detect potential misspellings of the legitimate PSEXESVC.exe binary, commonly used by PsExec.
Example: Detection Of Using Non-standard Ports For Communications/Transfers
Attackers often utilize non-standard ports during their operations. The following SPL search detects suspicious network connections to non-standard ports by excluding standard web and file transfer ports (80, 443, 22, 21). The stats command aggregates these connections, and they are sorted in descending order by count.
Practical Exercises
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the password utilized during the PsExec activity. Enter it as your answer.
Answer: Password@123
Last updated