# Detecting Attacker Behavior With Splunk Based On TTPs

In the dynamic field of cybersecurity, effective threat detection is essential. This requires a comprehensive understanding of the tactics, techniques, and procedures (TTPs) used by adversaries, as well as a deep familiarity with our network systems and their typical behaviors. Successful threat detection often hinges on identifying patterns that either match known malicious activities or deviate significantly from expected norms.

When developing detection-related SPL (Search Processing Language) queries in Splunk, two primary approaches are used:

* **TTP-Based Detection:** This approach relies on a thorough knowledge of known adversary tactics and attack vectors. It focuses on identifying behaviors that are characteristic of specific threats, akin to recognizing familiar patterns.
* **Anomaly Detection:** This approach leverages statistical analysis to identify abnormal behavior within a baseline of normal activity. It is less about matching specific threats and more about detecting anomalies, based on the premise that malicious activity often stands out as an outlier from the norm.

In both approaches, it is essential to thoroughly understand our data and environment to effectively refine queries and thresholds. This careful tuning balances accurate detection with minimizing false positives. By continuously reviewing and adjusting our SPL queries, we can sustain a strong security posture and maintain a high level of readiness.

## Crafting SPL Searches Based On Known TTPs

With this strategy, our focus is on recognizing patterns that we've seen before, which are indicative of specific threats or attack vectors.

### **Example: Detection Of Reconnaissance Activities Leveraging Native Windows Binaries**

Attackers often leverage native Windows binaries (such as `net.exe`) to gain insights into the target environment, identify potential privilege escalation opportunities, and perform lateral movement. `Sysmon Event ID 1` can assist in identifying such behavior.

```shell-session
index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 Image=*\\ipconfig.exe OR Image=*\\net.exe OR Image=*\\whoami.exe OR Image=*\\netstat.exe OR Image=*\\nbtstat.exe OR Image=*\\hostname.exe OR Image=*\\tasklist.exe | stats count by Image,CommandLine | sort - count
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FEiuqo9qTVr4f9oMBHcOy%2F156.webp?alt=media&#x26;token=e78706e9-d30d-469a-8364-e1c65ba2528a" alt=""><figcaption></figcaption></figure>
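To make the logic of that search concrete outside Splunk, here is an added Python example (not part of the original page or of HTB's material) that applies the same wildcard filter and `stats count by Image, CommandLine | sort - count` aggregation to a handful of constructed Sysmon Event ID 1 records. The records, paths and command lines are invented sample data; the matching mirrors Splunk's case-insensitive field comparison, while grouping stays on the exact `Image` value as `stats` would do.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Constructed Sysmon Event ID 1 (process creation) records, not real telemetry.
EVENTS = [
    {"EventCode": 1, "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami /priv"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net localgroup administrators"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net localgroup administrators"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\ipconfig.exe", "CommandLine": "ipconfig /all"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    # Not a process-creation event: must be ignored even though the image matches.
    {"EventCode": 3, "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net use"},
    # Differently cased path: still matched, but grouped separately by stats.
    {"EventCode": 1, "Image": r"C:\Windows\System32\NET.EXE", "CommandLine": "net user"},
]

# The same wildcard patterns as the SPL search (Image=*\\net.exe OR ...).
RECON_PATTERNS = [
    "*\\ipconfig.exe", "*\\net.exe", "*\\whoami.exe", "*\\netstat.exe",
    "*\\nbtstat.exe", "*\\hostname.exe", "*\\tasklist.exe",
]

def matches_recon(image):
    """Splunk's field=value matching is case-insensitive, so compare lower-cased.
    fnmatchcase treats the backslash as a literal character, as Splunk does here."""
    img = image.lower()
    return any(fnmatchcase(img, pattern.lower()) for pattern in RECON_PATTERNS)

def recon_stats(events):
    """Equivalent of: ... | stats count by Image, CommandLine | sort - count
    Returns a list of ((Image, CommandLine), count) tuples, highest count first."""
    counts = Counter(
        (e["Image"], e["CommandLine"])
        for e in events
        if e["EventCode"] == 1 and matches_recon(e["Image"])
    )
    return sorted(counts.items(), key=lambda item: -item[1])

if __name__ == "__main__":
    for (image, cmdline), count in recon_stats(EVENTS):
        print(f"{count:>3}  {image}  {cmdline}")
```

When tuning this in production, the count per `Image, CommandLine` pair is what separates a help-desk script that runs `ipconfig /all` on every host from a single workstation enumerating local administrators; both show up in the raw search, and the aggregation is what makes the difference visible.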

### **Example: Detection Of Requesting Malicious Payloads/Tools Hosted On Reputable/Whitelisted Domains (Such As githubusercontent.com)**

Attackers frequently exploit the use of `githubusercontent.com` as a hosting platform for their payloads. This is due to the common whitelisting and permissibility of the domain by company proxies. `Sysmon Event ID 22` can assist in identifying such behavior.

```shell-session
index="main" sourcetype="WinEventLog:Sysmon" EventCode=22  QueryName="*github*" | stats count by Image, QueryName
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FlXmQzCFw3MyY4DC5qpYD%2F141.webp?alt=media&#x26;token=18249642-1113-46ff-b319-f3cb3467ee5a" alt=""><figcaption></figcaption></figure>

### **Example: Detection Of PsExec Usage**

PsExec, part of the Windows Sysinternals suite, was designed to assist system administrators in managing remote Windows systems via a command-line interface. It allows members of a computer's Local Administrator group to connect to and interact with remote systems efficiently.

However, the same capabilities that make PsExec valuable for system administration also make it a popular choice for malicious actors. PsExec has been associated with several MITRE ATT&CK techniques, such as T1569.002 (System Services: Service Execution), T1021.002 (Remote Services: SMB/Windows Admin Shares), and T1570 (Lateral Tool Transfer).

PsExec operates by copying a service executable to the hidden Admin$ share and then using the Windows Service Control Manager API to launch the service. The service communicates back to the PsExec tool using named pipes. Notably, PsExec can be used both locally and remotely and can run with NT AUTHORITY\SYSTEM privileges. Research from Synacktiv and Hurricane Labs indicates that monitoring Sysmon Event IDs 13, 11, 17, and 18 can help detect PsExec usage.

#### **Case 1: Leveraging Sysmon Event ID 13**

```shell-session
index="main" sourcetype="WinEventLog:Sysmon" EventCode=13 Image="C:\\Windows\\system32\\services.exe" TargetObject="HKLM\\System\\CurrentControlSet\\Services\\*\\ImagePath" | rex field=Details "(?<reg_file_name>[^\\\]+)$" | eval reg_file_name = lower(reg_file_name), file_name = if(isnull(file_name),reg_file_name,lower(file_name)) | stats values(Image) AS Image, values(Details) AS RegistryDetails, values(_time) AS EventTimes, count by file_name, ComputerName
```

* `index="main" sourcetype="WinEventLog:Sysmon" EventCode=13 Image="C:\\Windows\\system32\\services.exe" TargetObject="HKLM\\System\\CurrentControlSet\\Services\\*\\ImagePath"`: This part of the query is selecting logs from the `main` index with the sourcetype of `WinEventLog:Sysmon`. We're specifically looking for events with `EventCode=13`. In Sysmon logs, `EventCode 13` represents an event where a registry value was set. The `Image` field is set to `C:\\Windows\\system32\\services.exe` to filter for events where the services.exe process was involved, which is the Windows process responsible for handling service creation and management. The `TargetObject` field specifies the registry keys that we're interested in. In this case, we're looking for changes to the `ImagePath` value under any service key in `HKLM\\System\\CurrentControlSet\\Services`. The `ImagePath` registry value of a service specifies the path to the executable file for the service.
* `| rex field=Details "(?<reg_file_name>[^\\\]+)$"`: The `rex` command extracts the file name from the `Details` field using a regular expression. The pattern `(?<reg_file_name>[^\\\]+)$` captures the part of the path after the last backslash, which is typically the file name. This value is stored in a new field, `reg_file_name`.
* `| eval reg_file_name = lower(reg_file_name), file_name = if(isnull(file_name),reg_file_name,lower(file_name))`: This `eval` command first lower-cases `reg_file_name` so that differently cased paths group together. It then checks whether the `file_name` field is `null`. If it is, `file_name` is set to the value of `reg_file_name` (the file name we extracted from the `Details` field); otherwise `file_name` keeps its value, lower-cased.
* `| stats values(Image) AS Image, values(Details) AS RegistryDetails, values(_time) AS EventTimes, count by file_name, ComputerName`: Finally, the `stats` command aggregates the data by `file_name` and `ComputerName`. For each unique combination of `file_name` and `ComputerName`, it collects the distinct values of `Image`, `Details` (renamed `RegistryDetails`) and `_time` (renamed `EventTimes`), and counts the number of events.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FtmxOABsgWJfIXdJSLtQI%2F142.webp?alt=media&#x26;token=6bac70dd-c947-4f69-a6b5-7e9e2476c624" alt=""><figcaption></figcaption></figure>
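The following Python example is added here to walk through that pipeline step by step; it is not code from the page or from HTB. It applies the `Image` and `TargetObject` filters, the `rex` extraction of everything after the last backslash, the lower-casing `eval`, and the `stats ... by file_name, ComputerName` aggregation to constructed Sysmon Event ID 13 records (the hostnames, timestamps and service names are invented). One record deliberately uses a quoted `ImagePath` value, which shows a quirk of the `rex` pattern worth knowing about.

```python
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed Sysmon Event ID 13 (registry value set) records, not real telemetry.
EVENTS = [
    {"_time": "2024-01-01T10:00:00", "EventCode": 13, "ComputerName": "WS01",
     "Image": r"C:\Windows\system32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\PSEXESVC\ImagePath",
     "Details": r"C:\Windows\PSEXESVC.exe"},
    {"_time": "2024-01-01T10:00:05", "EventCode": 13, "ComputerName": "WS01",
     "Image": r"C:\Windows\system32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\PSEXESVC\ImagePath",
     "Details": r"C:\Windows\PSEXESVC.exe"},
    # Quoted ImagePath, as seen for paths containing spaces.
    {"_time": "2024-01-01T11:00:00", "EventCode": 13, "ComputerName": "WS02",
     "Image": r"C:\Windows\system32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WinDefend\ImagePath",
     "Details": r'"C:\Program Files\Windows Defender\MsMpEng.exe"'},
    # Written by a process other than services.exe: excluded by the Image filter.
    {"_time": "2024-01-01T11:30:00", "EventCode": 13, "ComputerName": "WS02",
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Sample\ImagePath",
     "Details": r"C:\Temp\sample.exe"},
    # A different value under the service key: excluded by the TargetObject filter.
    {"_time": "2024-01-01T12:00:00", "EventCode": 13, "ComputerName": "WS01",
     "Image": r"C:\Windows\system32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\PSEXESVC\Start",
     "Details": "DWORD (0x00000003)"},
]

IMAGE_FILTER = r"C:\Windows\system32\services.exe"
TARGET_FILTER = r"HKLM\System\CurrentControlSet\Services\*\ImagePath"
# rex field=Details "(?<reg_file_name>[^\\]+)$": everything after the last backslash.
REG_FILE_NAME = re.compile(r"(?P<reg_file_name>[^\\]+)$")

def extract_reg_file_name(details):
    """The rex step followed by lower(); None when Details has no match."""
    match = REG_FILE_NAME.search(details)
    return match.group("reg_file_name").lower() if match else None

def psexec_imagepath_stats(events):
    """Mirror of the SPL pipeline. Returns {(file_name, ComputerName): {...}} with the
    same columns as the stats command: Image, RegistryDetails, EventTimes, count."""
    groups = defaultdict(lambda: {"Image": set(), "RegistryDetails": set(),
                                  "EventTimes": set(), "count": 0})
    for e in events:
        if e["EventCode"] != 13:
            continue
        # Splunk field matching is case-insensitive; the wildcard in TargetObject is a glob.
        if e["Image"].lower() != IMAGE_FILTER.lower():
            continue
        if not fnmatchcase(e["TargetObject"].lower(), TARGET_FILTER.lower()):
            continue
        reg_file_name = extract_reg_file_name(e["Details"])
        # eval file_name = if(isnull(file_name), reg_file_name, lower(file_name))
        file_name = e.get("file_name")
        file_name = reg_file_name if file_name is None else file_name.lower()
        group = groups[(file_name, e["ComputerName"])]
        group["Image"].add(e["Image"])
        group["RegistryDetails"].add(e["Details"])
        group["EventTimes"].add(e["_time"])
        group["count"] += 1
    return dict(groups)

if __name__ == "__main__":
    for (file_name, host), group in psexec_imagepath_stats(EVENTS).items():
        print(host, file_name, group["count"], sorted(group["EventTimes"]))
```

Note what happens to the quoted `ImagePath`: the `rex` pattern stops only at the last backslash, so the extracted name is `msmpeng.exe"` with the closing quote attached. That is harmless for eyeballing results, but if you later join `file_name` against a list of known service binaries, strip quotes (and any trailing service arguments) first or the join will silently miss.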

#### **Case 2: Leveraging Sysmon Event ID 11**

```shell-session
index="main" sourcetype="WinEventLog:Sysmon" EventCode=11 Image=System | stats count by TargetFilename
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fbj1w6BHS55AhuFGIZvYV%2F143.webp?alt=media&#x26;token=c5d98dd2-db06-490b-9625-6ee08faf8bfe" alt=""><figcaption></figcaption></figure>

#### **Case 3: Leveraging Sysmon Event ID 18**

```shell-session
index="main" sourcetype="WinEventLog:Sysmon" EventCode=18 Image=System | stats count by PipeName
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FtFLYdcYhZoaNK4DgH9GK%2F144.webp?alt=media&#x26;token=ba8d21df-f93c-46e7-9fc2-0da4c2f0ad49" alt=""><figcaption></figcaption></figure>

### **Example: Detection Of Utilizing Archive Files For Transferring Tools Or Data Exfiltration**

Attackers may employ `zip`, `rar`, or `7z` files for transferring tools to a compromised host or exfiltrating data from it. The following search examines the creation of `zip`, `rar`, or `7z` files, with results sorted in descending order based on count.

```shell-session
index="main" EventCode=11 (TargetFilename="*.zip" OR TargetFilename="*.rar" OR TargetFilename="*.7z") | stats count by ComputerName, User, TargetFilename | sort - count
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fc8ami6rED6dtIwdu3Ckj%2F145.webp?alt=media&#x26;token=127ce6da-0e29-44b1-b505-10e7b3f84659" alt=""><figcaption></figcaption></figure>

### **Example: Detection Of Utilizing PowerShell or MS Edge For Downloading Payloads/Tools**

Attackers may exploit PowerShell to download additional payloads and tools, or deceive users into downloading malware via web browsers. The following SPL searches examine files downloaded through PowerShell or MS Edge.

```shell-session
index="main" sourcetype="WinEventLog:Sysmon" EventCode=11 Image="*powershell.exe*" |  stats count by Image, TargetFilename |  sort + count
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F9ECio7twSNzW5vGn7pSX%2F155.webp?alt=media&#x26;token=61e4bd24-cc3e-40c8-8d9b-6c4170e2548d" alt=""><figcaption></figcaption></figure>

```shell-session
index="main" sourcetype="WinEventLog:Sysmon" EventCode=11 Image="*msedge.exe" TargetFilename=*"Zone.Identifier" |  stats count by TargetFilename |  sort + count
```

The `*Zone.Identifier` is indicative of a file downloaded from the internet or another potentially untrustworthy source. Windows uses this zone identifier to track the security zones of a file. The `Zone.Identifier` is an ADS (Alternate Data Stream) that contains metadata about where the file was downloaded from and its security settings.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FaBIiKKNQuelcxK1VNhFs%2F147.webp?alt=media&#x26;token=c7c26e05-44f2-41f4-9fd8-74bc0f06a154" alt=""><figcaption></figcaption></figure>
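As an added illustration of the `Zone.Identifier` point (this is example code written for this page, not part of the original or of HTB's material), the Python below does two things: it reproduces the MS Edge search's `Zone.Identifier` filter over constructed Sysmon Event ID 11 records and strips the stream suffix so the analyst sees the downloaded file itself, and it parses the INI-style `[ZoneTransfer]` content that Windows writes into that stream, mapping the `ZoneId` to its zone name. The event records and the sample stream text are constructed; the URLs use the reserved `example.invalid` domain.

```python
from collections import Counter

# URL security zone identifiers as Windows uses them in the Zone.Identifier stream.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

# Constructed Sysmon Event ID 11 (FileCreate) records as the msedge search would see them.
EVENTS = [
    {"EventCode": 11, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\tool.exe:Zone.Identifier"},
    {"EventCode": 11, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\tool.exe"},          # the file itself, no ADS
    {"EventCode": 11, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\report.pdf:Zone.Identifier"},
    {"EventCode": 11, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "TargetFilename": r"C:\Users\bob\Downloads\tool.exe:Zone.Identifier"},  # re-downloaded
    {"EventCode": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\bob\Documents\notes.txt:Zone.Identifier"},  # wrong Image
]

def downloaded_files(events):
    """Mirror of: EventCode=11 Image="*msedge.exe" TargetFilename=*"Zone.Identifier"
    | stats count by TargetFilename, but keyed by the base file path (ADS suffix removed)."""
    counts = Counter()
    for e in events:
        if e["EventCode"] != 11 or not e["Image"].lower().endswith("msedge.exe"):
            continue
        if not e["TargetFilename"].lower().endswith(":zone.identifier"):
            continue
        base_path = e["TargetFilename"].rsplit(":", 1)[0]
        counts[base_path] += 1
    return dict(counts)

def parse_zone_identifier(stream_text):
    """Parse the [ZoneTransfer] section of a Zone.Identifier stream.
    Returns ZoneId, its human-readable name, and the HostUrl/ReferrerUrl when present."""
    fields = {}
    for line in stream_text.splitlines():
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    zone = fields.get("ZoneId")
    zone_id = int(zone) if zone is not None and zone.isdigit() else None
    return {"ZoneId": zone_id, "ZoneName": ZONE_NAMES.get(zone_id, "Unknown"),
            "HostUrl": fields.get("HostUrl"), "ReferrerUrl": fields.get("ReferrerUrl")}

# Constructed stream content in the layout Windows writes (CRLF line endings).
SAMPLE_STREAM = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                 "ReferrerUrl=https://example.invalid/\r\n"
                 "HostUrl=https://example.invalid/tool.exe\r\n")

if __name__ == "__main__":
    print(downloaded_files(EVENTS))
    print(parse_zone_identifier(SAMPLE_STREAM))
```

Sysmon Event ID 11 only tells you that the stream was created; the `ZoneId` and source URL live in the stream contents. If you need those in Splunk, look at Sysmon Event ID 15 (FileCreateStreamHash), which records alternate data streams and, in recent Sysmon versions, includes the contents of small text streams such as this one.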

### **Example: Detection Of Execution From Atypical Or Suspicious Locations**

The following SPL search is designed to identify any process creation (`EventCode=1`) occurring in a user's `Downloads` folder.

```shell-session
index="main" EventCode=1 | regex Image="C:\\\\Users\\\\.*\\\\Downloads\\\\.*" |  stats count by Image
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F6ujIpBUKrUU4ESHaz6ii%2F148.webp?alt=media&#x26;token=04346553-a3d6-4268-9711-a4cd0a1f144b" alt=""><figcaption></figcaption></figure>

### **Example: Detection Of Executables or DLLs Being Created Outside The Windows Directory**

The following SPL identifies potential malware activity by checking for the creation of executable and DLL files outside the Windows directory. It then groups and counts these activities by user and target filename.

```shell-session
index="main" EventCode=11 (TargetFilename="*.exe" OR TargetFilename="*.dll") TargetFilename!="*\\windows\\*" | stats count by User, TargetFilename | sort + count
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FpFc8UM0MTuLjOKO6i6oz%2F149.webp?alt=media&#x26;token=b225ef82-dd9d-4e86-99a4-9ca21e6e9d34" alt=""><figcaption></figcaption></figure>
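Both this search and the `Downloads` folder search above key on the location of a binary, so one added Python example (written for this page, not code from the original or from HTB) covers both: it applies the Downloads-folder regular expression to constructed Event ID 1 records and the "executable or DLL outside `\windows\`" test to constructed Event ID 11 records, then produces the same `stats count by` groupings. It also makes one caveat explicit: the Splunk `regex` command is case-sensitive unless you add `(?i)`, whereas the `TargetFilename!="*\\windows\\*"` field comparison is not, so the Downloads regex as written on the page would miss a path spelled `downloads`. The usernames and paths are invented sample data.

```python
import re
from collections import Counter

# The page's pattern for the regex command; Splunk's regex command matches anywhere in the field.
DOWNLOADS_PATTERN = r"C:\\Users\\.*\\Downloads\\.*"

def in_downloads(image, case_insensitive=True):
    """True when the image path lies under a user's Downloads folder.
    case_insensitive=False reproduces the behaviour of the page's regex command as written."""
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(DOWNLOADS_PATTERN, image, flags) is not None

def outside_windows_binary(target_filename):
    """Mirror of: (TargetFilename="*.exe" OR TargetFilename="*.dll") TargetFilename!="*\\windows\\*"
    Splunk field comparisons are case-insensitive, so everything is lower-cased first."""
    path = target_filename.lower()
    return path.endswith((".exe", ".dll")) and "\\windows\\" not in path

# Constructed Sysmon records (Event ID 1 process creation and Event ID 11 file creation).
EVENTS = [
    {"EventCode": 1, "Image": r"C:\Users\bob\Downloads\installer.exe", "User": r"CORP\bob"},
    {"EventCode": 1, "Image": r"C:\Users\bob\downloads\installer.exe", "User": r"CORP\bob"},  # lower-case folder
    {"EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\bob"},
    {"EventCode": 11, "TargetFilename": r"C:\Users\bob\AppData\Local\Temp\helper.dll", "User": r"CORP\bob"},
    {"EventCode": 11, "TargetFilename": r"C:\Windows\Temp\setup.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"EventCode": 11, "TargetFilename": r"C:\ProgramData\agent.exe", "User": r"CORP\alice"},
    {"EventCode": 11, "TargetFilename": r"C:\ProgramData\notes.txt", "User": r"CORP\alice"},
]

def downloads_execution_stats(events, case_insensitive=True):
    """Equivalent of: EventCode=1 | regex Image="C:\\\\Users\\\\.*\\\\Downloads\\\\.*" | stats count by Image"""
    return Counter(e["Image"] for e in events
                   if e["EventCode"] == 1 and in_downloads(e["Image"], case_insensitive))

def nonwindows_binary_stats(events):
    """Equivalent of the page's search: stats count by User, TargetFilename"""
    return Counter((e["User"], e["TargetFilename"]) for e in events
                   if e["EventCode"] == 11 and outside_windows_binary(e["TargetFilename"]))

if __name__ == "__main__":
    print(downloads_execution_stats(EVENTS))
    print(downloads_execution_stats(EVENTS, case_insensitive=False))
    print(nonwindows_binary_stats(EVENTS))
```

The second `downloads_execution_stats` call shows the gap: with case-sensitive matching only one of the two Downloads executions is reported. In Splunk, prefixing the pattern with `(?i)` closes it.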

### **Example: Detection Of Misspelling Legitimate Binaries**

Attackers often disguise their malicious binaries by intentionally misspelling legitimate ones to blend in and avoid detection. The purpose of the following SPL search is to detect potential misspellings of the legitimate `PSEXESVC.exe` binary, commonly used by `PsExec`.

```shell-session
index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 (CommandLine="*psexe*.exe" NOT (CommandLine="*PSEXESVC.exe" OR CommandLine="*PsExec64.exe")) OR (ParentCommandLine="*psexe*.exe" NOT (ParentCommandLine="*PSEXESVC.exe" OR ParentCommandLine="*PsExec64.exe")) OR (ParentImage="*psexe*.exe" NOT (ParentImage="*PSEXESVC.exe" OR ParentImage="*PsExec64.exe")) OR (Image="*psexe*.exe" NOT (Image="*PSEXESVC.exe" OR Image="*PsExec64.exe")) |  table Image, CommandLine, ParentImage, ParentCommandLine
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fieg3EkCqAJQJcyF2Hk9z%2F150.webp?alt=media&#x26;token=95e45601-8e3b-4967-989b-67e6f14fe687" alt=""><figcaption></figcaption></figure>
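The wildcard search above catches names that still contain `psexe`; an attacker who swaps a single character (`psexesvc1.exe`, `svch0st.exe`) slips past it. The added Python example below (written for this page, not code from the original or from HTB) generalizes the idea: it computes the Levenshtein edit distance between each process image's basename and a list of legitimate binary names and flags names that are close to, but not exactly, a legitimate one. The list of legitimate names, the distance threshold of 2 and the sample event records are all assumptions made for the example; note that the exact-match check is essential, because `psexesvc.exe` and `psexec.exe` are themselves within two edits of each other.

```python
# Legitimate binary names to protect (assumed list for this example; extend per environment).
LEGITIMATE = ["psexesvc.exe", "psexec.exe", "psexec64.exe", "svchost.exe", "lsass.exe"]

def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def basename(path):
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def lookalike(image_path, max_distance=2):
    """Return (legitimate_name, distance) when the basename is within max_distance edits
    of a legitimate binary but is not itself legitimate; None otherwise."""
    name = basename(image_path)
    if name in LEGITIMATE:          # exact match is fine, even if it is close to another legit name
        return None
    best = None
    for legit in LEGITIMATE:
        d = levenshtein(name, legit)
        if d <= max_distance and (best is None or d < best[1]):
            best = (legit, d)
    return best

# Constructed Sysmon Event ID 1 records, not real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\PSEXESVC.exe"},                          # legitimate
    {"Image": r"C:\Windows\PSEXESVC1.exe"},                         # one character appended
    {"Image": r"C:\Users\bob\AppData\Local\Temp\psexesvcs.exe"},    # one character inserted
    {"Image": r"C:\Windows\System32\svch0st.exe"},                  # digit substituted
    {"Image": r"C:\Windows\System32\notepad.exe"},                  # unrelated
]

def find_lookalikes(events):
    """List of (Image, legitimate_name, distance) for every suspicious image."""
    hits = []
    for e in events:
        hit = lookalike(e["Image"])
        if hit:
            hits.append((e["Image"], hit[0], hit[1]))
    return hits

if __name__ == "__main__":
    for image, legit, distance in find_lookalikes(EVENTS):
        print(f"{image} looks like {legit} (distance {distance})")
```

In Splunk itself the same idea can be approximated with a lookup of legitimate names plus a wildcard or `regex` stage; the edit-distance version is useful as a periodic batch check over `stats count by Image` output, where a short list of distinct image names keeps the pairwise comparison cheap.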

### **Example: Detection Of Using Non-standard Ports For Communications/Transfers**

Attackers often utilize non-standard ports during their operations. The following SPL search detects suspicious network connections to non-standard ports by excluding standard web and file transfer ports (80, 443, 22, 21). The `stats` command aggregates these connections, and they are sorted in descending order by `count`.

```shell-session
index="main" EventCode=3 NOT (DestinationPort=80 OR DestinationPort=443 OR DestinationPort=22 OR DestinationPort=21) | stats count by SourceIp, DestinationIp, DestinationPort | sort - count
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FLxoYHD6umcNe0taGxho7%2F151.webp?alt=media&#x26;token=ab95853f-02b3-48e3-a813-07818416b596" alt=""><figcaption></figcaption></figure>

### Practical Exercises

Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the password utilized during the PsExec activity. Enter it as your answer.

```shell-session
index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 CommandLine="*psexec*"
| table Image, CommandLine, ParentImage, ParentCommandLine
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fe6PgP9OQaNhYSaWrAvhs%2FScreenshot(1).png?alt=media&#x26;token=d5cfdf2e-7e24-445e-9e60-b2f54d5b6f9e" alt=""><figcaption></figcaption></figure>

Answer: Password@123
