Merge pull request #3059 from splunk/updates
Haag's Guided Adventures
patel-bhavin authored Jul 26, 2024
2 parents 3c657fc + c80b39e commit 6823575
Showing 8 changed files with 131 additions and 65 deletions.
23 changes: 11 additions & 12 deletions detections/endpoint/linux_decode_base64_to_shell.yml
Original file line number Diff line number Diff line change
@@ -1,20 +1,20 @@
name: Linux Decode Base64 to Shell
id: 637b603e-1799-40fd-bf87-47ecbd551b66
version: 2
date: '2024-05-22'
version: 3
date: '2024-06-25'
author: Michael Haag, Splunk
status: production
type: TTP
description: |-
The following analytic detects the decoding of base64-encoded data and its execution in a Linux shell. It leverages the Endpoint.Processes data model to search for commands like "base64 -d" and "base64 --decode" combined with Linux shell execution. This activity is significant because base64 encoding is often used to obfuscate malicious commands or payloads, indicating potential malicious activity. If confirmed malicious, this behavior could allow an attacker to execute unauthorized commands, gain unauthorized access, exfiltrate data, or perform other harmful actions on the Linux system.
description: The following analytic detects the behavior of decoding base64-encoded data and passing it to a Linux shell. Additionally, it mitigates the potential damage and protects the organization's systems and data.The detection is made by searching for specific commands in the Splunk query, namely "base64 -d" and "base64 --decode", within the Endpoint.Processes data model. The analytic also includes a filter for Linux shells. The detection is important because it indicates the presence of malicious activity since Base64 encoding is commonly used to obfuscate malicious commands or payloads, and decoding it can be a step in running those commands. It suggests that an attacker is attempting to run malicious commands on a Linux system to gain unauthorized access, for data exfiltration, or perform other malicious actions.
data_source:
- Sysmon for Linux EventID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*base64
-d*","*base64 --decode*") AND Processes.process="*|*" `linux_shells` by Processes.dest
Processes.user Processes.parent_process_name Processes.process_name Processes.process
Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `linux_decode_base64_to_shell_filter`'
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process="*|*" `linux_shells` by Processes.dest Processes.user Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| rex field=process "base64\s+(?<decode_flag>-{1,2}d\w*)"
| where isnotnull(decode_flag)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_decode_base64_to_shell_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection
and Response (EDR) agents. These agents are designed to provide security-related
telemetry from the endpoints where the agent is installed. To implement this search,
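Review bot: moving the `base64 -d` / `--decode` terms out of the tstats where-clause and into a post-`drop_dm_object_name` rex means the accelerated summary now returns every shell process whose command line contains a pipe, and the decode test only runs on the result set. Keep a coarse `Processes.process="*base64*"` term in the where-clause so tstats prunes before the rex; that preserves the precision gain of `-{1,2}d\w*` (it also catches `--d`, `-de` and `-dec`) without the scan cost. Separately, the rex only matches when the decode flag is the first token after `base64`, so `base64 -w 0 -d` or `base64 -i -d` is not flagged; `base64\s+(?:\S+\s+)*(?<decode_flag>-{1,2}d\w*)` accepts the flag in any position, at the cost of also matching a `-d…` argument of a later command in the same pipeline, which is acceptable for a TTP that already requires a pipe.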
Expand Down Expand Up @@ -80,8 +80,7 @@ tags:
tests:
- name: True Positive Test
attack_data:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
update_timestamp: true
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
name: Linux Obfuscated Files or Information Base64 Decode
id: 303b38b2-c03f-44e2-8f41-4594606fcfc7
version: 2
date: '2024-05-15'
version: 3
date: '2024-06-25'
author: Michael Haag, Splunk
status: production
type: Anomaly
Expand All @@ -15,9 +15,7 @@ description: The following analytic detects the use of the base64 decode command
data_source:
- Sysmon for Linux EventID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*base64
-d*","*base64 --decode*") by Processes.dest Processes.user Processes.parent_process_name
Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
as lastTime from datamodel=Endpoint.Processes where Processes.process_path="*/base64" Processes.process="*-d*" by Processes.process Processes.dest Processes.process_current_directory Processes.process_name Processes.process_integrity_level Processes.parent_process_name Processes.parent_process_path Processes.parent_process_guid Processes.parent_process_id Processes.process_guid Processes.process_id Processes.user
| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `linux_obfuscated_files_or_information_base64_decode_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection
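Review bot: `Processes.process="*-d*"` is far broader than the `-d` / `--decode` terms it replaces: it matches any command line containing the substring `-d`, so an encode-direction call such as `base64 /tmp/core-dump.bin` fires as well. Prefer explicit terms, e.g. `Processes.process IN ("* -d", "* -d *", "* --decode*")`. Also confirm that each field added to the `by` clause (`process_current_directory`, `process_integrity_level`, `parent_process_path`, `parent_process_guid`, `process_guid`) is actually populated by the Sysmon for Linux add-on: tstats excludes rows in which any group-by field is null, so one unpopulated field silently empties the search even though the test dataset may still pass if that field happens to be present there. Finally, anchoring on `process_path="*/base64"` puts `busybox base64 -d` and `openssl enc -d -base64` out of scope, which the description should say.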
Expand Down Expand Up @@ -84,8 +82,7 @@ tags:
tests:
- name: True Positive Test
attack_data:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/linux-sysmon.log
source: Syslog:Linux-Sysmon/Operational
sourcetype: sysmon:linux
update_timestamp: true
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
name: Malicious PowerShell Process - Encoded Command
id: c4db14d9-7909-48b4-a054-aa14d89dbb19
version: 8
date: '2024-05-19'
author: David Dorsey, Michael Haag, Splunk
version: 9
date: '2024-07-26'
author: David Dorsey, Michael Haag, Splunk, SirDuckly, GitHub Community
status: production
type: Hunting
description: 'The following analytic detects the use of the EncodedCommand parameter
Expand All @@ -22,8 +22,8 @@ search: "| tstats `security_content_summariesonly` count min(_time) as firstTime
as lastTime from datamodel=Endpoint.Processes where `process_powershell` by Processes.user
Processes.process_name Processes.process Processes.parent_process_name Processes.original_file_name
Processes.dest Processes.process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|– |—|―]e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\\\
s+[^-]\") | `malicious_powershell_process___encoded_command_filter`"
| `security_content_ctime(lastTime)` | where match(process,\"(?i)[\\-|\\/|–|—|―][Ee^]{1,2}[NnCcOoDdEeMmAa^]+\\s+[\\\"]?[A-Za-z0-9+/=]{5,}[\\\"]?\")
| `malicious_powershell_process___encoded_command_filter`"
how_to_implement: The detection is based on data that originates from Endpoint Detection
and Response (EDR) agents. These agents are designed to provide security-related
telemetry from the endpoints where the agent is installed. To implement this search,
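Review bot: the new pattern `[Ee^]{1,2}[NnCcOoDdEeMmAa^]+` no longer matches the bare `-e` form, because the second class requires at least one character: `powershell -e <base64>` matched the old `e(nc*o*d*e*d*c*o*m*m*a*n*d*)*\s+[^-]` pattern but cannot match here, and `-e` is the shortest prefix PowerShell accepts for `-EncodedCommand`. Changing `+` to `*` on the second class (`[Ee^]{1,2}[NnCcOoDdEeMmAa^]*`) keeps `-e` while retaining the caret-obfuscation handling and the new requirement for a base64-looking token of at least five characters. Two smaller points: `match` runs over the whole command line, so an inline `-ea SilentlyContinue` inside a `-Command` string also satisfies the pattern (`a` is in the class and `SilentlyContinue` is all letters), which is tolerable for a Hunting search but worth a note in known_false_positives; and the `[\-|\/|–|—|―]` class treats `|` as a literal member rather than alternation, which is pre-existing and harmless but reads as a mistake without a comment.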
Expand Down Expand Up @@ -84,4 +84,4 @@ tests:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1027/atomic_red_team/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
sourcetype: xmlwineventlog
18 changes: 8 additions & 10 deletions detections/endpoint/possible_lateral_movement_powershell_spawn.yml
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
name: Possible Lateral Movement PowerShell Spawn
id: cb909b3e-512b-11ec-aa31-3e22fbd008af
version: 3
date: '2024-05-20'
author: Mauricio Velazco, Splunk
version: 5
date: '2024-06-18'
author: Mauricio Velazco, Michael Haag, Splunk
status: production
type: TTP
description: 'The following analytic detects the spawning of a PowerShell process
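Review bot: `version` jumps from 3 to 5 while only one content change is visible, and the new `date` (2024-06-18) is earlier than the 2024-07-26 used by the other files in this merge. If version 4 was merged separately this is fine; otherwise bump to 4 so the version history stays contiguous.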
Expand All @@ -22,11 +22,10 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
OR Processes.parent_process_name=services.exe OR Processes.parent_process_name=svchost.exe
OR Processes.parent_process_name=wsmprovhost.exe OR Processes.parent_process_name=mmc.exe)
(Processes.process_name=powershell.exe OR (Processes.process_name=cmd.exe AND Processes.process=*powershell.exe*)
OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*))
NOT (Processes.process IN ("*c:\windows\ccm\*")) by Processes.dest Processes.user
Processes.parent_process_name Processes.process_name Processes.process Processes.process_id
Processes.parent_process_id | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | `possible_lateral_movement_powershell_spawn_filter`'
OR Processes.process_name=pwsh.exe OR (Processes.process_name=cmd.exe AND Processes.process=*pwsh.exe*)) NOT (Processes.process IN ("*c:\\windows\\ccm\\*"))
by Processes.dest Processes.user Processes.parent_process_name Processes.process_name
Processes.process Processes.process_id Processes.parent_process_id | `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `possible_lateral_movement_powershell_spawn_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection
and Response (EDR) agents. These agents are designed to provide security-related
telemetry from the endpoints where the agent is installed. To implement this search,
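Review bot: the exclusion changes from `"*c:\windows\ccm\*"` to `"*c:\\windows\\ccm\\*"` inside a YAML single-quoted scalar, where YAML leaves backslashes untouched, so the doubled form reaches SPL verbatim and the correctness of the NOT clause now depends on Splunk's quoted-string handling collapsing `\\` to `\`. The only test in this file is the True Positive case, which does not exercise the exclusion; please verify against a sample of SCCM client-spawned PowerShell events (`c:\windows\ccm\...` parent paths) that the NOT clause still suppresses them after this change, and put the reason for the re-escaping in the commit message. The remainder of the hunk is a line reflow of the `by` clause with no semantic change.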
Expand Down Expand Up @@ -92,7 +91,6 @@ tags:
tests:
- name: True Positive Test
attack_data:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_powershell/windows-sysmon.log
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1543.003/lateral_movement_powershell/windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
24 changes: 13 additions & 11 deletions detections/endpoint/windows_protocol_tunneling_with_plink.yml
Original file line number Diff line number Diff line change
@@ -1,26 +1,26 @@
name: Windows Protocol Tunneling with Plink
id: 8aac5e1e-0fab-4437-af0b-c6e60af23eed
version: 2
date: '2024-05-24'
version: 3
date: '2024-07-26'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects the use of Plink for protocol tunneling,
either for egress or lateral movement within an organization. It identifies specific
Plink command-line options (-R, -L, -D, -l) by analyzing process execution logs
from Endpoint Detection and Response (EDR) agents. This activity is significant
description: This analytic detects the use of Plink (including renamed versions like pvhost.exe) for protocol tunneling,
which may be used for egress or lateral movement within an organization. It identifies specific
command-line options (-R, -L, -D, -l, -N, -P, -pw) commonly used for port forwarding and tunneling
by analyzing process execution logs from Endpoint Detection and Response (EDR) agents. This activity is significant
as it may indicate an attempt to bypass network security controls or establish unauthorized
connections. If confirmed malicious, this could allow an attacker to exfiltrate
data, move laterally across the network, or maintain persistent access, posing a
severe threat to the organization's security.
severe threat to the organization's security. The detection covers both the original Plink executable
and potential renamed versions, enhancing its ability to catch evasion attempts.
data_source:
- Sysmon EventID 1
- Windows Event Log Security 4688
- CrowdStrike ProcessRollup2
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name=plink.exe
OR Processes.original_file_name=Plink Processes.process IN ("*-R *", "*-L *", "*-D
*", "*-l *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name
as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=plink.exe OR Processes.process_name=pvhost.exe OR Processes.original_file_name=Plink) AND
Processes.process IN ("*-R *", "*-L *", "*-D *", "*-l *", "*-N *", "*-P *", "*-pw *") by Processes.dest Processes.user Processes.parent_process_name Processes.process_name
Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`|
`windows_protocol_tunneling_with_plink_filter`'
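Review bot: the parenthesised `(process_name=plink.exe OR process_name=pvhost.exe OR original_file_name=Plink) AND process IN (...)` fixes a precedence bug in the old where-clause, where the implicit AND bound `original_file_name=Plink` to the flag list and left `process_name=plink.exe` matching with any arguments; that alone changes results and deserves a line in the description. The new flags do not all indicate tunneling, though: `-N` does, but `-P` (port) and `-pw` (password) are general connection options, so any scripted plink login now fires, and because field-value matching is case-insensitive by default `*-P *` also matches `-p `, just as the pre-existing `*-l *` overlaps `-L`. Either drop `-P` and `-pw` from the IN list or reword the description, which currently presents all seven switches as port-forwarding options. Lastly, `pvhost.exe` is a single hard-coded alias; it is `original_file_name=Plink` that covers renamed copies (until the PE version resource is stripped), so "potential renamed versions" overstates what the extra name adds.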
Expand All @@ -40,6 +40,8 @@ references:
- https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
- https://attack.mitre.org/techniques/T1572/
- https://documentation.help/PuTTY/using-cmdline-portfwd.html#S3.8.3.5
- https://media.defense.gov/2024/Jul/25/2003510137/-1/-1/0/Joint-CSA-North-Korea-Cyber-Espionage-Advance-Military-Nuclear-Programs.PDF
- https://blog.talosintelligence.com/lazarus-three-rats/
tags:
analytic_story:
- CISA AA22-257A
Expand Down Expand Up @@ -94,4 +96,4 @@ tests:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1572/plink/plink-windows-sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog
update_timestamp: true
update_timestamp: true
26 changes: 7 additions & 19 deletions detections/network/detect_remote_access_software_usage_dns.yml
Original file line number Diff line number Diff line change
@@ -1,17 +1,11 @@
name: Detect Remote Access Software Usage DNS
id: a16b797d-e309-41bd-8ba0-5067dae2e4be
version: 2
version: 3
date: '2024-05-27'
author: Steven Dick
status: production
type: Anomaly
description: The following analytic detects DNS queries to known remote access software
domains from within the environment. It leverages DNS query logs mapped to the Network_Resolution
data model and cross-references them with a lookup table of remote access software
domains, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant
as adversaries often use remote access tools to maintain persistent access to compromised
systems. If confirmed malicious, this could allow attackers to control systems remotely,
exfiltrate data, or further infiltrate the network, posing a severe security risk.
description: The following analytic detects DNS queries to domains associated with known remote access software such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This detection is crucial as adversaries often use these tools to maintain access and control over compromised environments. Identifying such behavior is vital for a Security Operations Center (SOC) because unauthorized remote access can lead to data breaches, ransomware attacks, and other severe impacts if these threats are not mitigated promptly.
data_source:
- Sysmon EventID 22
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
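Review bot: `version` is bumped 2 to 3 but `date` stays at 2024-05-27, whereas every other file in this merge moves the date with the version. The rewritten description also drops the only mention of the `Network_Resolution` data model and the `remote_access_software` lookup the search depends on; keep one sentence on the mechanism so a reader of the description alone knows where the domain list lives.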
Expand All @@ -20,14 +14,8 @@ search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
`security_content_ctime(lastTime)` | lookup remote_access_software remote_domain
AS query OUTPUT isutility, description as signature, comment_reference as desc,
category | eval dest = query | search isutility = True | `detect_remote_access_software_usage_dns_filter`'
how_to_implement: To implement this search, you must ingest logs that contain the
DNS query and the source of the query. These logs must be processed using the appropriate
Splunk Technology Add-ons that are specific to the DNS logs. The logs must also
be mapped to the `Network_Resolution` data model. Use the Splunk Common Information
Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: It is possible that legitimate remote access software is used
within the environment. Ensure that the lookup is reviewed and updated with any
additional remote access software that is used within the environment.
how_to_implement: To implement this search, you must ingest logs that contain the DNS query and the source of the query. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the DNS logs. The logs must also be mapped to the `Network_Resolution` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. Once the analytic is tuned for your environment, modify the risk scores to be more appropriate.
known_false_positives: It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and legitimate remote access software is removed from it to not cause false positives.
references:
- https://attack.mitre.org/techniques/T1219/
- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
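Review bot: the new known_false_positives guidance ("legitimate remote access software is removed from [the lookup]") points at the wrong tuning knob. The search keeps only rows where the `remote_access_software` lookup returns `isutility = True` and ends in `detect_remote_access_software_usage_dns_filter`; sanctioned tools should be tuned through that macro (or by setting `isutility` to false for the entry) rather than deleted from a lookup that other analytics may share, which would drop coverage for those domains everywhere. The added how_to_implement sentence about adjusting risk scores after tuning is fine, but both scalars should stay line-wrapped like the surrounding fields instead of becoming single long lines.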
Expand All @@ -38,8 +26,8 @@ tags:
- Command And Control
- Ransomware
asset_type: Endpoint
confidence: 50
impact: 50
confidence: 20
impact: 20
message: A domain for a known remote access software $query$ was contacted by $src$.
mitre_attack_id:
- T1219
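Review bot: `confidence` and `impact` both drop from 50 to 20, which gives a derived risk score of 20 × 20 / 100 = 4, consistent with the `risk_score` change further down. That is a large cut for a production analytic: on its own this DNS signal will rarely cross a risk threshold, which is a reasonable stance for a lookup-driven anomaly, but the rationale belongs in the commit message or the description so the change is not read as a regression.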
Expand All @@ -61,7 +49,7 @@ tags:
- DNS.src
- DNS.query
- DNS.answer
risk_score: 25
risk_score: 4
security_domain: endpoint
tests:
- name: True Positive Test