-
Notifications
You must be signed in to change notification settings - Fork 353
/
detect_processes_used_for_system_network_configuration_discovery.yml
57 lines (57 loc) · 2.4 KB
/
detect_processes_used_for_system_network_configuration_discovery.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
name: Detect processes used for System Network Configuration Discovery
id: a51bfe1a-94f0-48cc-b1e4-16ae10145893
version: 2
date: '2020-11-10'
author: Bhavin Patel, Splunk
type: batch
datamodel:
- Endpoint
description: This search looks for fast execution of processes used for system network
configuration discovery on the endpoint.
search: '| tstats `security_content_summariesonly` count values(Processes.process)
as process values(Processes.parent_process) as parent_process min(_time) as firstTime
max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest Processes.process_name
Processes.user _time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `drop_dm_object_name(Processes)` | search `system_network_configuration_discovery_tools`
| transaction dest connected=false maxpause=5m |where eventcount>=5 | table firstTime
lastTime dest user process_name process parent_process eventcount | `detect_processes_used_for_system_network_configuration_discovery_filter`'
how_to_implement: You must be ingesting data that records registry activity from your
hosts to populate the Endpoint data model in the processes node. This is typically
populated via endpoint detection-and-response product, such as Carbon Black, or
endpoint data sources, such as Sysmon. The data used for this search is usually
generated via logs that report reads and writes to the registry or that are populated
via Windows event logs, after enabling process tracking in your Windows audit settings.
known_false_positives: It is uncommon for normal users to execute a series of commands
used for network discovery. System administrators often use scripts to execute these
commands. These can generate false positives.
references: []
tags:
analytic_story:
- Unusual Processes
asset_type: Endpoint
automated_detection_testing: passed
cis20:
- CIS 2
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1016/discovery_commands/windows-sysmon.log
kill_chain_phases:
- Installation
- Command and Control
- Actions on Objectives
mitre_attack_id:
- T1016
nist:
- ID.AM
- PR.DS
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Processes.process
- Processes.parent_process
- Processes.dest
- Processes.process_name
- Processes.user
security_domain: endpoint