/
web_servers_executing_suspicious_processes.yml
60 lines (60 loc) · 3.46 KB
/
web_servers_executing_suspicious_processes.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
name: Web Servers Executing Suspicious Processes
id: ec3b7601-689a-4463-94e0-c9f45638efb9
version: 1
date: '2019-04-01'
author: David Dorsey, Splunk
status: experimental
type: TTP
description: |-
The following analytic detects suspicious processes on systems labeled as web servers. This detection is made by a Splunk query that searches for specific process names that might indicate malicious activity. These suspicious processes include "whoami", "ping", "iptables", "wget", "service", and "curl". Uses the Splunk data model "Endpoint.Processes" and filters the results to only include systems categorized as web servers. This detection is important because it indicates unauthorized or malicious activity on web servers since these processes are commonly used by attackers to perform reconnaissance, establish persistence, or exfiltrate data from compromised systems. The impact of such an attack can be significant, ranging from data theft to the deployment of additional malicious payloads, potentially leading to ransomware or other damaging outcomes. False positives might occur since the legitimate use of these processes on web servers can trigger the analytic. Next steps include triaging and investigating to determine the legitimacy of the activity. Also, review the source and command of the suspicious process. You must also examine any relevant on-disk artifacts and look for concurrent processes to identify the source of the attack.
data_source:
- Sysmon Event ID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.dest_category="web_server"
AND (Processes.process="*whoami*" OR Processes.process="*ping*" OR Processes.process="*iptables*"
OR Processes.process="*wget*" OR Processes.process="*service*" OR Processes.process="*curl*")
by Processes.process Processes.process_name, Processes.dest Processes.user| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `web_servers_executing_suspicious_processes_filter`'
how_to_implement: The detection is based on data that originates from Endpoint Detection
and Response (EDR) agents. These agents are designed to provide security-related
telemetry from the endpoints where the agent is installed. To implement this search,
you must ingest logs that contain the process GUID, process name, and parent process.
Additionally, you must ingest complete command-line executions. These logs must
be processed using the appropriate Splunk Technology Add-ons that are specific to
the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
data model. Use the Splunk Common Information Model (CIM) to normalize the field
names and speed up the data modeling process.
known_false_positives: Some of these processes may be used legitimately on web servers
during maintenance or other administrative tasks.
references: []
tags:
analytic_story:
- Apache Struts Vulnerability
asset_type: Web Server
confidence: 50
impact: 50
message: tbd
mitre_attack_id:
- T1082
observable:
- name: user
type: User
role:
- Victim
- name: dest
type: Hostname
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Processes.dest_category
- Processes.process
- Processes.process_name
- Processes.dest
- Processes.user
risk_score: 25
security_domain: endpoint