# create_or_delete_windows_shares_using_net_exe.yml
name: Create or delete windows shares using net exe
id: 743a322c-9a68-4a0f-9c17-85d9cce2a27c
version: 6
date: '2020-09-16'
author: Bhavin Patel, Splunk
status: production
type: TTP
description: |-
  The following analytic detects the creation or deletion of hidden shares using the net.exe command, enabling prompt response and mitigation to improve the overall security posture of the organization and protect against data breaches, malware infections, and other damaging outcomes. The detection works by searching for processes that involve net.exe and filtering for actions related to the creation or deletion of shares. This detection is important because such activity suggests that an attacker is attempting to manipulate or exploit the network by creating or deleting hidden shares. The creation or deletion of hidden shares can indicate malicious activity, since attackers might use hidden shares to exfiltrate data, distribute malware, or establish persistence within a network. The impact of such an attack can vary, but it often involves unauthorized access to sensitive information, disruption of services, or the introduction of malware. False positives might occur, since legitimate actions can also involve net.exe. Extensive triage and investigation are necessary to determine the intent and nature of the detected activity. Next steps include reviewing the details of the process involving the net.exe command, including the user, parent process, and timestamps, during triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack.
data_source:
- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count values(Processes.user) as
  user values(Processes.parent_process) as parent_process min(_time) as firstTime
  max(_time) as lastTime from datamodel=Endpoint.Processes where `process_net` by
  Processes.process Processes.process_name Processes.parent_process_name Processes.original_file_name
  Processes.dest | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`|
  `security_content_ctime(lastTime)` | search process=*share* | `create_or_delete_windows_shares_using_net_exe_filter` '
how_to_implement: The detection is based on data that originates from Endpoint Detection
  and Response (EDR) agents. These agents are designed to provide security-related
  telemetry from the endpoints where the agent is installed. To implement this search,
  you must ingest logs that contain the process GUID, process name, and parent process.
  Additionally, you must ingest complete command-line executions. These logs must
  be processed using the appropriate Splunk Technology Add-ons that are specific to
  the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
  data model. Use the Splunk Common Information Model (CIM) to normalize the field
  names and speed up the data modeling process.
known_false_positives: Administrators often leverage net.exe to create or delete network
  shares. You should verify that the activity was intentional and is legitimate.
references:
- https://attack.mitre.org/techniques/T1070/005/
tags:
  analytic_story:
  - Hidden Cobra Malware
  - CISA AA22-277A
  - Windows Post-Exploitation
  - Prestige Ransomware
  - DarkGate Malware
  asset_type: Endpoint
  confidence: 50
  impact: 50
  message: An instance of $parent_process_name$ spawning $process_name$ was identified
    on endpoint $dest$ by user $user$ enumerating Windows file shares.
  mitre_attack_id:
  - T1070
  - T1070.005
  observable:
  - name: user
    type: User
    role:
    - Victim
  - name: dest
    type: Hostname
    role:
    - Victim
  - name: parent_process_name
    type: Process
    role:
    - Parent Process
  - name: process_name
    type: Process
    role:
    - Child Process
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Processes.dest
  - Processes.user
  - Processes.parent_process_name
  - Processes.parent_process
  - Processes.original_file_name
  - Processes.process_name
  - Processes.process
  - Processes.process_id
  - Processes.parent_process_path
  - Processes.process_path
  - Processes.parent_process_id
  risk_score: 25
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070.005/atomic_red_team/windows-sysmon.log
    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
    sourcetype: xmlwineventlog