-
Notifications
You must be signed in to change notification settings - Fork 334
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
142 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| name: Windows Proxy Via Netsh | ||
| id: c137bfe8-6036-4cff-b77b-4e327dd0a1cf | ||
| version: 1 | ||
| date: '2023-05-25' | ||
| author: Teoderick Contreras, Splunk | ||
| status: production | ||
| type: Anomaly | ||
| data_source: | ||
| - Sysmon Event ID 1 | ||
| description: This search looks for processes launching netsh.exe for connection proxy. Netsh is a command-line | ||
| scripting utility that allows you to, either locally or remotely, display or modify | ||
| the network configuration of a computer that is currently running. Netsh can be | ||
| used as a persistence proxy technique to execute a helper DLL when netsh.exe is | ||
| executed. In this search, we are looking for processes spawned by netsh.exe and | ||
| executing commands via the command line. | ||
| search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes | ||
| where `process_netsh` Processes.process = "* portproxy *" Processes.process = "* v4tov4 *" by Processes.parent_process_name Processes.parent_process Processes.original_file_name Processes.process_name Processes.process Processes.user Processes.dest | ||
| |`drop_dm_object_name("Processes")` | ||
| |`security_content_ctime(firstTime)` | ||
| |`security_content_ctime(lastTime)` | ||
| | `windows_proxy_via_netsh_filter`' | ||
| how_to_implement: To successfully implement this search you need to be ingesting information | ||
| on process that include the name of the process responsible for the changes from | ||
| your endpoints into the `Endpoint` datamodel in the `Processes` node. In addition, | ||
| confirm the latest CIM App 4.20 or higher is installed and the latest TA for the | ||
| endpoint product. | ||
| known_false_positives: Some VPN applications are known to launch netsh.exe. Outside | ||
| of these instances, it is unusual for an executable to launch netsh.exe and run | ||
| commands. | ||
| references: | ||
| - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ | ||
| tags: | ||
| analytic_story: | ||
| - Volt Typhoon | ||
| asset_type: Endpoint | ||
| atomic_guid: | ||
| - b8223ea9-4be2-44a6-b50a-9657a3d4e72a | ||
| confidence: 70 | ||
| impact: 70 | ||
| message: A process $process_name$ has launched netsh with command-line $process$ | ||
| on $dest$. | ||
| mitre_attack_id: | ||
| - T1090.001 | ||
| - T1090 | ||
| observable: | ||
| - name: dest | ||
| type: Hostname | ||
| role: | ||
| - Victim | ||
| - name: user | ||
| type: User | ||
| role: | ||
| - Victim | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| risk_score: 49 | ||
| required_fields: | ||
| - _time | ||
| - Processes.process | ||
| - Processes.parent_process_name | ||
| - Processes.parent_process | ||
| - Processes.process_name | ||
| - Processes.user | ||
| - Processes.dest | ||
| security_domain: endpoint | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log | ||
| source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | ||
| sourcetype: xmlwineventlog |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| name: Windows Proxy Via Registry | ||
| id: 0270455b-1385-4579-9ac5-e77046c508ae | ||
| version: 1 | ||
| date: '2023-05-25' | ||
| author: Teoderick Contreras, Splunk | ||
| status: production | ||
| type: Anomaly | ||
| data_source: | ||
| - Sysmon EventID 12 | ||
| - Sysmon EventID 13 | ||
| - Sysmon EventID 14 | ||
| description: This search looks for processes launching netsh.exe for connection proxy. Netsh is a command-line | ||
| scripting utility that allows you to, either locally or remotely, display or modify | ||
| the network configuration of a computer that is currently running. Netsh can be | ||
| used as a persistence proxy technique to execute a helper DLL when netsh.exe is | ||
| executed. In this search, we are looking for processes spawned by netsh.exe and | ||
| executing commands via the command line. | ||
| search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry | ||
| where Registry.registry_path ="*\\System\\CurrentControlSet\\Services\\PortProxy\\v4tov4\\tcp*" | ||
| by Registry.registry_path Registry.registry_key_name Registry.registry_value_name Registry.action Registry.dest Registry.user | ||
| | `security_content_ctime(lastTime)` | ||
| | `security_content_ctime(firstTime)` | ||
| | `drop_dm_object_name(Registry)` | ||
| | `windows_proxy_via_registry_filter`' | ||
| how_to_implement: To successfully implement this search, you need to be ingesting | ||
| logs with the registry value name, registry path, and registry value data from your | ||
| endpoints. If you are using Sysmon, you must have at least version 2.0 of the offical | ||
| Sysmon TA. https://splunkbase.splunk.com/app/5709 | ||
| known_false_positives: unknown | ||
| references: | ||
| - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ | ||
| tags: | ||
| analytic_story: | ||
| - Volt Typhoon | ||
| asset_type: Endpoint | ||
| atomic_guid: | ||
| - b8223ea9-4be2-44a6-b50a-9657a3d4e72a | ||
| confidence: 70 | ||
| impact: 70 | ||
| message: A registry modification for port proxy in$dest$ | ||
| mitre_attack_id: | ||
| - T1090.001 | ||
| - T1090 | ||
| observable: | ||
| - name: dest | ||
| type: Endpoint | ||
| role: | ||
| - Victim | ||
| product: | ||
| - Splunk Enterprise | ||
| - Splunk Enterprise Security | ||
| - Splunk Cloud | ||
| risk_score: 49 | ||
| required_fields: | ||
| - _time | ||
| - Registry.registry_key_name | ||
| - Registry.registry_path | ||
| - Registry.user | ||
| - Registry.dest | ||
| - Registry.registry_value_name | ||
| - Registry.action | ||
| - Registry.registry_value_data | ||
| security_domain: endpoint | ||
| tests: | ||
| - name: True Positive Test | ||
| attack_data: | ||
| - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1090.001/netsh_portproxy/volt_sysmon.log | ||
| source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | ||
| sourcetype: xmlwineventlog |