Merge pull request #3024 from splunk/dlux_1

DLUX 1 - Adding Misc New Detections
splunk · Jul 17, 2024 · 16885f0 · 16885f0
2 parents 6bc0bce + 8d42322
commit 16885f0
Show file tree

Hide file tree

Showing 13 changed files with 806 additions and 0 deletions.
diff --git a/data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml b/data_sources/cloud/AWS_CloudWatchLogs_VPCflow.yml
@@ -0,0 +1,66 @@
+name: AWS CloudWatchLogs VPCflow
+id: 38a34fc4-e128-4478-a8f4-7835d51d5135
+author: Bhavin Patel, Splunk
+source: aws_cloudwatchlogs_vpcflow
+sourcetype: aws:cloudwatchlogs:vpcflow
+separator: eventName
+supported_TA:
+  name: Splunk Add-on for Amazon Web Services (AWS)
+  version: 7.4.1
+  url: https://splunkbase.splunk.com/app/1876
+event_names: []
+fields:
+- _raw
+- _time
+- account_id
+- action
+- app
+- aws_account_id
+- bytes
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_ip
+- dest_port
+- duration
+- dvc
+- end_time
+- eventtype
+- host
+- index
+- interface_id
+- linecount
+- log_status
+- packets
+- protocol
+- protocol_code
+- protocol_full_name
+- protocol_version
+- punct
+- region
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_ip
+- src_port
+- start_time
+- tag
+- tag::action
+- tag::eventtype
+- timeendpos
+- timestartpos
+- transport
+- user_id
+- vendor_account
+- vendor_product
+- version
+- vpcflow_action
+example_log: '2 123397614277 eni-0b0f9f261f45e6489 10.0.1.30 10.0.1.1 47254 22 17 2 98 1697608042 1697608070 ACCEPT OK'
diff --git a/data_sources/endpoint/Windows_Event_Log_Security.yml b/data_sources/endpoint/Windows_Event_Log_Security.yml
@@ -45,6 +45,8 @@ event_names:
   data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4725.yml
 - event_name: Windows Event Log Security 4726
   data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4726.yml
+- event_name: Windows Event Log Security 4728
+  data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4728.yml
 - event_name: Windows Event Log Security 4732
   data_source: data_sources/endpoint/event_sources/Windows_Event_Log_Security_4732.yml
 - event_name: Windows Event Log Security 4738

diff --git a/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml b/data_sources/endpoint/event_sources/Windows_Event_Log_System_4728.yml
@@ -0,0 +1,88 @@
+event_name: Windows Event Log System 4728
+fields:
+- _time
+- Account_Domain
+- Account_Name
+- CategoryString
+- ComputerName
+- Error_Code
+- EventCode
+- EventType
+- Keywords
+- LogName
+- Logon_ID
+- Message
+- OpCode
+- RecordNumber
+- Security_ID
+- SourceName
+- Subject_Account_Domain
+- Subject_Account_Name
+- Subject_Logon_ID
+- Subject_Security_ID
+- Target_Account_Domain
+- Target_Account_Name
+- Target_Security_ID
+- TaskCategory
+- Type
+- action
+- app
+- body
+- category
+- change_type
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_nt_domain
+- dest_nt_host
+- dvc
+- dvc_nt_host
+- event_id
+- eventtype
+- host
+- id
+- index
+- linecount
+- member_dn
+- member_id
+- member_nt_domain
+- msad_action
+- name
+- object
+- object_attrs
+- object_category
+- object_id
+- product
+- punct
+- result
+- session_id
+- severity
+- severity_id
+- signature
+- signature_id
+- source
+- sourcetype
+- splunk_server
+- src_nt_domain
+- src_user
+- src_user_name
+- status
+- subject
+- ta_windows_action
+- ta_windows_security_CategoryString
+- tag
+- tag::eventtype
+- timeendpos
+- timestartpos
+- user
+- user_group
+- user_name
+- vendor
+- vendor_product
+example_log: 10/09/2020 10:41:29 AM
diff --git a/detections/application/detect_distributed_password_spray_attempts.yml b/detections/application/detect_distributed_password_spray_attempts.yml
@@ -0,0 +1,81 @@
+name: Detect Distributed Password Spray Attempts
+id: b1a82fc8-8a9f-4344-9ec2-bde5c5331b57
+version: 1
+date: '2023-11-01'
+author: Dean Luxton
+status: production
+type: Hunting
+data_source:
+- Azure Active Directory Sign-in activity
+description: This analytic employs the 3-sigma approach to identify distributed password spray attacks. A 
+  distributed password spray attack is a type of brute force attack where the attacker attempts a few 
+  common passwords against many different accounts, connecting from multiple IP addresses to avoid detection. 
+  By utilizing the Authentication Data Model, this detection is effective for all CIM-mapped authentication 
+  events, providing comprehensive coverage and enhancing security against these attacks.
+search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts dc(Authentication.src) as unique_src count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.action, Authentication.signature_id, sourcetype, _time  span=2m
+  | `drop_dm_object_name("Authentication")`
+  ```fill out time buckets for 0-count events during entire search length```
+  | appendpipe [| timechart limit=0 span=5m count | table _time]
+  | fillnull value=0 unique_accounts, unique_src
+  ``` remove duplicate & empty time buckets```
+  | sort - total_failures
+  | dedup _time
+  ``` Create aggregation field & apply to all null events```
+  | eval counter=sourcetype+"__"+signature_id
+  | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter)
+  ``` 3-sigma detection logic ```
+  | eventstats avg(unique_accounts) as comp_avg_user , stdev(unique_accounts) as comp_std_user avg(unique_src) as comp_avg_src , stdev(unique_src) as comp_std_src by counter
+  | eval upperBoundUser=(comp_avg_user+comp_std_user*3), upperBoundsrc=(comp_avg_src+comp_std_src*3)
+  | eval isOutlier=if((unique_accounts > 30 and unique_accounts >= upperBoundUser) and (unique_src > 30 and unique_accounts >= upperBoundsrc), 1, 0)
+  | replace "::ffff:*" with * in src
+  | where isOutlier=1
+  | foreach * 
+      [ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)] 
+  | table _time, action, unique_src, unique_accounts, total_failures, sourcetype, signature_id
+  | sort - total_failures | `detect_distributed_password_spray_attempts_filter`'
+how_to_implement: Ensure that all relevant authentication data is mapped to the Common Information Model (CIM)
+  and that the src field is populated with the source device information. Additionally, ensure that 
+  fill_nullvalue is set within the security_content_summariesonly macro to include authentication events from 
+  log sources that do not feature the signature_id field in the results.
+known_false_positives: It is common to see a spike of legitimate failed authentication events on monday mornings.
+references:
+- https://attack.mitre.org/techniques/T1110/003/
+tags:
+  analytic_story:
+  - Compromised User Account
+  - Active Directory Password Spraying
+  asset_type: Endpoint
+  atomic_guid:
+  - 90bc2e54-6c84-47a5-9439-0a2a92b4b175
+  confidence: 70
+  impact: 70
+  message: Distributed Password Spray Attempt Detected from $src$
+  mitre_attack_id:
+  - T1110.003
+  - T1110
+  observable:
+  - name: src
+    type: IP Address
+    role:
+    - Attacker
+  - name: unique_accounts
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 49
+  required_fields:
+  - Authentication.action
+  - Authentication.user
+  - Authentication.src
+  security_domain: access
+  manual_test: The dataset & hardcoded timerange doesn't meet the criteria for this detetion. 
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azure_ad_distributed_spray/azure_ad_distributed_spray.log
+    source: azure:monitor:aad
+    sourcetype: azure:monitor:aad
diff --git a/detections/application/detect_password_spray_attempts.yml b/detections/application/detect_password_spray_attempts.yml
@@ -0,0 +1,75 @@
+name: Detect Password Spray Attempts
+id: 086ab581-8877-42b3-9aee-4a7ecb0923af
+version: 1
+date: '2023-11-01'
+author: Dean Luxton
+status: production
+type: TTP
+data_source:
+- Windows Event Log Security 4625
+description: This analytic employs the 3-sigma approach to detect an unusual volume of failed authentication attempts
+  from a single source. A password spray attack is a type of brute force attack where an attacker tries a few
+  common passwords across many different accounts to avoid detection and account lockouts. By utilizing the
+  Authentication Data Model, this detection is effective for all CIM-mapped authentication events, providing
+  comprehensive coverage and enhancing security against these attacks.
+search: '| tstats `security_content_summariesonly` dc(Authentication.user) AS unique_accounts values(Authentication.app) as app count(Authentication.user) as total_failures from datamodel=Authentication.Authentication where Authentication.action="failure" by Authentication.src, Authentication.action, Authentication.signature_id, sourcetype, _time  span=2m
+  | `drop_dm_object_name("Authentication")`
+  ```fill out time buckets for 0-count events during entire search length```
+  | appendpipe [| timechart limit=0 span=5m count | table _time]
+  | fillnull value=0 unique_accounts, unique_src
+  ``` remove duplicate & empty time buckets```
+  | sort - total_failures
+  | dedup _time
+  ``` Create aggregation field & apply to all null events```
+  | eval counter=src+"__"+sourcetype+"__"+signature_id
+  | eventstats values(counter) as fnscounter | eval counter=coalesce(counter,fnscounter)
+  | eventstats avg(unique_accounts) as comp_avg , stdev(unique_accounts) as comp_std by counter
+  | eval upperBound=(comp_avg+comp_std*3)
+  | eval isOutlier=if(unique_accounts > 30 and unique_accounts >= upperBound, 1, 0)
+  | replace "::ffff:*" with * in src
+  | where isOutlier=1
+  | foreach * [ eval <<FIELD>> = if(<<FIELD>>="null",null(),<<FIELD>>)] 
+  | table _time, src, action, app, unique_accounts, total_failures, sourcetype, signature_id
+  | `detect_password_spray_attempts_filter`'
+how_to_implement: Ensure in-scope authentication data is CIM mapped and the src field is populated with the source device. Also ensure fill_nullvalue is set within the macro security_content_summariesonly. 
+known_false_positives: Unknown
+references:
+- https://attack.mitre.org/techniques/T1110/003/
+tags:
+  analytic_story:
+  - Compromised User Account
+  - Active Directory Password Spraying
+  asset_type: Endpoint
+  atomic_guid:
+  - 90bc2e54-6c84-47a5-9439-0a2a92b4b175
+  confidence: 70
+  impact: 70
+  message: Potential Password Spraying attack from $src$ targeting $unique_accounts$ unique accounts. 
+  mitre_attack_id:
+  - T1110.003
+  - T1110
+  observable:
+  - name: src
+    type: Endpoint
+    role:
+    - Attacker
+  - name: sourcetype
+    type: Other
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 49
+  required_fields:
+  - Authentication.action
+  - Authentication.user
+  - Authentication.src
+  security_domain: access
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/purplesharp_invalid_users_kerberos_xml/windows-security.log
+    source: XmlWinEventLog:Security
+    sourcetype: XmlWinEventLog
diff --git a/detections/application/windows_ad_add_self_to_group.yml b/detections/application/windows_ad_add_self_to_group.yml
@@ -0,0 +1,54 @@
+name: Windows AD add Self to Group
+id: 065f2701-b7ea-42f5-9ec4-fbc2261165f9
+version: 1
+date: '2023-12-18'
+author: Dean Luxton
+status: production
+type: TTP
+data_source:
+- Windows Event Log Security 4728
+description: This analytic detects instances where a user adds themselves to an Active Directory (AD) group. This activity
+  is a common indicator of privilege escalation, where a user attempts to gain unauthorized access to higher
+  privileges or sensitive resources. By monitoring AD logs, this detection identifies such suspicious behavior,
+  which could be part of a larger attack strategy aimed at compromising critical systems and data. 
+search: '`wineventlog_security` EventCode IN (4728) 
+  | where user=src_user 
+  | stats min(_time) as _time dc(user) as usercount, values(user) as user values(user_category) as user_category values(src_user_category) as src_user_category values(dvc) as dvc by signature, Group_Name, src_user 
+  | `windows_ad_add_self_to_group_filter`'
+how_to_implement: This analytic requires eventCode 4728 to be ingested.
+known_false_positives: Unknown
+references: []
+tags:
+  analytic_story:
+  - Active Directory Privilege Escalation
+  - Sneaky Active Directory Persistence Tricks
+  asset_type: Endpoint
+  confidence: 100
+  impact: 50
+  message: $user$ added themselves to AD Group $Group_Name$
+  mitre_attack_id:
+  - T1098
+  observable:
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  risk_score: 50
+  required_fields:
+  - EventCode
+  - user
+  - src_user
+  - signature
+  - Group_Name
+  security_domain: audit
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/account_manipulation/xml-windows-security.log
+    source: XmlWinEventLog:Security
+    sourcetype: XmlWinEventLog
+    update_timestamp: true