From f1d2c7ddf901505fb3a9b9cb2e94a1d625ba5a57 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Thu, 26 Dec 2024 12:23:09 -0500 Subject: [PATCH] Add files via upload --- ...indows_detect-network_scanner_behavior.yml | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 detections/endpoint/windows_detect-network_scanner_behavior.yml diff --git a/detections/endpoint/windows_detect-network_scanner_behavior.yml b/detections/endpoint/windows_detect-network_scanner_behavior.yml new file mode 100644 index 0000000000..61925c9d19 --- /dev/null +++ b/detections/endpoint/windows_detect-network_scanner_behavior.yml @@ -0,0 +1,65 @@ +name: Windows Detect Network Scanner Behavior +id: 78e678d2-bf64-4fe6-aa52-2f7b11dddee7 +version: 1 +date: '2024-12-26' +author: Steven Dick +status: production +type: Anomaly +description: The following analytic detects when an application is used to connect a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote execution. This analytic may require significant tuning depending on the organization and applications being actively used, highly recommended to pre-populate the filter macro prior to activation. +data_source: +- Sysmon EID 3 +search: '| tstats `security_content_summariesonly` count latest(All_Traffic.dest_port) as dest_port dc(All_Traffic.dest_port) as port_count dc(All_Traffic.dest) as dest_count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where sourcetype=XmlWinEventLog All_Traffic.app = "*\\*" All_Traffic.dest_port < 32000 NOT All_Traffic.dest_port IN (8443,8080,5353,3268,443,389,88,80,53,25) by host,All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user _time span=5m +| `drop_dm_object_name(All_Traffic)` +| rex field=app ".*\\\(?.*)$" +| where port_count > 10 OR dest_count > 10 +| stats latest(src) as src, latest(src_ip) as src_ip, max(dest_count) as dest_count, max(port_count) as port_count, latest(dest_port) as dest_port, min(firstTime) as firstTime, max(lastTime) as lastTime, max(count) as count by host,user,app,process_name +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)` +| `windows_detect_network_scanner_behavior_filter`' +how_to_implement: This detection relies on Sysmon EID3 events being ingested AND tagged into the networking datamodel. +known_false_positives: Various, could be noisy depending on processes in the organization and sysmon configuration used. Adjusted port/dest count thresholds as needed. +references: +- https://attack.mitre.org/techniques/T1595 +tags: + asset_type: Endpoint + confidence: 50 + impact: 50 + message: A process exhibiting network scanning behavior [$process_name$] was detected on $src$ + mitre_attack_id: + - T1595 + - T1595.001 + - T1595.002 + - T1423 + observable: + - name: src + type: system + role: + - Victim + - name: user + type: user + role: + - Victim + - name: process_name + type: process_name + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - All_Traffic.dest_port + - host + - All_Traffic.app + - All_Traffic.src + - All_Traffic.src_ip + - All_Traffic.user + - _time + risk_score: 25 + security_domain: network +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog \ No newline at end of file