Nterl0k - T1595 - Generic Scanning Behavior #3253

Open
wants to merge 1 commit into base: develop
65 changes: 65 additions & 0 deletions detections/endpoint/windows_detect-network_scanner_behavior.yml
@@ -0,0 +1,65 @@
name: Windows Detect Network Scanner Behavior
id: 78e678d2-bf64-4fe6-aa52-2f7b11dddee7
version: 1
date: '2024-12-26'
author: Steven Dick
status: production
type: Anomaly
description: The following analytic detects when an application is used to connect a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote execution. This analytic may require significant tuning depending on the organization and applications being actively used, highly recommended to pre-populate the filter macro prior to activation.
data_source:
- Sysmon EID 3
search: '| tstats `security_content_summariesonly` count latest(All_Traffic.dest_port) as dest_port dc(All_Traffic.dest_port) as port_count dc(All_Traffic.dest) as dest_count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where sourcetype=XmlWinEventLog All_Traffic.app = "*\\*" All_Traffic.dest_port < 32000 NOT All_Traffic.dest_port IN (8443,8080,5353,3268,443,389,88,80,53,25) by host,All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user _time span=5m
| `drop_dm_object_name(All_Traffic)`
| rex field=app ".*\\\(?<process_name>.*)$"
| where port_count > 10 OR dest_count > 10
| stats latest(src) as src, latest(src_ip) as src_ip, max(dest_count) as dest_count, max(port_count) as port_count, latest(dest_port) as dest_port, min(firstTime) as firstTime, max(lastTime) as lastTime, max(count) as count by host,user,app,process_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_detect_network_scanner_behavior_filter`'
how_to_implement: This detection relies on Sysmon EID3 events being ingested AND tagged into the networking datamodel.
known_false_positives: Various, could be noisy depending on processes in the organization and sysmon configuration used. Adjusted port/dest count thresholds as needed.
references:
- https://attack.mitre.org/techniques/T1595
tags:
asset_type: Endpoint
confidence: 50
impact: 50
message: A process exhibiting network scanning behavior [$process_name$] was detected on $src$
mitre_attack_id:
- T1595
- T1595.001
- T1595.002
- T1423
observable:
- name: src
type: system
role:
- Victim
- name: user
type: user
role:
- Victim
- name: process_name
type: process_name
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- All_Traffic.dest_port
- host
- All_Traffic.app
- All_Traffic.src
- All_Traffic.src_ip
- All_Traffic.user
- _time
risk_score: 25
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: XmlWinEventLog
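Review bot: the hard-coded port exclusion in the `tstats` where clause (`NOT All_Traffic.dest_port IN (8443,8080,5353,3268,443,389,88,80,53,25)`) drops every event on those ports before `dc(All_Traffic.dest)` is computed, so a horizontal sweep of one common port across many hosts (443 or 445-style host discovery on 80/443/88/389) never raises `dest_count` and is invisible to this analytic even though `dest_count > 10` is one of the two trigger conditions. The exclusion only makes sense for the vertical case (`port_count`); consider keeping the exclusion for the port-count side but computing `dest_count` over all ports, e.g. with a conditional count such as `dc(eval(if(match(dest_port,"^(8443|8080|5353|3268|443|389|88|80|53|25)$"),null(),dest_port)))` in a post-`tstats` stage, or documenting in `known_false_positives` that same-port host sweeps are out of scope. Smaller points in the same hunk: `required_fields` omits `All_Traffic.process_id`, which the search reads via `values(All_Traffic.process_id)`; `how_to_implement` should repeat the description's instruction to pre-populate `windows_detect_network_scanner_behavior_filter` before enabling, since an empty filter macro on a `status: production` analytic will page on every busy application; `known_false_positives` has a typo (`Adjusted` should read `Adjust`) and spells the event as `EID3` where `data_source` uses `EID 3`; and `T1423` in `mitre_attack_id` is the deprecated mobile-matrix scanning technique and does not fit an endpoint Sysmon detection, whereas the description's own framing ("a method of discovery") matches the enterprise Network Service Discovery technique better than the reconnaissance T1595 sub-techniques, so please confirm the mapping is intentional.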