This search looks for the Windows Security Account Manager (SAM) service being stopped via the command line. This is consistent with Ryuk infections across a fleet of endpoints.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2020-11-06
- Author: Rod Soto, Jose Hernandez, Splunk
- ID: 69c12d59-d951-431e-ab77-ec426b8d65e6
Kill Chain Phase
- CIS 8
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes WHERE ("Processes.process_name"="net*.exe" "Processes.process"="*stop \"samss\"*") BY "Processes.dest", "Processes.user", "Processes.process"
| `drop_dm_object_name(Processes)`
| `security_content_ctime(lastTime)`
| `security_content_ctime(firstTime)`
| `windows_security_account_manager_stopped_filter`
The SPL above uses the following Macros:
windows_security_account_manager_stopped_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
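To make the matching and aggregation behaviour of the search concrete, the following Python reproduces its logic over a handful of constructed process-creation events. This is an added example, not code from the Splunk security content project: the sample events, host names and user names are invented, and the `windows_security_account_manager_stopped_filter` function is a stand-in for the empty filter macro. Note that the search's `process` pattern literally contains `stop "samss"` (the escaped quotes are part of the value), so the example mirrors that exact condition rather than a looser one.

```python
from collections import defaultdict
from datetime import datetime, timezone
from fnmatch import fnmatch

# Constructed sample events (not real telemetry). Field names follow the
# Endpoint.Processes data model after `drop_dm_object_name(Processes)`.
SAMPLE_EVENTS = [
    {"_time": 1604620800, "dest": "wkstn-17", "user": "CORP\\jdoe",
     "process_name": "net.exe", "process": 'net  stop "samss"'},
    {"_time": 1604620805, "dest": "wkstn-17", "user": "CORP\\jdoe",
     "process_name": "net1.exe",
     "process": 'C:\\Windows\\system32\\net1  stop "samss"'},
    {"_time": 1604620900, "dest": "srv-db-02", "user": "CORP\\svc_backup",
     "process_name": "net.exe", "process": 'net  stop "Spooler"'},   # other service: no match
    {"_time": 1604621000, "dest": "wkstn-03", "user": "CORP\\asmith",
     "process_name": "netstat.exe", "process": "netstat -ano"},     # net*.exe but wrong command
]

# Values from the page's risk table.
IMPACT = 70
CONFIDENCE = 100


def matches(event):
    """Mirror the WHERE clause: process_name like net*.exe AND process containing
    the literal text stop "samss". Splunk wildcard matches are case-insensitive,
    so both sides are lower-cased before comparing."""
    name = event["process_name"].lower()
    cmd = event["process"].lower()
    return fnmatch(name, "net*.exe") and 'stop "samss"' in cmd


def windows_security_account_manager_stopped_filter(rows):
    """Stand-in for the page's filter macro, which is empty by default and so
    passes every row through. Exclusions for known-benign activity belong here,
    not in the search body."""
    return rows


def ctime(epoch):
    """Equivalent of security_content_ctime: epoch seconds to a readable UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def search(events):
    """Group matching events BY dest, user, process with count/firstTime/lastTime,
    as the tstats command does, then apply the filter macro."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for e in events:
        if not matches(e):
            continue
        g = groups[(e["dest"], e["user"], e["process"])]
        t = e["_time"]
        g["count"] += 1
        g["first"] = t if g["first"] is None else min(g["first"], t)
        g["last"] = t if g["last"] is None else max(g["last"], t)
    rows = [
        {"dest": dest, "user": user, "process": process, "count": g["count"],
         "firstTime": ctime(g["first"]), "lastTime": ctime(g["last"])}
        for (dest, user, process), g in groups.items()
    ]
    return windows_security_account_manager_stopped_filter(rows)


def risk_score(impact=IMPACT, confidence=CONFIDENCE):
    """Risk Score = Impact * Confidence / 100, as stated on the page."""
    return impact * confidence / 100


def risk_message(row):
    """Fill the page's message template from one result row."""
    return (f"The Windows Security Account Manager (SAM) was stopped via cli by "
            f"{row['user']} on {row['dest']} by this command: {row['process']}")


if __name__ == "__main__":
    for row in search(SAMPLE_EVENTS):
        print(f"[risk {risk_score():.0f}] {risk_message(row)} "
              f"(count={row['count']}, first={row['firstTime']} UTC)")
```

Running it yields two rows, both for `wkstn-17` (one per distinct command line), while the `Spooler` stop and the `netstat` invocation are dropped by the command-line condition even though `net*.exe` matches their process names.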
Supported Add-on (TA)
List of Splunk Add-ons tested to work with the analytic.
List of fields required to use this analytic.
How To Implement
You must be ingesting data that records the process-system activity from your hosts to populate the Endpoint Processes data-model object. If you are using Sysmon, you will need a Splunk Universal Forwarder on each endpoint from which you want to collect data.
Known False Positives
SAM is a critical Windows service; stopping it would cause major issues on an endpoint, which makes false positives rare. No false positives have been identified.
Associated Analytic Story
| Risk Score | Impact | Confidence | Message |
| --- | --- | --- | --- |
| 70.0 | 70 | 100 | The Windows Security Account Manager (SAM) was stopped via cli by $user$ on $dest$ by this command: $process$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.
source | version: 1