Detection: Windows Suspect Process With Authentication Traffic

Updated Date: 2024-05-15 ID: 953322db-128a-4ce9-8e89-56e039e33d98 Author: Steven Dick Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic detects executables running from public or temporary locations that are communicating over Windows domain authentication ports/protocols such as LDAP (389), LDAPS (636), and Kerberos (88). It leverages network traffic data to identify processes originating from user-controlled directories. This activity is significant because legitimate applications rarely run from these locations and attempt domain authentication, making it a potential indicator of compromise. If confirmed malicious, attackers could leverage this to access domain resources, potentially leading to further exploitation and lateral movement within the network.

Search

1
2| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id  from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN ("88","389","636")  AND All_Traffic.app IN ("*\\users\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*")  by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip,All_Traffic.dest_port 
3| `drop_dm_object_name(All_Traffic)`  
4| rex field=app ".*\\\(?<process_name>.*)$" 
5| rename app as process 
6| `security_content_ctime(firstTime)`  
7| `security_content_ctime(lastTime)` 
8| `windows_suspect_process_with_authentication_traffic_filter`

Data Source

Name	Platform	Sourcetype	Source	Supported App
Sysmon EventID 3	Windows	`'xmlwineventlog'`	`'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'`	N/A

Macros Used

Name	Value
security_content_ctime	`convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)`
windows_suspect_process_with_authentication_traffic_filter	`search *`

windows_suspect_process_with_authentication_traffic_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1087	Account Discovery	Discovery
T1087.002	Domain Account	Discovery
T1204	User Execution	Execution
T1204.002	Malicious File	Execution

KillChainPhase.EXPLOITAITON

KillChainPhase.INSTALLATION

NistCategory.DE_AE

Cis18Value.CIS_10

FIN13

APT41

BRONZE BUTLER

Chimera

Dragonfly

FIN13

FIN6

Fox Kitten

Ke3chang

LAPSUS$

MuddyWater

OilRig

Poseidon Group

Sandworm Team

Scattered Spider

ToddyCat

Turla

Volt Typhoon

Wizard Spider

menuPass

LAPSUS$

Scattered Spider

APT-C-36

APT12

APT19

APT28

APT29

APT30

APT32

APT33

APT37

APT38

APT39

Ajax Security Team

Andariel

Aoqin Dragon

BITTER

BRONZE BUTLER

BlackTech

CURIUM

Cobalt Group

Confucius

Dark Caracal

DarkHydrus

Darkhotel

Dragonfly

EXOTIC LILY

Earth Lusca

Elderwood

Ember Bear

FIN4

FIN6

FIN7

FIN8

Ferocious Kitten

Gallmaker

Gamaredon Group

Gorgon Group

HEXANE

Higaisa

Inception

IndigoZebra

Indrik Spider

Kimsuky

Lazarus Group

LazyScripter

Leviathan

Machete

Magic Hound

Malteiro

Mofang

Molerats

MuddyWater

Mustang Panda

Naikon

Nomadic Octopus

OilRig

PLATINUM

PROMETHIUM

Patchwork

RTM

Rancor

Sandworm Team

SideCopy

Sidewinder

Silence

TA2541

TA459

TA505

TA551

The White Company

Threat Group-3390

Tonto Team

Transparent Tribe

Tropic Trooper

WIRTE

Whitefly

Windshift

Wizard Spider

admin@338

menuPass

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	True

This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

To implement this analytic, Sysmon should be installed in the environment and generating network events for userland and/or known public writable locations.

Known False Positives

Known applications running from these locations for legitimate purposes. Targeting only kerberos (port 88) may significantly reduce noise.

Associated Analytic Story

Active Directory Discovery

Risk Based Analytics (RBA)

Risk Message	Risk Score	Impact	Confidence
The process $process_name$ on $src$ has been communicating with $dest$ on $dest_port$.	25	50	50

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`xmlwineventlog`
Integration	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`	`xmlwineventlog`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 2