Detection: Windows Suspect Process With Authentication Traffic

Description

The following analytic detects executables running from public or temporary locations that are communicating over Windows domain authentication ports/protocols such as LDAP (389), LDAPS (636), and Kerberos (88). It leverages network traffic data to identify processes originating from user-controlled directories. This activity is significant because legitimate applications rarely run from these locations and attempt domain authentication, making it a potential indicator of compromise. If confirmed malicious, attackers could leverage this to access domain resources, potentially leading to further exploitation and lateral movement within the network.

1
2| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id  from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN ("88","389","636")  AND All_Traffic.app IN ("*\\users\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*")  by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip,All_Traffic.dest_port 
3| `drop_dm_object_name(All_Traffic)`  
4| rex field=app ".*\\\(?<process_name>.*)$" 
5| rename app as process 
6| `security_content_ctime(firstTime)`  
7| `security_content_ctime(lastTime)` 
8| `windows_suspect_process_with_authentication_traffic_filter`

Data Source

Name Platform Sourcetype Source Supported App
Sysmon EventID 3 Windows icon Windows 'xmlwineventlog' 'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' N/A

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
windows_suspect_process_with_authentication_traffic_filter search *
windows_suspect_process_with_authentication_traffic_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1087 Account Discovery Discovery
T1087.002 Domain Account Discovery
T1204 User Execution Execution
T1204.002 Malicious File Execution
KillChainPhase.EXPLOITAITON
KillChainPhase.INSTALLATION
NistCategory.DE_AE
Cis18Value.CIS_10
FIN13
APT41
BRONZE BUTLER
Chimera
Dragonfly
FIN13
FIN6
Fox Kitten
Ke3chang
LAPSUS$
MuddyWater
OilRig
Poseidon Group
Sandworm Team
Scattered Spider
ToddyCat
Turla
Volt Typhoon
Wizard Spider
menuPass
LAPSUS$
Scattered Spider
APT-C-36
APT12
APT19
APT28
APT29
APT30
APT32
APT33
APT37
APT38
APT39
Ajax Security Team
Andariel
Aoqin Dragon
BITTER
BRONZE BUTLER
BlackTech
CURIUM
Cobalt Group
Confucius
Dark Caracal
DarkHydrus
Darkhotel
Dragonfly
EXOTIC LILY
Earth Lusca
Elderwood
Ember Bear
FIN4
FIN6
FIN7
FIN8
Ferocious Kitten
Gallmaker
Gamaredon Group
Gorgon Group
HEXANE
Higaisa
Inception
IndigoZebra
Indrik Spider
Kimsuky
Lazarus Group
LazyScripter
Leviathan
Machete
Magic Hound
Malteiro
Mofang
Molerats
MuddyWater
Mustang Panda
Naikon
Nomadic Octopus
OilRig
PLATINUM
PROMETHIUM
Patchwork
RTM
Rancor
Sandworm Team
SideCopy
Sidewinder
Silence
TA2541
TA459
TA505
TA551
The White Company
Threat Group-3390
Tonto Team
Transparent Tribe
Tropic Trooper
WIRTE
Whitefly
Windshift
Wizard Spider
admin@338
menuPass

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Risk Event True
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

To implement this analytic, Sysmon should be installed in the environment and generating network events for userland and/or known public writable locations.

Known False Positives

Known applications running from these locations for legitimate purposes. Targeting only kerberos (port 88) may significantly reduce noise.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message Risk Score Impact Confidence
The process $process_name$ on $src$ has been communicating with $dest$ on $dest_port$. 25 50 50
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational xmlwineventlog
Integration ✅ Passing Dataset XmlWinEventLog:Microsoft-Windows-Sysmon/Operational xmlwineventlog

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range


Source: GitHub | Version: 2