Try in Splunk Security Cloud

Description

The following analytic detects executables running from public or temporary locations that are communicating over Windows domain authentication ports/protocols such as LDAP (389), LDAPS (636), and Kerberos (88). It leverages network traffic data to identify processes originating from user-controlled directories. This activity is significant because legitimate applications rarely run from these locations and attempt domain authentication, making it a potential indicator of compromise. If confirmed malicious, attackers could leverage this to access domain resources, potentially leading to further exploitation and lateral movement within the network.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Traffic
  • Last Updated: 2024-05-15
  • Author: Steven Dick
  • ID: 953322db-128a-4ce9-8e89-56e039e33d98

Annotations

ATT&CK

ATT&CK

ID Technique Tactic
T1087 Account Discovery Discovery
T1087.002 Domain Account Discovery
T1204 User Execution Execution
T1204.002 Malicious File Execution
Kill Chain Phase
  • Exploitation
  • Installation
NIST
  • DE.AE
CIS20
  • CIS 10
CVE 


1
2
3
4
5
6
7
8



| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id  from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN ("88","389","636")  AND All_Traffic.app IN ("*\\users\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*")  by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip,All_Traffic.dest_port 
| `drop_dm_object_name(All_Traffic)`  
| rex field=app ".*\\\(?<process_name>.*)$" 
| rename app as process 
| `security_content_ctime(firstTime)`  
| `security_content_ctime(lastTime)` 
| `windows_suspect_process_with_authentication_traffic_filter`

Macros

The SPL above uses the following Macros:

:information_source: windows_suspect_process_with_authentication_traffic_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • All_Traffic.app
  • All_Traffic.src
  • All_Traffic.src_ip
  • All_Traffic.user
  • All_Traffic.dest
  • All_Traffic.dest_ip
  • All_Traffic.dest_port

How To Implement

To implement this analytic, Sysmon should be installed in the environment and generating network events for userland and/or known public writable locations.

Known False Positives

Known applications running from these locations for legitimate purposes. Targeting only kerberos (port 88) may significantly reduce noise.

Associated Analytic Story

RBA

Risk Score Impact Confidence Message
25.0 50 50 The process $process_name$ on $src$ has been communicating with $dest$ on $dest_port$.

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 2