Description

This analytic identifies a suspicious command line that disables a user account with the net.exe utility native to Windows. Adversaries may use this technique to disrupt the availability of the affected accounts as part of their malicious activity.

  • Type: TTP
  • Product: Splunk Behavioral Analytics
  • Datamodel: Endpoint
  • Last Updated: 2021-06-21
  • Author: Teoderick Contreras, Splunk
  • ID: ba858b08-d26c-11eb-af9b-acde48001122

ATT&CK

ID Technique Tactic
T1489 Service Stop Impact

| from read_ssa_enriched_events() 
| eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=lower(ucast(map_get(input_event, "process"), "string", null)), process_name=lower(ucast(map_get(input_event, "process_name"), "string", null)), process_path=ucast(map_get(input_event, "process_path"), "string", null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", null), event_id=ucast(map_get(input_event, "event_id"), "string", null) 
| where cmd_line IS NOT NULL AND like(cmd_line, "%/active:no%") AND (process_name="net1.exe" OR process_name="net.exe") 
| eval start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name", process_name, "parent_process_name", parent_process_name, "process_path", process_path]) 
| into write_ssa_detected_events();
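The where-clause of the SSA query above, re-implemented in plain Python and run over a handful of constructed process events, so the match conditions (null guard, case-insensitive `/active:no` substring, net.exe/net1.exe binary check) can be exercised offline. This is an added example, not code from the Splunk page or the Splunk security content project; the sample events and the optional `original_file_name` field (standing in for something like Sysmon's OriginalFileName, which the query itself does not use) are assumptions made for the example.

```python
# Added example, not Splunk's code: the SSA detection's where-clause and
# output map rebuilt in Python and run over constructed endpoint events.
from typing import Dict, List, Optional

NET_BINARIES = ("net.exe", "net1.exe")

# Constructed sample events (invented for this example), shaped like the
# fields the SSA query reads from input_event.
SAMPLE_EVENTS: List[Dict[str, Optional[str]]] = [
    {   # 1: account disabled via net.exe, switch in upper case
        "_time": "1624262400000", "event_id": "e1",
        "process": "net user jsmith /ACTIVE:NO", "process_name": "net.exe",
        "process_path": "C:\\Windows\\System32\\net.exe",
        "parent_process_name": "cmd.exe",
        "dest_user_id": "u-1001", "dest_device_id": "d-42",
    },
    {   # 2: net.exe hands off to net1.exe, which carries the same switch
        "_time": "1624262400100", "event_id": "e2",
        "process": "C:\\Windows\\system32\\net1 user jsmith /active:no",
        "process_name": "net1.exe",
        "process_path": "C:\\Windows\\System32\\net1.exe",
        "parent_process_name": "net.exe",
        "dest_user_id": "u-1001", "dest_device_id": "d-42",
    },
    {   # 3: account re-enabled; must not fire
        "_time": "1624262500000", "event_id": "e3",
        "process": "net user jsmith /active:yes", "process_name": "net.exe",
        "parent_process_name": "cmd.exe",
        "dest_user_id": "u-1001", "dest_device_id": "d-42",
    },
    {   # 4: unrelated net.exe usage; must not fire
        "_time": "1624262600000", "event_id": "e4",
        "process": "net use Z: \\\\fileserver\\share", "process_name": "net.exe",
        "parent_process_name": "explorer.exe",
        "dest_user_id": "u-1002", "dest_device_id": "d-43",
    },
    {   # 5: renamed copy of net.exe; the process_name filter misses it unless
        #    an assumed original_file_name field is consulted
        "_time": "1624262700000", "event_id": "e5",
        "process": "n.exe user jsmith /active:no", "process_name": "n.exe",
        "original_file_name": "net.exe",  # assumed field, e.g. Sysmon OriginalFileName
        "parent_process_name": "powershell.exe",
        "dest_user_id": "u-1003", "dest_device_id": "d-44",
    },
    {   # 6: no command line captured; the IS NOT NULL guard drops it
        "_time": "1624262800000", "event_id": "e6",
        "process": None, "process_name": "net.exe",
        "parent_process_name": "cmd.exe",
        "dest_user_id": "u-1004", "dest_device_id": "d-45",
    },
]


def evaluate(event: Dict[str, Optional[str]],
             use_original_file_name: bool = False) -> Optional[dict]:
    """Apply the query's where-clause to one event.

    Returns a dict mirroring the query's start_time/end_time/entities/body
    on a match, otherwise None. With use_original_file_name=True the binary
    check also accepts the assumed original_file_name field, so renamed
    copies of net.exe/net1.exe are still caught."""
    cmd_line = event.get("process")
    if cmd_line is None:                      # cmd_line IS NOT NULL
        return None
    cmd_line = cmd_line.lower()               # lower() makes the like() case-insensitive
    if "/active:no" not in cmd_line:          # like(cmd_line, "%/active:no%")
        return None
    process_name = (event.get("process_name") or "").lower()
    names = {process_name}
    if use_original_file_name:
        names.add((event.get("original_file_name") or "").lower())
    if not names & set(NET_BINARIES):         # process_name="net1.exe" OR "net.exe"
        return None
    ts = event.get("_time")
    return {
        "start_time": ts,
        "end_time": ts,
        "entities": [event.get("dest_user_id"), event.get("dest_device_id")],
        "body": {
            "event_id": event.get("event_id"),
            "cmd_line": cmd_line,
            "process_name": process_name,
            "parent_process_name": event.get("parent_process_name"),
            "process_path": event.get("process_path"),
        },
    }


def run(events: List[Dict[str, Optional[str]]],
        use_original_file_name: bool = False) -> List[dict]:
    """Run the detection over a list of events and return the detected ones."""
    hits = []
    for event in events:
        detected = evaluate(event, use_original_file_name)
        if detected is not None:
            hits.append(detected)
    return hits


if __name__ == "__main__":
    for hit in run(SAMPLE_EVENTS):
        print(hit["body"]["process_name"], "->", hit["body"]["cmd_line"])
```

Running it as-is yields two detections (events 1 and 2); passing `use_original_file_name=True` adds the renamed binary in event 5. The re-enable in event 3, the share mapping in event 4 and the null command line in event 6 never match, which is the behaviour the SSA where-clause encodes.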

Associated Analytic Story

How To Implement

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed net.exe/net1.exe may be used.

Required field

  • _time
  • dest_device_id
  • process_name
  • parent_process_name
  • process_path
  • dest_user_id
  • process

Kill Chain Phase

  • Exploitation

Known False Positives

A network operator may use this approach to quickly disable an account, but it is not a common practice.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 2