Detection: Windows Post Exploitation Risk Behavior

Description

The following analytic identifies four or more distinct post-exploitation behaviors on a Windows system. It leverages data from the Risk data model in Splunk Enterprise Security, focusing on multiple risk events and their associated MITRE ATT&CK tactics and techniques. This activity is significant as it indicates potential malicious actions following an initial compromise, such as persistence, privilege escalation, or data exfiltration. If confirmed malicious, this behavior could allow attackers to maintain control, escalate privileges, and further exploit the compromised environment, leading to significant security breaches and data loss.

1
2| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories IN ("*Windows Post-Exploitation*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic 
3| `drop_dm_object_name(All_Risk)` 
4| `security_content_ctime(firstTime)` 
5| `security_content_ctime(lastTime)` 
6| where source_count >= 4 
7| `windows_post_exploitation_risk_behavior_filter`

Data Source

No data sources specified for this detection.

Macros Used

Name Value
security_content_ctime convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)
windows_post_exploitation_risk_behavior_filter search *
windows_post_exploitation_risk_behavior_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1012 Query Registry Discovery
T1049 System Network Connections Discovery Discovery
T1069 Permission Groups Discovery Discovery
T1016 System Network Configuration Discovery Discovery
T1003 OS Credential Dumping Credential Access
T1082 System Information Discovery Discovery
T1115 Clipboard Data Collection
T1552 Unsecured Credentials Credential Access
KillChainPhase.EXPLOITAITON
NistCategory.DE_AE
Cis18Value.CIS_10
APT32
APT39
APT41
Chimera
Daggerfly
Dragonfly
Fox Kitten
Indrik Spider
Kimsuky
Lazarus Group
OilRig
Stealth Falcon
Threat Group-3390
Turla
Volt Typhoon
ZIRCONIUM
APT1
APT3
APT32
APT38
APT41
APT5
Andariel
BackdoorDiplomacy
Chimera
Earth Lusca
FIN13
GALLIUM
HEXANE
INC Ransom
Ke3chang
Lazarus Group
Magic Hound
MuddyWater
Mustang Panda
OilRig
Poseidon Group
Sandworm Team
TeamTNT
Threat Group-3390
ToddyCat
Tropic Trooper
Turla
Volt Typhoon
admin@338
menuPass
APT3
APT41
FIN13
TA505
Volt Typhoon
APT1
APT19
APT3
APT32
APT41
Chimera
Darkhotel
Dragonfly
Earth Lusca
FIN13
GALLIUM
HAFNIUM
HEXANE
Higaisa
Ke3chang
Kimsuky
Lazarus Group
Magic Hound
Moonstone Sleet
Moses Staff
MuddyWater
Mustang Panda
Naikon
OilRig
Play
SideCopy
Sidewinder
Stealth Falcon
TeamTNT
Threat Group-3390
Tropic Trooper
Turla
Volt Typhoon
Wizard Spider
ZIRCONIUM
admin@338
menuPass
APT28
APT32
APT39
Axiom
Ember Bear
Leviathan
Poseidon Group
Sowbug
Suckfly
Tonto Team
APT18
APT19
APT3
APT32
APT37
APT38
APT41
Aquatic Panda
Blue Mockingbird
CURIUM
Chimera
Confucius
Daggerfly
Darkhotel
FIN13
FIN8
Gamaredon Group
HEXANE
Higaisa
Inception
Ke3chang
Kimsuky
Lazarus Group
Magic Hound
Malteiro
Moonstone Sleet
Moses Staff
MuddyWater
Mustang Panda
Mustard Tempest
OilRig
Patchwork
Play
RedCurl
Rocke
Sandworm Team
SideCopy
Sidewinder
Sowbug
Stealth Falcon
TA2541
TeamTNT
ToddyCat
Tropic Trooper
Turla
Volt Typhoon
Windigo
Windshift
Winter Vivern
Wizard Spider
ZIRCONIUM
admin@338
APT38
APT39
Volt Typhoon

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Notable Yes
Rule Title %name%
Rule Description %description%
Notable Event Fields user, dest
Creates Risk Event False
This configuration file applies to all detections of type Correlation. These correlations will generate Notable Events.

Implementation

Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.

Known False Positives

False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message Risk Score Impact Confidence
An increase of Windows Post Exploitation behavior has been detected on $risk_object$ 49 70 70
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset wpe stash
Integration ✅ Passing Dataset wpe stash

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range


Source: GitHub | Version: 3