

From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization’s enterprise network. During incident response activities, multiple utilities were found to have been used.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2022-10-05
  • Author: Michael Haag, Splunk
  • ID: db408f93-e915-4215-9962-5fada348bdd7


CISA uncovered that likely multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data.


| Name | Technique | Type |
| --- | --- | --- |
| CertUtil Download With URLCache and Split Arguments | Ingress Tool Transfer | TTP |
| Cmdline Tool Not Executed In CMD Shell | Command and Scripting Interpreter, JavaScript | TTP |
| Create or delete windows shares using net exe | Indicator Removal, Network Share Connection Removal | TTP |
| Detect Renamed WinRAR | Archive via Utility, Archive Collected Data | Hunting |
| Excessive Usage Of Taskkill | Disable or Modify Tools, Impair Defenses | Anomaly |
| Exchange PowerShell Module Usage | Command and Scripting Interpreter, PowerShell | TTP |
| Impacket Lateral Movement Commandline Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Network Connection Discovery With Netstat | System Network Connections Discovery | Hunting |
| Network Discovery Using Route Windows App | System Network Configuration Discovery, Internet Connection Discovery | Hunting |
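To make the table concrete, the following added example (not Splunk's published searches and not part of the original page) approximates two of the detections listed above in plain Python over constructed Endpoint-style process events: the "CertUtil Download With URLCache and Split Arguments" entry, modelled as certutil.exe run with both the urlcache and split options, and the "Excessive Usage Of Taskkill" entry, modelled as a per-host, per-user count of taskkill.exe executions above a threshold. The matching criteria, the field names (host, user, process_name, process) and the threshold of 10 are assumptions for this illustration.

```python
"""Illustrative checks modelled on two detections from the table above.
The criteria below are assumptions for this example, not Splunk's searches."""
from collections import Counter


def _flags(cmdline):
    """Lowercased option names (-x or /x style) found on a Windows command line."""
    return {tok.lstrip("-/").lower() for tok in cmdline.split() if tok[:1] in "-/"}


def certutil_urlcache_split(events):
    """Return events where certutil.exe was run with both the urlcache and
    split options, the combination used to fetch a remote file to disk
    (assumed approximation of the CertUtil detection named above)."""
    hits = []
    for ev in events:
        if ev["process_name"].lower() != "certutil.exe":
            continue
        if {"urlcache", "split"} <= _flags(ev["process"]):
            hits.append(ev)
    return hits


def excessive_taskkill(events, threshold=10):
    """Return {(host, user): count} for principals that ran taskkill.exe at
    least `threshold` times across the events supplied (the window is whatever
    the caller passes in; threshold is an assumed tuning value)."""
    counts = Counter(
        (ev["host"], ev["user"])
        for ev in events
        if ev["process_name"].lower() == "taskkill.exe"
    )
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample events (not real telemetry): one certutil download,
# one benign certutil use, one taskkill on a workstation, and a burst of
# twelve taskkill calls by a service account on a server.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "process_name": "certutil.exe",
     "process": "certutil.exe -urlcache -split -f http://files.example.invalid/a.txt C:\\Users\\alice\\a.txt"},
    {"host": "ws01", "user": "alice", "process_name": "certutil.exe",
     "process": "certutil.exe -verify C:\\certs\\cert.cer"},
    {"host": "ws01", "user": "alice", "process_name": "taskkill.exe",
     "process": "taskkill /F /IM notepad.exe"},
] + [
    {"host": "srv02", "user": "svc", "process_name": "taskkill.exe",
     "process": f"taskkill /F /PID {4000 + i}"}
    for i in range(12)
]


if __name__ == "__main__":
    for ev in certutil_urlcache_split(SAMPLE_EVENTS):
        print("certutil urlcache/split:", ev["host"], ev["user"], ev["process"])
    for (host, user), n in excessive_taskkill(SAMPLE_EVENTS).items():
        print(f"excessive taskkill: {host}/{user} ran taskkill {n} times")
```

In Splunk terms the first function corresponds to a filter on the Endpoint.Processes datamodel's process_name and process fields, and the second to a count grouped by host and user with a threshold; tune the threshold against your own baseline of taskkill usage before treating the count as an anomaly.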


Version: 1