Description
Monitor for activities and techniques associated with insider threats, focusing specifically on malicious insiders operating within a corporate environment.
Narrative
Insider threats are well defined by CISA: "Insider threat incidents are possible in any sector or organization. An insider threat is typically a current or former employee, third-party contractor, or business partner. In their present or former role, the person has or had access to an organization's network systems, data, or premises, and uses their access (sometimes unwittingly). To combat the insider threat, organizations can implement a proactive, prevention-focused mitigation program to detect and identify threats, assess risk, and manage that risk - before an incident occurs." An insider is any person who has or had authorized access to or knowledge of an organization's resources, including personnel, facilities, information, equipment, networks, and systems. The common insider profiles that create insider threats are departing employees, security evaders, malicious insiders, and negligent employees. This story aims at detecting the malicious insider: the detections below cover staging and archiving of data, exfiltration over cloud storage, email and command-line tools, remote access software, tampering with file permissions and event logs, and credential abuse such as password spraying from a single process.
Detections
Name | Technique | Type
Anomalous usage of Archive Tools | Archive via Utility, Archive Collected Data | Anomaly
Detect PowerShell Applications Spawning cmd exe | Command and Scripting Interpreter | Anomaly
Detect Prohibited Browsers Spawning cmd exe | Command and Scripting Interpreter | Anomaly
Detect Prohibited Office Applications Spawning cmd exe | Command and Scripting Interpreter | Anomaly
Detect RClone Command-Line Usage | Automated Exfiltration | TTP
Detect Remote Access Software Usage DNS | Remote Access Software | Anomaly
Detect Remote Access Software Usage File | Remote Access Software | Anomaly
Detect Remote Access Software Usage FileInfo | Remote Access Software | Anomaly
Detect Remote Access Software Usage Process | Remote Access Software | Anomaly
Detect Remote Access Software Usage Traffic | Remote Access Software | Anomaly
Detect Remote Access Software Usage URL | Remote Access Software | Anomaly
Fsutil Zeroing File | Indicator Removal | TTP
Grant Permission Using Cacls Utility | File and Directory Permissions Modification | TTP
Gsuite Drive Share In External Email | Exfiltration to Cloud Storage, Exfiltration Over Web Service | Anomaly
Gsuite Outbound Email With Attachment To External Domain | Exfiltration Over Unencrypted Non-C2 Protocol, Exfiltration Over Alternative Protocol | Hunting
Hiding Files And Directories With Attrib exe | Windows File and Directory Permissions Modification, File and Directory Permissions Modification | TTP
High Frequency Copy Of Files In Network Share | Transfer Data to Cloud Account | Anomaly
Potential password in username | Local Accounts, Credentials In Files | Hunting
Sdelete Application Execution | Data Destruction, File Deletion, Indicator Removal | Anomaly
WevtUtil Usage To Clear Logs | Indicator Removal, Clear Windows Event Logs | TTP
Wevtutil Usage To Disable Logs | Indicator Removal, Clear Windows Event Logs | TTP
Windows Curl Upload to Remote Destination | Ingress Tool Transfer | TTP
Windows Multiple Users Fail To Authenticate Wth ExplicitCredentials | Password Spraying, Brute Force | TTP
Windows Multiple Users Failed To Authenticate From Process | Password Spraying, Brute Force | TTP
Windows Remote Access Software Hunt | Remote Access Software | Hunting
Windows Unusual Count Of Users Fail To Auth Wth ExplicitCredentials | Password Spraying, Brute Force | Anomaly
Windows Unusual Count Of Users Failed To Authenticate From Process | Password Spraying, Brute Force | Anomaly
Reference
source | version: 1