Description
Monitors for behaviors associated with adversaries discovering objects in the environment that can be leveraged in the progression of the attack.
- Product: Splunk Behavioral Analytics, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Network_Traffic
- Last Updated: 2021-03-04
- Author: Michael Hart, Splunk
- ID: f7aba570-7d59-11eb-825e-acde48001122
Narrative
Attackers may not have much, if any, insight into their target's environment before the initial compromise. Once a foothold has been established, attackers will start enumerating objects in the environment (accounts, services, network shares, etc.) that can be used to achieve their objectives. This Analytic Story provides searches to help identify activities consistent with adversaries gaining knowledge of compromised Windows environments.
Detections
| Name | Technique | Type |
| --- | --- | --- |
| Detect AzureHound Command-Line Arguments | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect AzureHound File Modifications | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect SharpHound Command-Line Arguments | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect SharpHound File Modifications | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Detect SharpHound Usage | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
| Net Localgroup Discovery | Permission Groups Discovery, Local Groups | Hunting |
| Network Traffic to Active Directory Web Services Protocol | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | Hunting |
| System Information Discovery Detection | System Information Discovery | TTP |
| Windows SOAPHound Binary Execution | Domain Account, Local Groups, Domain Trust Discovery, Local Account, Account Discovery, Domain Groups, Permission Groups Discovery | TTP |
Reference
source | version: 1