Try in Splunk Security Cloud

Description

This detection identifies reconnaissance of credential stores and use of CryptoAPI services by Mimikatz modules.

  • Type: TTP
  • Product: Splunk Behavioral Analytics
  • Datamodel:
  • Last Updated: 2020-11-03
  • Author: Stanislav Miskovic, Splunk
  • ID: 5facee5b-79e4-47ab-b0e6-c625acc0554f

ATT&CK

ID Technique Tactic                        
T1589.001 Credentials Reconnaissance   T1590.001 Domain Properties Reconnaissance   T1590.003 Network Trust Dependencies Reconnaissance   T1068 Exploitation for Privilege Escalation Privilege Escalation
T1078 Valid Accounts Defense Evasion, Persistence, Privilege Escalation, Initial Access                        
T1098 Account Manipulation Persistence                        

| from read_ssa_enriched_events()

| eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=ucast(map_get(input_event, "process"), "string", null), event_id=ucast(map_get(input_event, "event_id"), "string", null) 
| where cmd_line != null AND ( match_regex(cmd_line, /(?i)crypto::capi/)=true OR match_regex(cmd_line, /(?i)crypto::cng/)=true OR match_regex(cmd_line, /(?i)crypto::providers/)=true OR match_regex(cmd_line, /(?i)crypto::stores/)=true OR match_regex(cmd_line, /(?i)crypto::sc/)=true )

| eval start_time = timestamp, end_time = timestamp, entities = mvappend( ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["event_id", event_id,  "cmd_line", cmd_line]) 
| into write_ssa_detected_events();

Associated Analytic Story

How To Implement

You must be ingesting Windows Security logs from devices of interest, including the event ID 4688 with enabled command line logging.

Required field

  • _time
  • process
  • dest_device_id
  • dest_user_id

Kill Chain Phase

  • Actions on Objectives

Known False Positives

None identified.

RBA

Risk Score Impact Confidence Message
80.0 80 100 Mimikatz malware is searching for and accessing credential stores. Operation is performed at the device $dest_device_id$, by the account $dest_user_id$ via command $cmd_line$

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1