⚠️ WARNING: THIS IS AN EXPERIMENTAL DETECTION

We have not been able to test, simulate, or build datasets for it; use at your own risk!


Description

This search detects attempts to exploit SIGRed (CVE-2020-1350), a remote code execution vulnerability in the Windows DNS Server service, using Splunk Stream data. Exploitation requires the vulnerable server to parse an oversized SIG record response (larger than 64 KB), which can only be delivered over TCP, so the search looks for SIG/KEY queries carried over TCP in stream:dns and correlates them on flow_id with stream:tcp flows whose outbound payload exceeds 65,000 bytes.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2020-07-28
  • Author: Shannon Davis, Splunk
  • ID: babd8d10-d073-11ea-87d0-0242ac130003

ATT&CK

ID      Technique                           Tactic
T1203   Exploitation for Client Execution   Execution

Search

`stream_dns` 
| spath "query_type{}" 
| search "query_type{}" IN (SIG,KEY) 
| spath protocol_stack 
| search protocol_stack="ip:tcp:dns" 
| append [search `stream_tcp` bytes_out>65000] 
| `detect_windows_dns_sigred_via_splunk_stream_filter` 
| stats count by flow_id 
| where count>1 
| fields - count

Associated Analytic Story

How To Implement

You must be ingesting Splunk Stream DNS (stream:dns) and Splunk Stream TCP (stream:tcp) data. The search selects stream:dns events whose query type is SIG or KEY and whose protocol_stack is "ip:tcp:dns", appends stream:tcp events with bytes_out greater than 65,000 bytes, and then correlates the two sets on flow_id, so both sourcetypes must populate a common flow_id for the correlation to work. The `stream_dns` and `stream_tcp` macros default to those two sourcetypes; replace their definitions with ones that match your Splunk environment. Because the stream:tcp events are brought in with `append`, they are subject to Splunk's subsearch result and time limits, so keep the search window narrow. Use the `detect_windows_dns_sigred_via_splunk_stream_filter` macro to exclude known-good flows.
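To make the correlation concrete, the following is an added Python re-implementation of the search logic; it is not part of the Splunk detection and does not ship with it. It assumes Splunk Stream events in a simplified JSON shape: stream:dns events carrying a multivalued query_type list, a protocol_stack string and a flow_id, and stream:tcp events carrying bytes_out and the same flow_id. The sample events are constructed for illustration, not captured traffic. Unlike the SPL, which only counts matching events per flow_id, this version requires one SIG/KEY-over-TCP DNS event and one oversized TCP event on the same flow.

```python
"""Offline re-implementation of the SIGRed correlation performed by the SPL search.

Assumed (simplified) Splunk Stream event shape, as newline-delimited JSON:
  stream:dns  -> {"sourcetype","flow_id","protocol_stack","query_type":[...]}
  stream:tcp  -> {"sourcetype","flow_id","bytes_out"}
"""
import json
from collections import defaultdict

SUSPICIOUS_QTYPES = {"SIG", "KEY"}   # mirrors: search "query_type{}" IN (SIG,KEY)
TCP_DNS_STACK = "ip:tcp:dns"         # mirrors: search protocol_stack="ip:tcp:dns"
BYTES_OUT_THRESHOLD = 65000          # mirrors: `stream_tcp` bytes_out>65000

# Constructed sample events (flow ids are made up, not real captures):
#   f1  ordinary A lookup over UDP, small TCP flow          -> no alert
#   f2  SIG query over TCP + TCP payload > 65000 bytes      -> alert
#   f3  SIG query over UDP + large unrelated TCP flow       -> no alert (UDP)
#   f4  AXFR over TCP + very large TCP flow (zone transfer) -> no alert (not SIG/KEY)
#   f5  KEY query over TCP + small TCP payload              -> no alert (size)
SAMPLE_STREAM_JSON = """
{"sourcetype":"stream:dns","flow_id":"f1","protocol_stack":"ip:udp:dns","query_type":["A"]}
{"sourcetype":"stream:tcp","flow_id":"f1","bytes_out":120}
{"sourcetype":"stream:dns","flow_id":"f2","protocol_stack":"ip:tcp:dns","query_type":["SIG"]}
{"sourcetype":"stream:tcp","flow_id":"f2","bytes_out":66500}
{"sourcetype":"stream:dns","flow_id":"f3","protocol_stack":"ip:udp:dns","query_type":["SIG"]}
{"sourcetype":"stream:tcp","flow_id":"f3","bytes_out":70000}
{"sourcetype":"stream:dns","flow_id":"f4","protocol_stack":"ip:tcp:dns","query_type":["AXFR"]}
{"sourcetype":"stream:tcp","flow_id":"f4","bytes_out":200000}
{"sourcetype":"stream:dns","flow_id":"f5","protocol_stack":"ip:tcp:dns","query_type":["KEY"]}
{"sourcetype":"stream:tcp","flow_id":"f5","bytes_out":900}
"""


def iter_stream_events(raw_lines):
    """Parse newline-delimited JSON events, skipping blank lines."""
    for line in raw_lines:
        line = line.strip()
        if line:
            yield json.loads(line)


def suspicious_dns_event(event):
    """True for a stream:dns event requesting a SIG or KEY record over TCP.

    This is the first half of the SPL: spath on query_type{} / protocol_stack
    followed by the two search filters.
    """
    if event.get("sourcetype") != "stream:dns":
        return False
    qtypes = event.get("query_type", [])
    if isinstance(qtypes, str):  # Stream emits a list; tolerate a scalar
        qtypes = [qtypes]
    return (event.get("protocol_stack") == TCP_DNS_STACK
            and bool(SUSPICIOUS_QTYPES.intersection(qtypes)))


def oversized_tcp_event(event):
    """True for a stream:tcp event whose outbound payload exceeds the threshold
    (the appended `stream_tcp` bytes_out>65000 subsearch)."""
    return (event.get("sourcetype") == "stream:tcp"
            and int(event.get("bytes_out", 0)) > BYTES_OUT_THRESHOLD)


def find_sigred_flows(events):
    """Return sorted flow_ids that carry BOTH a SIG/KEY-over-TCP query and an
    oversized TCP payload.

    The SPL approximates this with `stats count by flow_id | where count>1`;
    tracking the two event kinds separately makes the requirement explicit.
    """
    kinds_by_flow = defaultdict(set)
    for ev in events:
        flow_id = ev.get("flow_id")
        if flow_id is None:
            continue
        if suspicious_dns_event(ev):
            kinds_by_flow[flow_id].add("dns")
        if oversized_tcp_event(ev):
            kinds_by_flow[flow_id].add("tcp")
    return sorted(f for f, kinds in kinds_by_flow.items() if kinds == {"dns", "tcp"})


def detect_sigred_in_json_lines(text):
    """Convenience wrapper: run the correlation over a JSON-lines string."""
    return find_sigred_flows(iter_stream_events(text.splitlines()))


if __name__ == "__main__":
    print(detect_sigred_in_json_lines(SAMPLE_STREAM_JSON))  # ['f2']
```

Running the script flags only flow f2. Note that the original search's `stats count by flow_id | where count>1` would also fire on a flow that produced two SIG/KEY queries over TCP with no oversized TCP payload (or two large TCP events with no DNS query), which is why the re-implementation keeps the two event kinds separate; if you want the same strictness in SPL, count distinct sourcetypes per flow_id rather than raw events.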

Required fields

  • _time
  • flow_id
  • query_type{}
  • protocol_stack
  • bytes_out

Kill Chain Phase

  • Exploitation

Known False Positives

Unknown; this detection has not been tested against real or simulated data (see the warning above).

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

Version: 1