Description

Monitors for behaviors associated with adversaries discovering objects in the environment that can be leveraged in the progression of the attack.

  • Product: Splunk Behavioral Analytics, Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel:
  • Last Updated: 2021-03-04
  • Author: Michael Hart, Splunk
  • ID: f7aba570-7d59-11eb-825e-acde48001122

Narrative

Attackers may not have much, if any, insight into their target’s environment before the initial compromise. Once a foothold has been established, attackers will start enumerating objects in the environment (accounts, services, network shares, etc.) that can be used to achieve their objectives. This Analytic Story provides searches to help identify activities consistent with adversaries gaining knowledge of compromised Windows environments.

Detections

Name | Technique | Type
Reconnaissance and Access to Accounts Groups and Policies via PowerSploit modules | Valid Accounts, Account Discovery, Domain Policy Modification | TTP
Reconnaissance and Access to Accounts and Groups via Mimikatz modules | Valid Accounts, Account Discovery, Domain Policy Modification | TTP
Reconnaissance and Access to Active Directory Infrastructure via PowerSploit modules | Trusted Relationship, Domain Trust Discovery, Gather Victim Network Information, Gather Victim Org Information, Active Scanning | TTP
Reconnaissance and Access to Computers and Domains via PowerSploit modules | Gather Victim Host Information, Gather Victim Network Information, Account Discovery | TTP
Reconnaissance and Access to Computers via Mimikatz modules | Gather Victim Host Information | TTP
Reconnaissance and Access to Operating System Elements via PowerSploit modules | System Service Discovery, Query Registry, Network Service Scanning, Windows Management Instrumentation, Process Discovery, File and Directory Discovery, Software Discovery, Software | TTP
Reconnaissance and Access to Processes and Services via Mimikatz modules | System Service Discovery, Network Service Scanning, Process Discovery | TTP
Reconnaissance and Access to Shared Resources via Mimikatz modules | SMB/Windows Admin Shares, Network Share Discovery, Data from Network Shared Drive | TTP
Reconnaissance and Access to Shared Resources via PowerSploit modules | SMB/Windows Admin Shares, Network Share Discovery, Data from Network Shared Drive | TTP
Reconnaissance of Access and Persistence Opportunities via PowerSploit modules | Scheduled Task/Job, Exploitation for Privilege Escalation, Valid Accounts, Create or Modify System Process, Boot or Logon Autostart Execution, Hijack Execution Flow | TTP
Reconnaissance of Connectivity via PowerSploit modules | SMB/Windows Admin Shares, Network Share Discovery, Data from Network Shared Drive | TTP
Reconnaissance of Credential Stores and Services via Mimikatz modules | Credentials, Domain Properties, Network Trust Dependencies, Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation | TTP
Reconnaissance of Defensive Tools via PowerSploit modules | Vulnerability Scanning, Software | TTP
Reconnaissance of Privilege Escalation Opportunities via PowerSploit modules | Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation | TTP
Reconnaissance of Process or Service Hijacking Opportunities via Mimikatz modules | Create or Modify System Process, Process Injection, Hijack Execution Flow | TTP

Reference

source | version: 1