Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Nterl0k - T1595 - Generic Scanning Behavior #3253

Open
wants to merge 4 commits into
base: develop
Choose a base branch
from
Open

Nterl0k - T1595 - Generic Scanning Behavior #3253

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
f1d2c7d
Add files via upload
nterl0k Dec 26, 2024
a0e6f0f
minor update to data_source
patel-bhavin Jan 3, 2025
39842b9
build error fixes
patel-bhavin Jan 3, 2025
9ee8526
update mitre
patel-bhavin Jan 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
76 changes: 76 additions & 0 deletions detections/endpoint/windows_detect_network_scanner_behavior.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
name: Windows Detect Network Scanner Behavior
id: 78e678d2-bf64-4fe6-aa52-2f7b11dddee7
version: 1
date: '2024-12-26'
author: Steven Dick
status: production
type: Anomaly
description: The following analytic detects when an application is used to connect a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote execution. This analytic may require significant tuning depending on the organization and applications being actively used, highly recommended to pre-populate the filter macro prior to activation.
data_source:
- Sysmon EventID 3
search: '| tstats `security_content_summariesonly` count latest(All_Traffic.dest_port) as dest_port dc(All_Traffic.dest_port) as port_count dc(All_Traffic.dest) as dest_count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where sourcetype=XmlWinEventLog All_Traffic.app = "*\\*" All_Traffic.dest_port < 32000 NOT All_Traffic.dest_port IN (8443,8080,5353,3268,443,389,88,80,53,25) by host,All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user _time span=5m
| `drop_dm_object_name(All_Traffic)`
| rex field=app ".*\\\(?<process_name>.*)$"
| where port_count > 10 OR dest_count > 10
| stats latest(src) as src, latest(src_ip) as src_ip, max(dest_count) as dest_count, max(port_count) as port_count, latest(dest_port) as dest_port, min(firstTime) as firstTime, max(lastTime) as lastTime, max(count) as count by host,user,app,process_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_detect_network_scanner_behavior_filter`'
how_to_implement: This detection relies on Sysmon EventID 3 events being ingested AND tagged into the Network_Traffic datamodel.
known_false_positives: Various, could be noisy depending on processes in the organization and sysmon configuration used. Adjusted port/dest count thresholds as needed.
references:
- https://attack.mitre.org/techniques/T1595
drilldown_searches:
- name: View the detection results for - "$src$" and "$user$"
search: '%original_detection_search% | search src = "$src$" user = "$user$"'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
- name: View risk events for the last 7 days for - "$src$" and "$user$"
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
earliest_offset: $info_min_time$
latest_offset: $info_max_time$
tags:
analytic_story:
- Network Discovery
- Windows Discovery Techniques
asset_type: Endpoint
confidence: 50
impact: 50
message: A process exhibiting network scanning behavior [$process_name$] was detected on $src$
mitre_attack_id:
- T1595
- T1595.001
- T1595.002
observable:
- name: src
type: IP Address
role:
- Victim
- name: user
type: User
role:
- Victim
- name: process_name
type: Process
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- All_Traffic.dest_port
- host
- All_Traffic.app
- All_Traffic.src
- All_Traffic.src_ip
- All_Traffic.user
- _time
risk_score: 25
security_domain: network
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: XmlWinEventLog
Loading