ID | Technique | Tactic |
---|---|---|
T1087 | Account Discovery | Discovery |
T1087.002 | Domain Account | Discovery |
T1204 | User Execution | Execution |
T1204.002 | Malicious File | Execution |
Detection: Windows Suspect Process With Authentication Traffic
Description
The following analytic detects executables running from public or temporary locations that are communicating over Windows domain authentication ports/protocols such as LDAP (389), LDAPS (636), and Kerberos (88). It leverages network traffic data to identify processes originating from user-controlled directories. This activity is significant because legitimate applications rarely run from these locations and attempt domain authentication, making it a potential indicator of compromise. If confirmed malicious, attackers could leverage this to access domain resources, potentially leading to further exploitation and lateral movement within the network.
Search
1
2| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN ("88","389","636") AND All_Traffic.app IN ("*\\users\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip,All_Traffic.dest_port
3| `drop_dm_object_name(All_Traffic)`
4| rex field=app ".*\\\(?<process_name>.*)$"
5| rename app as process
6| `security_content_ctime(firstTime)`
7| `security_content_ctime(lastTime)`
8| `windows_suspect_process_with_authentication_traffic_filter`
Data Source
Name | Platform | Sourcetype | Source |
---|---|---|---|
Sysmon EventID 3 | Windows | 'xmlwineventlog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
Macros Used
Name | Value |
---|---|
security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
windows_suspect_process_with_authentication_traffic_filter | search * |
windows_suspect_process_with_authentication_traffic_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Risk Event | True |
Implementation
To implement this analytic, Sysmon should be installed in the environment and generating network events for userland and/or known public writable locations.
Known False Positives
Known applications running from these locations for legitimate purposes. Targeting only kerberos (port 88) may significantly reduce noise.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message | Risk Score | Impact | Confidence |
---|---|---|---|
The process $process_name$ on $src$ has been communicating with $dest$ on $dest_port$. | 25 | 50 | 50 |
References
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 3