| ID | Technique | Tactic |
|---|---|---|
| T1222 | File and Directory Permissions Modification | Defense Evasion |
| T1049 | System Network Connections Discovery | Discovery |
| T1033 | System Owner/User Discovery | Discovery |
| T1529 | System Shutdown/Reboot | Impact |
| T1016 | System Network Configuration Discovery | Discovery |
| T1059 | Command and Scripting Interpreter | Execution |
Detection: Windows Common Abused Cmd Shell Risk Behavior
Description
The following analytic identifies instances where four or more distinct detection analytics are associated with malicious command line behavior on a specific host. This detection leverages the Command Line Interface (CLI) data from various sources to identify suspicious activities. This behavior is significant as it often indicates attempts to execute malicious commands, access sensitive data, install backdoors, or perform other nefarious actions. If confirmed malicious, attackers could gain unauthorized control, exfiltrate information, escalate privileges, or launch further attacks within the network, leading to severe compromise.
Search
1
2| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN ("*Cmdline Tool Not Executed In CMD Shell*", "*Windows System Network Config Discovery Display DNS*", "*Local Account Discovery With Wmic*", "*Net Localgroup Discovery*", "*Create local admin accounts using net exe*", "*Local Account Discovery with Net*", "*Icacls Deny Command*", "*ICACLS Grant Command*", "*Windows Proxy Via Netsh*", "*Processes launching netsh*", "*Disabling Firewall with Netsh*", "*Windows System Network Connections Discovery Netsh*", "*Network Connection Discovery With Arp*", "*Windows System Discovery Using ldap Nslookup*", "*Windows System Shutdown CommandLine*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
3| `drop_dm_object_name(All_Risk)`
4| `security_content_ctime(firstTime)`
5| `security_content_ctime(lastTime)`
6| where source_count >= 4
7| `windows_common_abused_cmd_shell_risk_behavior_filter`
Data Source
| Name | Platform | Sourcetype | Source | Supported App |
|---|---|---|---|---|
| N/A | N/A | N/A | N/A | N/A |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| windows_common_abused_cmd_shell_risk_behavior_filter | search * |
windows_common_abused_cmd_shell_risk_behavior_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
KillChainPhase.ACTIONS_ON_OBJECTIVES
KillChainPhase.EXPLOITAITON
KillChainPhase.INSTALLATION
NistCategory.DE_AE
Cis18Value.CIS_10
APT1
APT3
APT32
APT38
APT41
APT5
Andariel
BackdoorDiplomacy
Chimera
Earth Lusca
FIN13
GALLIUM
HEXANE
Ke3chang
Lazarus Group
Magic Hound
MuddyWater
Mustang Panda
OilRig
Poseidon Group
Sandworm Team
TeamTNT
Threat Group-3390
ToddyCat
Tropic Trooper
Turla
Volt Typhoon
admin@338
menuPass
APT19
APT3
APT32
APT37
APT38
APT39
APT41
Chimera
Dragonfly
Earth Lusca
FIN10
FIN7
FIN8
GALLIUM
Gamaredon Group
HAFNIUM
HEXANE
Ke3chang
Lazarus Group
LuminousMoth
Magic Hound
MuddyWater
OilRig
Patchwork
Sandworm Team
Sidewinder
Stealth Falcon
Threat Group-3390
Tropic Trooper
Volt Typhoon
Windshift
Wizard Spider
ZIRCONIUM
APT37
APT38
Lazarus Group
APT1
APT19
APT3
APT32
APT41
Chimera
Darkhotel
Dragonfly
Earth Lusca
FIN13
GALLIUM
HAFNIUM
HEXANE
Higaisa
Ke3chang
Kimsuky
Lazarus Group
Magic Hound
Moses Staff
MuddyWater
Mustang Panda
Naikon
OilRig
SideCopy
Sidewinder
Stealth Falcon
TeamTNT
Threat Group-3390
Tropic Trooper
Turla
Volt Typhoon
Wizard Spider
ZIRCONIUM
admin@338
menuPass
APT19
APT32
APT37
APT39
Dragonfly
FIN5
FIN6
FIN7
Fox Kitten
Ke3chang
OilRig
Stealth Falcon
Whitefly
Windigo
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | False |
This configuration file applies to all detections of type Correlation. These correlations will generate Notable Events.
Implementation
Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.
Known False Positives
False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.
Associated Analytic Story
Risk Based Analytics (RBA)
| Risk Message | Risk Score | Impact | Confidence |
|---|---|---|---|
| series of process commandline being abused by threat actor have been identified on $risk_object$ | 49 | 70 | 70 |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | risk |
stash |
| Integration | ✅ Passing | Dataset | risk |
stash |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 2