Analytics Story: Compromised Windows Host

Date: 2024-04-18 ID: 95c15513-180b-4534-9e34-a085a26ce481 Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Monitor for activities and techniques associated with Compromised Windows Host attacks. A compromised Windows host refers to a computer system running the Windows operating system that has been infiltrated or attacked by unauthorized parties. Such compromises often result in security breaches, data theft, malware infections, or unauthorized access, posing risks to sensitive information and system integrity.

Why it matters

In a scenario of digital compromise, a Windows host becomes the target of sophisticated cyber attacks. Utilizing advanced persistent threat (APT) techniques, attackers bypass security measures and exploit system vulnerabilities to gain unauthorized access. Once inside the network, they execute a series of malicious activities, including exfiltrating sensitive data, deploying malware, and undermining the integrity of the cybersecurity infrastructure.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Crowdstrike Admin Weak Password Policy	Brute Force	TTP
Crowdstrike Admin With Duplicate Password	Brute Force	TTP
Crowdstrike High Identity Risk Severity	Brute Force	TTP
Crowdstrike Medium Identity Risk Severity	Brute Force	TTP
Crowdstrike Medium Severity Alert	Brute Force	Anomaly
Crowdstrike Multiple LOW Severity Alerts	Brute Force	Anomaly
Crowdstrike Privilege Escalation For Non-Admin User	Brute Force	Anomaly
Crowdstrike User Weak Password Policy	Brute Force	Anomaly
Crowdstrike User with Duplicate Password	Brute Force	Anomaly

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼

References

Source: GitHub | Version: 1