GitHub Repo

Analytics Story: Compromised Windows Host

Date: 2024-04-18 ID: 95c15513-180b-4534-9e34-a085a26ce481 Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Monitor for activities and techniques associated with Compromised Windows Host attacks. A compromised Windows host refers to a computer system running the Windows operating system that has been infiltrated or attacked by unauthorized parties. Such compromises often result in security breaches, data theft, malware infections, or unauthorized access, posing risks to sensitive information and system integrity.

Why it matters

In a scenario of digital compromise, a Windows host becomes the target of sophisticated cyber attacks. Utilizing advanced persistent threat (APT) techniques, attackers bypass security measures and exploit system vulnerabilities to gain unauthorized access. Once inside the network, they execute a series of malicious activities, including exfiltrating sensitive data, deploying malware, and undermining the integrity of the cybersecurity infrastructure.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Detect HTML Help Spawn Child Process Compiled HTML File TTP
Detect Rundll32 Application Control Bypass - advpack Rundll32 TTP
Detect Rundll32 Application Control Bypass - setupapi Rundll32 TTP
Detect Rundll32 Application Control Bypass - syssetup Rundll32 TTP
Windows Change Default File Association For No File Ext Change Default File Association TTP
Add or Set Windows Defender Exclusion Disable or Modify Tools TTP
Attacker Tools On Endpoint OS Credential Dumping, Match Legitimate Resource Name or Location, Active Scanning TTP
Batch File Write to System32 Malicious File TTP
BCDEdit Failure Recovery Modification Inhibit System Recovery TTP
Certutil exe certificate extraction None TTP
Clear Unallocated Sector Using Cipher App File Deletion TTP
Clop Common Exec Parameter User Execution TTP
Clop Ransomware Known Service Name Create or Modify System Process TTP
CMD Echo Pipe - Escalation Windows Command Shell, Windows Service TTP
ConnectWise ScreenConnect Path Traversal Windows SACL Exploit Public-Facing Application TTP
Conti Common Exec parameter User Execution TTP
Control Loading from World Writable Directory Control Panel TTP
Creation of Shadow Copy NTDS TTP
Creation of Shadow Copy with wmic and powershell NTDS TTP
Credential Dumping via Copy Command from Shadow Copy NTDS TTP
Credential Dumping via Symlink to Shadow Copy NTDS TTP
Crowdstrike Admin Weak Password Policy Brute Force TTP
Crowdstrike Admin With Duplicate Password Brute Force TTP
Crowdstrike High Identity Risk Severity Brute Force TTP
Crowdstrike Medium Identity Risk Severity Brute Force TTP
Crowdstrike Medium Severity Alert Brute Force Anomaly
Crowdstrike Multiple LOW Severity Alerts Brute Force Anomaly
Crowdstrike Privilege Escalation For Non-Admin User Brute Force Anomaly
Crowdstrike User Weak Password Policy Brute Force Anomaly
Crowdstrike User with Duplicate Password Brute Force Anomaly
Curl Download and Bash Execution Ingress Tool Transfer TTP
Deleting Shadow Copies Inhibit System Recovery TTP
Detect AzureHound Command-Line Arguments Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery TTP
Detect Certify Command Line Arguments Steal or Forge Authentication Certificates, Ingress Tool Transfer TTP
Detect Exchange Web Shell External Remote Services, Exploit Public-Facing Application, Web Shell TTP
Detect HTML Help URL in Command Line Compiled HTML File TTP
Detect HTML Help Using InfoTech Storage Handlers Compiled HTML File TTP
Detect mshta inline hta execution Mshta TTP
Detect MSHTA Url in Command Line Mshta TTP
Detect Regasm Spawning a Process Regsvcs/Regasm TTP
Detect Regsvcs Spawning a Process Regsvcs/Regasm TTP
Detect Regsvr32 Application Control Bypass Regsvr32 TTP
DNS Exfiltration Using Nslookup App Exfiltration Over Alternative Protocol TTP
DSQuery Domain Discovery Domain Trust Discovery TTP
Dump LSASS via comsvcs DLL LSASS Memory TTP
Dump LSASS via procdump LSASS Memory TTP
Enumerate Users Local Group Using Telegram Account Discovery TTP
Executable File Written in Administrative SMB Share SMB/Windows Admin Shares TTP
FodHelper UAC Bypass Modify Registry, Bypass User Account Control TTP
GPUpdate with no Command Line Arguments with Network Process Injection TTP
Hiding Files And Directories With Attrib exe Windows File and Directory Permissions Modification TTP
Icacls Deny Command File and Directory Permissions Modification Anomaly
Impacket Lateral Movement Commandline Parameters SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Impacket Lateral Movement smbexec CommandLine Parameters SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Impacket Lateral Movement WMIExec Commandline Parameters SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Kerberoasting spn request with RC4 encryption Kerberoasting TTP
Malicious Powershell Executed As A Service Service Execution TTP
Remote Process Instantiation via DCOM and PowerShell Distributed Component Object Model TTP
Remote Process Instantiation via WMI and PowerShell Windows Management Instrumentation TTP
Resize ShadowStorage volume Inhibit System Recovery TTP
Rundll32 Control RunDLL World Writable Directory Rundll32 TTP
Rundll32 Shimcache Flush Modify Registry TTP
Rundll32 with no Command Line Arguments with Network Rundll32 TTP
Ryuk Wake on LAN Command Windows Command Shell TTP
Schedule Task with HTTP Command Arguments Scheduled Task/Job TTP
Schedule Task with Rundll32 Command Trigger Scheduled Task/Job TTP
Schtasks scheduling job on remote system Scheduled Task TTP
SearchProtocolHost with no Command Line with Network Process Injection TTP
SecretDumps Offline NTDS Dumping Tool NTDS TTP
ServicePrincipalNames Discovery with SetSPN Kerberoasting TTP
Services Escalate Exe Abuse Elevation Control Mechanism TTP
Shim Database Installation With Suspicious Parameters Application Shimming TTP
Short Lived Scheduled Task Scheduled Task TTP
Single Letter Process On Endpoint Malicious File TTP
SLUI RunAs Elevated Bypass User Account Control TTP
SLUI Spawning a Process Bypass User Account Control TTP
Spoolsv Spawning Rundll32 Print Processors TTP
Spoolsv Writing a DLL Print Processors TTP
Suspicious Computer Account Name Change Domain Accounts TTP
Suspicious Copy on System32 Rename Legitimate Utilities Anomaly
Wget Download and Bash Execution Ingress Tool Transfer TTP
Windows AD Cross Domain SID History Addition SID-History Injection TTP
Windows AD Domain Controller Promotion Rogue Domain Controller TTP
Windows AD Domain Replication ACL Addition Domain or Tenant Policy Modification TTP
Windows AD Privileged Account SID History Addition SID-History Injection TTP
Windows AD Replication Request Initiated by User Account DCSync TTP
Windows AD Replication Request Initiated from Unsanctioned Location DCSync TTP
Windows AD Same Domain SID History Addition SID-History Injection TTP
Windows AD Short Lived Domain Controller SPN Attribute Rogue Domain Controller TTP
Windows AD Short Lived Server Object Rogue Domain Controller TTP
Windows Alternate DataStream - Process Execution NTFS File Attributes TTP
Windows Application Whitelisting Bypass Attempt via Rundll32 Rundll32 TTP
Windows Change File Association Command To Notepad Change Default File Association TTP
Windows COM Hijacking InprocServer32 Modification Component Object Model Hijacking TTP
Windows Command and Scripting Interpreter Path Traversal Exec Command and Scripting Interpreter TTP
Windows Command Shell DCRat ForkBomb Payload Windows Command Shell TTP
Windows Computer Account With SPN Steal or Forge Kerberos Tickets TTP
Windows ConHost with Headless Argument Hidden Window, Run Virtual Instance TTP
Windows Credential Dumping LSASS Memory Createdump LSASS Memory TTP
Windows Credentials from Password Stores Creation Credentials from Password Stores TTP
Windows Credentials from Password Stores Deletion Credentials from Password Stores TTP
Windows Curl Download to Suspicious Path Ingress Tool Transfer TTP
Windows Curl Upload to Remote Destination Ingress Tool Transfer TTP
Windows Disable Windows Event Logging Disable HTTP Logging IIS Components, Disable Windows Event Logging TTP
Windows DISM Remove Defender Disable or Modify Tools TTP
Windows DLL Search Order Hijacking with iscsicpl DLL TTP
Windows Domain Admin Impersonation Indicator Steal or Forge Kerberos Tickets TTP
Windows Event Log Cleared Clear Windows Event Logs TTP
Windows Excessive Disabled Services Event Disable or Modify Tools TTP
Windows Execute Arbitrary Commands with MSDT System Binary Proxy Execution TTP
Windows File Download Via CertUtil Ingress Tool Transfer TTP
Windows Hidden Schedule Task Settings Scheduled Task/Job TTP
Windows InstallUtil Remote Network Connection InstallUtil Anomaly
Windows InstallUtil Uninstall Option InstallUtil TTP
Windows InstallUtil URL in Command Line InstallUtil TTP
Windows Kerberos Local Successful Logon Steal or Forge Kerberos Tickets TTP
Windows KrbRelayUp Service Creation Windows Service TTP
Windows Masquerading Explorer As Child Process DLL TTP
Windows Masquerading Msdtc Process Masquerading TTP
Windows Mimikatz Binary Execution OS Credential Dumping TTP
Windows Modify System Firewall with Notable Process Path Disable or Modify System Firewall TTP
Windows MOF Event Triggered Execution via WMI Windows Management Instrumentation Event Subscription TTP
Windows MSIExec Spawn WinDBG Msiexec TTP
Windows Office Product Dropped Cab or Inf File Spearphishing Attachment TTP
Windows Office Product Dropped Uncommon File Spearphishing Attachment Anomaly
Windows Office Product Spawned Control Spearphishing Attachment TTP
Windows Office Product Spawned MSDT Spearphishing Attachment TTP
Windows Office Product Spawned Rundll32 With No DLL Spearphishing Attachment TTP
Windows Office Product Spawned Uncommon Process Spearphishing Attachment TTP
Windows PaperCut NG Spawn Shell Command and Scripting Interpreter, Exploit Public-Facing Application, External Remote Services TTP
Windows Parent PID Spoofing with Explorer Parent PID Spoofing TTP
Windows Privilege Escalation User Process Spawn System Process Exploitation for Privilege Escalation, Abuse Elevation Control Mechanism, Access Token Manipulation TTP
Windows Raccine Scheduled Task Deletion Disable or Modify Tools TTP
Windows Rasautou DLL Execution Dynamic-link Library Injection, System Binary Proxy Execution TTP
Windows Regsvr32 Renamed Binary Regsvr32 TTP
Windows Remote Assistance Spawning Process Process Injection TTP
Windows Remote Service Rdpwinst Tool Execution Remote Desktop Protocol TTP
Windows Scheduled Task with Highest Privileges Scheduled Task TTP
Windows Security Account Manager Stopped Service Stop TTP
Windows Security And Backup Services Stop Inhibit System Recovery TTP
Windows Sensitive Registry Hive Dump Via CommandLine Security Account Manager TTP
Windows Service Create SliverC2 Service Execution TTP
Windows Service Create with Tscon Windows Service, RDP Hijacking TTP
Windows Snake Malware Service Create Kernel Modules and Extensions, Service Execution TTP
Windows SOAPHound Binary Execution Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery TTP
Windows Spearphishing Attachment Onenote Spawn Mshta Spearphishing Attachment TTP
Windows Special Privileged Logon On Multiple Hosts Account Discovery, SMB/Windows Admin Shares, Network Share Discovery TTP
Windows SpeechRuntime COM Hijacking DLL Load Distributed Component Object Model TTP
Windows SpeechRuntime Suspicious Child Process Distributed Component Object Model TTP
Windows Steal Authentication Certificates - ESC1 Authentication Steal or Forge Authentication Certificates, Use Alternate Authentication Material TTP
Windows Suspicious Child Process Spawned From WebServer Web Shell TTP
Windows System Binary Proxy Execution Compiled HTML File Decompile Compiled HTML File TTP
Windows UAC Bypass Suspicious Escalation Behavior Bypass User Account Control TTP
Windows WinDBG Spawning AutoIt3 Command and Scripting Interpreter TTP
WinEvent Scheduled Task Created to Spawn Shell Scheduled Task TTP
WinEvent Scheduled Task Created Within Public Path Scheduled Task TTP
Winhlp32 Spawning a Process Process Injection TTP
WinRAR Spawning Shell Application Ingress Tool Transfer TTP
WMIC XSL Execution via URL XSL Script Processing TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Cisco Network Visibility Module Flow Data Network icon Network cisco:nvm:flowdata not_applicable
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 1102 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4624 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4627 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4662 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4663 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4672 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4688 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4698 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4699 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4738 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4741 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4742 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4768 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4769 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4781 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4798 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4887 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 5136 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 5137 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 5141 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 5145 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log System 104 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log System 7036 Windows icon Windows XmlWinEventLog XmlWinEventLog:System
Windows Event Log System 7040 Windows icon Windows XmlWinEventLog XmlWinEventLog:System
Windows Event Log System 7045 Windows icon Windows XmlWinEventLog XmlWinEventLog:System

References

Source: GitHub | Version: 1