|
| 1 | +name: Windows Detect Network Scanner Behavior |
| 2 | +id: 78e678d2-bf64-4fe6-aa52-2f7b11dddee7 |
| 3 | +version: 1 |
| 4 | +date: '2024-12-26' |
| 5 | +author: Steven Dick |
| 6 | +status: production |
| 7 | +type: Anomaly |
| 8 | +description: The following analytic detects when an application is used to connect a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote execution. This analytic may require significant tuning depending on the organization and applications being actively used, highly recommended to pre-populate the filter macro prior to activation. |
| 9 | +data_source: |
| 10 | +- Sysmon EventID 3 |
| 11 | +search: '| tstats `security_content_summariesonly` count latest(All_Traffic.dest_port) as dest_port dc(All_Traffic.dest_port) as port_count dc(All_Traffic.dest) as dest_count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where sourcetype=XmlWinEventLog All_Traffic.app = "*\\*" All_Traffic.dest_port < 32000 NOT All_Traffic.dest_port IN (8443,8080,5353,3268,443,389,88,80,53,25) by host,All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user _time span=5m |
| 12 | +| `drop_dm_object_name(All_Traffic)` |
| 13 | +| rex field=app ".*\\\(?<process_name>.*)$" |
| 14 | +| where port_count > 10 OR dest_count > 10 |
| 15 | +| stats latest(src) as src, latest(src_ip) as src_ip, max(dest_count) as dest_count, max(port_count) as port_count, latest(dest_port) as dest_port, min(firstTime) as firstTime, max(lastTime) as lastTime, max(count) as count by host,user,app,process_name |
| 16 | +| `security_content_ctime(firstTime)` |
| 17 | +| `security_content_ctime(lastTime)` |
| 18 | +| `windows_detect_network_scanner_behavior_filter`' |
| 19 | +how_to_implement: This detection relies on Sysmon EventID 3 events being ingested AND tagged into the Network_Traffic datamodel. |
| 20 | +known_false_positives: Various, could be noisy depending on processes in the organization and sysmon configuration used. Adjusted port/dest count thresholds as needed. |
| 21 | +references: |
| 22 | +- https://attack.mitre.org/techniques/T1595 |
| 23 | +drilldown_searches: |
| 24 | +- name: View the detection results for - "$src$" and "$user$" |
| 25 | + search: '%original_detection_search% | search src = "$src$" user = "$user$"' |
| 26 | + earliest_offset: $info_min_time$ |
| 27 | + latest_offset: $info_max_time$ |
| 28 | +- name: View risk events for the last 7 days for - "$src$" and "$user$" |
| 29 | + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' |
| 30 | + earliest_offset: $info_min_time$ |
| 31 | + latest_offset: $info_max_time$ |
| 32 | +tags: |
| 33 | + analytic_story: |
| 34 | + - Network Discovery |
| 35 | + - Windows Discovery Techniques |
| 36 | + asset_type: Endpoint |
| 37 | + confidence: 50 |
| 38 | + impact: 50 |
| 39 | + message: A process exhibiting network scanning behavior [$process_name$] was detected on $src$ |
| 40 | + mitre_attack_id: |
| 41 | + - T1595 |
| 42 | + - T1595.001 |
| 43 | + - T1595.002 |
| 44 | + observable: |
| 45 | + - name: src |
| 46 | + type: IP Address |
| 47 | + role: |
| 48 | + - Victim |
| 49 | + - name: user |
| 50 | + type: User |
| 51 | + role: |
| 52 | + - Victim |
| 53 | + - name: process_name |
| 54 | + type: Process |
| 55 | + role: |
| 56 | + - Attacker |
| 57 | + product: |
| 58 | + - Splunk Enterprise |
| 59 | + - Splunk Enterprise Security |
| 60 | + - Splunk Cloud |
| 61 | + required_fields: |
| 62 | + - All_Traffic.dest_port |
| 63 | + - host |
| 64 | + - All_Traffic.app |
| 65 | + - All_Traffic.src |
| 66 | + - All_Traffic.src_ip |
| 67 | + - All_Traffic.user |
| 68 | + - _time |
| 69 | + risk_score: 25 |
| 70 | + security_domain: network |
| 71 | +tests: |
| 72 | +- name: True Positive Test |
| 73 | + attack_data: |
| 74 | + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.log |
| 75 | + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| 76 | + sourcetype: XmlWinEventLog |
0 commit comments