Detect Windows DNS Sigred Via Splunk Stream

Description

This search detects SIGRed via Splunk Stream.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring

Category

Adversary Tactics

Alert Volume

This search detects SIGRed via Splunk Stream.

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Execution

MITRE ATT&CK Techniques

Exploitation for Client Execution

Exploitation for Client Execution

MITRE Threat Groups

APT12
APT28
APT29
APT32
APT33
APT37
APT41
BRONZE BUTLER
BlackTech
Cobalt Group
Elderwood
Frankenstein
Inception
Lazarus Group
Leviathan
MuddyWater
Patchwork
Sandworm Team
TA459
The White Company
Threat Group-3390
Tropic Trooper
admin@338

Data Sources

DNS

   Help

Detect Windows DNS Sigred Via Splunk Stream Help

You must be ingesting Splunk Stream DNS and Splunk Stream TCP. We are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size via stream:tcp. Replace the macro definitions ('stream:dns' and 'stream:tcp') with configurations for your Splunk environment.

   Search

Open in Search