Concentration of Discovery Tools by Filename

Description

It's uncommon to see many host discovery tools launched on an endpoint, except in very specific situations (unless your company specifically does this). This search identifies the tools by filename and looks for many launches close together in time. (MITRE CAR Reference)


Use Case

Advanced Threat Detection, Security Monitoring

Category

Scanning, Endpoint Compromise

Security Impact

These days, there are a lot of executables one can install and run on a Windows machine in order to cause mischief. The thing is, many amateur hackers will run a lot of these tools in succession (or automated scripts will run them, too). By correlating the process names being executed on endpoints with a list of 'known discovery tool executable names' we can detect this suspicious activity.

Alert Volume

Low (?)

SPL Difficulty

Basic

Journey

Stage 3

MITRE ATT&CK Tactics

Discovery

MITRE ATT&CK Techniques

Account Discovery
Permission Groups Discovery
Process Discovery
System Network Configuration Discovery
System Owner/User Discovery
System Information Discovery
System Service Discovery

MITRE Threat Groups

APT1
APT18
APT19
APT28
APT3
APT32
APT37
APT38
APT39
APT41
BRONZE BUTLER
Darkhotel
Deep Panda
Dragonfly 2.0
FIN10
FIN6
Gamaredon Group
Honeybee
Ke3chang
Kimsuky
Lazarus Group
Magic Hound
Molerats
MuddyWater
Naikon
OilRig
Patchwork
Poseidon Group
Soft Cell
Sowbug
Stealth Falcon
Threat Group-3390
Tropic Trooper
Turla
Winnti Group
admin@338
menuPass

Kill Chain Phases

Exploitation

Data Sources

Windows Security
Endpoint Detection and Response

How to Implement

The hardest part of implementing this correctly, once you have process launch logs ingested, will be to make sure that the fields are correctly set.

  • In the live version, we start with index=*, which is bad Splunk form (but makes it a little easier to get started). You should make sure that you specify the index where your process launch logs live (index=oswinsec if you follow our best practices and the documentation in this app).
  • The next field you have to worry about is the sourcetype, which should be pretty standard.
  • The EventCode field is the last field you have to think about; if you use our Splunk_TA_windows on your Search Head, it will also be set automatically for you (again, docs are key!).

Once you have the search itself running, then you need only schedule it (click "Schedule Alert") and have Splunk email you, create a ticket in Enterprise Security or Service Now, or take some other action for you.

Known False Positives

The most likely source of false positives for this search is normal admin activity; in particular, if you have login scripts (or other periodic scripts) that enumerate information about hosts, they could show up here. The easy way to filter out these situations is to identify that scripted fingerprint and exclude it. For example, using | where (which has eval-style syntax, unlike | search) you could exclude a four-tool script fingerprint with | where NOT (mvcount(filename)=4 AND filename="net.exe" AND filename="ipconfig.exe" AND filename="sc.exe" AND filename="tasklist.exe").

How To Respond

This alert is intended to corroborate other suspicious actions in most environments, rather than being a major flag on its own. You might send this alert to your alert manager as a low or informational alert so that you can search for the asset and find it later. More advanced organizations might send this alert into the ES Risk Framework (so that you can aggregate low-level risk elements) or to Splunk UBA (so that the threat models can incorporate this event into their calculations).

Help

Concentration of Discovery Tools by Filename Help

This example leverages the Simple Search assistant. Our dataset is a collection of Windows process launch logs (Event ID 4688), though you could also use any other process launch logs from EDR tools. The search then filters for a set of filenames that are known to be discovery related (from a lookup called tools.csv) and uses the transaction command to group them by host and time. If a single transaction contains many distinct tools, it surfaces that transaction.

SPL for Concentration of Discovery Tools by Filename

Demo Data

First we pull in our demo dataset. This could be any EDR data source that provides process launch information.
From line one we have our process launch logs; now we need to filter that down to just the potential discovery tools. We do this via a subsearch. A subsearch runs another search, then takes those results and inserts them into the main search. You can copy-paste that subsearch into a new search window and see what the results look like -- there's a single field called "search" that holds a list of file names with ORs between them. That is effectively inserted into our main search, giving us a really long search string without having to maintain a really long search.
From lines 1-2 we have a list of suspicious process launches. Now we want to see whether many of those fire around the same time. The transaction command is great for that -- it groups together events that all have the same value for a field, in this case the same host. maxpause=5m keeps grouping events together as long as there are no more than 5 minutes between one event and the next.
From lines 1-3 we have groups of suspicious process launches; now we look at how many different unique programs were launched using mvcount, which gives us the number of values in a multi-value field.
Finally we clean up a few fields that transaction adds, so that we get a nice clean display.
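The walkthrough above, together with the scripted-fingerprint exclusion from the Known False Positives section, carried out end to end in plain Python as an added example; this is not code from the page and not Splunk SPL. It parses field-extracted process launch events, keeps only Event ID 4688 launches whose executable name is in a tools list (standing in for the tools.csv lookup), groups them per host with a 5-minute maximum pause the way transaction host maxpause=5m does, counts distinct filenames like mvcount, and suppresses the four-tool login-script fingerprint. The key=value log format, host names, timestamps, tool list, and the threshold of 4 distinct tools are all assumptions made for the example; the sample events are constructed, not real data.

```python
import re
from datetime import datetime, timedelta

# Constructed stand-in for the tools.csv lookup (assumption: bare lower-cased names).
DISCOVERY_TOOLS = {
    "net.exe", "net1.exe", "ipconfig.exe", "sc.exe", "tasklist.exe",
    "whoami.exe", "nltest.exe", "systeminfo.exe", "netstat.exe", "qwinsta.exe",
}
# Scripted fingerprint from Known False Positives: exactly these four tools.
LOGIN_SCRIPT_FINGERPRINT = {"net.exe", "ipconfig.exe", "sc.exe", "tasklist.exe"}
MAX_PAUSE = timedelta(minutes=5)  # transaction maxpause=5m

# Constructed sample of field-extracted Windows Security events (not real data).
# WS01: a four-tool login script. WS02: a burst of six distinct tools, with one
# repeat and one isolated launch hours later. WS03: two tools 30 minutes apart.
# The explorer.exe launch and the 4689 (process exit) event must be dropped.
SAMPLE_LOG = r"""
2024-03-04T08:00:01 host=WS01 EventCode=4688 New_Process_Name=C:\Windows\System32\net.exe
2024-03-04T08:00:02 host=WS01 EventCode=4688 New_Process_Name=C:\Windows\System32\ipconfig.exe
2024-03-04T08:00:03 host=WS01 EventCode=4688 New_Process_Name=C:\Windows\System32\sc.exe
2024-03-04T08:00:04 host=WS01 EventCode=4688 New_Process_Name=C:\Windows\System32\tasklist.exe
2024-03-04T08:00:05 host=WS01 EventCode=4689 New_Process_Name=C:\Windows\System32\net.exe
2024-03-04T09:00:00 host=WS02 EventCode=4688 New_Process_Name=C:\Windows\explorer.exe
2024-03-04T09:00:10 host=WS02 EventCode=4688 New_Process_Name=C:\Windows\System32\whoami.exe
2024-03-04T09:01:00 host=WS02 EventCode=4688 New_Process_Name=C:\Windows\System32\net.exe
2024-03-04T09:02:00 host=WS02 EventCode=4688 New_Process_Name=C:\Windows\System32\nltest.exe
2024-03-04T09:03:30 host=WS02 EventCode=4688 New_Process_Name=C:\Windows\System32\systeminfo.exe
2024-03-04T09:04:00 host=WS02 EventCode=4688 New_Process_Name=C:\Windows\System32\ipconfig.exe
2024-03-04T09:05:00 host=WS02 EventCode=4688 New_Process_Name=C:\Windows\System32\net.exe
2024-03-04T09:06:00 host=WS02 EventCode=4688 New_Process_Name=C:\Windows\System32\tasklist.exe
2024-03-04T14:00:00 host=WS02 EventCode=4688 New_Process_Name=C:\Windows\System32\whoami.exe
2024-03-04T10:00:00 host=WS03 EventCode=4688 New_Process_Name=C:\Windows\System32\ipconfig.exe
2024-03-04T10:30:00 host=WS03 EventCode=4688 New_Process_Name=C:\Windows\System32\net.exe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) EventCode=(?P<code>\d+) "
                     r"New_Process_Name=(?P<path>.+)$")

def basename(path):
    """Reduce a full process path to its lower-cased executable name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_events(text):
    """Turn the key=value lines into dicts; lines that do not match are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        events.append({"time": datetime.fromisoformat(m["ts"]), "host": m["host"],
                       "EventCode": int(m["code"]), "filename": basename(m["path"])})
    return events

def filter_discovery(events, tools=DISCOVERY_TOOLS):
    """Lines 1-2 of the search: keep 4688 launches whose filename is in the lookup."""
    return [e for e in events if e["EventCode"] == 4688 and e["filename"] in tools]

def group_by_host(events, max_pause=MAX_PAUSE):
    """Line 3: transaction host maxpause=5m. A new transaction starts when the host
    changes or the gap since the previous event exceeds max_pause; 'filename'
    collects the distinct names in first-seen order, like a multivalue field."""
    transactions, current = [], None
    for e in sorted(events, key=lambda e: (e["host"], e["time"])):
        if (current is None or e["host"] != current["host"]
                or e["time"] - current["end"] > max_pause):
            current = {"host": e["host"], "start": e["time"], "end": e["time"],
                       "filename": [], "eventcount": 0}
            transactions.append(current)
        current["end"] = e["time"]
        current["eventcount"] += 1
        if e["filename"] not in current["filename"]:
            current["filename"].append(e["filename"])
    return transactions

def is_scripted_fingerprint(filenames, fingerprint=LOGIN_SCRIPT_FINGERPRINT):
    """The mvcount(filename)=4 AND filename=... exclusion, as a set comparison."""
    return len(filenames) == len(fingerprint) and set(filenames) == fingerprint

def detect(text, threshold=4, max_pause=MAX_PAUSE, exclude_fingerprint=True):
    """Whole pipeline. The threshold of 4 distinct tools is an assumed tuning
    value; the page does not state one."""
    alerts = []
    for t in group_by_host(filter_discovery(parse_events(text)), max_pause):
        t["num_tools"] = len(t["filename"])  # mvcount(filename)
        if t["num_tools"] < threshold:
            continue
        if exclude_fingerprint and is_scripted_fingerprint(t["filename"]):
            continue
        alerts.append(t)
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a['host']}: {a['num_tools']} tools in {a['eventcount']} launches "
              f"between {a['start']:%H:%M:%S} and {a['end']:%H:%M:%S}: {a['filename']}")
```

Run as-is, only WS02 is reported (six distinct tools across seven launches inside six minutes); WS01's four-tool burst matches the login-script fingerprint and is suppressed, which you can confirm by calling detect(SAMPLE_LOG, exclude_fingerprint=False) and watching WS01 reappear. The isolated whoami.exe on WS02 five hours later lands in its own transaction because the gap exceeds the 5-minute pause, which is exactly the behaviour maxpause gives you in Splunk.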

Live Data

First we pull in our live dataset. This could be any EDR data source that provides process launch information.
From line one we have our process launch logs; now we need to filter that down to just the potential discovery tools. We do this via a subsearch. A subsearch runs another search, then takes those results and inserts them into the main search. You can copy-paste that subsearch into a new search window and see what the results look like -- there's a single field called "search" that holds a list of file names with ORs between them. That is effectively inserted into our main search, giving us a really long search string without having to maintain a really long search.
From lines 1-2 we have a list of suspicious process launches. Now we want to see whether many of those fire around the same time. The transaction command is great for that -- it groups together events that all have the same value for a field, in this case the same host. maxpause=5m keeps grouping events together as long as there are no more than 5 minutes between one event and the next.
From lines 1-3 we have groups of suspicious process launches; now we look at how many different unique programs were launched using mvcount, which gives us the number of values in a multi-value field.
Finally we clean up a few fields that transaction adds, so that we get a nice clean display.