Windows Suspect Process With Authentication Traffic
Description
This analytic identifies executables running from public or temporary locations that are communicating over windows domain authentication ports/protocol. The ports/protocols include LDAP(389), LDAPS(636), and Kerberos(88). Authentications from applications running from user controlled locations may not be malicious, however actors often attempt to access domain resources after initial compromise from executables in these locations.
- Type: Anomaly
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Network_Traffic
- Last Updated: 2023-06-13
- Author: Steven Dick
- ID: 953322db-128a-4ce9-8e89-56e039e33d98
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
- Installation
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
7
8
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port IN ("88","389","636") AND All_Traffic.app IN ("*\\users\\*", "*\\programdata\\*", "*\\temp\\*", "*\\Windows\\Tasks\\*", "*\\appdata\\*", "*\\perflogs\\*") by All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user,All_Traffic.dest,All_Traffic.dest_ip,All_Traffic.dest_port
| `drop_dm_object_name(All_Traffic)`
| rex field=app ".*\\\(?<process_name>.*)$"
| rename app as process
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_suspect_process_with_authentication_traffic_filter`
Macros
The SPL above uses the following Macros:
windows_suspect_process_with_authentication_traffic_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- All_Traffic.app
- All_Traffic.src
- All_Traffic.src_ip
- All_Traffic.user
- All_Traffic.dest
- All_Traffic.dest_ip
- All_Traffic.dest_port
How To Implement
To implement this analytic, Sysmon should be installed in the environment and generating network events for userland and/or known public writable locations.
Known False Positives
Known applications running from these locations for legitimate purposes. Targeting only kerberos (port 88) may significantly reduce noise.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
25.0 | 50 | 50 | The process $process_name$ on $src$ has been communicating with $dest$ on $dest_port$. |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
- Most attacker toolkits offer some degree of interaction with AD/LDAP.
- https://attack.mitre.org/techniques/T1069/002/
- https://book.hacktricks.xyz/network-services-pentesting/pentesting-kerberos-88
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1