Windows Common Abused Cmd Shell Risk Behavior
Description
The following correlation identifies instances where four or more distinct detection analytics are associated with malicious command line behavior that is known to be exploited by multiple threat actors, adversaries, or red teamers on a specific host. By leveraging the Command Line Interface (CLI), attackers can execute malicious commands, gain access to sensitive data, install backdoors, and engage in various nefarious activities. The impact of such compromise can be severe, as attackers may gain unauthorized control over the compromised system, enabling them to exfiltrate valuable information, escalate privileges, or launch further attacks within the network. If this detection is triggered, there is a high level of confidence in the occurrence of suspicious command line activities on the host.
- Type: Correlation
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Risk
- Last Updated: 2023-12-27
- Author: Teoderick Contreras, Splunk
- ID: e99fcc4f-c6b0-4443-aa2a-e3c85126ec9a
Annotations
ATT&CK
ATT&CK
| ID | Technique | Tactic |
|---|---|---|
| T1222 | File and Directory Permissions Modification | Defense Evasion |
| T1049 | System Network Connections Discovery | Discovery |
| T1033 | System Owner/User Discovery | Discovery |
| T1529 | System Shutdown/Reboot | Impact |
| T1016 | System Network Configuration Discovery | Discovery |
| T1059 | Command and Scripting Interpreter | Execution |
Kill Chain Phase
- Exploitation
- Actions On Objectives
- Installation
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
7
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN ("*Cmdline Tool Not Executed In CMD Shell*", "*Windows System Network Config Discovery Display DNS*", "*Local Account Discovery With Wmic*", "*Net Localgroup Discovery*", "*Create local admin accounts using net exe*", "*Local Account Discovery with Net*", "*Icacls Deny Command*", "*ICACLS Grant Command*", "*Windows Proxy Via Netsh*", "*Processes launching netsh*", "*Disabling Firewall with Netsh*", "*Windows System Network Connections Discovery Netsh*", "*Network Connection Discovery With Arp*", "*Windows System Discovery Using ldap Nslookup*", "*Windows System Shutdown CommandLine*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 4
| `windows_common_abused_cmd_shell_risk_behavior_filter`
Macros
The SPL above uses the following Macros:
windows_common_abused_cmd_shell_risk_behavior_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- All_Risk.analyticstories
- All_Risk.risk_object_type
- All_Risk.risk_object
- All_Risk.annotations.mitre_attack.mitre_tactic
- source
How To Implement
Splunk Enterprise Security is required to utilize this correlation. In addition, modify the source_count value to your environment. In our testing, a count of 4 or 5 was decent in a lab, but the number may need to be increased base on internal testing. In addition, based on false positives, modify any analytics to be anomaly and lower or increase risk based on organization importance.
Known False Positives
False positives will be present based on many factors. Tune the correlation as needed to reduce too many triggers.
Associated Analytic Story
- Azorult
- Volt Typhoon
- Sandworm Tools
- Windows Post-Exploitation
- FIN7
- Qakbot
- Netsh Abuse
- DarkCrystal RAT
- Windows Defense Evasion Tactics
- CISA AA23-347A
- Disabling Security Tools
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 49.0 | 70 | 70 | series of process commandline being abused by threat actor have been identified on $risk_object$ |
Reference
- https://www.splunk.com/en_us/blog/security/from-macros-to-no-macros-continuous-malware-improvements-by-qakbot.html
- https://www.splunk.com/en_us/blog/security/dark-crystal-rat-agent-deep-dive.html
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1