Splunk Rules

1. Introduction

Splunk provides use cases and detection rules mapped to ATT&CK, Kill Chain and CIS Controls TTPs. They consist of detection searches, search syntax, machine learning algorithms and Splunk Phantom playbooks, all designed to work together to detect, investigate and respond to threats.

2. Coverage

For the latest detection coverage map of all content tagged with ATT&CK, visit https://mitremap.splunkresearch.com, which holds a snapshot of the techniques currently covered by detections. The darker the shade of blue, the more detections exist for that particular technique; the map is regenerated automatically on every release by generate-coverage-map.py.

3. Detection Rules

The content includes more than 200 detection rules covering endpoints, networks and cloud; an example follows:

```yaml
name: Eventvwr UAC Bypass
id: 9cf8fe08-7ad8-11eb-9819-acde48001122
version: 1
date: '2021-03-01'
author: Michael Haag, Splunk
type: TTP
datamodel:
- Endpoint
description: The following search identifies Eventvwr bypass by identifying the registry
  modification into a specific path that eventvwr.msc looks to (but is not valid)
  upon execution. A successful attack will include a suspicious command to be executed
  upon eventvwr.msc loading. Upon triage, review the parallel processes that have
  executed. Identify any additional registry modifications on the endpoint that may
  look suspicious. Remediate as necessary.
search: '| tstats `security_content_summariesonly` count values(Registry.registry_key_name)
  as registry_key_name values(Registry.registry_path) as registry_path min(_time)
  as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry where Registry.registry_path="*mscfile\\shell\\open\\command\\*" by
  Registry.user, Registry.dest , Registry.registry_value_name| `security_content_ctime(lastTime)`
  | `security_content_ctime(firstTime)` | `drop_dm_object_name(Registry)` | `eventvwr_uac_bypass_filter`'
how_to_implement: To successfully implement this search you need to be ingesting information
  on process that include the name of the process responsible for the changes from
  your endpoints into the `Endpoint` datamodel in the `Registry` node.
known_false_positives: Some false positives may be present and will need to be filtered.
references:
- https://blog.malwarebytes.com/malwarebytes-news/2021/02/lazyscripter-from-empire-to-double-rat/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md
- https://attack.mitre.org/techniques/T1548/002
- https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
tags:
  analytic_story:
  - Windows Defense Evasion Tactics
  - IcedID
  automated_detection_testing: passed
  confidence: 100
  context:
  - Source:Endpoint
  - Stage:Defense Evasion
  dataset:
  - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log
  impact: 80
  kill_chain_phases:
  - Exploitation
  - Privilege Escalation
  message: Registry values were modified to bypass UAC using Event Viewer on $dest$
    by $user$.
  mitre_attack_id:
  - T1548.002
  - T1548
  observable:
  - name: user
    type: User
    role:
    - Victim
  - name: dest
    type: Hostname
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Registry.registry_key_name
  - Registry.registry_path
  - Registry.user
  - Registry.dest
  - Registry.registry_value_name
  risk_score: 80
  security_domain: endpoint
```

The full content is available at:
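To show what the `search` field of the rule above actually does, here is an added Python emulation (not Splunk's code) of its pipeline over constructed Endpoint.Registry events: the wildcard `where` clause, the `by user, dest, registry_value_name` aggregation with count/first/last time, the `security_content_ctime` formatting, and the `message` template. The `allowlist` argument is an assumption standing in for the `eventvwr_uac_bypass_filter` macro, which ships empty so that admins can tune out known-good hosts.

```python
from fnmatch import fnmatchcase
from datetime import datetime, timezone

# Pattern from the search's where clause; the "\\" in the SPL string escapes one backslash.
REGISTRY_PATH_PATTERN = "*mscfile\\shell\\open\\command\\*"

def _ev(t, user, dest, key, value):
    """Build one constructed event shaped like the Endpoint.Registry data-model fields."""
    return {"_time": t, "user": user, "dest": dest, "registry_key_name": key,
            "registry_path": key + "\\" + value, "registry_value_name": value}

HIJACK_KEY = "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Classes\\mscfile\\shell\\open\\command"
SAMPLE_REGISTRY_EVENTS = [  # constructed sample data; _time is epoch seconds, as in Splunk
    _ev(1614556800, "CORP\\alice", "ws01", HIJACK_KEY, "(Default)"),
    _ev(1614556860, "CORP\\alice", "ws01", HIJACK_KEY, "(Default)"),
    _ev(1614556900, "CORP\\bob", "ws02",
        "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "Updater"),
]

def security_content_ctime(epoch):
    """Stand-in for the `security_content_ctime` macro: epoch seconds to a UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def eventvwr_uac_bypass_search(events, allowlist=frozenset()):
    """Emulate the tstats search: filter on registry_path, aggregate by user/dest/value
    name, then drop (user, dest) pairs in `allowlist` (the tuning-filter macro, assumed)."""
    groups = {}
    for ev in events:
        # SPL wildcard matching is case-insensitive; fnmatchcase treats '\' literally.
        if not fnmatchcase(ev["registry_path"].lower(), REGISTRY_PATH_PATTERN.lower()):
            continue
        key = (ev["user"], ev["dest"], ev["registry_value_name"])
        g = groups.setdefault(key, {"count": 0, "keys": set(), "paths": set(),
                                    "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["keys"].add(ev["registry_key_name"])
        g["paths"].add(ev["registry_path"])
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    results = []
    for (user, dest, value_name), g in sorted(groups.items()):
        if (user, dest) in allowlist:  # the `eventvwr_uac_bypass_filter` step
            continue
        results.append({"user": user, "dest": dest, "registry_value_name": value_name,
                        "count": g["count"], "registry_key_name": sorted(g["keys"]),
                        "registry_path": sorted(g["paths"]),
                        "firstTime": security_content_ctime(g["firstTime"]),
                        "lastTime": security_content_ctime(g["lastTime"]),
                        "message": f"Registry values were modified to bypass UAC using "
                                   f"Event Viewer on {dest} by {user}."})  # rule's message
    return results
```

Running `eventvwr_uac_bypass_search(SAMPLE_REGISTRY_EVENTS)` yields one aggregated result for ws01 (count 2) and nothing for the unrelated Run-key change on ws02.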

4. Use Cases

  • A ProxyShell example:

```yaml
name: ProxyShell
id: 413bb68e-04e2-11ec-a835-acde48001122
version: 1
date: '2021-08-24'
author: Michael Haag, Teoderick Contreras, Mauricio Velazco, Splunk
type: batch
description: ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
narrative: 'During Pwn2Own April 2021, a security researcher demonstrated an attack chain targeting on-premise Microsoft Exchange Server. August 5th, the same researcher publicly released further details and demonstrated the attack chain. \
  1. CVE-2021-34473 - Pre-auth path confusion leads to ACL Bypass (Patched in April by KB5001779) \
  1. CVE-2021-34523 - Elevation of privilege on Exchange PowerShell backend (Patched in April by KB5001779) \
  1. CVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435) \
  Upon successful exploitation, the remote attacker will have `SYSTEM` privileges on the Exchange Server. In addition to remote access/execution, the adversary may be able to run Exchange PowerShell Cmdlets to perform further actions.'
references:
- https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/
- https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell
- https://www.youtube.com/watch?v=FC6iHw258RI
- https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do
- https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf
tags:
  analytic_story:
  - ProxyShell
  category:
  - Adversary Tactics
  - Ransomware
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection
```

5. Attack Sample Data (Attack Data Repository)

  • No attack environment or tooling needs to be set up; the coverage and effectiveness of detection rules can be verified quickly.
  • The data is stored as YML in the following format:

| Field | Description |
|---|---|
| id | Unique identifier (UUID) |
| name | Author name |
| date | Date of last modification |
| dataset | URLs of the associated datasets |
| description | Short summary |
| environment | Environment the attack was run in |
| technique | Corresponding ATT&CK technique(s) |
| references | Reference material |
| sourcetypes | Source types of the captured data |

An example:

```yaml
id: 405d5889-16c7-42e3-8865-1485d7a5b2b6
author: Patrick Bareiss
date: '2020-10-08'
description: 'Atomic Test Results: Successful Execution of test T1003.001-1 Windows
  Credential Editor Successful Execution of test T1003.001-2 Dump LSASS.exe Memory
  using ProcDump Return value unclear for test T1003.001-3 Dump LSASS.exe Memory using
  comsvcs.dll Successful Execution of test T1003.001-4 Dump LSASS.exe Memory using
  direct system calls and API unhooking Return value unclear for test T1003.001-6
  Offline Credential Theft With Mimikatz Return value unclear for test T1003.001-7
  LSASS read with pypykatz '
environment: attack_range
technique:
- T1003.001
dataset:
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-powershell.log
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-security.log
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log
- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.001/atomic_red_team/windows-system.log
references:
- https://attack.mitre.org/techniques/T1003/001/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md
- https://github.com/splunk/security-content/blob/develop/tests/T1003_001.yml
sourcetypes:
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
- WinEventLog:Microsoft-Windows-PowerShell/Operational
- WinEventLog:System
- WinEventLog:Security
```
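As an added illustration (not code from the attack_data or security_content projects), the following Python checks an attack-data record against the field table in this section and then pairs a detection with the records able to exercise it, which is what lets the `tags.dataset` entry of a rule back its `automated_detection_testing` status. The records are dicts equivalent to the parsed YAML (the T1003.001 one above with a shortened description, plus a constructed T1548.002 record with a placeholder id); the pairing rule, shared technique id plus a shared dataset URL, is an assumption.

```python
import re

# Fields from the table above (the table's `name` is the record's `author` key).
REQUIRED_FIELDS = ("id", "author", "date", "description", "environment",
                   "technique", "dataset", "references", "sourcetypes")
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")
ATTACK_DATA_BASE = "https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/"

# The T1003.001 record above as a dict (description shortened), a constructed T1548.002
# record with a placeholder id, and the section 3 detection reduced to the keys used here.
T1003_001 = {"id": "405d5889-16c7-42e3-8865-1485d7a5b2b6", "author": "Patrick Bareiss",
             "date": "2020-10-08", "description": "Atomic Test Results for T1003.001",
             "environment": "attack_range", "technique": ["T1003.001"],
             "dataset": [ATTACK_DATA_BASE + "attack_techniques/T1003.001/atomic_red_team/windows-sysmon.log"],
             "references": ["https://attack.mitre.org/techniques/T1003/001/"],
             "sourcetypes": ["XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"]}
T1548_002 = dict(T1003_001, id="00000000-0000-4000-8000-000000000001", technique=["T1548.002"],
                 dataset=[ATTACK_DATA_BASE + "attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log"])
EVENTVWR_DETECTION = {"name": "Eventvwr UAC Bypass", "mitre_attack_id": ["T1548.002", "T1548"],
                      "dataset": [ATTACK_DATA_BASE + "attack_techniques/T1548.002/atomic_red_team/windows-sysmon.log"]}

def validate_attack_data(record):
    """Return a list of problems with an attack-data record; an empty list means it is well formed."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in record]
    if "id" in record and not UUID_RE.match(str(record["id"])):
        problems.append("id is not a lowercase UUID")
    for t in record.get("technique", []):
        if not TECHNIQUE_RE.match(t):  # Txxxx or Txxxx.yyy
            problems.append(f"bad ATT&CK technique id: {t}")
    for url in record.get("dataset", []):
        if not url.startswith("https://"):
            problems.append(f"dataset URL is not https: {url}")
    return problems

def datasets_for_detection(detection, attack_records):
    """Ids of attack-data records that can exercise a detection: the record must share a
    technique id with `mitre_attack_id` and supply one of the detection's tagged dataset
    URLs (assumed pairing rule, not the project's own test harness logic)."""
    techniques, urls = set(detection["mitre_attack_id"]), set(detection["dataset"])
    return [rec["id"] for rec in attack_records
            if set(rec["technique"]) & techniques and set(rec["dataset"]) & urls]
```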

6. References

Last updated on 4/9/2023