forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathaccount_harvesting.yml
More file actions
105 lines (105 loc) · 4.27 KB
/
account_harvesting.yml
File metadata and controls
105 lines (105 loc) · 4.27 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
asset_type: Account
confidence: medium
creation_date: '2018-07-12'
data_metadata:
data_source:
- Network Communications
data_sourcetypes:
- stream:http
providing_technologies:
- Splunk Stream
description: This search is used to identify the creation of multiple user accounts
using the same email domain name.
detect:
splunk:
correlation_rule:
notable:
nes_fields: src_user
rule_description: This search is used to identify multiple created accounts
tied to a specific email domain. Such activity is often indicative of account
harvesting. A list of $src_user$ accounts were created.
rule_title: 'Web Fraud Detection: Possible Account Harvesting'
risk:
risk_object: src_user
risk_object_type:
- user
risk_score: 40
schedule:
cron_schedule: 0 1 * * *
earliest_time: -1445m@m
latest_time: -10m@m
search: sourcetype=stream:http http_content_type=text* uri="/magento2/customer/account/loginPost/"
| rex field=cookie "form_key=(?<SessionID>\w+)" | rex field=form_data "login\[username\]=(?<Username>[^&|^$]+)"
| search Username=* | rex field=Username "@(?<email_domain>.*)"|stats dc(Username)
as UniqueUsernames list(Username) as src_user by email_domain|where UniqueUsernames>
25
suppress:
suppress_fields: user
suppress_period: 3600s
eli5: When a fraudster is setting the stage for a campaign, they will often create
many user accounts on the website. This is a simple example of how to detect a many-account
creation hosted on a Magento2 e-commerce platform, where the fraudster is using
email addresses from a single email domain.
entities:
- src_user
how_to_implement: We start with a dataset that provides visibility into the email
address used for the account creation. In this example, we are narrowing our search
down to the single web page that hosts the Magento2 e-commerce platform (via URI)
used for account creation, the single http content-type to grab only the user's
clicks, and the http field that provides the username (form_data), for performance
reasons. After we have the username and email domain, we look for numerous account
creations per email domain. Common data sources used for this detection are customized
Apache logs or Splunk Stream.
id: 31337aaa-941d-4ada-81ac-q2a17be5bf0d
investigations:
- id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
name: Get Notable History
type: splunk
- id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
name: Get Notable Info
type: splunk
- id: bc91a8cf-35e7-4bb2-1120-e756cc06fd89
name: Get Web Session Information via session_id
type: splunk
- id: 5df39b3f-447d-4869-b673-8f45ad4616fe
name: Get Emails From Specific Sender
type: splunk
known_false_positives: As is common with many fraud-related searches, we are usually
looking to attribute risk or synthesize relevant context with loosely written detections
that simply detect anamolous behavior. This search will need to be customized to
fit your environment—improving its fidelity by counting based on something
much more specific, such as a device ID that may be present in your dataset. Consideration
for whether the large number of registrations are occuring from a first-time seen
domain may also be important. Extending the search window to look further back
in time, or even calculating the average per hour/day for each email domain to look
for an anomalous spikes, will improve this search. You can also use Shannon entropy
or Levenshtein Distance (both courtesy of URL Toolbox) to consider the randomness
or similarity of the email name or email domain, as the names are often machine-generated.
maintainers:
- company: Splunk
email: Mayhem@splunk.com
name: Jim Apger
mappings:
cis20:
- CIS 16
kill_chain_phases:
- Actions on Objectives
mitre_attack:
- Persistence
- Create Account
nist:
- DE.CM
- DE.DP
modification_date: '2018-10-08'
name: Web Fraud - Account Harvesting
original_authors:
- company: Splunk
email: Mayhem@splunk.com
name: Jim Apger
references:
- https://splunkbase.splunk.com/app/2734/
- https://splunkbase.splunk.com/app/1809/
security_domain: threat
spec_version: 2
type: splunk
version: '1.0'