security-content/detections/create_or_delete_network_shares.yml at develop · jwindley-splunk/security-content · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
asset_type: Endpoint
confidence: medium
creation_date: '2018-06-14'
data_metadata:
  data_models:
    - Endpoint
  data_source:
    - Endpoint Intel
  providing_technologies:
    - Carbon Black Response
    - CrowdStrike Falcon
    - Sysmon
    - Tanium
    - Ziften
description: This search looks for the creation or deletion of hidden shares using
  net.exe.
detect:
  splunk:
    correlation_rule:
      notable:
        nes_fields: dest,process_name
        rule_description: Net.exe was used to create or delete hidden network shares
          by $user$ on $dest$
        rule_title: Hidden File shares created/deleted on $dest$
      risk:
        risk_object: dest
        risk_object_type:
          - system
        risk_score: 50
      macros:
        - create_or_delete_windows_shares_filter
      schedule:
        cron_schedule: 5 * * * *
        earliest_time: -70m@m
        latest_time: -10m@m
      search: '| tstats `security_content_summariesonly` count values(Processes.user) as user values(Processes.parent_process)
        as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
        where (Processs.process_name=net.exe OR Processes.process_name=net1.exe) by
        Processes.process Processes.process_name Processes.dest
        | `drop_dm_object_name(Processes)`
        | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | search (process=*share* OR process=*delete*)
        | `create_or_delete_windows_shares_filter`'
      suppress:
        suppress_fields: dest,process_name
        suppress_period: 86400s
eli5: In this search, we are looking for the command-line execution of net.exe with
  command-line parameters such as `net`, `share`, or `delete` that may correspond to
  the creation/deletion of windows drive shares. Net.exe is a built-in command-line tool
  on Windows that can be used to create, delete, and manage shared resources on the computer,
  both locally and remotely. Though this tool is used by Microsoft administrators to manage the network shares,
  attackers also leverage it to create and delete (hidden) file shares by appending
  "$" after the name of the share. Since the creation/deletion of hidden shares is a
  special case of detecting share creation/deletion we have commented out
  the regex that adds that additional matching criteria. If only hidden share detection is desired
  add `| regex process="\S+[$]"` before the last pipe in the search.
entities:
  - dest
how_to_implement: You must be ingesting data that records process activity from your
  hosts to populate the Endpoint data model in the Processes node. You must also be
  ingesting logs with both the process name and command line from your endpoints.
  The command-line arguments are mapped to the "process" field in the Endpoint data
  model.
id: qw9919ed-fe5f-492c-b139-151bb162140e
investigations:
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
    name: Get Authentication Logs For Endpoint
    type: splunk
  - id: fecf2918-670d-4f1c-872b-3d7317a41bf9
    name: Get Parent Process Info
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d55
    name: Get Risk Modifiers For User
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd71
    name: Get Process Info
    type: splunk
  - id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
    name: Get Notable History
    type: splunk
  - id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
    name: Get Notable Info
    type: splunk
  - id: fdcfb369-1725-4c24-824a-22972d7f0d65
    name: Get Risk Modifiers For Endpoint
    type: splunk
  - id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
    name: Get User Information from Identity Table
    type: splunk
known_false_positives: Administrators often leverage net.exe to create or delete network
  shares. You should verify that the activity was intentional and is legitimate.
maintainers:
  - company: Splunk
    email: bpatel@splunk.com
    name: Bhavin Patel
mappings:
  cis20:
    - CIS 8
  kill_chain_phases:
    - Actions on Objectives
  mitre_attack:
    - Lateral Movement
  mitre_technique_id:
    - T1077
    - T1126
  nist:
    - PR.PT
    - DE.CM
modification_date: '2020-01-20'
name: Create or delete windows shares using net.exe
original_authors:
  - company: Splunk
    email: bpatel@splunk.com
    name: Bhavin Patel
references:
  - https://attack.mitre.org/techniques/T1077/
  - https://attack.mitre.org/techniques/T1126/
security_domain: endpoint
spec_version: 2
type: splunk
version: '4.0'