forked from splunk/security_content
execution_of_nirsoft_tools.yml
asset_type: Endpoint
confidence: medium
creation_date: '2018-09-11'
data_metadata:
  data_models:
  - Endpoint
  data_source:
  - Endpoint Intel
  providing_technologies:
  - Carbon Black Response
  - CrowdStrike Falcon
  - Sysmon
  - Tanium
  - Ziften
description: This search looks for specific command-line arguments that may indicate
  the execution of tools made by NirSoft, which are legitimate but may be abused
  by attackers.
detect:
  splunk:
    correlation_rule:
      notable:
        nes_fields: dest, user, process
        rule_description: This search looks for specific arguments passed via the
          command line and detects execution of tools built by NirSoft, which are
          often abused by attackers.
        rule_title: Potential abuse of NirSoft tools on $dest$
      risk:
        risk_object: dest
        risk_object_type:
        - system
        risk_score: 80
      schedule:
        cron_schedule: 0 * * * *
        earliest_time: -70m@m
        latest_time: -10m@m
      search: '| tstats `security_content_summariesonly` count min(_time) as firstTime
        values(Processes.process) as process max(_time) as lastTime from datamodel=Endpoint.Processes
        where (Processes.process="* /stext *" OR Processes.process="* /scomma *") by Processes.dest
        Processes.parent_process Processes.process_name Processes.user | `drop_dm_object_name(Processes)`
        | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      suppress:
        suppress_fields: dest, process
        suppress_period: 28800s
eli5: The search looks for process-creation events accompanied by specific command-line
  arguments ("scomma" and "stext"). These parameters may be leveraged by a set of
  free, legitimate tools built by NirSoft. Attackers have been seen abusing the tools'
  capabilities to steal passwords, set up keyloggers, recover account information
  from mail clients, and conduct other nefarious activities. The search will identify
  the count, the first and last times a process is executed, the command-line arguments,
  and the parent process.
entities:
- dest
how_to_implement: You must be ingesting endpoint data that tracks process activity,
  including parent-child relationships from your endpoints, to populate the Processes
  node of the Endpoint data model. The command-line arguments are mapped to the "process"
  field in the Endpoint data model.
id: 1297fb80-f42a-4q4a-9c8b-78c061417cf6
investigations:
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd76
  name: Get Authentication Logs For Endpoint
  type: splunk
- id: fecf2918-670d-4f1c-872b-3d7317a41bf9
  name: Get Parent Process Info
  type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d55
  name: Get Risk Modifiers For User
  type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd71
  name: Get Process Info
  type: splunk
- id: 3d6c3213-5fff-4a1e-b57d-b24c262171e7
  name: Get Notable History
  type: splunk
- id: f3fb4d1b-5f33-4b01-b541-c7af9534c242
  name: Get Notable Info
  type: splunk
- id: fdcfb369-1725-4c24-824a-22972d7f0d65
  name: Get Risk Modifiers For Endpoint
  type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd74
  name: Get User Information from Identity Table
  type: splunk
- id: bc91a8cf-35e7-4bb2-8140-e756cc06fd22
  name: Investigate Web Activity From Host
  type: splunk
known_false_positives: While legitimate, these NirSoft tools are prone to abuse. You
  should verify that the tool was used for a legitimate purpose.
maintainers:
- company: Splunk
  email: bpatel@splunk.com
  name: Bhavin Patel
mappings:
  cis20:
  - CIS 3
  kill_chain_phases:
  - Installation
  - Actions on Objectives
  mitre_attack:
  - Discovery
  - Execution
  - Lateral Movement
  - Third-party Software
  - Account Discovery
  nist:
  - PR.IP
modification_date: '2018-12-03'
name: Detection of tools built by NirSoft
original_authors:
- company: Splunk
  email: bpatel@splunk.com
  name: Bhavin Patel
references: []
security_domain: endpoint
spec_version: 2
type: splunk
version: '2.0'
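Added example, not code from the security_content project: a small Python emulation of the search above (the `/stext` and `/scomma` wildcard filter, then the grouping by dest, parent process, process name and user with count, first time and last time) run over constructed process-creation events so the expected output can be checked offline. The sample events and tool names are constructed, field names follow the Endpoint.Processes data model, and case-insensitive wildcard matching is an assumption.

```python
import re
from collections import defaultdict

# Splunk wildcard patterns copied verbatim from the detection's where clause.
PATTERNS = ["* /stext *", "* /scomma *"]

# Constructed sample events (not real telemetry); _time is epoch seconds.
SAMPLE_EVENTS = [
    {"_time": 1544000000, "dest": "wks01", "user": "alice", "parent_process": "cmd.exe",
     "process_name": "passview.exe", "process": "passview.exe /stext out.txt"},
    {"_time": 1544000600, "dest": "wks01", "user": "alice", "parent_process": "cmd.exe",
     "process_name": "passview.exe", "process": "passview.exe /scomma out.csv"},
    # Benign: "stext" appears only inside a file name, not as a " /stext " switch.
    {"_time": 1544000300, "dest": "wks02", "user": "bob", "parent_process": "explorer.exe",
     "process_name": "notepad.exe", "process": "notepad.exe C:\\notes\\stext.txt"},
    # Switch with nothing after it: the pattern "* /stext *" needs a trailing space.
    {"_time": 1544000900, "dest": "wks02", "user": "bob", "parent_process": "powershell.exe",
     "process_name": "mailrecovery.exe", "process": "mailrecovery.exe /stext"},
]


def splunk_wildcard_to_regex(pattern):
    """Translate a Splunk wildcard string (only '*' is special) into an anchored regex.
    Case-insensitivity is an assumption made for this example."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)


_COMPILED = [splunk_wildcard_to_regex(p) for p in PATTERNS]


def matches(process):
    """True when the command line satisfies either where-clause pattern."""
    return any(rx.match(process) for rx in _COMPILED)


def run_detection(events):
    """Emulate the tstats aggregation: filter, then group by the 'by' fields and report
    count, firstTime (min _time), lastTime (max _time) and values(Processes.process)."""
    groups = defaultdict(list)
    for ev in events:
        if matches(ev["process"]):
            groups[(ev["dest"], ev["parent_process"], ev["process_name"], ev["user"])].append(ev)
    results = []
    for (dest, parent, name, user), evs in sorted(groups.items()):
        times = [e["_time"] for e in evs]
        results.append({"dest": dest, "parent_process": parent, "process_name": name,
                        "user": user, "count": len(evs), "firstTime": min(times),
                        "lastTime": max(times), "process": sorted({e["process"] for e in evs})})
    return results
```

Only the two wks01 events aggregate into a result; the fourth event shows that the pattern as written requires a space after the switch, which is worth keeping in mind when tuning the search for your environment.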