From d4a2b3eaee5ebc9faf03c99c266ebab516ec7216 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Fri, 27 Dec 2024 08:16:02 -0500 Subject: [PATCH 01/10] Add files via upload --- ...s_with_netexec_command_line_parameters.yml | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 detections/endpoint/windows_process_with_netexec_command_line_parameters.yml diff --git a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml new file mode 100644 index 0000000000..18c798ca47 --- /dev/null +++ b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml 
@@ -0,0 +1,68 @@ +name: Windows Process With NetExec Command Line Parameters +id: adbff89c-c1f2-4a2e-88a4-b5e645856510 +version: 1 +date: '2024-12-19' +author: nobody +status: production +type: TTP +description: The following analytic detects the use of NetExec (formally CrackmapExec) through command line parameters. This is a toolset for post-exploitation enumeration and attack within Active Directory environments. It leverages Endpoint Detection and Response (EDR) data to identify specific command-line arguments associated with actions like ticket manipulation, kerberoasting, and password spraying. This activity is significant as NetExec is used by adversaries to exploit Kerberos for privilege escalation and lateral movement. If confirmed malicious, this could lead to unauthorized access, persistence, and potential compromise of sensitive information within the network. +data_source: +- Windows Security EID 4688 +- Sysmon EID 1 +search: '| tstats `security_content_summariesonly` values(Processes.parent_process) as Processes.parent_process, values(Processes.process) as Processes.process values(Processes.process_current_directory) AS process_current_directory, values(Processes.process_id) as Processes.process_id, values(Processes.process_guid) as Processes.process_guid, count min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.process IN ("* smb *","* ssh *","* ldap *","* ftp *","* wmi *","* winrm *","* rdp *","* vnc *","* mssql *","* nfs *") AND Processes.process IN ("* -p *","* -u *","* -x *","* --*") BY _time span=1h Processes.user Processes.dest Processes.process_name Processes.parent_process_name +|`drop_dm_object_name(Processes)` +| `security_content_ctime(firstTime)` +| `security_content_ctime(lastTime)` +| `windows_process_with_netexec_command_line_parameters_filter`' +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Although unlikely, legitimate applications may use the same command line parameters as Rubeus. Filter as needed. +references: +- https://www.netexec.wiki/ +- https://www.johnvictorwolfe.com/2024/07/21/the-successor-to-crackmapexec/ +- https://attack.mitre.org/software/S0488/ +tags: + analytic_story: + - Active Directory Kerberos Attacks + - Active Directory Privilege Escalation + asset_type: Endpoint + confidence: 100 + impact: 80 + message: NetExec command line parameters were used on $dest$ by $user$ + mitre_attack_id: + - T1550 + - T1550.003 + - T1558 + - T1558.003 + - T1558.004 + observable: + - name: user + type: user + role: + - Victim + - name: dest + type: system + role: + - Victim + - name: parent_process_name + type: process + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - _time + - Processes.process + - Processes.user + - Processes.dest + - Processes.process_name + - Processes.parent_process_name + risk_score: 80 + security_domain: endpoint +tests: +- name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/netexec_toolkit_usage/netexec_toolkit_usage.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog \ No newline at end of file 
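Review bot: the `where` clause is far looser than the `description` promises, and `known_false_positives` names Rubeus instead of NetExec. The search fires on any command line that contains one of the protocol words (`* smb *`, `* ssh *`, `* ldap *`, `* ftp *`, `* rdp *`, ...) together with `-p`, `-u`, `-x` or any `--` long option, so a legitimate client invoked with `-p <port>` or `--help` satisfies it; nothing in the query keys on ticket manipulation, kerberoasting or password spraying, which the description says it identifies. Either narrow `Processes.process IN ("* -p *","* -u *","* -x *","* --*")` to the argument combinations NetExec actually uses, or reword the description to say the analytic matches generic NetExec protocol and argument usage. `confidence: 100` is also hard to square with a false-positive note admitting legitimate applications may use the same parameters. Minor: `formally CrackmapExec` should read `formerly`, `author: nobody` is a placeholder, `values(Processes.process_current_directory) AS process_current_directory` drops the `Processes.` prefix the other aggregations keep, and the file lacks a trailing newline.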
From a53cfeb9557d1a761f703588225aaccddbcfe66e Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Mon, 30 Dec 2024 16:41:28 -0500 Subject: [PATCH 02/10] Update detections/endpoint/windows_process_with_netexec_command_line_parameters.yml Update detection description with recommendation Co-authored-by: Nasreddine Bencherchali --- .../windows_process_with_netexec_command_line_parameters.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml index 18c798ca47..5b49a59189 100644 --- a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml +++ b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml 
@@ -5,7 +5,7 @@ date: '2024-12-19' author: nobody status: production type: TTP -description: The following analytic detects the use of NetExec (formally CrackmapExec) through command line parameters. This is a toolset for post-exploitation enumeration and attack within Active Directory environments. It leverages Endpoint Detection and Response (EDR) data to identify specific command-line arguments associated with actions like ticket manipulation, kerberoasting, and password spraying. This activity is significant as NetExec is used by adversaries to exploit Kerberos for privilege escalation and lateral movement. If confirmed malicious, this could lead to unauthorized access, persistence, and potential compromise of sensitive information within the network. +description: The following analytic detects the use of NetExec (formally CrackmapExec) a toolset used for post-exploitation enumeration and attack within Active Directory environments through command line parameters. It leverages Endpoint Detection and Response (EDR) data to identify specific command-line arguments associated with actions like ticket manipulation, kerberoasting, and password spraying. This activity is significant as NetExec is used by adversaries to exploit Kerberos for privilege escalation and lateral movement. If confirmed malicious, this could lead to unauthorized access, persistence, and potential compromise of sensitive information within the network. data_source: - Windows Security EID 4688 - Sysmon EID 1 From 2fcd0ecef13d5d3c29527970edc9e9c5f5099f26 Mon Sep 17 00:00:00 2001 
From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Mon, 30 Dec 2024 16:55:10 -0500 Subject: [PATCH 03/10] Update windows_process_with_netexec_command_line_parameters.yml Update detection logic to include "nxc.exe" for process_name or original_file_name as detection points as requested. Reduce confidence as requested. --- ...ndows_process_with_netexec_command_line_parameters.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml index 5b49a59189..c803a4e492 100644 --- a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml +++ b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml 
@@ -9,7 +9,7 @@ description: The following analytic detects the use of NetExec (formally Crackma data_source: - Windows Security EID 4688 - Sysmon EID 1 -search: '| tstats `security_content_summariesonly` values(Processes.parent_process) as Processes.parent_process, values(Processes.process) as Processes.process values(Processes.process_current_directory) AS process_current_directory, values(Processes.process_id) as Processes.process_id, values(Processes.process_guid) as Processes.process_guid, count min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.process IN ("* smb *","* ssh *","* ldap *","* ftp *","* wmi *","* winrm *","* rdp *","* vnc *","* mssql *","* nfs *") AND Processes.process IN ("* -p *","* -u *","* -x *","* --*") BY _time span=1h Processes.user Processes.dest Processes.process_name Processes.parent_process_name +search: '| tstats `security_content_summariesonly` values(Processes.parent_process) as Processes.parent_process, values(Processes.process) as Processes.process values(Processes.process_current_directory) AS process_current_directory, values(Processes.process_id) as Processes.process_id, values(Processes.process_guid) as Processes.process_guid, count min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.process_name IN ("nxc.exe") OR Processes.original_file_name IN ("nxc.exe") OR (Processes.process IN ("* smb *","* ssh *","* ldap *","* ftp *","* wmi *","* winrm *","* rdp *","* vnc *","* mssql *","* nfs *") AND Processes.process IN ("* -p *","* -u *","* -x *","* -M *","* --*")) BY _time span=1h Processes.user Processes.dest Processes.process_name Processes.parent_process_name |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
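Review bot: the new `Processes.process_name IN ("nxc.exe") OR Processes.original_file_name IN ("nxc.exe")` branch is the high-fidelity half of this rule, but because it is OR-ed with the unchanged argument branch, the rule's noise level is set by the weaker half: a renamed binary falls straight through to the argument matching, which still contains the catch-all `"* --*"` term, and adding `"* -M *"` widens rather than tightens it. Consider dropping the bare `--*` wildcard here, and make `known_false_positives` say which branch the expected false positives come from so tuning is directed at the argument matching and not at the file-name match.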
@@ -25,7 +25,7 @@ tags: - Active Directory Kerberos Attacks - Active Directory Privilege Escalation asset_type: Endpoint - confidence: 100 + confidence: 80 impact: 80 message: NetExec command line parameters were used on $dest$ by $user$ mitre_attack_id: @@ -58,11 +58,11 @@ tags: - Processes.dest - Processes.process_name - Processes.parent_process_name - risk_score: 80 + risk_score: 64 security_domain: endpoint tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/netexec_toolkit_usage/netexec_toolkit_usage.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational - sourcetype: XmlWinEventLog \ No newline at end of file + sourcetype: XmlWinEventLog From 771f42392fe5ac3ce141ac2958de2844f9c0530d Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 31 Dec 2024 08:51:56 -0500 Subject: [PATCH 04/10] Update windows_process_with_netexec_command_line_parameters.yml --- .../windows_process_with_netexec_command_line_parameters.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml index c803a4e492..d2a8f9730a 100644 --- a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml +++ b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml 
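Review bot: in the `@@ -58,11 +58,11 @@` hunk, `required_fields` still lists only `Processes.process`, `Processes.user`, `Processes.dest`, `Processes.process_name` and `Processes.parent_process_name`, although the updated search now filters on `Processes.original_file_name` and aggregates `Processes.parent_process`, `Processes.process_id`, `Processes.process_guid` and `Processes.process_current_directory`; add at least `Processes.original_file_name` so the dependency is declared. `risk_score: 64` is consistent with `confidence: 80` and `impact: 80`, and fixing the missing trailing newline is welcome.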
@@ -15,7 +15,7 @@ search: '| tstats `security_content_summariesonly` values(Processes.parent_proc | `security_content_ctime(lastTime)` | `windows_process_with_netexec_command_line_parameters_filter`' how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: Although unlikely, legitimate applications may use the same command line parameters as Rubeus. Filter as needed. +known_false_positives: Although unlikely, legitimate applications may use the same command line parameters as NetExec. Filter as needed. references: - https://www.netexec.wiki/ - https://www.johnvictorwolfe.com/2024/07/21/the-successor-to-crackmapexec/ From 6e06a19329d819475411fcdbbc35b995f32930e8 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 31 Dec 2024 08:58:52 -0500 Subject: [PATCH 05/10] Update windows_process_with_netexec_command_line_parameters.yml --- .../windows_process_with_netexec_command_line_parameters.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml index d2a8f9730a..ae218f6e15 100644 --- a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml 
+++ b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml 
@@ -9,7 +9,7 @@ description: The following analytic detects the use of NetExec (formally Crackma data_source: - Windows Security EID 4688 - Sysmon EID 1 -search: '| tstats `security_content_summariesonly` values(Processes.parent_process) as Processes.parent_process, values(Processes.process) as Processes.process values(Processes.process_current_directory) AS process_current_directory, values(Processes.process_id) as Processes.process_id, values(Processes.process_guid) as Processes.process_guid, count min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.process_name IN ("nxc.exe") OR Processes.original_file_name IN ("nxc.exe") OR (Processes.process IN ("* smb *","* ssh *","* ldap *","* ftp *","* wmi *","* winrm *","* rdp *","* vnc *","* mssql *","* nfs *") AND Processes.process IN ("* -p *","* -u *","* -x *","* -M *","* --*")) BY _time span=1h Processes.user Processes.dest Processes.process_name Processes.parent_process_name +search: '| tstats `security_content_summariesonly` values(Processes.parent_process) as Processes.parent_process, values(Processes.process) as Processes.process values(Processes.process_current_directory) AS process_current_directory, values(Processes.process_id) as Processes.process_id, values(Processes.process_guid) as Processes.process_guid, count min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.process_name IN ("nxc.exe") OR Processes.original_file_name IN ("nxc.exe") OR (Processes.process IN ("* smb *","* ssh *","* ldap *","* ftp *","* wmi *","* winrm *","* rdp *","* vnc *","* mssql *","* nfs *") AND ((Processes.process = "* -p *" AND Processes.process = "* -u *") OR Processes.process IN ("* -x *","* -M *","* --*"))) BY _time span=1h Processes.user Processes.dest Processes.process_name Processes.parent_process_name |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
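Review bot: requiring `-p` and `-u` together (`(Processes.process = "* -p *" AND Processes.process = "* -u *")`) is a real tightening, but it is undercut by the remaining alternative `Processes.process IN ("* -x *","* -M *","* --*")`: any command line containing one of the protocol words plus any double-dash option still matches on its own, so the `-p`/`-u` pairing only narrows one of three paths. Replace `"* --*"` with the specific NetExec long options this analytic is meant to cover, or remove it, and treat `-x` and `-M` the same way if they are intended to qualify the protocol-word match rather than stand alone.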
From c1d7d2cc75c77f309772695d35c3c9c4f27dfb97 Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Mon, 6 Jan 2025 11:01:24 -0500 Subject: [PATCH 06/10] Update windows_process_with_netexec_command_line_parameters.yml --- ...ndows_process_with_netexec_command_line_parameters.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml index ae218f6e15..bb962793d6 100644 --- a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml +++ b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml 
@@ -7,8 +7,8 @@ status: production type: TTP description: The following analytic detects the use of NetExec (formally CrackmapExec) a toolset used for post-exploitation enumeration and attack within Active Directory environments through command line parameters. It leverages Endpoint Detection and Response (EDR) data to identify specific command-line arguments associated with actions like ticket manipulation, kerberoasting, and password spraying. This activity is significant as NetExec is used by adversaries to exploit Kerberos for privilege escalation and lateral movement. If confirmed malicious, this could lead to unauthorized access, persistence, and potential compromise of sensitive information within the network. data_source: -- Windows Security EID 4688 -- Sysmon EID 1 +- Windows Security Event ID 4688 +- Sysmon Event ID 1 search: '| tstats `security_content_summariesonly` values(Processes.parent_process) as Processes.parent_process, values(Processes.process) as Processes.process values(Processes.process_current_directory) AS process_current_directory, values(Processes.process_id) as Processes.process_id, values(Processes.process_guid) as Processes.process_guid, count min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.process_name IN ("nxc.exe") OR Processes.original_file_name IN ("nxc.exe") OR (Processes.process IN ("* smb *","* ssh *","* ldap *","* ftp *","* wmi *","* winrm *","* rdp *","* vnc *","* mssql *","* nfs *") AND ((Processes.process = "* -p *" AND Processes.process = "* -u *") OR Processes.process IN ("* -x *","* -M *","* --*"))) BY _time span=1h Processes.user Processes.dest Processes.process_name Processes.parent_process_name |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` @@ -36,11 +36,11 @@ tags: - T1558.004 observable: - name: user - type: user + type: User role: - Victim - name: dest - type: system + type: Hostname role: - Victim - name: parent_process_name 
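Review bot: the `description` context line in the `@@ -7,8 +7,8 @@` hunk still reads `NetExec (formally CrackmapExec) a toolset used for post-exploitation enumeration and attack within Active Directory environments through command line parameters`, which is both a spelling slip (`formerly`) and a dangling phrase; since this hunk already touches the adjacent `data_source` lines, fold in the fix: add a comma after the parenthesis and move `through command line parameters` back next to `detects the use of`. The `Event ID` renames themselves are fine.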
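Review bot: in the `@@ -36,11 +36,11 @@` hunk the observable types for `user` and `dest` are changed to `User` and `Hostname`, but the `parent_process_name` observable a few lines below keeps `type: process`; update it to `Process` in the same commit so the three entries follow one casing convention instead of leaving it for a follow-up.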
From 35368173c0fa10c398881f87513ea5d5b5e73a38 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 6 Jan 2025 14:41:11 -0800 Subject: [PATCH 07/10] observable type --- .../windows_process_with_netexec_command_line_parameters.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml index bb962793d6..5e2a8680f1 100644 --- a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml +++ b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml @@ -44,7 +44,7 @@ tags: role: - Victim - name: parent_process_name - type: process + type: Process role: - Attacker product: From 263db169600b80ebc04f696c1609b89422d93ca4 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Mon, 6 Jan 2025 14:42:03 -0800 Subject: [PATCH 08/10] author update --- .../windows_process_with_netexec_command_line_parameters.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml index 5e2a8680f1..5b7ee6db5d 100644 --- a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml +++ b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml 
@@ -2,7 +2,7 @@ name: Windows Process With NetExec Command Line Parameters id: adbff89c-c1f2-4a2e-88a4-b5e645856510 version: 1 date: '2024-12-19' -author: nobody +author: Steven Dick, Github Community status: production type: TTP description: The following analytic detects the use of NetExec (formally CrackmapExec) a toolset used for post-exploitation enumeration and attack within Active Directory environments through command line parameters. It leverages Endpoint Detection and Response (EDR) data to identify specific command-line arguments associated with actions like ticket manipulation, kerberoasting, and password spraying. This activity is significant as NetExec is used by adversaries to exploit Kerberos for privilege escalation and lateral movement. If confirmed malicious, this could lead to unauthorized access, persistence, and potential compromise of sensitive information within the network. From 662b542299f9fc24e6f36995d4a1b6abe4fdb992 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali Date: Tue, 7 Jan 2025 17:44:25 +0100 Subject: [PATCH 09/10] Apply suggestions from code review --- .../windows_process_with_netexec_command_line_parameters.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml index 5b7ee6db5d..0154465d51 100644 --- a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml +++ b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml 
@@ -9,6 +9,7 @@ description: The following analytic detects the use of NetExec (formally Crackma data_source: - Windows Security Event ID 4688 - Sysmon Event ID 1 +- CrowdStrike ProcessRollup2 search: '| tstats `security_content_summariesonly` values(Processes.parent_process) as Processes.parent_process, values(Processes.process) as Processes.process values(Processes.process_current_directory) AS process_current_directory, values(Processes.process_id) as Processes.process_id, values(Processes.process_guid) as Processes.process_guid, count min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.process_name IN ("nxc.exe") OR Processes.original_file_name IN ("nxc.exe") OR (Processes.process IN ("* smb *","* ssh *","* ldap *","* ftp *","* wmi *","* winrm *","* rdp *","* vnc *","* mssql *","* nfs *") AND ((Processes.process = "* -p *" AND Processes.process = "* -u *") OR Processes.process IN ("* -x *","* -M *","* --*"))) BY _time span=1h Processes.user Processes.dest Processes.process_name Processes.parent_process_name |`drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` From 50fd37accd1cfff791bfdccc5d3bc9edf378085c Mon Sep 17 00:00:00 2001 From: Steven Dick <38897662+nterl0k@users.noreply.github.com> Date: Tue, 7 Jan 2025 15:49:16 -0500 Subject: [PATCH 10/10] Update windows_process_with_netexec_command_line_parameters.yml Adding drilldowns --- ...process_with_netexec_command_line_parameters.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml index 0154465d51..b59ae667e6 100644 --- a/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml +++ b/detections/endpoint/windows_process_with_netexec_command_line_parameters.yml 
@@ -21,6 +21,19 @@ references: - https://www.netexec.wiki/ - https://www.johnvictorwolfe.com/2024/07/21/the-successor-to-crackmapexec/ - https://attack.mitre.org/software/S0488/ +drilldown_searches: +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$","$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +- name: Investigate processes on $dest$ + search: '| from datamodel:Endpoint.Processes | search dest=$dest$ process_name = $process_name$' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ tags: analytic_story: - Active Directory Kerberos Attacks
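Review bot: the third drilldown, `search dest=$dest$ process_name = $process_name$`, leaves both token values unquoted, unlike the first drilldown's `dest = "$dest$" user = "$user$"`; a hostname or process name containing a space or other special character would break the generated search. Quote both tokens for consistency: `search dest="$dest$" process_name="$process_name$"`. The `process_name` token is safe to use here because `Processes.process_name` is in the tstats `BY` clause and survives `drop_dm_object_name(Processes)`.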