Detect Modify Registry with this “Free Splunk” Rule

Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. Access to specific areas of the Registry depends on account permissions, some requiring administrator-level…

Monitor and analyze logs from host-based detection mechanisms, such as Sysmon, for events such as process creations

Detect Indirect Command Execution With this Free Splunk Rule

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem…

Install Root Certificate With this Free Splunk Rule

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary-controlled web servers. Root certificates are used in public-key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in…
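The three techniques above (Modify Registry, Indirect Command Execution, Install Root Certificate) all surface in the same Sysmon telemetry a Splunk rule would search: EventCode 1 (process creation) and EventCode 13 (registry value set). The following is an added example, not code from the original posts or their Splunk rules: it runs one minimal detection per technique over constructed Sysmon-style events. All file paths, SIDs and the certificate thumbprint are made up for the example, the key and LOLBin lists are a deliberately small starting set, and the SPL fragments in the comments only sketch the equivalent search shape.

```python
"""Three Sysmon-based detections run over constructed events (added example)."""
import ntpath
import re

# Constructed Sysmon-style records: EventCode 1 = process creation,
# EventCode 13 = registry value set. Paths, SIDs and thumbprints are made up.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Image": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": r"pcalua.exe -a C:\Users\Public\update.exe"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\forfiles.exe",
     "CommandLine": r'forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c calc.exe"'},
    {"EventCode": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -addstore Root C:\Users\Public\ca.cer"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -hashfile C:\Users\Public\tool.exe SHA256"},  # benign
    {"EventCode": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\readme.txt"},  # benign
    {"EventCode": 13, "Image": r"C:\Users\Public\dropper.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\dropper.exe"},
    {"EventCode": 13, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates"
                     r"\0123456789ABCDEF0123456789ABCDEF01234567\Blob",
     "Details": "Binary Data"},
    {"EventCode": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},  # benign
]

# --- Modify Registry (T1112): value writes to autostart locations -------------
# SPL shape: index=sysmon EventCode=13 TargetObject IN ("*\\CurrentVersion\\Run\\*", ...)
AUTOSTART_KEYS = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce)\\|\\Winlogon\\(Shell|Userinit)$", re.I)

def detect_modify_registry(event):
    return event.get("EventCode") == 13 and bool(
        AUTOSTART_KEYS.search(event.get("TargetObject", "")))

# --- Indirect Command Execution (T1202): utilities that launch other programs -
# SPL shape: index=sysmon EventCode=1 Image IN ("*\\pcalua.exe", "*\\forfiles.exe", ...)
# Each launcher is paired with the switch that actually hands off execution.
INDIRECT_LAUNCHERS = {
    "pcalua.exe": re.compile(r"\s-a\s", re.I),        # Program Compatibility Assistant "-a <target>"
    "forfiles.exe": re.compile(r"\s/c\s", re.I),      # "/c <command>" runs per matched file
    "bash.exe": re.compile(r"\s-c\s", re.I),          # WSL shell one-liner
    "wsl.exe": re.compile(r"\s(-e|--exec)\s", re.I),  # WSL direct exec
}

def detect_indirect_command_execution(event):
    if event.get("EventCode") != 1:
        return False
    image = ntpath.basename(event.get("Image", "")).lower()
    pattern = INDIRECT_LAUNCHERS.get(image)
    return pattern is not None and bool(pattern.search(event.get("CommandLine", "")))

# --- Install Root Certificate (T1553.004) ------------------------------------
# Catch either the command that adds to the Root store (certutil / PowerShell)
# or the resulting registry write: the new Blob value under SystemCertificates\Root.
ROOT_STORE_CMD = re.compile(
    r"-addstore\s+(-f\s+)?root\b|Cert:\\LocalMachine\\Root", re.I)
ROOT_STORE_KEY = re.compile(
    r"\\SystemCertificates\\Root\\Certificates\\[0-9A-F]{40}\\Blob$", re.I)

def detect_install_root_certificate(event):
    code = event.get("EventCode")
    if code == 1:
        return bool(ROOT_STORE_CMD.search(event.get("CommandLine", "")))
    if code == 13:
        return bool(ROOT_STORE_KEY.search(event.get("TargetObject", "")))
    return False

RULES = {
    "T1112 Modify Registry": detect_modify_registry,
    "T1202 Indirect Command Execution": detect_indirect_command_execution,
    "T1553.004 Install Root Certificate": detect_install_root_certificate,
}

def run_rules(events):
    """Return (rule_name, event) for every rule that fires on every event."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]

def hits_by_rule(events):
    """Alert count per rule, the shape a Splunk `stats count by rule` would give."""
    counts = {name: 0 for name in RULES}
    for name, _ in run_rules(events):
        counts[name] += 1
    return counts

if __name__ == "__main__":
    for name, ev in run_rules(SAMPLE_EVENTS):
        print(f"[{name}] EventCode={ev['EventCode']} "
              f"{ev.get('CommandLine') or ev.get('TargetObject')}")
```

Note that the root-certificate rule pairs the process event with the registry event on purpose: an installer that writes the Blob value directly, without certutil, still trips the EventCode 13 branch, and a benign `certutil -hashfile` does not fire. Translating any of these to a real Splunk search means replacing the regexes with field matches and tuning the key and launcher lists against the environment's baseline.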