Detect Modify Registry with this “Free Splunk” Rule

Detect Modify Registry with this “Free Splunk” Rule Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. Access to specific areas of the Registry depends on account permissions, some requiring administrator-level…

Monitor and analyze logs from host-based detection mechanisms, such as Sysmon, for events such as process creations.

Detect Indirect Command Execution With this Free Splunk Rule

Detect Indirect Command Execution With this Free Splunk Rule Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem…

Install Root Certificate With this Free Splunk Rule


Install Root Certificate With this Free Splunk Rule Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary-controlled web servers. Root certificates are used in public-key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in…

Detect Indicator Removal on Host

Detect Indicator Removal on Host Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and formats of logs are platform- or product-specific; however, standard operating system logs are captured as Windows events or as Linux/macOS files such as Bash history and /var/log/*. These actions may…


Detect Deobfuscate/Decode Files or Information with this free Splunk Detection Rule

Detect Deobfuscate/Decode Files or Information Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information, depending on how they intend to use it. Methods for doing that include built-in functionality of malware, Scripting, PowerShell, or the use of utilities…