Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Nterl0k - T1550 - NetExec Usage Detection #3255

Open
wants to merge 11 commits into
base: develop
Choose a base branch
from
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
name: Windows Process With NetExec Command Line Parameters
id: adbff89c-c1f2-4a2e-88a4-b5e645856510
version: 1
date: '2024-12-19'
author: nobody
status: production
type: TTP
description: The following analytic detects the use of NetExec (formally CrackmapExec) through command line parameters. This is a toolset for post-exploitation enumeration and attack within Active Directory environments. It leverages Endpoint Detection and Response (EDR) data to identify specific command-line arguments associated with actions like ticket manipulation, kerberoasting, and password spraying. This activity is significant as NetExec is used by adversaries to exploit Kerberos for privilege escalation and lateral movement. If confirmed malicious, this could lead to unauthorized access, persistence, and potential compromise of sensitive information within the network.
nterl0k marked this conversation as resolved.
Show resolved Hide resolved
data_source:
- Windows Security EID 4688
- Sysmon EID 1
search: '| tstats `security_content_summariesonly` values(Processes.parent_process) as Processes.parent_process, values(Processes.process) as Processes.process values(Processes.process_current_directory) AS process_current_directory, values(Processes.process_id) as Processes.process_id, values(Processes.process_guid) as Processes.process_guid, count min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes where Processes.process IN ("* smb *","* ssh *","* ldap *","* ftp *","* wmi *","* winrm *","* rdp *","* vnc *","* mssql *","* nfs *") AND Processes.process IN ("* -p *","* -u *","* -x *","* --*") BY _time span=1h Processes.user Processes.dest Processes.process_name Processes.parent_process_name
|`drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_process_with_netexec_command_line_parameters_filter`'
nterl0k marked this conversation as resolved.
Show resolved Hide resolved
how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
known_false_positives: Although unlikely, legitimate applications may use the same command line parameters as Rubeus. Filter as needed.
references:
- https://www.netexec.wiki/
- https://www.johnvictorwolfe.com/2024/07/21/the-successor-to-crackmapexec/
- https://attack.mitre.org/software/S0488/
tags:
analytic_story:
- Active Directory Kerberos Attacks
- Active Directory Privilege Escalation
asset_type: Endpoint
confidence: 100
nterl0k marked this conversation as resolved.
Show resolved Hide resolved
impact: 80
message: NetExec command line parameters were used on $dest$ by $user$
mitre_attack_id:
- T1550
- T1550.003
- T1558
- T1558.003
- T1558.004
observable:
- name: user
type: user
role:
- Victim
- name: dest
type: system
role:
- Victim
- name: parent_process_name
type: process
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Processes.process
- Processes.user
- Processes.dest
- Processes.process_name
- Processes.parent_process_name
risk_score: 80
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1550/netexec_toolkit_usage/netexec_toolkit_usage.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: XmlWinEventLog
Loading