Add files via upload

detections/endpoint/windows_detect-network_scanner_behavior.yml

@@ -0,0 +1,65 @@
+name: Windows Detect Network Scanner Behavior
+id: 78e678d2-bf64-4fe6-aa52-2f7b11dddee7
+version: 1
+date: '2024-12-26'
+author: Steven Dick
+status: production
+type: Anomaly
+description: The following analytic detects when an application is used to connect a large number of unique ports/targets within a short time frame. Network enumeration may be used by adversaries as a method of discovery, lateral movement, or remote execution. This analytic may require significant tuning depending on the organization and applications being actively used, highly recommended to pre-populate the filter macro prior to activation.
+data_source: 
+- Sysmon EID 3
+search: '| tstats `security_content_summariesonly` count latest(All_Traffic.dest_port) as dest_port dc(All_Traffic.dest_port) as port_count dc(All_Traffic.dest) as dest_count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.process_id) as process_id from datamodel=Network_Traffic.All_Traffic where sourcetype=XmlWinEventLog All_Traffic.app = "*\\*" All_Traffic.dest_port < 32000 NOT All_Traffic.dest_port IN (8443,8080,5353,3268,443,389,88,80,53,25) by host,All_Traffic.app,All_Traffic.src,All_Traffic.src_ip,All_Traffic.user _time span=5m
+| `drop_dm_object_name(All_Traffic)`
+| rex field=app ".*\\\(?<process_name>.*)$"
+| where port_count > 10 OR dest_count > 10
+| stats latest(src) as src, latest(src_ip) as src_ip, max(dest_count) as dest_count, max(port_count) as port_count, latest(dest_port) as dest_port, min(firstTime) as firstTime, max(lastTime) as lastTime, max(count) as count by host,user,app,process_name
+| `security_content_ctime(firstTime)`
+| `security_content_ctime(lastTime)`
+| `windows_detect_network_scanner_behavior_filter`'
+how_to_implement: This detection relies on Sysmon EID3 events being ingested AND tagged into the networking datamodel.
+known_false_positives: Various, could be noisy depending on processes in the organization and sysmon configuration used. Adjusted port/dest count thresholds as needed.
+references:
+- https://attack.mitre.org/techniques/T1595
+tags:
+  asset_type: Endpoint
+  confidence: 50
+  impact: 50
+  message: A process exhibiting network scanning behavior [$process_name$] was detected on $src$
+  mitre_attack_id: 
+  - T1595
+  - T1595.001
+  - T1595.002
+  - T1423
+  observable: 
+  - name: src
+    type: system
+    role:
+    - Victim
+  - name: user
+    type: user
+    role:
+    - Victim
+  - name: process_name
+    type: process_name
+    role:
+    - Attacker
+  product: 
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields: 
+  - All_Traffic.dest_port
+  - host
+  - All_Traffic.app
+  - All_Traffic.src
+  - All_Traffic.src_ip
+  - All_Traffic.user 
+  - _time
+  risk_score: 25
+  security_domain: network
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1595/sysmon_scanning_events/sysmon_scanning_events.log
+    source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+    sourcetype: XmlWinEventLog