investigate_pass_the_ticket_attempts.yml
name: Investigate Pass the Ticket Attempts
id: 990007ad-d798-4b29-ab2f-f0034144c937
version: 1
date: '2019-12-10'
author: Patrick Bareiss, Splunk
type: Investigation
datamodel: []
description: This search hunts for Kerberos tickets dumped from LSASS memory.
search: '`wineventlog_security` EventCode=4768 OR EventCode=4769 | rex field=user
  "(?<new_user>[^\@]+)" | stats count BY new_user, dest, EventCode | stats max(count)
  AS max_count sum(count) AS sum_count BY new_user, dest | search dest=$dest$ | where
  sum_count/max_count!=2 | rename new_user AS user'
how_to_implement: To successfully implement this search you need to be ingesting Windows
  Security logs. This search uses an input macro named `wineventlog_security`. We
  strongly recommend that you specify your environment-specific configurations (index,
  source, sourcetype, etc.) for Windows Security logs. Replace the macro definition
  with configurations for your Splunk environment. The search also uses a post-filter
  macro designed to filter out known false positives.
known_false_positives: ''
references: []
tags:
  analytic_story:
  - Credential Dumping
  product:
  - Splunk Phantom
  required_fields:
  - _time
  - EventCode
  - user
  - dest
  security_domain: endpoint
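The following is an added example and not code from the security_content project: a Python re-implementation of the search's pipeline (rex on `user`, count by user/dest/EventCode, then the `sum_count/max_count != 2` test, with an optional `dest` filter standing in for the `$dest$` token) over a small set of constructed sample events. It makes explicit what the ratio test flags: a user/host pair whose 4768 (TGT request) and 4769 (service ticket request) counts are unequal, including the case where 4769 events appear with no 4768 at all. The event dictionaries and hostnames are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events (not real log data). Field names mirror the ones the
# search uses: EventCode, user, dest.
SAMPLE_EVENTS = [
    # alice: two TGT requests and two service ticket requests -> ratio 2, not flagged
    {"EventCode": 4768, "user": "alice@CORP.LOCAL", "dest": "dc01"},
    {"EventCode": 4769, "user": "alice@CORP.LOCAL", "dest": "dc01"},
    {"EventCode": 4768, "user": "alice@CORP.LOCAL", "dest": "dc01"},
    {"EventCode": 4769, "user": "alice@CORP.LOCAL", "dest": "dc01"},
    # bob: three service ticket requests (4769) with no TGT request (4768) -> ratio 1
    {"EventCode": 4769, "user": "bob@CORP.LOCAL", "dest": "dc01"},
    {"EventCode": 4769, "user": "bob@CORP.LOCAL", "dest": "dc01"},
    {"EventCode": 4769, "user": "bob@CORP.LOCAL", "dest": "dc01"},
    # carol: counts present for both codes but unequal (1 x 4768, 3 x 4769) -> ratio 4/3
    {"EventCode": 4768, "user": "carol@CORP.LOCAL", "dest": "dc02"},
    {"EventCode": 4769, "user": "carol@CORP.LOCAL", "dest": "dc02"},
    {"EventCode": 4769, "user": "carol@CORP.LOCAL", "dest": "dc02"},
    {"EventCode": 4769, "user": "carol@CORP.LOCAL", "dest": "dc02"},
    # an unrelated event code, dropped by the EventCode filter
    {"EventCode": 4624, "user": "bob@CORP.LOCAL", "dest": "dc01"},
]

# Same pattern as the SPL `rex field=user "(?<new_user>[^\@]+)"`: everything before '@'.
USER_RE = re.compile(r"(?P<new_user>[^@]+)")


def investigate_pass_the_ticket(events, dest=None):
    """Return the rows the search would emit: one dict per (user, dest) pair
    whose sum_count/max_count over EventCodes 4768 and 4769 is not 2.
    `dest` optionally restricts output to one host, like `search dest=$dest$`."""
    # stats count BY new_user, dest, EventCode
    counts = defaultdict(int)
    for ev in events:
        if ev["EventCode"] not in (4768, 4769):
            continue
        m = USER_RE.match(ev["user"])
        if not m:
            continue
        counts[(m.group("new_user"), ev["dest"], ev["EventCode"])] += 1

    # stats max(count) AS max_count sum(count) AS sum_count BY new_user, dest
    per_pair = defaultdict(list)
    for (user, host, _code), c in counts.items():
        per_pair[(user, host)].append(c)

    results = []
    for (user, host), cs in sorted(per_pair.items()):
        if dest is not None and host != dest:
            continue
        max_count, sum_count = max(cs), sum(cs)
        # where sum_count/max_count != 2: equal counts for both codes give exactly 2
        if sum_count / max_count != 2:
            results.append({"user": user, "dest": host,
                            "max_count": max_count, "sum_count": sum_count})
    return results


if __name__ == "__main__":
    for row in investigate_pass_the_ticket(SAMPLE_EVENTS):
        print(row)
```

Running it lists bob (4769 with no 4768) and carol (unequal counts) and leaves alice out; passing `dest="dc01"` narrows the output to bob. Note that the test is a count comparison, not a sequence check: it fires on any imbalance between the two event codes for a user/host pair, so bulk service ticket activity from a legitimate account can also trip it, which is why the search is typed as an investigation rather than an alerting detection.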