
MITRE ATT&CK

Stephanie Abeyie

Maryville University

ISYS 680: SECURITY LOG MANAGEMENT & ANALYSIS

Prof Randall Magiera

October 15, 2023



T1046 - Network Service Scanning

Description

Network Service Scanning (T1046) is a discovery phase of the attack lifecycle in which threat actors actively probe remote systems to identify and catalogue the services running on them. Adversaries map the target network's architecture by probing for open ports and the services listening on them (Strom et al., 2018). The knowledge gathered this way forms the basis for further attacks, from exploiting known vulnerabilities to locating weak points for lateral movement.

The challenge in network security is to identify and counter these probing operations promptly. Splunk, a security information and event management (SIEM) platform, is useful here: security analysts can write queries in Splunk that examine firewall data and network traffic logs for signs of scanning.

A well-constructed Splunk query aggregates connection attempts, examines source and destination IP addresses, and applies statistics to identify patterns indicative of scanning behaviour (Xiong et al., 2022). For instance, the query may flag cases where the number of connection attempts from a single source IP to many distinct destination IPs exceeds a set threshold within a given period. The threshold should be tuned to the organization's normal network behaviour to keep false positives down.



The search below counts distinct destinations per source over the last 15 minutes; the window and the threshold of 50 are example values to be tuned to the environment:

index=network_logs sourcetype=firewall earliest=-15m
| stats dc(dest_ip) AS dest_count, count AS attempts by src_ip
| where dest_count > 50
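As an added example (not code from the paper or from Splunk), the same aggregation written in Python so it can be run offline over constructed firewall lines. It goes one step beyond the search above by also counting distinct ports per source, so a vertical scan of many ports on one host is caught as well as a sweep across hosts. The log format, the field names (src_ip, dest_ip, dest_port), the five-minute window and the threshold are all assumptions.

```python
"""Detection of network service scanning (T1046) over firewall logs, done in
plain Python so the aggregation the Splunk search performs can be run and
checked offline. Added example, not the paper's or Splunk's code; the log
format, field names, window and threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall lines (key=value, one connection attempt each).
# 10.0.0.5 sweeps five hosts on port 22, 10.0.0.9 probes five ports on one host,
# 10.0.0.7 is a busy but legitimate client reusing a single service.
SAMPLE_LOGS = """\
2023-10-15T09:00:01Z src_ip=10.0.0.5 dest_ip=10.0.1.10 dest_port=22 action=deny
2023-10-15T09:00:02Z src_ip=10.0.0.5 dest_ip=10.0.1.11 dest_port=22 action=deny
2023-10-15T09:00:03Z src_ip=10.0.0.5 dest_ip=10.0.1.12 dest_port=22 action=deny
2023-10-15T09:00:04Z src_ip=10.0.0.5 dest_ip=10.0.1.13 dest_port=22 action=deny
2023-10-15T09:00:05Z src_ip=10.0.0.5 dest_ip=10.0.1.14 dest_port=22 action=allow
2023-10-15T09:00:10Z src_ip=10.0.0.7 dest_ip=10.0.1.10 dest_port=443 action=allow
2023-10-15T09:00:11Z src_ip=10.0.0.7 dest_ip=10.0.1.10 dest_port=443 action=allow
2023-10-15T09:00:12Z src_ip=10.0.0.7 dest_ip=10.0.1.10 dest_port=443 action=allow
2023-10-15T09:00:13Z src_ip=10.0.0.7 dest_ip=10.0.1.10 dest_port=443 action=allow
2023-10-15T09:00:14Z src_ip=10.0.0.7 dest_ip=10.0.1.10 dest_port=443 action=allow
2023-10-15T09:20:00Z src_ip=10.0.0.9 dest_ip=10.0.1.10 dest_port=21 action=deny
2023-10-15T09:20:01Z src_ip=10.0.0.9 dest_ip=10.0.1.10 dest_port=22 action=deny
2023-10-15T09:20:02Z src_ip=10.0.0.9 dest_ip=10.0.1.10 dest_port=23 action=deny
2023-10-15T09:20:03Z src_ip=10.0.0.9 dest_ip=10.0.1.10 dest_port=25 action=deny
2023-10-15T09:20:04Z src_ip=10.0.0.9 dest_ip=10.0.1.10 dest_port=80 action=allow
"""


def parse_line(line):
    """Turn one 'timestamp k=v k=v ...' line into a dict with a datetime _time."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["_time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def time_bucket(t, span):
    """Floor a timestamp to the start of its window (what `bin _time span=5m` does)."""
    epoch = datetime(1970, 1, 1)
    secs = int((t - epoch).total_seconds())
    step = int(span.total_seconds())
    return epoch + timedelta(seconds=secs - secs % step)


def detect_scanners(records, span=timedelta(minutes=5), threshold=3):
    """Equivalent of:
         | bin _time span=5m
         | stats dc(dest_ip) AS dest_count, dc(dest_port) AS port_count,
                 count AS attempts by src_ip, _time
         | where dest_count > threshold OR port_count > threshold
    Counting distinct destinations rather than raw attempts is what separates a
    scanner from a chatty client: 10.0.0.7 makes as many attempts as the
    scanners but always to the same service."""
    dests, ports, attempts = defaultdict(set), defaultdict(set), defaultdict(int)
    for r in records:
        key = (r["src_ip"], time_bucket(r["_time"], span))
        dests[key].add(r["dest_ip"])
        ports[key].add(r["dest_port"])
        attempts[key] += 1
    alerts = []
    for key in sorted(dests):
        src, window = key
        dest_count, port_count = len(dests[key]), len(ports[key])
        if dest_count > threshold or port_count > threshold:
            alerts.append({
                "src_ip": src,
                "window_start": window.isoformat(),
                "dest_count": dest_count,
                "port_count": port_count,
                "attempts": attempts[key],
                "kind": "host sweep" if dest_count > threshold else "port scan",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_scanners(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

Run as a script it prints one alert for 10.0.0.5 (host sweep) and one for 10.0.0.9 (port scan) and nothing for 10.0.0.7, which is the point the paper makes about thresholds: the raw attempt count is the same for all three sources, so the query has to count distinct targets, and the threshold has to sit above whatever a legitimate client in that network normally touches in one window.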

Detection in Splunk

Splunk detection is not a one-size-fits-all approach. To keep the balance between sensitivity and specificity, analysts must continually refine their queries: a search that is too specific risks missing real threats, while one that is too sensitive overwhelms security staff with false positives. It is an iterative process that has to keep pace with both the changing baseline of a network's normal activity and the evolving nature of cyber attacks.

T1003 - Credential Dumping

Description

Credential Dumping (T1003) is a technique adversaries use to extract authentication credentials from the operating system, paving the way for unauthorized access to sensitive information. Attackers gather credentials from a targeted machine with a variety of methods, including memory scraping, keyloggers, or specialist tools such as Mimikatz (Strom et al., 2018). Once obtained, the credentials let threat actors move laterally across the network and escalate privileges, posing a serious risk to the organization's security.



Detection in Splunk

To minimize potential harm, security teams must detect credential dumping quickly. Splunk, as a full-featured SIEM, is well suited to spotting indications of this behaviour: analysts can write Splunk queries that examine Windows Security event logs for credential-related activity.

A robust Splunk query for detecting credential dumping filters for specific Event IDs that correlate with credential access or use (Xiong et al., 2022). For example, concentrating on EventCode 4672 (special privileges assigned to a new logon) and EventCode 4624 (an account was successfully logged on) gives insight into possible credential dumping activity. The query's effectiveness still depends on continual refinement and adaptation to new threats.

Because Splunk's implicit AND binds tighter than OR, the two EventCodes have to be grouped in parentheses:

index=windows_logs sourcetype=win_security (EventCode=4672 OR EventCode=4624)

EventID 10 through 13, on the assumption that they refer to Sysmon (process access, file create and registry events), are recorded under a separate Sysmon sourcetype and need their own search rather than being ANDed onto the Security-log query, where they would match nothing (the sourcetype name below is the one the Splunk Sysmon add-on uses and is assumed here):

index=windows_logs sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventID=10 OR EventID=11 OR EventID=12 OR EventID=13)
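As an added example (not the paper's own and not Splunk code), the correlation in Python over constructed Security-log events: 4624 and 4672 are joined on Logon_ID, as `stats values(*) by Logon_ID` would do, and each privileged logon is then checked against a baseline of accounts expected to hold special privileges. The field names follow the extractions the Splunk Add-on for Windows produces; the sample events, the baseline and the two flagging rules are assumptions.

```python
"""Correlate Windows Security EventCode 4624 (logon) with 4672 (special
privileges assigned) per Logon_ID, then flag privileged logons that fall
outside a baseline. Added example, not the paper's or Splunk's code; the
sample events, the baseline and the flagging rules are assumptions."""

# Constructed sample events carrying the fields Splunk extracts from the
# Security log (Account_Name, Logon_ID, Logon_Type, Privileges, ...).
SAMPLE_EVENTS = [
    {"_time": "09:01:00", "EventCode": 4624, "Account_Name": "alice",
     "Logon_ID": "0x1a2b", "Logon_Type": 2, "Workstation_Name": "WS01"},
    {"_time": "09:01:00", "EventCode": 4672, "Account_Name": "alice",
     "Logon_ID": "0x1a2b", "Privileges": "SeSecurityPrivilege SeBackupPrivilege"},
    {"_time": "09:05:12", "EventCode": 4624, "Account_Name": "bob",
     "Logon_ID": "0x6e7f", "Logon_Type": 2, "Workstation_Name": "WS02"},
    {"_time": "09:07:30", "EventCode": 4624, "Account_Name": "svc_backup",
     "Logon_ID": "0x4c5d", "Logon_Type": 3, "Workstation_Name": "WS01"},
    {"_time": "09:07:30", "EventCode": 4672, "Account_Name": "svc_backup",
     "Logon_ID": "0x4c5d", "Privileges": "SeDebugPrivilege SeTcbPrivilege"},
    # A 4672 whose 4624 fell outside the search window: kept, logon type unknown.
    {"_time": "09:09:00", "EventCode": 4672, "Account_Name": "SYSTEM",
     "Logon_ID": "0x3e7", "Privileges": "SeTcbPrivilege"},
]

# Accounts that are expected to receive special privileges (assumed baseline).
PRIVILEGED_BASELINE = {"alice", "SYSTEM"}


def correlate_privileged_logons(events):
    """Join every 4672 to the 4624 with the same Logon_ID.
    Returns one record per privileged logon; a 4672 with no matching 4624
    is still returned (logon_type/workstation None) rather than dropped."""
    logons = {e["Logon_ID"]: e for e in events if e["EventCode"] == 4624}
    joined = []
    for e in events:
        if e["EventCode"] != 4672:
            continue
        logon = logons.get(e["Logon_ID"], {})
        joined.append({
            "account": e["Account_Name"],
            "logon_id": e["Logon_ID"],
            "logon_type": logon.get("Logon_Type"),
            "workstation": logon.get("Workstation_Name"),
            "privileges": set(e["Privileges"].split()),
        })
    return joined


def flag_suspicious(joined, baseline=PRIVILEGED_BASELINE):
    """Apply the tuning rules the paper calls for on top of the raw join:
    an account outside the privileged baseline, or a logon that was handed
    SeDebugPrivilege (the right to read other processes' memory, which is
    what LSASS-based credential dumping needs), is worth an analyst's look."""
    alerts = []
    for rec in joined:
        reasons = []
        if rec["account"] not in baseline:
            reasons.append("account not in privileged baseline")
        if "SeDebugPrivilege" in rec["privileges"]:
            reasons.append("SeDebugPrivilege granted")
        if reasons:
            alerts.append({**rec, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in flag_suspicious(correlate_privileged_logons(SAMPLE_EVENTS)):
        print(alert["account"], alert["logon_type"], alert["workstation"], alert["reasons"])
```

On the sample data only svc_backup is flagged: it is outside the baseline and was granted SeDebugPrivilege on a network logon (type 3) from WS01. The join is what makes the alert actionable, because 4672 alone does not say where the logon came from or how; the baseline is the knob the paper describes, and it has to be rebuilt whenever legitimate administrative accounts change.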

References

Strom, B. E., Applebaum, A., Miller, D. P., Nickels, K. C., Pennington, A. G., & Thomas, C. B. (2018). MITRE ATT&CK: Design and philosophy (Technical report). The MITRE Corporation.

Xiong, W., Legrand, E., Åberg, O., & Lagerström, R. (2022). Cyber security threat modeling based on the MITRE Enterprise ATT&CK Matrix. Software and Systems Modeling, 21(1), 157-177.
