MITRE ATT&CK
Stephanie Abeyie
Maryville University
Description
Network Service Scanning (T1046) is a phase within the cyber attack lifecycle in which threat actors actively probe remote systems to pinpoint and catalogue the services running on them. Adversaries map the target network's architecture by probing open ports and the services behind them (Strom et al., 2018). By doing this, they gather vital knowledge that forms the basis for further assaults, ranging from exploiting known
Detection in Splunk
The challenge is promptly identifying and countering these probing operations across the vast field of network security. In this context, Splunk, a security information and event management (SIEM) solution, is helpful. Security researchers may create complex queries using
scrutinizing source and destination IP addresses, and employing statistical analyses to identify patterns indicative of scanning behaviour (Xiong et al., 2022). The query may, for instance, flag situations in which the total number of connection attempts from a single source IP to numerous destination IPs exceeds a set threshold within a certain period. This level should be set
    index=network_logs sourcetype=firewall
delicate balance between sensitivity and specificity, analysts must constantly refine their queries. Too specific a search risks missing real threats, while too sensitive a search might overwhelm security professionals with false positives. It is a subtle procedure that needs constant improvement to keep pace with the changing subtleties of a network's typical activity and the
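The threshold logic described above (connection attempts from one source IP to many destination IPs within a period) can be expressed outside Splunk as well. The following Python script is an added example, not code from the original paper or from Splunk; it parses a handful of constructed firewall log lines and flags any source whose distinct destinations inside a sliding time window exceed a threshold. The key=value log format, the field names, and the threshold and window values are assumptions chosen for the example.

```python
"""Threshold-based detection of Network Service Scanning (T1046) in firewall logs.

Added example; not code from the original paper or from Splunk. It implements
the logic the text attributes to a Splunk query: flag any source IP whose
connection attempts reach more distinct destination IPs than a threshold within
a sliding time window. Log format, field names, threshold and window length are
assumptions chosen for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of firewall log lines: one horizontal scan (10.0.0.5 touches
# eight hosts in eight seconds), a benign client (10.0.0.7, three hosts), a slow
# source (10.0.0.9, eight hosts but two minutes apart) and one malformed line.
SAMPLE_LOGS = [
    f"2024-05-01T10:00:0{i}Z src=10.0.0.5 dst=10.0.1.{10 + i - 1} dport=22 action=deny"
    for i in range(1, 9)
] + [
    "2024-05-01T10:00:05Z src=10.0.0.7 dst=10.0.2.20 dport=443 action=allow",
    "2024-05-01T10:00:06Z src=10.0.0.7 dst=10.0.2.21 dport=443 action=allow",
    "2024-05-01T10:00:07Z src=10.0.0.7 dst=10.0.2.22 dport=443 action=allow",
] + [
    f"2024-05-01T10:{2 * i:02d}:00Z src=10.0.0.9 dst=10.0.3.{30 + i} dport=445 action=deny"
    for i in range(8)
] + ["this line is not a firewall record"]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    fields["dport"] = int(fields["dport"])
    return fields


def detect_scanners(lines, threshold=5, window_seconds=60):
    """Return {src_ip: peak distinct destination count} for every source whose
    distinct destinations within any window of window_seconds exceed threshold."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    events.sort(key=lambda ev: ev["ts"])  # logs are rarely delivered in order
    recent = defaultdict(deque)  # src -> deque of (ts, dst) still inside the window
    hits = {}
    for ev in events:
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"]))
        # Drop attempts older than the window before counting distinct targets.
        while (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = len({dst for _, dst in q})
        if distinct > threshold:
            hits[ev["src"]] = max(hits.get(ev["src"], 0), distinct)
    return hits


if __name__ == "__main__":
    for src, peak in detect_scanners(SAMPLE_LOGS).items():
        print(f"possible T1046 scan: {src} reached {peak} distinct hosts within 60 s")
```

The `threshold` and `window_seconds` parameters are the level the text says must be set: lowering the threshold to 2 also flags the benign client, and widening the window to ten minutes catches the slow source, which illustrates the sensitivity versus specificity trade-off the paper describes.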
Description
authentication credentials from the operating system, paving the way for unauthorized access to sensitive information. In this attack approach, attackers use various techniques to gather credentials from a targeted machine, including memory scraping, keyloggers, or specialist tools like Mimikatz (Strom et al., 2018). Once obtained, these credentials give threat actors the means to move laterally across the network and elevate
Detection in Splunk
Splunk, as a security information and event management (SIEM) tool, is essential in spotting indications of this behaviour. Security analysts can use customized Splunk queries to examine Windows security event logs for credential-related activity. A robust Splunk query for detecting Credential Dumping might involve filtering for specific Event IDs that correlate with credential access or usage (Xiong et al., 2022). For example, insight into possible credential dumping can be gained by concentrating on EventCode 4672 (special privileges assigned to a new logon) and EventCode 4624 (a successful account logon). However, the inquiry's efficacy depends on ongoing
    index=windows_logs sourcetype=win_security
    (EventCode=4672 OR EventCode=4624)
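A search that merely returns every 4624 and 4672 event is noisy; the useful step is correlating the two on the logon ID so that each privileged logon carries the account, logon type and source address that only the 4624 event records. The following Python script is an added example, not code from the original paper or from Splunk, showing that correlation over constructed JSON event records. Field names follow the Windows Security event XML schema (TargetLogonId, SubjectLogonId, LogonType, IpAddress), and the sample events and the baseline of accounts expected to hold privileges are assumptions.

```python
"""Correlating Windows EventCode 4624 and 4672 to surface suspicious privileged logons.

Added example; not code from the original paper or from Splunk. The text
proposes searching for 4624 (successful logon) and 4672 (special privileges
assigned to a new logon). This script joins the two on the logon ID and keeps
privileged logons that arrive over the network from accounts outside an expected
set. Field names follow the Windows Security event XML schema; the sample events
and the account baseline are constructed assumptions.
"""
import json

# Constructed sample: security events rendered as JSON lines. The batch contains
# an interactive admin logon, a service account over the network, an unexpected
# user holding privileges over the network, a logon without privileges, a 4672
# with no matching 4624 in the batch, and a malformed record.
SAMPLE_EVENTS = [
    json.dumps({"EventCode": 4624, "TargetUserName": "alice", "TargetLogonId": "0x1A2B3",
                "LogonType": "2", "IpAddress": "-"}),
    json.dumps({"EventCode": 4672, "SubjectUserName": "alice", "SubjectLogonId": "0x1A2B3"}),
    json.dumps({"EventCode": 4624, "TargetUserName": "svc_backup", "TargetLogonId": "0x2C4D5",
                "LogonType": "3", "IpAddress": "10.0.0.50"}),
    json.dumps({"EventCode": 4672, "SubjectUserName": "svc_backup", "SubjectLogonId": "0x2C4D5"}),
    json.dumps({"EventCode": 4624, "TargetUserName": "jdoe", "TargetLogonId": "0x3E6F7",
                "LogonType": "3", "IpAddress": "10.0.0.99"}),
    json.dumps({"EventCode": 4672, "SubjectUserName": "jdoe", "SubjectLogonId": "0x3E6F7"}),
    json.dumps({"EventCode": 4624, "TargetUserName": "bob", "TargetLogonId": "0x4A8B9",
                "LogonType": "10", "IpAddress": "10.0.0.77"}),
    json.dumps({"EventCode": 4672, "SubjectUserName": "SYSTEM", "SubjectLogonId": "0x3E7"}),
    "this is not a JSON event",
]

# Accounts expected to hold special privileges (assumed baseline for the example).
KNOWN_PRIVILEGED_ACCOUNTS = {"alice", "svc_backup"}
# Logon type 3 (network) and 10 (remote interactive): sessions opened from
# another host, which is where reused credentials show up during lateral movement.
REMOTE_LOGON_TYPES = {"3", "10"}


def load_events(lines):
    """Parse JSON event lines, skipping malformed ones instead of failing the search."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        ev["EventCode"] = int(ev.get("EventCode", 0))
        events.append(ev)
    return events


def correlate_privileged_logons(events):
    """Join each 4672 to the 4624 sharing its logon ID.

    Returns one record per privileged logon with the account, logon type and
    source address that only the 4624 event carries."""
    logons = {ev["TargetLogonId"]: ev for ev in events if ev["EventCode"] == 4624}
    joined = []
    for ev in events:
        if ev["EventCode"] != 4672:
            continue
        logon = logons.get(ev.get("SubjectLogonId"))
        if logon is None:
            continue  # no matching 4624 in this batch (e.g. SYSTEM at boot)
        joined.append({
            "logon_id": ev["SubjectLogonId"],
            "account": logon.get("TargetUserName"),
            "logon_type": logon.get("LogonType"),
            "src_ip": logon.get("IpAddress"),
        })
    return joined


def flag_suspicious(joined, baseline=KNOWN_PRIVILEGED_ACCOUNTS, remote_types=REMOTE_LOGON_TYPES):
    """Keep privileged logons that are remote and come from an account outside the baseline."""
    return [rec for rec in joined
            if rec["logon_type"] in remote_types and rec["account"] not in baseline]


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    joined = correlate_privileged_logons(events)
    print(f"{sum(ev['EventCode'] == 4672 for ev in events)} privileged logons, "
          f"{len(joined)} with a matching 4624, {len(flag_suspicious(joined))} flagged")
    for rec in flag_suspicious(joined):
        print("review:", rec)
```

Of the four 4672 events in the sample, only one survives the join and the baseline filter, which is the ongoing tuning the text refers to: the baseline set and the logon types to watch are what an analyst adjusts as the environment changes.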
References
Strom, B. E., Applebaum, A., Miller, D. P., Nickels, K. C., Pennington, A. G., & Thomas, C. B. (2018). MITRE ATT&CK: Design and philosophy. Technical report, The MITRE Corporation.
Xiong, W., Legrand, E., Åberg, O., & Lagerström, R. (2022). Cyber security threat modeling based on the MITRE Enterprise ATT&CK Matrix. Software and Systems Modeling, 21(1), 157-177.