Detection rules › Splunk
Common Active Directory Commands (Windows Event Log)
Detects the possible execution of specific AD commands on hosts
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1007 System Service Discovery, T1087.002 Account Discovery: Domain Account |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Security-Auditing | Event ID 4688 | A new process has been created. |
Rule body yaml
id: '1073.1112'
title: Common Active Directory Commands
description: 'Detects the possible execution of specific AD commands on hosts. Threat
Actor Association: APT29/Nobelium/Cozy Bear, APT41, FIN6, FIN10, Carbanak, CL-STA-0043,
Lapsus$, Lazarus, MuddyWater, Sandworm Team, TA428, Turla, UNC2596, Vice Society,
Volt Typhoon (Bronze Silhouette, Vanguard Panda), Witchetty, Wizard Spider Software
Association: Akira, ALPHV/BlackCat, AvosLocker, Bazarloader, BianLian, Black Basta,
Clop, Conti, Cuba, Havex, IcedID, Insekt, Lockbit, Revil, Ryuk, Snatch, WASTEDLOCKER
Tags: TrendingThreat, Russia, Ukraine'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_winevent` ((TERM(EventCode=4688) OR
"<EventID>4688<" OR Type=Process) ("csvde.exe" OR "dsacls.exe" OR "dcpromo.exe"
OR "dcdiag.exe" OR "dsamain.exe" OR "dsmgmt.exe" OR "ldifde.exe" OR "ldp.exe" OR
"netdom.exe" OR "nltest.exe" OR "setspn.exe" OR "dsquery" OR ("net" AND ("/domain"
OR "/dom" OR "computer" )) OR "whoami /groups")) | table _time, host, user, dvc,
event_id, host, parent_process_id, parent_process_name, parent_process_path, process,
process_id, process_name, process_path, signature_id, tag, user_id | bin span=300s
| stats values(*) as * by _time, host |eventstats dc(process_name) as dc_process_name
by host, _time | where dc_process_name > 0 '
techniques:
- discovery:account discovery:domain account
- discovery:system service discovery
technique_id:
- T1087.002
- T1007
data_category:
- Windows event logs
references:
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_winevent` ((TERM(EventCode=4688) OR "<EventID>4688<" OR Type=Process) ("csvde.exe" OR "dsacls.exe" OR "dcpromo.exe" OR "dcdiag.exe" OR "dsamain.exe" OR "dsmgmt.exe" OR "ldifde.exe" OR "ldp.exe" OR "netdom.exe" OR "nltest.exe" OR "setspn.exe" OR "dsquery" OR ("net" AND ("/domain" OR "/dom" OR "computer" )) OR "whoami /groups"))
Stage 2: table
| table _time, host, user, dvc, event_id, host, parent_process_id, parent_process_name, parent_process_path, process, process_id, process_name, process_path, signature_id, tag, user_id
Stage 3: bucket
| bin span=300s
Stage 4: stats
| stats values(*) as * by _time, host
Stage 5: eventstats
| eventstats dc(process_name) as dc_process_name by host, _time
Stage 6: where
| where dc_process_name > 0
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
dc_process_name | gt |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>4688<" |
| 1 | "csvde.exe" |
| 1 | "dsacls.exe" |
| 1 | "dcpromo.exe" |
| 1 | "dcdiag.exe" |
| 1 | "dsamain.exe" |
| 1 | "dsmgmt.exe" |
| 1 | "ldifde.exe" |
| 1 | "ldp.exe" |
| 1 | "netdom.exe" |
| 1 | "nltest.exe" |
| 1 | "setspn.exe" |
| 1 | "dsquery" |
| 1 | "net" |
| 1 | "/domain" |
| 1 | "/dom" |
| 1 | "computer" |
| 1 | "whoami /groups" |