Detection rules › Splunk
Common Recon Commands in Short Burst (Sysmon)
Most initial access broker malware run several discovery commands in a short time span to gather information after gaining access to a system. While these commands are used routinely in legitimate activity, several executions in rapid succession may indicate automated reconnaissance activities from malicious actors. This use case detects several common reconnaissance/discovery commands executed in a short time period (default 2 minutes).
MITRE ATT&CK coverage
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
Rule body yaml
id: '33080.59641'
title: Common Recon Commands in Short Burst
description: Most initial access broker malware run several discovery commands in
a short time span to gather information after gaining access to a system. While
these commands are used routinely in legitimate activity, several executions in
rapid succession may indicate automated reconnaissance activities from malicious
actors. This use case detects several common reconnaissance/discovery commands executed
in a short time period (default 2 minutes).
logic_format: Splunk
logic: ' `get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR "<EventID>1<")
("whoami" OR ("net" ("group" OR "use")) OR "/Domain" OR "systeminfo" OR "nltest"
OR "/dclist" OR "/domain_trusts" OR "ipconfig" OR "arp" OR "tasklist" OR "ping"
OR "quser" OR "tasklist" OR "netstat" OR "netsh" OR "driverquery" OR "cmdkey" OR
"tracert") | where (!match(process, "(?i)\x5cSplunkUniversalForwarder\x5c(etc|bin)\x5c")
and !match(parent_process, "(?i)\x5cSplunkUniversalForwarder\x5c(etc|bin)\x5c"))
and (match(process, "(?i)whoami|systeminfo|ipconfig|arp|nltest|dclist|domain_trusts|tasklist|quser|tasklist|netstat|netsh|driverquery|cmdkey|tracert|net1?(\.exe)?\s+(group|use)($|\s|\.exe)")
OR match(process_name, "(?i)(whoami|systeminfo|ipconfig|arp|nltest|tasklist|net1?|quser|tasklist|netstat|netsh|driverquery|cmdkey|tracert)\.exe"))
and !match(user, "\$$") | table _time, host, user process, process_*, parent_process,
parent_process_* | bin span=120s | stats values(*) as * by _time, host | streamstats
dc(process) as dc_process, dc(process_name) as dc_process_name by _time, host| where
dc_process > 3 and dc_process_name > 1 '
techniques:
- discovery:system owner/user discovery
- discovery:account discovery
- discovery:process discovery
- discovery:system information discovery
- discovery:system service discovery
- defense-evasion:virtualization/sandbox evasion:system checks
- discovery:system network connections discovery
technique_id:
- T1033
- T1087
- T1057
- T1082
- T1007
- T1497.001
- T1049
data_category:
- Windows Sysmon
references:
- https://kostas-ts.medium.com/ursnif-vs-italy-il-pdf-del-destino-5c83d6281072
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_sysmon` (TERM(EventCode=1) OR "<EventID>1<") ("whoami" OR ("net" ("group" OR "use")) OR "/Domain" OR "systeminfo" OR "nltest" OR "/dclist" OR "/domain_trusts" OR "ipconfig" OR "arp" OR "tasklist" OR "ping" OR "quser" OR "tasklist" OR "netstat" OR "netsh" OR "driverquery" OR "cmdkey" OR "tracert")
Stage 2: where
| where (!match(process, "(?i)\x5cSplunkUniversalForwarder\x5c(etc|bin)\x5c") and !match(parent_process, "(?i)\x5cSplunkUniversalForwarder\x5c(etc|bin)\x5c")) and (match(process, "(?i)whoami|systeminfo|ipconfig|arp|nltest|dclist|domain_trusts|tasklist|quser|tasklist|netstat|netsh|driverquery|cmdkey|tracert|net1?(\.exe)?\s+(group|use)($|\s|\.exe)") OR match(process_name, "(?i)(whoami|systeminfo|ipconfig|arp|nltest|tasklist|net1?|quser|tasklist|netstat|netsh|driverquery|cmdkey|tracert)\.exe")) and !match(user, "\$$")
Stage 3: table
| table _time, host, user process, process_*, parent_process, parent_process_*
Stage 4: bucket
| bin span=120s
Stage 5: stats
| stats values(*) as * by _time, host
Stage 6: streamstats
| streamstats dc(process) as dc_process, dc(process_name) as dc_process_name by _time, host
Stage 7: where
| where dc_process > 3 and dc_process_name > 1
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
parent_process | match | "(?i)\x5cSplunkUniversalForwarder\x5c(etc|bin)\x5c" |
process | match | "(?i)\x5cSplunkUniversalForwarder\x5c(etc|bin)\x5c" |
user | match | "\$$" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
dc_process | gt |
|
dc_process_name | gt |
|
process | match |
|
process_name | match |
|
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | TERM |
| 1 | "<EventID>1<" |
| 1 | "whoami" |
| 1 | "net" |
| 1 | "group" |
| 1 | "use" |
| 1 | "/Domain" |
| 1 | "systeminfo" |
| 1 | "nltest" |
| 1 | "/dclist" |
| 1 | "/domain_trusts" |
| 1 | "ipconfig" |
| 1 | "arp" |
| 1 | "tasklist" |
| 1 | "ping" |
| 1 | "quser" |
| 1 | "tasklist" |
| 1 | "netstat" |
| 1 | "netsh" |
| 1 | "driverquery" |
| 1 | "cmdkey" |
| 1 | "tracert" |