Here's What's New in ESCU - April 13, 2018

This week's new Enterprise Security Content Updates (ESCU) app is hot off the presses, complete with two new cloud-security stories and several new searches. Read on for some highlights. (TL;DR? Download the Splunk ES Content Update from Splunkbase now!)

Unusual AWS EC2 Modifications

If threat actors gain access to your AWS console, they can spin up or modify instances and move laterally, infecting servers and otherwise wreaking havoc across your network. So it's vital to stay alert to changes that may indicate that your environment has been compromised. 

One important factor to stay vigilant of is user behavior. For example, it's unusual—sometimes even suspicious—for unknown users to start spinning up instances within your AWS environment. Likewise, if a known user starts modifying instances in ways that are outside of her customary pattern, this could also be an indication that you may need to take a closer look. 

This Analytic Story can help you stay alert to these issues by monitoring for EC2 instances that have been created or changed, either by users that have never previously performed these activities or by known users who modify or create instances in a way they have not done in the past. While these situations are not always malicious, they may warrant deeper investigation.  

Searches included:

  1. A detection search for EC2 instances modified by users who have not previously performed such activities
  2. A contextual search that queries AWS description logs and returns all the information about a specific instance via the instanceId field
  3. An investigative search that lists all the logged CloudTrail activities by a specific user ARN  

Data sources required:

  • •  AWS CloudTrail logs

Disabling Security Tools

Attackers employ a variety of tactics in order to avoid detection and operate without barriers. This often involves modifying the configuration of security tools to get around them or explicitly disabling them to prevent them from running. Other times, attackers attempt various tricks to prevent specific programs from running, such as adding the certificates with which the security tools are signed to a blacklist (which would prevent them from running).

This Analytic Story searches for activity consistent with attackers attempting to disable various security mechanisms. Such activity may involve suspicious registry activity (as this is where much of the configuration for Windows and various other programs is stored) or explicit attempts to shut down security-related services. 

Searches included:

  1. A search that attempts to add a certificate to the untrusted store and another that attempts to stop the security service
  2. Detection of processes launching netsh
  3. Detection of suspicious reg.exe processes
  4. Searches for the names of processes and parent processes

Data sources required:

  • •  Logs with the process name, command-line arguments, and parent process from your endpoints

Update the Enterprise Security Content Update app now on Splunkbase to ensure you always have the latest analytics!

The Security Research Team is devoted to delivering actionable intelligence to Splunk's customers, in an unceasing effort to safeguard them against modern enterprise risks. Composed of elite researchers, engineers, and consultants who have served in both public and private sector organizations, this innovative team of digital defenders monitors emerging cybercrime trends and techniques, then translates them into practical analytics that Splunk users can operationalize within their environments. Download Splunk Enterprise Security Content Update in Splunkbase to learn more.

Join the Discussion