
Cybersecurity is like an endless game of cat and mouse. Over time, the mouse becomes increasingly creative in his attempts to curate a smorgasbord of cheese and crumbs while continuing to evade detection by his feline predator. In parallel, the cat becomes craftier in his pursuit. It’s not so different when it comes to threat actors attempting to compromise your network. Just like the mouse, your adversaries continually evolve their tactics.
One such maneuver, “Command and Control” (C2), is particularly insidious. It involves establishing a communication channel between the compromised network and a server controlled by a threat actor. Using any of several communication protocols, the compromised host sends out a periodic beacon that keeps the session (and therefore control of the server) alive.
Internet Control Message Protocol (ICMP) is often used to implement C2. Because it is part of the Internet Protocol Suite, it is ubiquitous among IP-compatible hosts. However—unlike other Internet protocols, such as TCP or UDP—it is not commonly monitored. While firewalls can block TCP traffic, ICMP traffic is often permitted. As a result, it is an attractive
One of the Analytic Stories in this week’s release of the Splunk Enterprise Security Content Update (
Let us know how these searches work for you by clicking on the “Feedback Center” link in the green bar at the top of the page in the ESCU app.
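The beaconing behaviour described above can be spotted by looking for ICMP flows that recur at a near-constant cadence. The following Python script is an added example, not code from the Splunk ESCU release or from this post; it runs over constructed sample log lines (the `epoch proto src -> dst` format, the addresses and the thresholds are all assumptions) and flags source/destination pairs whose ICMP inter-arrival jitter is low.

```python
"""Flag hosts whose ICMP traffic to one destination arrives at a near-constant
cadence, the signature of a C2 beacon. Constructed sample data, not page code."""
import statistics
from collections import defaultdict

# Constructed sample log lines (assumed format): "<epoch_seconds> <proto> <src> -> <dst>"
SAMPLE_LOG = """\
1000 icmp 10.0.0.5 -> 203.0.113.9
1060 icmp 10.0.0.5 -> 203.0.113.9
1121 icmp 10.0.0.5 -> 203.0.113.9
1180 icmp 10.0.0.5 -> 203.0.113.9
1241 icmp 10.0.0.5 -> 203.0.113.9
1300 icmp 10.0.0.5 -> 203.0.113.9
1005 icmp 10.0.0.7 -> 10.0.0.1
1009 tcp 10.0.0.7 -> 10.0.0.1
1300 icmp 10.0.0.7 -> 10.0.0.1
1950 icmp 10.0.0.7 -> 10.0.0.1
"""

def parse(log):
    """Return {(src, dst): [timestamps]} built from the ICMP lines only."""
    flows = defaultdict(list)
    for line in log.splitlines():
        ts, proto, src, _, dst = line.split()
        if proto == "icmp":
            flows[(src, dst)].append(float(ts))
    return flows

def find_beacons(log, min_pings=5, max_jitter=0.10):
    """Return [(src, dst, mean_interval)] for pairs with at least min_pings ICMP
    events whose inter-arrival coefficient of variation is at most max_jitter.
    Ordinary troubleshooting pings are few and irregular; a beacon is neither."""
    hits = []
    for (src, dst), times in parse(log).items():
        if len(times) < min_pings:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_jitter:
            hits.append((src, dst, round(mean, 1)))
    return hits

if __name__ == "__main__":
    for src, dst, interval in find_beacons(SAMPLE_LOG):
        print(f"possible ICMP beacon: {src} -> {dst} every ~{interval}s")
```

The same grouping and jitter test maps onto an ICMP-filtered search over network traffic data with a stats step per source/destination pair; tune the thresholds to your own baseline of legitimate monitoring pings.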
Keep An Eye on Your Windows Registry Files
Another new Analytic Story in this week’s ESCU release is focused on detecting changes to Windows registry files that are initiated locally or from remote locations. This type of activity may indicate that an attacker has infiltrated your system.
The registry is a key component of the Windows operating system. It is composed of a hierarchical database containing settings, options, and values for executables, making it a prime target for threat actors intent upon upgrading their account privileges, maintaining persistence, or moving laterally within the environment. Among a number of other techniques, the attacker may
Considering the frequency of this attack technique, it makes sense to keep
Install the Latest Version of
The Security Research group at Splunk sleeps better when we know that you're protected against the latest threats and vulnerabilities, so download Splunk ES Content Update v1.0.17 now.