curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity

page(threat-hunting): New Network Share detected

This commit is contained in:
Ming Di Leom 2025-04-06 11:43:44 +00:00
parent fb69f36eb2
commit b7abc47a5c
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
source/threat-hunting/index.md
View File

@ -1024,6 +1024,17 @@ SPL:
| table Time, index, host, Domain, user, EventCode, LogonType, LogonTitle, LogonResult, source_ip, Destination, subject_user, Name, AccountDescription
```
## New Network Share detected
Description: Requires additional data model [mapping](https://gitlab.com/curben/splunk-scripts/-/commit/cc3e156a75519dbb3a23e0fb833c87b46c0b9409).
References: [1](https://thedfirreport.com/2025/03/31/fake-zoom-ends-in-blacksuit-ransomware/#impact)
SPL:
```spl
| tstats summariesonly=true allow_old_summaries=true fillnull_value="unknown" count FROM datamodel=Endpoint.Filesystem WHERE index="windows" Filesystem.signature_id=5142 BY index, host, Filesystem.file_target, Filesystem.file_name, Filesystem.file_path, Filesystem.signature_id, Filesystem.signature, Filesystem.src, Filesystem.user, _time span=1s
| rename Filesystem.* AS *, signature_id AS EventCode, signature AS EventDescription, file_name AS ShareName, file_path AS ShareLocalPath, file_target AS RelativeTargetName
```
## OneNote IOC
References: [1](https://redcanary.com/blog/intelligence-insights-february-2023/)