From cd2a742df9468e53f8797f58330ed7499d61f466 Mon Sep 17 00:00:00 2001
From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com>
Date: Sun, 6 Apr 2025 11:49:47 +0000
Subject: [PATCH] page(threat-hunting): CobaltStrike detection through network share discovery

---
 source/threat-hunting/index.md | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/source/threat-hunting/index.md b/source/threat-hunting/index.md
index 7f899e0..4aa7100 100644
--- a/source/threat-hunting/index.md
+++ b/source/threat-hunting/index.md
@@ -1085,19 +1085,26 @@ SPL:
 | table Time, index, host, EventCode, EventDescription, parent_process, process, user, Name, Email
 ```
 
-## Possible ShareFinder/Sharphound Usage
+## Possible ShareFinder/Sharphound/CobaltStrike Usage
 
-Description: SharedFinder/Netscan/Sharphound is commonly used to discover shares in a network.
-References: [1](https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/#htoc-file-share-access), [2](https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/#discovery), [3](https://thedfirreport.com/2024/08/26/blacksuit-ransomware/#credential-access)
+Description: SharedFinder/Netscan/Sharphound/CobaltStrike is commonly used to discover shares in a network.
+References: [1](https://thedfirreport.com/2023/01/23/sharefinder-how-threat-actors-discover-file-shares/#htoc-file-share-access), [2](https://thedfirreport.com/2024/01/29/buzzing-on-christmas-eve-trigona-ransomware-in-3-hours/#discovery), [3](https://thedfirreport.com/2024/08/26/blacksuit-ransomware/#credential-access), [4](https://www.unh4ck.com/detection-engineering-and-threat-hunting/lateral-movement/detecting-conti-cobaltstrike-lateral-movement-techniques-part-1#cobaltstrike-jump-psexec_psh)
 
 SPL:
 ```spl
-index="windows" source="XmlWinEventLog:Security" EventCode=5145 (ShareName IN ("\\\\*\\C", "\\\\*\\ADMIN", "\\\\*\\IPC") OR RelativeTargetName="delete.me")
+index="windows" source="XmlWinEventLog:Security" EventCode=5145 RelativeTargetName IN ("delete.me", "MSSE-*", "status_*", "postex_ssh_*", "msagent_*", "postex_*", "mojo*", "wkssvc*", "ntsvcs*", "DserNamePipe*", "SearchTextHarvester*", "scerpc*", "mypipe-*", "windows.update.manager*")
 | rex field=SubjectUserName "(?[^\d+]+)"
 | eval dst_asset=Computer, lookup_username=upper(lookup_username)
 | lookup ldap_assets ip AS IpAddress OUTPUT dns AS src_asset
-| lookup ad_users sAMAccountName AS lookup_username OUTPUT displayName, company, department, mail, telephoneNumber, mobile
-| table _time, src_asset, dst_asset, ShareName, SubjectUserName, displayName, mail, department, company
+| lookup ad_users sAMAccountName AS lookup_username OUTPUT displayName
+| table _time, src_asset, dst_asset, ShareName, SubjectUserName, displayName
+```
+
+With [additional mapping](https://gitlab.com/curben/splunk-scripts/-/commit/cc3e156a75519dbb3a23e0fb833c87b46c0b9409) to Endpoint Filesystem data model:
+
+```spl
+| tstats summariesonly=true allow_old_summaries=true fillnull_value="unknown" count FROM datamodel=Endpoint.Filesystem WHERE index="windows" Filesystem.signature_id=5145 Filesystem.file_target IN ("delete.me", "MSSE-*", "status_*", "postex_ssh_*", "msagent_*", "postex_*", "mojo*", "wkssvc*", "ntsvcs*", "DserNamePipe*", "SearchTextHarvester*", "scerpc*", "mypipe-*", "windows.update.manager*") BY index, host, Filesystem.file_target, Filesystem.file_name, Filesystem.file_path, Filesystem.signature_id, Filesystem.signature, Filesystem.src, Filesystem.user, _time span=1s
+| rename Filesystem.* AS *, signature_id AS EventCode, signature AS EventDescription, file_name AS ShareName, file_path AS ShareLocalPath, file_target AS RelativeTargetName
 ```
 
 ## PowerShell Web Downloads
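Review bot: The rewritten first line of the SPL search drops the `ShareName IN (...)` branch, so plain enumeration of the `\\\\*\\C`, `\\\\*\\ADMIN` and `\\\\*\\IPC` shares, which is what the ShareFinder/Sharphound references [1]–[3] describe, no longer matches; only the `RelativeTargetName` list does, while the heading and description still claim ShareFinder/Sharphound coverage. Keeping both conditions, e.g. `EventCode=5145 (ShareName IN ("\\\\*\\C", "\\\\*\\ADMIN", "\\\\*\\IPC") OR RelativeTargetName IN (...))`, would preserve the earlier detection alongside the new pipe names. Several of the added names (`wkssvc*`, `ntsvcs*`, `scerpc*`, `mojo*`) are also opened by legitimate Windows RPC clients and Chromium-based software, so a sentence under the description noting that those entries need baselining or a host/user exclusion before alerting would help readers tuning the search. The same name list is repeated verbatim in the new `tstats` block; a short note that the two lists must be kept in sync would avoid silent drift. The pre-existing `rex` context line `"(?[^\d+]+)"` appears to have lost its named capture group, so `lookup_username` may never be populated for the following `eval` and `lookup`, though that predates this commit.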