Detection at the Apex: A Better Threat Detection Strategy


An effective threat detection strategy requires having the right detections and an understanding of adversarial behaviors.

The Pyramid of Pain has laid out detection schemes showing the degradation of alerts when detections are focused solely on single indicators. For effective threat detection, alerting should be created with a focus on rule efficacy and confidence. Based on the Conti and Quantum ransomware campaign, we’ll flip the Pyramid of Pain by demonstrating the need for correlation-based threat detection to improve rule efficacy, eliminate chasing dynamic indicators and reduce alert fatigue.  

In this webinar, we will show you how to establish a detection strategy centered on the threat actors' tactics, techniques, and procedures (TTPs) to detect threats effectively. We'll also show you how to incorporate sequence-based detections built from reported research on breaches and malware campaigns.


Scroll down below the video to access 5 complimentary threat detection snippets.

adfind.txt

```Index and Source```
index=* source IN (WinEventLog:Security,XmlWinEventLog:Security)
```Generating search for adfind```
("EventCode=4688" OR "<EventID>4688<") "adfind"
```Normalize Fields OPTIONAL```
| eval
    process_path=coalesce(process_path, New_Process_Name, Process_Name, ProcessName, NewProcessName, Application_Name, Application, Path),
    process=coalesce(process, Process_Command_Line, CommandLine, process_path),
    parent_process_path=coalesce(parent_process_path, parent_process_name_tmp, Creator_Process_Name, ParentProcessName),
    user=coalesce(user, src_user, SubjectUserName)
| rex field=process_path "(?i)\x5c(?<process_name>[^\x5c]+)$"
| rex field=parent_process_path "(?i)\x5c(?<parent_process_name>[^\x5c]+)$"
```Filter down to required fields```
| table _time, host, user, parent_process_name, process_name, process
```Group the events into a bucket by host```
| bin span=1s _time
| stats values(*) as * by host, _time

**********************************************************************************

IcedID.txt

```Index and Source```
index=* source IN (WinEventLog:Security,XmlWinEventLog:Security)
```Generating search for ipconfig or nltest```
("EventCode=4688" OR "<EventID>4688<") "ipconfig" OR "nltest"
```Normalize Fields OPTIONAL```
| eval
    process_path=coalesce(process_path, New_Process_Name, Process_Name, ProcessName, NewProcessName, Application_Name, Application, Path),
    process=coalesce(process, Process_Command_Line, CommandLine, process_path),
    parent_process_path=coalesce(parent_process_path, parent_process_name_tmp, Creator_Process_Name, ParentProcessName),
    user=coalesce(user, src_user, SubjectUserName)
| rex field=process_path "(?i)\x5c(?<process_name>[^\x5c]+)$"
| rex field=parent_process_path "(?i)\x5c(?<parent_process_name>[^\x5c]+)$"
```Filter down to required fields```
| table _time, host, user, parent_process_name, process_name, process
```Group the events into a bucket by host```
| bin span=60s _time
| stats values(*) as * by host, _time
```Filter looking for both ipconfig and nltest seen on the same host based on the above time bucket```
| where match(process, "(?i)ipconfig") and match(process, "(?i)nltest")

**********************************************************************************

wmic.txt

```Index and Source```
index=* source IN (WinEventLog:Security,XmlWinEventLog:Security)
```Generating search for wmic with explicit credentials```
(("EventCode=4688" OR "<EventID>4688<") "wmic" "/password") OR (("EventCode=4648" OR "<EventID>4648<") "wmic")
```Normalize Fields OPTIONAL```
| eval
    process_path=coalesce(process_path, New_Process_Name, Process_Name, ProcessName, NewProcessName, Application_Name, Application, Path),
    process=coalesce(process, Process_Command_Line, CommandLine, process_path),
    parent_process_path=coalesce(parent_process_path, parent_process_name_tmp, Creator_Process_Name, ParentProcessName),
    user=coalesce(user, src_user, SubjectUserName)
| rex field=process_path "(?i)\x5c(?<process_name>[^\x5c]+)$"
| rex field=parent_process_path "(?i)\x5c(?<parent_process_name>[^\x5c]+)$"
```Filter down to required fields```
| table _time, host, user, parent_process_name, process_name, process
```Group the events into a bucket by host```
| bin span=1s _time
| stats values(*) as * by host, _time

**********************************************************************************

Schtask Created.txt

```Index and Source```
index=* source IN (WinEventLog:Security,XmlWinEventLog:Security)
```Generating search for scheduled task creation events```
("EventCode=4698" OR "<EventID>4698<")
```Normalize Fields OPTIONAL```
| eval
    process_path=coalesce(process_path, New_Process_Name, Process_Name, ProcessName, NewProcessName, Application_Name, Application, Path),
    process=coalesce(process, Process_Command_Line, CommandLine, process_path),
    parent_process_path=coalesce(parent_process_path, parent_process_name_tmp, Creator_Process_Name, ParentProcessName)
| rex field=process_path "(?i)\x5c(?<process_name_tmp>[^\x5c]+)$"
| rex field=parent_process_path "(?i)\x5c(?<parent_process_name_tmp>[^\x5c]+)$"
| eval
    parent_process_name=coalesce(parent_process_name, parent_process_name_tmp),
    process_name=coalesce(process_name, process_name_tmp, Name),
    user=coalesce(user, src_user, SubjectUserName),
    task_name=coalesce(Task_Name, TaskName)
```Filter down to required fields```
| table _time, host, user, parent_process_name, process_name, process, task_name
```Group the events into a bucket by host and user```
| bin span=1s _time
| stats values(*) as * by host, _time
```One strategy to reduce events is to count task names per execution time```
| eventstats count by task_name
```Filter for rarer tasks```
| where count < 10

**********************************************************************************

Rundll32.txt

```Index and Source```
index=* source IN (WinEventLog:Security,XmlWinEventLog:Security)
```Generating search for rundll32 executing a dll file```
("EventCode=4688" OR "<EventID>4688<") "rundll32" ".dll" "explorer.exe"
```Normalize Fields OPTIONAL```
| eval
    process_path=coalesce(process_path, New_Process_Name, Process_Name, ProcessName, NewProcessName, Application_Name, Application, Path),
    process=coalesce(process, Process_Command_Line, CommandLine, process_path),
    parent_process_path=coalesce(parent_process_path, parent_process_name_tmp, Creator_Process_Name, ParentProcessName),
    user=coalesce(user, src_user, SubjectUserName)
| rex field=process_path "(?i)\x5c(?<process_name>[^\x5c]+)$"
| rex field=parent_process_path "(?i)\x5c(?<parent_process_name>[^\x5c]+)$"
```Filter down to required fields and events by parent and process names```
| table _time, host, user, parent_process_name, process_name, process
| where match(parent_process_name, "(?i)explorer.exe") and match(process_name, "(?i)rundll32.exe")
```Group the events into a bucket by host```
| bin span=1s _time
| stats values(*) as * by host, _time
```Count process command line per execution time```
| eventstats count by process
```Filter for rarer command lines```
| where count < 10

**********************************************************************************

nslookup.txt

```Index and Source```
index=* source IN (WinEventLog:Security,XmlWinEventLog:Security)
```Generating search for nslookup```
("EventCode=4688" OR "<EventID>4688<") "nslookup"
```Normalize Fields OPTIONAL```
| eval
    process_path=coalesce(process_path, New_Process_Name, Process_Name, ProcessName, NewProcessName, Application_Name, Application, Path),
    process=coalesce(process, Process_Command_Line, CommandLine, process_path),
    parent_process_path=coalesce(parent_process_path, parent_process_name_tmp, Creator_Process_Name, ParentProcessName),
    user=coalesce(user, src_user, SubjectUserName)
| rex field=process_path "(?i)\x5c(?<process_name>[^\x5c]+)$"
| rex field=parent_process_path "(?i)\x5c(?<parent_process_name>[^\x5c]+)$"
```Filter down to required fields```
| table _time, host, user, parent_process_name, process_name, process
```Group the events into a bucket by host looking for distinct count of process by host within 60s```
| bin span=60s _time
| stats values(*) as * dc(process) as dc_process by host, _time
```Filter for nslookup events with a potentially abnormal count```
| where match(process, "(?i)nslookup") and dc_process > 1
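The snippets above share one correlation pattern: bucket 4688 command lines by host and a fixed time span, then require co-occurrence (IcedID: ipconfig and nltest in the same bucket) or a distinct-count threshold (nslookup: dc(process) > 1). As an added example that is not part of the webinar or the snippet files, the same logic in Python over constructed events, so the effect of the span on what correlates can be checked offline; hosts, timestamps and command lines are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample 4688 events (not real telemetry): (timestamp, host, command line)
SAMPLE_EVENTS = [
    ("2023-03-01T10:00:01", "WS01", r"C:\Windows\System32\ipconfig.exe /all"),
    ("2023-03-01T10:00:07", "WS01", r"C:\Windows\System32\nltest.exe /dclist:corp"),
    ("2023-03-01T10:00:09", "WS01", r"C:\Windows\System32\nltest.exe /domain_trusts"),
    ("2023-03-01T10:00:30", "WS02", r"C:\Windows\System32\ipconfig.exe"),
    ("2023-03-01T10:05:00", "WS02", r"C:\Windows\System32\nltest.exe /dclist:corp"),
]


def bucket_by_host(events, span_seconds):
    """Mirror `bin span=<N>s _time | stats values(process) by host, _time`:
    collect the distinct command lines seen per (host, bucket start)."""
    buckets = defaultdict(set)
    for ts, host, cmdline in events:
        # naive epoch seconds, so bucket boundaries do not depend on local timezone
        epoch = int((datetime.fromisoformat(ts) - datetime(1970, 1, 1)).total_seconds())
        bucket_start = epoch - (epoch % span_seconds)
        buckets[(host, bucket_start)].add(cmdline)
    return buckets


def correlated_hits(events, patterns, span_seconds=60):
    """IcedID-style check: (host, bucket_start) pairs in which every pattern
    matched at least one command line, like `where match(process, "ipconfig")
    and match(process, "nltest")` after the stats step."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    hits = []
    for key, cmdlines in sorted(bucket_by_host(events, span_seconds).items()):
        if all(any(rx.search(c) for c in cmdlines) for rx in compiled):
            hits.append(key)
    return hits


def burst_hits(events, pattern, min_distinct=2, span_seconds=60):
    """nslookup-style check: the pattern matched and the bucket held more than
    one distinct command line (`dc(process) > 1`)."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for key, cmdlines in sorted(bucket_by_host(events, span_seconds).items()):
        if len(cmdlines) >= min_distinct and any(rx.search(c) for c in cmdlines):
            hits.append(key)
    return hits
```

With a 60s span only WS01 correlates; widening the span to 600s also pulls in WS02, whose ipconfig and nltest runs were five minutes apart, which is the tuning trade-off between missed sequences and noise.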
