Custom detection rule with the MITRE ATT&CK framework in Splunk

Threat Detection Engineering

• Threat Detection: Detecting a Webserver Attack
• Threat Intelligence for SOC
• Detection Engineering vs Threat Hunting
• Yara 101
• Threat Intelligence Tools – Abuse.ch
• Threat Intelligence Tools – URLScan.io
• Custom detection rule with the MITRE ATT&CK framework in Splunk
• Investigate SQLi attacks using Splunk
• Splunk: Search Processing Language (SPL) Basics
• Practical Threat Hunting using Elastic SIEM: Hunting for Stuxbot
• MITRE Framework
• SOC Tools and Useful Links
• ELASTIC SIEM: Kibana Query Language (KQL) 
• SOC Home LAB: Elastic SIEM Installation
• MISP (Malware Information Sharing Platform)

Views: 44

Let’s walk through a practical example of creating a custom detection rule with the MITRE ATT&CK framework in Splunk.

Example:
Let’s say we want to create a detection rule for the technique T1566.001 – “Phishing: Spearphishing Attachment” from the MITRE ATT&CK framework. This technique involves targeted phishing attacks where attackers send malicious attachments via email to specific individuals.

Steps:

1. Understand the Technique:
   Read and understand the T1566.001 technique from the MITRE ATT&CK framework. This will help you gain insights into the behavior and indicators associated with this technique.
2. Identify Log Sources:
   Determine which log sources in your Splunk environment can provide relevant information about email-related activities. In this case, you might consider email logs, such as SMTP logs, Exchange logs, or logs from your email security gateway.
3. Write a Search Query:
   Using Splunk’s SPL, create a search query that identifies potential indicators of a spearphishing attachment. For example:

index=email_logs sourcetype=smtp
| search attachment_type=* AND (sender_domain=* OR recipient_domain=*)
| stats count by sender_domain, recipient_domain, attachment_type, subject, _time

In this query, we search for email logs with the source type “smtp.” We filter for events that have an attachment type and either a sender domain or a recipient domain. We then aggregate the results by relevant fields such as sender domain, recipient domain, attachment type, subject, and time.

4. Validate and Refine the Query:
   Run the search query against your email logs in Splunk and verify that it returns the expected results. Assess if the query accurately detects instances of spearphishing attachments. If needed, refine the query by adjusting filters, adding additional conditions, or including more context-specific information.
5. Create a Correlation Rule:
   Once the search query is validated, create a correlation rule in Splunk to generate alerts when the query matches specific conditions. For example, you can configure the rule to trigger an alert when the count of spearphishing attachments exceeds a certain threshold within a specific time frame.

# Correlation Rule for T1566.001 - Phishing: Spearphishing Attachment

# Step 1: Identify emails with suspicious attachments
sourcetype=mail | search subject="Phishing" attachment="*.exe" OR attachment="*.js" OR attachment="*.docm"

# Step 2: Look for suspicious email senders
| lookup suspicious_emails.csv sender AS from OUTPUTNEW is_suspicious
| search is_suspicious="true"

# Step 3: Correlate with failed login attempts
| stats count AS event_count by user, from
| where event_count > 3

# Step 4: Generate an alert for potential spearphishing activity
| eval alert="Potential spearphishing activity detected: $event_count events from $user with suspicious sender $from"
| table user, from, event_count, alert

4. Configure Alerting and Response:
   Define the appropriate alerting mechanism for the correlation rule. You can set up email notifications, integrate with a SIEM system, or trigger an automated response. Determine who should receive the alerts and what actions should be taken upon detection of a spearphishing attachment.
5. Monitor, Fine-tune, and Maintain:
   Continuously monitor the effectiveness of the detection rule. Analyze the alerts generated by the rule, investigate false positives or false negatives, and make necessary adjustments to improve its accuracy. Stay updated with the latest threat intelligence and adjust the rule as new techniques or indicators emerge.

Remember, this is just a simplified example. In real-world scenarios, you would consider additional factors like threat intelligence feeds, behavioral analytics, and other log sources to enhance the detection capabilities.

It’s crucial to have a deep understanding of the MITRE ATT&CK framework, the specific technique you’re targeting, and your environment’s unique characteristics to create effective detection rules.