Windows Admin Permission Discovery

Author
Teoderick Contreras, Splunk
Source
upstream

The following analytic identifies the creation of a file with an executable or script-style extension directly in the root of the system drive (C:), the textbook case being a file named 'win.dat'. It leverages data from the Endpoint.Filesystem datamodel to detect this activity. The behavior is significant because malware such as NjRAT drops a file there to test whether it is running with administrative privileges: under default ACLs a non-elevated process cannot create files directly under C:\, so a successful write tells the malware it is elevated. If confirmed malicious, this activity could indicate that the malware has administrative access, allowing it to perform high-privilege actions and potentially leading to further system compromise and persistence. Note that the search does not key on the name win.dat; it matches any file with one of the listed extensions whose path has exactly two components (the drive and the file name), so installers and administrative tooling that legitimately write to the drive root are the main source of false positives.

MITRE ATT&CK coverage

Tactic    | Techniques
Discovery | T1069.001 Permission Groups Discovery: Local Groups

Event coverage

Provider | Event ID | Title
Sysmon   | 11       | FileCreate

Stages and Predicates

Stage 1: tstats

tstats WHERE Filesystem.file_name IN ("*.bat", "*.cmd", "*.com", "*.dat", "*.dll", "*.exe", "*.js", "*.lnk", "*.pif", "*.sys", "*.vbe", "*.vbs") BY Filesystem.action, Filesystem.dest, Filesystem.file_access_time, Filesystem.file_create_time, Filesystem.file_hash, Filesystem.file_modify_time, Filesystem.file_name, Filesystem.file_path, Filesystem.file_acl, Filesystem.file_size, Filesystem.process_guid, Filesystem.process_id, Filesystem.user, Filesystem.vendor_product

Stage 2: search

search

Stage 3: eval

eval ... using (file_path)

Stage 4: eval

eval ... using (dropped_file_path)

Stage 5: eval

eval ... using (dropped_file_path)

Stage 6: where

where dropped_file_path_split_count=2 AND root_drive like "C:"

Stage 7: search

search

Stage 8: search

search

Stage 9: search

search `macro`
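The stage listing above elides most of the SPL, so the filtering logic is easier to follow when written out. The block below is an added example, not the rule's own search or any Splunk code: it re-implements stages 1, 3 to 6 in Python and runs them over constructed Sysmon Event ID 11 (FileCreate) records in the field shape the Endpoint.Filesystem datamodel exposes after the object-name prefix is dropped. Host names, users, process IDs and paths are made up for this example, and the case-insensitive extension match is an assumption about the datamodel, not something the page states.

```python
"""Re-implementation of the 'Windows Admin Permission Discovery' stages over
constructed Sysmon Event ID 11 records. Added example, not the Splunk rule."""

from __future__ import annotations

from fnmatch import fnmatch

# Stage 1 predicate: Filesystem.file_name IN ("*.bat", "*.cmd", ...), as on the page.
FILE_NAME_PATTERNS = ("*.bat", "*.cmd", "*.com", "*.dat", "*.dll", "*.exe",
                      "*.js", "*.lnk", "*.pif", "*.sys", "*.vbe", "*.vbs")

# Constructed sample events (values made up). Field names are the datamodel's
# after `drop_dm_object_name(Filesystem)`, i.e. without the "Filesystem." prefix.
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "CORP\\alice", "process_id": 4120,
     "file_name": "win.dat", "file_path": "C:\\win.dat"},            # NjRAT-style admin probe
    {"dest": "ws01", "user": "CORP\\alice", "process_id": 4120,
     "file_name": "update.exe",
     "file_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe"},  # deep path, no hit
    {"dest": "ws02", "user": "CORP\\bob", "process_id": 988,
     "file_name": "tools.exe", "file_path": "D:\\tools.exe"},        # wrong drive
    {"dest": "ws02", "user": "CORP\\bob", "process_id": 988,
     "file_name": "readme.txt", "file_path": "C:\\readme.txt"},      # extension not in list
    {"dest": "srv01", "user": "NT AUTHORITY\\SYSTEM", "process_id": 1204,
     "file_name": "Setup.EXE", "file_path": "C:\\Setup.EXE"},        # installer at root: likely FP
    {"dest": "srv01", "user": "NT AUTHORITY\\SYSTEM", "process_id": 1204,
     "file_name": "win.dat", "file_path": "C:\\Windows\\Temp\\win.dat"},  # same name, deeper path
]


def stage1_file_name_match(file_name: str) -> bool:
    """Stage 1: wildcard membership test on the file name. Compared
    case-insensitively here (an assumption about the datamodel, not the page)."""
    name = file_name.lower()
    return any(fnmatch(name, pattern) for pattern in FILE_NAME_PATTERNS)


def stages3_to_5(event: dict) -> dict:
    """Stages 3-5: the three eval steps. Splitting the path on the backslash
    gives ["C:", "win.dat"] for a file directly under the drive root."""
    parts = event["file_path"].split("\\")
    return {
        **event,
        "dropped_file_path": parts,
        "dropped_file_path_split_count": len(parts),
        "root_drive": parts[0],
    }


def stage6_where(event: dict) -> bool:
    """Stage 6: exactly two components (drive + file name) and the drive is C:.
    The rule's like "C:" carries no wildcard, so it behaves as an equality test."""
    return (event["dropped_file_path_split_count"] == 2
            and event["root_drive"] == "C:")


def run_rule(events) -> list[dict]:
    """Apply the stages in order and return the enriched events that would alert."""
    hits = []
    for event in events:
        if not stage1_file_name_match(event["file_name"]):
            continue
        enriched = stages3_to_5(event)
        if stage6_where(enriched):
            hits.append(enriched)
    return hits


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"{hit['dest']}: {hit['user']} (pid {hit['process_id']}) "
              f"created {hit['file_path']}")
```

Running it flags only the two root-level writes, C:\win.dat and C:\Setup.EXE. The second hit is the kind of benign installer activity the filter macro in stage 9 exists to suppress; tune on process name or user rather than loosening the path test, since the two-component path check is what makes the rule specific.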

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field | Kind | Values
Filesystem.file_name | in
  • "*.bat" corpus 4 (splunk 4)
  • "*.cmd" corpus 4 (splunk 4)
  • "*.com" corpus 4 (splunk 4)
  • "*.dat" corpus 2 (splunk 2)
  • "*.dll" corpus 6 (splunk 6)
  • "*.exe" corpus 7 (splunk 7)
  • "*.js" corpus 5 (splunk 5)
  • "*.lnk" corpus 2 (splunk 2)
  • "*.pif" corpus 5 (splunk 5)
  • "*.sys" corpus 4 (splunk 4)
  • "*.vbe" corpus 5 (splunk 5)
  • "*.vbs" corpus 5 (splunk 5)
dropped_file_path_split_count | eq
  • 2 corpus 2 (splunk 2)
root_drive | like
  • "C:"