Skip to main content
 
 
Splunk Lantern

Recognizing improper use of system administration tools

 

System administrators in your organization sometimes use tools like PsExec and DCOM to manage systems remotely. However, because your entire organization recently began working from home, you have more concerns around the security of these tools. You want to investigate usage of these tools to make sure that bad actors aren't using them to move laterally within your network. 

Data required 

System log data

How to use Splunk software for this use case

You can run many investigations with Splunk software to detect suspicious lateral movement with legitimate sysadmin tools. You can examine Windows security logs for unusual authentication events and then investigate events taken by those logged-in users. Depending on what information you have available, you might find it useful to identify some or all of the following: 

To deploy this use case, you can also use Splunk Security Essentials (SSE), a free application with an extensive security content library. This library empowers you to deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture.

Next steps

To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case: 

  • Developing and maintaining authentication baselines for users
  • Eliminating outdated or unpatched systems in your environment
  • Enforcing least-privileged user policies to limit access to systems and resources
  • Enforcing robust password management policies and multi-factor authentication

Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:

  • Time to detection: The time between when an adversary gained access to your network to when you detected their presence
  • Lateral movement blocked: Number of times an adversary was unsuccessful at gaining access to systems through lateral movement

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you would like assistance.