
Splunk Lantern

Detecting masquerading


In masquerading, adversaries who have gained access to internal systems through valid employee accounts disguise their tools and artifacts so that they appear legitimate to users and to security controls. As they collect further credentials, they also deploy tools and techniques to maintain persistence and evade defenses. For example:

  • Adversaries may rename legitimate system utilities to evade security controls that key on the usage of those utilities.
  • An attacker might run a separate copy of a system command without overwriting the original, or might try to avoid detection by running the process from a different folder than the one it is normally installed in.
  • They might run executables or scripts from file paths in Windows that don't commonly host such files.
  • They might launch processes from files that have double extensions in the file name (for example, a name ending in .pdf.exe). This is typically done to obscure the real file extension and make it appear as though the file being accessed is a data file rather than executable content.

Masquerade attacks can be carried out either by someone within the organization or by an outsider, if the organization's systems are reachable from a public network. The amount of access masquerading attackers get depends on the level of authorization they've managed to attain, so you want to be able to detect masquerading early.
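The four patterns listed above, expressed as checks over process-creation events, as an added example that is not part of the original Splunk Lantern page and is not one of the Splunk ES Content Update detections. It is written in Python rather than SPL so that it runs offline against constructed sample events; the field names (Image, OriginalFileName) follow Sysmon Event ID 1, and the allow-list of expected directories, the list of uncommon directories and the extension sets are illustrative assumptions, not a vendor baseline.

```python
import ntpath
import re

# Constructed sample process-creation events (field names follow Sysmon
# Event ID 1). The second event is PowerShell copied to a public folder and
# renamed svchost.exe; the PE version resource still reads PowerShell.EXE.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe"},
    {"Image": r"C:\Users\Public\svchost.exe",
     "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\rundll32.exe",
     "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": r"C:\Users\alice\Downloads\invoice.pdf.exe",
     "OriginalFileName": "invoice.pdf.exe"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "OriginalFileName": "app.exe"},
]

# Where selected Windows utilities legitimately live (assumption: illustrative
# allow-list; a real deployment derives this from its own fleet baseline).
EXPECTED_DIRS = {
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "powershell.exe": {r"c:\windows\system32\windowspowershell\v1.0",
                       r"c:\windows\syswow64\windowspowershell\v1.0"},
}

# Directories that rarely host legitimate executables (assumption).
UNCOMMON_EXEC_DIR = re.compile(r"\\(temp|tmp|downloads|public|programdata)(\\|$)", re.I)

# A "data-looking" inner extension followed by an executable outer extension.
DATA_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}
EXEC_EXT = {"exe", "scr", "com", "bat", "cmd", "ps1", "vbs", "js", "dll"}


def findings(event):
    """Return the list of masquerading indicators raised by one event."""
    directory, name = ntpath.split(event["Image"])
    name_l, dir_l = name.lower(), directory.lower()
    orig_l = event.get("OriginalFileName", "").lower()
    hits = []

    # 1. Renamed system utility: the PE's OriginalFileName names a known
    #    utility but the file on disk is called something else.
    if orig_l in EXPECTED_DIRS and orig_l != name_l:
        hits.append(f"renamed_binary:{orig_l}->{name_l}")

    # 2. Known utility (identified by OriginalFileName when that is known,
    #    otherwise by its on-disk name) running from a directory it is
    #    never installed in: a copied binary.
    utility = orig_l if orig_l in EXPECTED_DIRS else name_l
    if utility in EXPECTED_DIRS and dir_l not in EXPECTED_DIRS[utility]:
        hits.append(f"unexpected_path:{utility}")

    # 3. Any executable launched from a directory that rarely hosts one.
    if UNCOMMON_EXEC_DIR.search(dir_l):
        hits.append("uncommon_directory")

    # 4. Double extension: invoice.pdf.exe posing as a document.
    parts = name_l.split(".")
    if len(parts) >= 3 and parts[-2] in DATA_EXT and parts[-1] in EXEC_EXT:
        hits.append(f"double_extension:{parts[-2]}.{parts[-1]}")
    return hits


def triage(events):
    """Map each suspicious Image path to its indicators; clean events are omitted."""
    result = {}
    for event in events:
        hits = findings(event)
        if hits:
            result[event["Image"]] = hits
    return result


if __name__ == "__main__":
    for image, hits in triage(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(hits)}")
```

The renamed-binary check depends on OriginalFileName from the PE version resource, which survives a plain file rename but not a deliberate patch of that resource, so treat it as one signal among several; the path checks are what catch a copied but otherwise unmodified binary. The Splunk detections for renamed utilities make the same comparison between the on-disk process name and the original file name recorded for the process.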

How to use Splunk software for this use case

To deploy this use case, you need to import the Splunk ES Content Updates into your Splunk Security Essentials or Splunk Enterprise Security deployment. This extensive content library empowers you to deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture. Some of the detections that can help you with this use case include:

Next steps

File integrity monitoring (FIM) can also assist in identifying masquerading. FIM can help you detect unauthorized changes made to files, directories, network devices, operating systems, and more. This can be accomplished by establishing a “baseline” for a file state and monitoring for changes made to that state. It’s a great way to quickly identify file discrepancies, modifications, and additions.
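A minimal baseline-and-compare FIM check over a constructed directory, as an added example that is not taken from this page or from any Splunk product. It hashes every file under a root with SHA-256, diffs two snapshots into added, removed and modified sets, and, because this page is about masquerading, additionally flags an added file whose hash matches a file already in the baseline (a copied-and-renamed utility). The directory layout, file names and contents in demo() are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_baseline(root):
    """Map relative path -> SHA-256 hex digest for every regular file under root."""
    root = Path(root)
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        baseline[path.relative_to(root).as_posix()] = digest
    return baseline


def compare(baseline, current):
    """Classify the differences between two snapshots produced by build_baseline."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "removed": sorted(before - after),
        "modified": sorted(p for p in before & after if baseline[p] != current[p]),
    }


def renamed_copies(baseline, current, diff):
    """Added files whose content hash already exists in the baseline: a file
    that was copied under a new name, the FIM view of a renamed utility."""
    by_hash = {digest: path for path, digest in baseline.items()}
    return sorted(
        f"{p} (same hash as {by_hash[current[p]]})"
        for p in diff["added"] if current[p] in by_hash
    )


def demo():
    """Constructed scenario: baseline a directory, tamper with it, compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        # Constructed placeholder contents; only their hashes matter here.
        (root / "bin" / "cmd.exe").write_bytes(b"legit cmd bytes")
        (root / "bin" / "rundll32.exe").write_bytes(b"legit rundll32 bytes")
        (root / "notes.txt").write_text("hello")
        before = build_baseline(root)

        # Tampering: a utility is replaced in place, a second utility is
        # copied under a different name, and a file is deleted.
        (root / "bin" / "cmd.exe").write_bytes(b"trojaned cmd bytes")
        (root / "bin" / "svchost.exe").write_bytes(b"legit rundll32 bytes")
        (root / "notes.txt").unlink()
        after = build_baseline(root)

        diff = compare(before, after)
        diff["renamed_copies"] = renamed_copies(before, after, diff)
        return diff


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

Hash the contents rather than trusting size or modification time: a renamed or copied binary keeps both, and timestamps are trivially reset. Store the baseline somewhere the monitored host cannot rewrite it, or the same access that lets an attacker drop the copy also lets them update the baseline.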

These additional Splunk resources might help you understand and implement this specific use case:

Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.com if you require assistance.