Scenario: In some cyber attacks, adversaries leverage valid employee accounts to gain access to internal systems. As they collect credentials, they also deploy tools to maintain persistence and evade defenses. A common tool that certain adversaries use is procdump.exe. Procdump.exe is a Microsoft command-line utility that is used to monitor applications and can create crash dumps. Adversaries use procdump to dump credentials. To hide the presence of procdump.exe on a server, the adversary renames their copies of procdump.exe to something that appears legitimate. This technique is known as masquerading and is fairly common with certain utilities, because the mere presence of such a utility on certain systems may trigger alarms for organizations. You want to be able to detect this technique.
To succeed in implementing this use case, you need the following dependencies, resources, and information.
- People: Threat hunter
- Splunk Enterprise or Splunk Cloud Platform
- Data: Endpoint data
How to use Splunk software for this use case
Depending on what information you have available, you might find it useful to identify some or all of the following:
File integrity monitoring (FIM) can also assist in identifying masquerading. FIM can help you detect unauthorized changes made to files, directories, network devices, operating systems, and more. This can be accomplished by establishing a “baseline” for a file state and monitoring for changes made to that state. It’s a great way to quickly identify file discrepancies, modifications, and additions.
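A minimal version of the baseline-and-compare approach described above, as an added example that is not part of the original use case or of any Splunk product: it hashes every file under a directory, stores that as the baseline, and on the next snapshot reports added, removed and modified paths. It also pairs each added file with a baseline file that has the same hash, which is exactly what a renamed copy of a known utility looks like. The sample tree is constructed in a temporary directory so the script runs offline; the file contents are placeholders, not real binaries.

```python
"""Minimal file integrity baseline: snapshot a directory tree, then report changes.

Added example, not code from the original use case or from Splunk. It assumes
the defender snapshots a tree on a known-good system and later compares a fresh
snapshot against it. The sample tree and its contents are constructed.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map each file's path (relative to root, '/' separated) to its SHA256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def diff_baseline(old: dict, new: dict) -> dict:
    """Classify changes between two snapshots and spot renamed copies by hash."""
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    modified = sorted(p for p in new if p in old and new[p] != old[p])
    # An added file whose content hash already existed in the baseline is a
    # copy of a known file under a new name: the masquerading pattern.
    old_by_hash = {h: p for p, h in old.items()}
    renamed = sorted((old_by_hash[new[p]], p) for p in added if new[p] in old_by_hash)
    return {"added": added, "removed": removed, "modified": modified, "renamed": renamed}


def demo() -> dict:
    """Build a constructed tree, baseline it, simulate changes, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        tools = os.path.join(root, "tools")
        os.makedirs(tools)
        with open(os.path.join(tools, "procdump.exe"), "wb") as f:
            f.write(b"MZ constructed procdump placeholder")   # not a real binary
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("baseline\n")
        baseline = build_baseline(root)

        # Simulated changes: the tool is moved under a misleading name and one
        # file is altered in place.
        os.replace(os.path.join(tools, "procdump.exe"), os.path.join(root, "svchost.exe"))
        with open(os.path.join(root, "readme.txt"), "a") as f:
            f.write("tampered\n")

        return diff_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is taken on a clean system, stored outside the monitored host, and compared on a schedule; the "renamed" list is the part worth alerting on for this use case, since it ties a new file name back to a known tool without relying on the name at all.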
The content in this use case comes from a previously published blog, one of the thousands of Splunk resources available to help users succeed. These additional Splunk resources might help you understand and implement this specific use case: