Skip to main content

Recognizing improper use of system administration tools

  • Updated

Scenario: System administrators in your organization sometimes use tools like PsExec and DCOM to manage systems remotely. However, because your entire organization recently began working from home, you have more concerns around the security of these tools. You want to investigate usage of these tools to make sure that bad actors aren't using them to move laterally within your network. 

How Splunk software can help

You can use Splunk software to examine Windows security logs for unusual authentication events and then investigate events taken by those logged-in users. 

What you need 

The following technologies, data, and integrations are useful in successfully implementing this use case.

People

The best person to implement this use case is a security analyst or threat hunter who is familiar with endpoint data. This person might come from your team, a Splunk partner, or Splunk onDemand Services.

Time

Detecting suspicious lateral movement with legitimate sysadmin tools using Splunk software can last from several hours to several days, depending on the size of your organization.

Technologies 

The following technologies, data, and integrations are useful in successfully implementing this use case: 

  • Splunk Enterprise or Splunk Cloud
  • Data normalized to the following CIM models:

How to use Splunk software for this use case

You can run many investigations with Splunk software to detect suspicious lateral movement with legitimate sysadmin tools. Depending on what information you have available, you might find it useful to identify some or all of the following: 

Other steps you can take

To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case: 

  • Developing and maintaining authentication baselines for users
  • Eliminating outdated or unpatched systems in your environment
  • Enforcing least-privileged user policies to limit access to systems and resources
  • Enforcing robust password management policies and multi-factor authentication

Related resources 

These additional Splunk resources might help you understand and implement this use case:

How to assess your results

Measuring impact and benefit is critical to assessing the value of security operations. The following are example metrics that can be useful to monitor when implementing this use case:

  • Time to detection: The time between when an adversary gained access to your network to when you detected their presence
  • Lateral movement blocked: Number of times an adversary was unsuccessful at gaining access to systems through lateral movement

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.

The information provided in Splunk Lantern is intended for informational and educational purposes only. All information is provided in good faith, however, Splunk disclaims any and all representations and warranties, express and implied, regarding the information provided, including without limitation any warranties and representations regarding the completeness, adequacy or accuracy of the information. You agree to take full responsibility for the results arising from the use of the information provided.