Windows Post Exploitation Risk Behavior

Splunk Security Content

Summary
This rule detects post-exploitation behavior on Windows systems by identifying at least four distinct actions indicative of malicious activity following an initial compromise. It uses the Risk data model in Splunk Enterprise Security, correlating multiple risk events that map to related MITRE ATT&CK tactics and techniques. A cluster of such risk events on one host, for example persistence mechanisms, privilege escalation attempts, and potential data exfiltration, indicates behavior that lets an attacker maintain control and elevate privileges in the compromised environment. Early identification of this activity is critical, since advanced threats that are not addressed promptly can lead to significant breaches or data loss.
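The following risk-based correlation search is an added illustration of the counting logic described above, not the rule's own SPL from Splunk Security Content. It assumes the standard Risk data model fields of Splunk Enterprise Security, the `security_content_summariesonly` and `drop_dm_object_name` macros that ship with Splunk Security Content, and a placeholder analytic story name.

```spl
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
    values(All_Risk.analyticstories) as analyticstories
    values(All_Risk.annotations.mitre_attack.technique_id) as technique_ids
    dc(All_Risk.annotations.mitre_attack.technique_id) as technique_count
    values(source) as detections
    dc(source) as detection_count
  from datamodel=Risk.All_Risk
  where All_Risk.analyticstories IN ("<ANALYTIC_STORY_NAME>")
    All_Risk.risk_object_type="system"
  by All_Risk.risk_object All_Risk.risk_object_type
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where detection_count >= 4
| table risk_object risk_object_type detection_count detections technique_count technique_ids firstTime lastTime
```

The threshold `detection_count >= 4` expresses the "at least four distinct actions" requirement: each contributing detection is a separate `source` in the Risk index, so a host only surfaces once several independent post-exploitation detections have fired against it.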
Categories
  • Windows
  • Endpoint
Data Sources
  • Windows Registry
  • Process
  • Application Log
ATT&CK Techniques
  • T1012
  • T1049
  • T1069
  • T1016
  • T1003
  • T1082
  • T1115
  • T1552
Created: 2024-11-13