Enrich IOC using SOAR with OpenCTI, VirusTotal and Shuffler

MALICIOUS FILE DETECTED

Splunk SOAR Playbook: Malicious File Detected

Automate triage, enrichment, containment, notification and recovery steps when a malicious file alert is received from an EDR.

Environment

Splunk All in one instance

Windows (Splunk UF)

Shuffler SOAR (Cloud or On premise)

OpenCTI (Cloud or On premise)

VirusTotal API

Slack

Playbook Trigger

Trigger:

Container created with label "Windows Mimikatz Binary Execution - Rule"
Source (Splunk Detection)

Input Fields:

Receive all fields in raw log trigger alert
Add annotation with rule detect mimikatz

# Example
"analytic_story": ("CISA AA22-320A,CISA AA23-347A,Compromised Windows Host,Credential Dumping,Flax Typhoon,Sandworm Tools,Volt Typhoon")
"cis20": ("CIS 10")
"kill_chain_phases": ("Exploitation")
"mitre_attack": ("T1003")
"nist": ("DE.CM")
"tactics": ("Credential Access")

Collect into index soc_risk

Artifact:

{
	"search_name": "EBD - Windows Mimikatz Binary Execution - Rule",
	"dest": "WinSrv22.luongdv.test",
	"firstTime": "2025-07-23T10:30:38",
	"risk_object": "WinSrv22.luongdv.test",
	"risk_object_type": "system",
	"threat_object": "powershell.exe",
	"threat_object_type": "parent_process_name",
	"process_name": "mimikatz.exe",
	"process_hash": "SHA1=D1F7832035C3E8A73CC78AFD28CFD7F4CECE6D20,MD5=E930B05EFE23891D19BC354A4209BE3E,SHA256=92804FAAAB2175DC501D73E814663058C78C0A042675A8937266357BCFB96C50,IMPHASH=1355327F6CA3430B3DDBE6E0ACDA71EA",
	"severity": "informational",
	"link_alert": "https://192.168.35.150:8000/en-US/app/search/search?sid=scheduler__admin_dGhkX2ZpbmRpbmdfYmFzZWRfZGV0ZWN0aW9u__RMD5274c121f254c8a17_at_1753241460_248",
}

Playbook Workflow

Enrichment Phare

Block1: Hash Reputation check with OpenCTI

Action: file reputation
App: OpenCTI
Input: process_hash
Output: Indicator ID, Name, Observables, killChainPhases, OpenCTI Score, Tags, v.v.

# Variables
{
  "search": "92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50"
}

Result raw log

{
  "data": {
    "indicators": {
      "edges": [
        {
          "node": {
            "id": "e4778c3e-6cd2-4a97-931d-882d7d5c0126",
            "standard_id": "indicator--4922d1d4-3df6-5cc4-bcb7-c7ed420ab841",
            "is_inferred": false,
            "revoked": false,
            "confidence": 100,
            "lang": "en",
            "created": "2024-10-21T20:43:52.000Z",
            "modified": "2024-10-22T14:48:27.596Z",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "pattern": "[file:hashes.'SHA-256' = '92804FAAAB2175DC501D73E814663058C78C0A042675A8937266357BCFB96C50']",
            "name": "92804FAAAB2175DC501D73E814663058C78C0A042675A8937266357BCFB96C50",
            "description": null,
            "valid_from": "2024-10-22T14:45:36.320Z",
            "valid_until": "2025-07-24T12:05:08.155Z",
            "x_opencti_score": 50,
            "x_opencti_detection": false,
            "x_opencti_main_observable_type": "Unknown",
            "createdBy": {
              "identity_class": "organization",
              "name": "*** Redacted ***"
            },
            "objectMarking": [
              {
                "definition_type": "TLP",
                "definition": "TLP:CLEAR"
              }
            ],
            "objectLabel": [
              {
                "value": "osint"
              },
              {
                "value": "t1486 - data encrypted for impact"
              },
              {
                "value": "t1133 - external remote services"
              },
              {
                "value": "t1555 - credentials from password stores"
              },
              {
                "value": "t1574.002 - dll side-loading"
              },
              {
                "value": "t1057 - process discovery"
              },
              {
                "value": "t1558 - steal or forge kerberos tickets"
              },
              {
                "value": "t1563 - remote service session hijacking"
              }
            ],
            "killChainPhases": [],
            "externalReferences": {
              "edges": []
            },
            "observables": {
              "edges": [
                {
                  "node": {
                    "id": "3a163e26-93c4-4dd9-a6d3-61af4052c99d",
                    "standard_id": "file--75dac703-7cc2-5f0b-a5bf-2bb5e8437d57",
                    "entity_type": "StixFile",
                    "observable_value": "92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50",
                    "hashes": [
                      {
                        "algorithm": "SHA-256",
                        "hash": "92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50"
                      },
                      {
                        "algorithm": "MD5",
                        "hash": "e930b05efe23891d19bc354a4209be3e"
                      }
                    ],
                    "size": 1250056,
                    "name": "windows_update100.exe",
                    "name_enc": null,
                    "magic_number_hex": null,
                    "mime_type": null,
                    "ctime": null,
                    "mtime": null,
                    "atime": null,
                    "x_opencti_additional_names": [
                      "windows_update.exe",
                      "mimikatz.exe",
                      "DeadPotato-master/Resources/mimikatz.exe",
                      "H:\\kendo\\scaronong\\/mimikatz.exe",
                      "mimikatz",
                      "mimikatz-master/x64/mimikatz.exe",
                      "FilelessPELoader-main/mimikatz.exe",
                      "92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50.exe",
                      "C:\\Users\\user\\Desktop\\out.exe",
                      "out.exe",
                      "mimi.exe",
                      "H:\\kendo\\yy/mimikatz.exe",
                      "x64/mimikatz.exe",
                      "mimikatz (1).exe",
                      "mimikatz-debian-2.2.0-20200229-1parrot1/x64/mimikatz.exe",
                      "windows_update (2).exe",
                      "C:\\Users\\adminaccount\\Downloads\\mimikatz.exe",
                      "mimikatz(1).exe",
                      "winutils.exe",
                      "mimikatz-debian-1-2.2.0-20200229-1parrot2/x64/mimikatz.exe",
                      "mpasbase.vdm",
                      "spoolsv.exe",
                      "mimikatzx64.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\zumxllar.ar1\\mimikatz.exe",
                      "master.exe",
                      "/tmp/cache/extracted_files/d1f7832035c3e8a73cc78afd28cfd7f4cece6d20.bin",
                      "c:\\windows\\system32\\scf751w2yllunglolntb6y9wq1597xe2t5lr9dhrza.exe",
                      "eq14atcrgon0uty16hd0hmxj1dg19di4wofmrm8wl.exe",
                      "C:\\Windows\\11k6fus6guj100xastc2c6dm3b41s91acx3yq9qxos.exe",
                      "n4v4m40l92rtw6957mis3p1ho6459ntf3dn2l4t23tzr.exe",
                      "C:\\ProgramData\\ogkmf7m3n3xdq85difql4f63xfsj75dlk19xffmlkm0o84ovb.exe",
                      "C:\\Windows\\Temp\\2.exe",
                      "mimikatz.exe.copy0",
                      "windows_update - Copy.exe",
                      "mimikatz-upstream-2.2.0-20200229/x64/mimikatz.exe",
                      "Mizedo64.exe",
                      "out",
                      "cnp.trojan",
                      "🇵🇹🇮🇴♥️♾️🔄🆘🆘⭕️🔟🇵🇹🇮🇴♥️♾️🔄🆘🆘⭕️🔟🇵🇹🇮🇴♥️♾️🔄🆘🆘⭕️🔟🇵🇹🇮🇴♥️♾️🔄🆘🆘⭕️🔟🇵🇹🇮🇴♥️♾️🔄🆘🆘⭕️🔟🇵🇹🇮🇴♥️♾️🔄🆘🆘⭕️🔟🇵🇹🇮🇴♥️♾️🔄🆘🆘⭕️🔟🇵🇹🇮🇴♥️♾️🔄🆘🆘⭕️🔟🇵🇹🇮🇴♥.exe",
                      "◻️.exe",
                      "test.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\03dulnbn.ne0\\Mizedo64.exe",
                      "%HOME%\\unpack\\mimikatz.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\53wh542w.d1c\\mimikatz.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\nnv0hh3l.v04\\mimikatz.exe",
                      "mimikatz.exe.crdownload",
                      "notmimikatz.exe",
                      "ad/mimikatz.exe",
                      "D:/test\\\\mimikatz.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\4ohx5kmf.gvr\\ad\\mimikatz.exe",
                      "mimikatz.bin",
                      "autoupdater.exe",
                      "mmk.mp3",
                      "C:\\Windows\\mimikatz.exe",
                      "Danger.exe",
                      "ikatz.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\jvpvvqk0.bdf\\cmifc-main\\x64\\ikatz.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\qclkufmt.pvf\\x64\\mimikatz.exe",
                      "cmifc-main/x64/ikatz.exe",
                      "windows_patch.exe",
                      "Unconfirmed 869316.crdownload",
                      "сентябрь 2023(570)/92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\zfptlmhs.k2y\\Mizedo64.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\s0zcolno.x0h\\Mizedo64.exe",
                      "mimikatzWindows-master/x64/mimikatz.exe",
                      "c:\\Tools\\mimikatz\\x64\\mimikatz.exe",
                      "Youtube-main/Active Directory/Tools/mimikatz.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\24cpddoq.woi\\Youtube-main\\Active Directory\\Tools\\mimikatz.exe",
                      "Microsoft.exe",
                      "data/web32.exe",
                      "C:\\test\\mimikatz-master\\x64\\mimikatz.exe",
                      "nomimikatz.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\pfy2dakv.ivm\\mimikatz.exe",
                      "test02-mimikatz.pdf",
                      "mimikatzjgfwijgijwr.exe",
                      "mimikatz_original.exe",
                      "$R1DB59L.exe",
                      "mi64.exe",
                      "USBCoreMm.exe",
                      "C:\\Users\\georg\\Downloads\\mimikatz.exe",
                      "mumu.exe",
                      "NotaVirus.exe",
                      "usr/share/mimikatz/x64/mimikatz.exe",
                      "usr/share/windows-resources/mimikatz/x64/mimikatz.exe",
                      "test.zip",
                      "Mimikatz x64.exe",
                      "mimikatz (2).exe",
                      "C:\\Users\\AAMIR\\Downloads\\mimikatz.exe",
                      "C:\\Users\\user\\Desktop\\Files\\master.exe",
                      "sifreliokuma64.exe",
                      "mi.exe",
                      "mmk.exe",
                      "mimikatz.exe.png",
                      "%TEMP%\\svchost.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\svchost.exe",
                      "%TEMP%\\file.exe",
                      "c:\\users\\oqxzraykm\\desktop\\file.exe",
                      "C:\\Users\\user\\Desktop\\file.exe",
                      "file.exe"
                    ],
                    "obsContent": null
                  }
                }
              ],
              "pageInfo": {
                "globalCount": 1
              }
            }
          },
          "cursor": "WzkzLjIyMTU1LCJpbmRpY2F0b3ItLTQ5MjJkMWQ0LTNkZjYtNWNjNC1iY2I3LWM3ZWQ0MjBhYjg0MSJd"
        },
        {
          "node": {
            "id": "ff066c33-d880-4235-8415-5da463b8b58a",
            "standard_id": "indicator--26c73b34-9774-593e-9895-95250dfe6905",
            "is_inferred": false,
            "revoked": true,
            "confidence": 100,
            "lang": "en",
            "created": "2024-09-02T20:58:29.797Z",
            "modified": "2025-07-23T04:23:52.850Z",
            "pattern_type": "stix",
            "pattern_version": "2.1",
            "pattern": "[file:hashes.'SHA-256' = '92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50']",
            "name": "92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50",
            "description": "Created by VirusTotal connector as the positive count was >= 10",
            "valid_from": "2024-09-02T20:52:33.000Z",
            "valid_until": "2025-06-20T08:02:17.557Z",
            "x_opencti_score": 20,
            "x_opencti_detection": false,
            "x_opencti_main_observable_type": "StixFile",
            "createdBy": {
              "identity_class": "organization",
              "name": "*** Redacted ***"
            },
            "objectMarking": [
              {
                "definition_type": "TLP",
                "definition": "TLP:CLEAR"
              }
            ],
            "objectLabel": [
              {
                "value": "ransomware"
              },
              {
                "value": "russia"
              },
              {
                "value": "phishing"
              },
              {
                "value": "belarus"
              },
              {
                "value": "lockbit"
              },
              {
                "value": "babuk"
              },
              {
                "value": "cve-2023-38831"
              },
              {
                "value": "vasa locker"
              },
              {
                "value": "phantomdl"
              },
              {
                "value": "phantomcore"
              },
              {
                "value": "babyk"
              },
              {
                "value": "hacktivists"
              },
              {
                "value": "cobalt strike"
              },
              {
                "value": "shamoon"
              },
              {
                "value": "facefish"
              },
              {
                "value": "chaos"
              },
              {
                "value": "lockbit 3.0"
              },
              {
                "value": "cve-2021-26855"
              },
              {
                "value": "hacktivism"
              },
              {
                "value": "cobint"
              },
              {
                "value": "infrastructure sharing"
              },
              {
                "value": "phantomjitter"
              }
            ],
            "killChainPhases": [],
            "externalReferences": {
              "edges": [
                {
                  "node": {
                    "external_id": null,
                    "source_name": "VirusTotal",
                    "url": "https://www.virustotal.com/gui/file/92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50",
                    "description": "PE32+ executable (console) x86-64, for MS Windows"
                  }
                }
              ]
            },
            "observables": {
              "edges": [
                {
                  "node": {
                    "id": "3a163e26-93c4-4dd9-a6d3-61af4052c99d",
                    "standard_id": "file--75dac703-7cc2-5f0b-a5bf-2bb5e8437d57",
                    "entity_type": "StixFile",
                    "observable_value": "92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50",
                    "hashes": [
                      {
                        "algorithm": "SHA-256",
                        "hash": "92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50"
                      },
                      {
                        "algorithm": "MD5",
                        "hash": "e930b05efe23891d19bc354a4209be3e"
                      }
                    ],
                    "size": 1250056,
                    "name": "windows_update100.exe",
                    "name_enc": null,
                    "magic_number_hex": null,
                    "mime_type": null,
                    "ctime": null,
                    "mtime": null,
                    "atime": null,
                    "x_opencti_additional_names": [
                      "windows_update.exe",
                      "mimikatz.exe",
                      "DeadPotato-master/Resources/mimikatz.exe",
                      "H:\\kendo\\scaronong\\/mimikatz.exe",
                      "mimikatz",
                      "mimikatz-master/x64/mimikatz.exe",
                      "FilelessPELoader-main/mimikatz.exe",
                      "92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50.exe",
                      "C:\\Users\\user\\Desktop\\out.exe",
                      "out.exe",
                      "mimi.exe",
                      "H:\\kendo\\yy/mimikatz.exe",
                      "x64/mimikatz.exe",
                      "mimikatz (1).exe",
                      "mimikatz-debian-2.2.0-20200229-1parrot1/x64/mimikatz.exe",
                      "windows_update (2).exe",
                      "C:\\Users\\adminaccount\\Downloads\\mimikatz.exe",
                      "mimikatz(1).exe",
                      "winutils.exe",
                      "mimikatz-debian-1-2.2.0-20200229-1parrot2/x64/mimikatz.exe",
                      "mpasbase.vdm",
                      "spoolsv.exe",
                      "mimikatzx64.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\zumxllar.ar1\\mimikatz.exe",
                      "master.exe",
                      "/tmp/cache/extracted_files/d1f7832035c3e8a73cc78afd28cfd7f4cece6d20.bin",
                      "c:\\windows\\system32\\scf751w2yllunglolntb6y9wq1597xe2t5lr9dhrza.exe",
                      "eq14atcrgon0uty16hd0hmxj1dg19di4wofmrm8wl.exe",
                      "C:\\Windows\\11k6fus6guj100xastc2c6dm3b41s91acx3yq9qxos.exe",
                      "n4v4m40l92rtw6957mis3p1ho6459ntf3dn2l4t23tzr.exe",
                      "C:\\ProgramData\\ogkmf7m3n3xdq85difql4f63xfsj75dlk19xffmlkm0o84ovb.exe",
                      "C:\\Windows\\Temp\\2.exe",
                      "mimikatz.exe.copy0",
                      "windows_update - Copy.exe",
                      "mimikatz-upstream-2.2.0-20200229/x64/mimikatz.exe",
                      "Mizedo64.exe",
                      "out",
                      "cnp.trojan",
                      "🇵🇹🇮🇴♥️♾️🔄🆘🆘⭕️🔟🇵🇹🇮🇴♥️♾️🔄🆘🆘⭕️🔟🇵🇹🇮🇴♥️♾️🔄🆘🆘⭕️🔟🇵🇹🇮🇴♥️♾️🔄🆘🆘⭕️🔟🇵🇹🇮🇴♥️♾️🔄🆘🆘⭕️🔟🇵🇹🇮🇴♥️♾️🔄🆘🆘⭕️🔟🇵🇹🇮🇴♥️♾️🔄🆘🆘⭕️🔟🇵🇹🇮🇴♥️♾️🔄🆘🆘⭕️🔟🇵🇹🇮🇴♥.exe",
                      "◻️.exe",
                      "test.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\03dulnbn.ne0\\Mizedo64.exe",
                      "%HOME%\\unpack\\mimikatz.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\53wh542w.d1c\\mimikatz.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\nnv0hh3l.v04\\mimikatz.exe",
                      "mimikatz.exe.crdownload",
                      "notmimikatz.exe",
                      "ad/mimikatz.exe",
                      "D:/test\\\\mimikatz.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\4ohx5kmf.gvr\\ad\\mimikatz.exe",
                      "mimikatz.bin",
                      "autoupdater.exe",
                      "mmk.mp3",
                      "C:\\Windows\\mimikatz.exe",
                      "Danger.exe",
                      "ikatz.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\jvpvvqk0.bdf\\cmifc-main\\x64\\ikatz.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\qclkufmt.pvf\\x64\\mimikatz.exe",
                      "cmifc-main/x64/ikatz.exe",
                      "windows_patch.exe",
                      "Unconfirmed 869316.crdownload",
                      "сентябрь 2023(570)/92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\zfptlmhs.k2y\\Mizedo64.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\s0zcolno.x0h\\Mizedo64.exe",
                      "mimikatzWindows-master/x64/mimikatz.exe",
                      "c:\\Tools\\mimikatz\\x64\\mimikatz.exe",
                      "Youtube-main/Active Directory/Tools/mimikatz.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\24cpddoq.woi\\Youtube-main\\Active Directory\\Tools\\mimikatz.exe",
                      "Microsoft.exe",
                      "data/web32.exe",
                      "C:\\test\\mimikatz-master\\x64\\mimikatz.exe",
                      "nomimikatz.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\pfy2dakv.ivm\\mimikatz.exe",
                      "test02-mimikatz.pdf",
                      "mimikatzjgfwijgijwr.exe",
                      "mimikatz_original.exe",
                      "$R1DB59L.exe",
                      "mi64.exe",
                      "USBCoreMm.exe",
                      "C:\\Users\\georg\\Downloads\\mimikatz.exe",
                      "mumu.exe",
                      "NotaVirus.exe",
                      "usr/share/mimikatz/x64/mimikatz.exe",
                      "usr/share/windows-resources/mimikatz/x64/mimikatz.exe",
                      "test.zip",
                      "Mimikatz x64.exe",
                      "mimikatz (2).exe",
                      "C:\\Users\\AAMIR\\Downloads\\mimikatz.exe",
                      "C:\\Users\\user\\Desktop\\Files\\master.exe",
                      "sifreliokuma64.exe",
                      "mi.exe",
                      "mmk.exe",
                      "mimikatz.exe.png",
                      "%TEMP%\\svchost.exe",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\svchost.exe",
                      "%TEMP%\\file.exe",
                      "c:\\users\\oqxzraykm\\desktop\\file.exe",
                      "C:\\Users\\user\\Desktop\\file.exe",
                      "file.exe"
                    ],
                    "obsContent": null
                  }
                }
              ],
              "pageInfo": {
                "globalCount": 1
              }
            }
          },
          "cursor": "Wzg5LjcwMTg2LCJpbmRpY2F0b3ItLTI2YzczYjM0LTk3NzQtNTkzZS05ODk1LTk1MjUwZGZlNjkwNSJd"
        }
      ],
      "pageInfo": {
        "endCursor": "Wzg5LjcwMTg2LCJpbmRpY2F0b3ItLTI2YzczYjM0LTk3NzQtNTkzZS05ODk1LTk1MjUwZGZlNjkwNSJd",
        "hasNextPage": false,
        "globalCount": 2
      }
    }
  }
}

Block2: Hash reputation check with VirusTotal

Action: file reputation
App: VirusTotal Call API
Input: process_hash
Output: Name, Type, Malicious, Threat, Url search, v.v.

{
	"meaningful_name": "mimikatz.exe",
	"magic": "PE32+ executable (console) x86-64, for MS Windows",
	"malicious": 63,
	"suggested_threat_label": "trojan.mimikatz/marte",
	"url": "https://www.virustotal.com/api/v3/files/92804FAAAB2175DC501D73E814663058C78C0A042675A8937266357BCFB96C50"
}

Notification Phare

Block3: Notify Team

Action: Send Information
App: Slack
Input: Summary of alert, Splunk result, OpenCTI result, VT result.

Verification Phare (Advance)

Block4: Sandbox Detonation

Action: detonate file
App: Any.run or sandbox integration
Input: process_hash
Output: Behavior analysis

Containment Phase (Advance)

Block5: Endpoint Isolation

Action: isolate endpoint
App: EDR
Input: host or dest
Output: Status=success

Block6: Kill Malicious Process

Action: terminate process malicious
App: EDR
Input: process_path or pid
Output: Confirmation

Diagram

Configure

Splunk Rule Detection

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name=mimikatz.exe OR Processes.original_file_name=mimikatz.exe) by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_mimikatz_binary_execution_filter` 
| where process_hash!="null" 
| where parent_process_name!="unknown"
| join type=left dest [ search index="windows-log" | fields dest, severity ] 
| addinfo 
| eval link_alert = "https://192.168.35.150:8000/en-US/app/search/search?sid=".info_sid 
| eval annotations=json_object( 
    "analytic_story", mv_to_json_array(split("CISA AA22-320A,CISA AA23-347A,Compromised Windows Host,Credential Dumping,Flax Typhoon,Sandworm Tools,Volt Typhoon", ",")), 
    "cis20", mv_to_json_array(split("CIS 10", ",")), 
    "kill_chain_phases", mv_to_json_array(split("Exploitation", ",")), 
    "mitre_attack", mv_to_json_array(split("T1003", ",")), 
    "nist", mv_to_json_array(split("DE.CM", ",")),
    "vn9i", mv_to_json_array(split("Các hình thức tấn công khác", ",")) 
    ) 
| eval tactics = "Credential Access" 
| eval entity = dest, entity_type = "system", risk_object= entity, risk_object_type=entity_type, threat_object = parent_process_name, threat_object_type = "parent_process_name"
| collect index=soc_risk

Setting

Value

Disabled

False

Cron Schedule

0 * * * * *

Earliest Time

-70m@m

Latest Time

-10m@m

Schedule Window

auto

Creates Notable

Yes

Rule Title

%name%

Rule Description

%description%

Create Trigger Action with Webhook search index=soc_risk

Setting

Value

Disabled

False

Cron Schedule

*/1 * * * *

Earliest Time

-70m@m

Latest Time

-10m@m

Schedule Window

auto

Creates Notable

Yes

Rule Title

%name%

Rule Description

%description%

Parse IOC

Using Shuffler tool Regex capture group

OpenCTI body

VirusTotal Get a hash report

Slack Chat Message

Result after Workflow trigger alert and Enrichment IOC

 [New-Alert] Splunk Information
Rule Name: EBD - Windows Mimikatz Binary Execution - Rule
Timestamp: 2025-07-23T11:42:24
Dest: WinSrv22.luongdv.thd
Risk Object: WinSrv22.luongdv.thd
Risk Object Type: system
Threat Object: powershell.exe
Threat Object Type: parent_process_name
Process Name: mimikatz.exe
Process Hash: SHA1=D1F7832035C3E8A73CC78AFD28CFD7F4CECE6D20,MD5=E930B05EFE23891D19BC354A4209BE3E,SHA256=92804FAAAB2175DC501D73E814663058C78C0A042675A8937266357BCFB96C50,IMPHASH=1355327F6CA3430B3DDBE6E0ACDA71EA
Severity: informational
Link Alert: https://192.168.35.150:8000/en-US/app/search/search?sid=scheduler__admin_dGhkX2ZpbmRpbmdfYmFzZWRfZGV0ZWN0aW9u__RMD5274c121f254c8a17_at_1753245780_428
    OpenCTI Infomation
Indicator ID: indicator--4922d1d4-3df6-5cc4-bcb7-c7ed420ab841
Name: [file:hashes.'SHA-256' = '92804FAAAB2175DC501D73E814663058C78C0A042675A8937266357BCFB96C50']
OpenCTI Score: 50
    VirusTotal Information
Name: mimikatz.exe
Type: PE32+ executable (console) x86-64, for MS Windows
Malicious: 63
Threat: trojan.mimikatz/marte
Url: https://www.virustotal.com/api/v3/files/92804FAAAB2175DC501D73E814663058C78C0A042675A8937266357BCFB96C50

PreviousOpenCTI integration with SIEM (Splunk)NextWindows

Last updated 6 months ago

hashtagMALICIOUS FILE DETECTED

hashtagEnvironment

hashtagPlaybook Trigger

hashtagPlaybook Workflow

hashtagEnrichment Phare

hashtagNotification Phare

hashtagVerification Phare (Advance)

hashtagContainment Phase (Advance)

hashtagDiagram

hashtagConfigure

hashtagSplunk Rule Detection

hashtagParse IOC