
Splunk logs query

You’ll probably get a large number of responses back. A lot of threat hunting is starting with broad queries and getting more and more specific as you have more and more questions or things you want to filter out.

This search queries the “WinEventLog” sourcetype (substitute this with the sourcetype you are dumping your Windows event logs to). We’re looking for all EventCode 4688 entries (process creation). From there, we’re piping this query to the stats command, listing out all of the executables that have been seen for a given time period, and sorting them by how many times they have been executed, AND by similar command line arguments. Results can then be sorted by executables that are run least frequently or most frequently (all you have to do is click the “count” field to sort by most or least frequent occurrences). These results can be investigated through other queries in order to build context and/or determine intent.

Here is a similar query using sysmon logs:

We entered the string “*TotesSecure\\Tool\ Scripts*” in the parentheses. The wildcard character (*) at the beginning and end of the string allows us to pattern match without having to know the full directory path for the “TotesSecure” Tool Scripts directory. The wildcard at the end of our string also means that we don’t have to filter every single script in the Tool Scripts directory; we want to filter on all of them. You may also notice that I used a backslash (\) character to escape both the space in the “Tool Scripts” directory name and the backslash in the TotesSecure directory path.

You can use this filtering technique to filter more than one keyword or string in a single query. For example, let’s say you have Legit Monitoring Agent installed, and you’re sick of seeing it repeatedly in your Splunk results while zeroing in on unusual powershell.exe executions, but you also want to filter out the “TotesSecure” Tool Scripts directory. Simply add a comma for each keyword/string you want to filter on:

All of the queries I’ve used for process creation log hunting are some variation of these two initial queries:

  • “Show me all of the EventID 4688 or Sysmon EventID 1 events for a given time period, and sort them by least frequent occurrence.”
  • “Use the list of executables from the first query, and focus in on a single (or smaller number of) executables, show me the arguments that got passed to the executable, and sort them by the least frequent command line arguments.”

An Important Warning about Filtering Data

As demonstrated in the queries above, Splunk makes it pretty easy to filter out benign results. However, it’d be irresponsible if I didn’t mention that some advanced adversaries can and will take advantage of overly permissive filters in order to operate in the margins. A lot of advanced adversaries will execute tools out of directories containing antivirus tools, or rename their tools to make them appear to be legitimate. We’re going to pick on “Legit Monitoring Agent” to demonstrate these options with examples:

Option 1: Use an overly broad filter to filter out all results containing the string “Legit Monitoring Agent”. Then, once your investigation is complete, formulate a new query focusing exclusively on results from “Legit Monitoring Agent”.

Let’s start with both WinEventLog and Sysmon examples:

This is a sysmon-specific search that will show you a list of executables observed over a time period, including their file hash, and give you a count of how many times that executable name and file hash combination has been seen. You can then extract those file hashes and feed them to threat intelligence tools, or, for example, search for the file hash on VirusTotal (either via the web GUI or via their API) to see if the file(s) have been seen before and/or whether or not different endpoint security products see the file as malicious or not.

What if all I have are Windows native tools and pre-installed third party applications in my process creation logs?

The LOLBAS project is helping defenders enumerate the various ways that Windows native tools can be abused by adversaries. Have you ever heard of the concept of “Living off the land?” Well, attackers and adversaries are getting smarter, and learning to use Windows native tools and applications for everything from initial compromise, pivoting, persistence, and everything else in between.

If the LOLBAS project isn’t enough for you, consider taking a look at the MITRE ATT&CK framework.
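The two initial queries and the filtering warning above, as an added example that is not from the post: Python instead of SPL so it runs offline, stacking constructed Sysmon Event ID 1 records by Image and Hashes (rarest first), drilling into command lines, and comparing the broad NOT-filter with a hash-aware narrow one. The records, paths, hashes and the narrow filter are all my assumptions; the renamed tool in the agent’s directory shows what the broad filter hides.

```python
from collections import Counter
from fnmatch import fnmatchcase
# Constructed Sysmon Event ID 1 records (only Image, Hashes and CommandLine).
# The last one is a renamed tool dropped into the agent's directory: same path
# pattern as the real agent, but a hash nobody has vetted.
EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "Hashes": "SHA256=1111",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"Image": r"C:\Windows\System32\svchost.exe", "Hashes": "SHA256=1111",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"Image": r"C:\Program Files\Legit Monitoring Agent\agent.exe",
     "Hashes": "SHA256=2222", "CommandLine": "agent.exe --heartbeat"},
    {"Image": r"C:\Program Files\Legit Monitoring Agent\agent.exe",
     "Hashes": "SHA256=2222", "CommandLine": "agent.exe --heartbeat"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Hashes": "SHA256=3333",
     "CommandLine": r'powershell.exe -File "C:\TotesSecure\Tool Scripts\inventory.ps1"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Hashes": "SHA256=3333",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Users\Public\run.ps1"},
    {"Image": r"C:\Program Files\Legit Monitoring Agent\update.exe",
     "Hashes": "SHA256=9999", "CommandLine": "update.exe"},
]

def stack(events, *fields):
    """'| stats count by <fields> | sort count': rarest combinations first."""
    counts = Counter(tuple(e[f] for f in fields) for e in events)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))

def exclude(events, *patterns):
    """Option 1, the broad 'NOT ("*pat1*", "*pat2*")' filter: drop an event if
    any field matches any glob.  Globs are literal here; in Splunk the space and
    the path backslash need the escaping the post shows."""
    return [e for e in events
            if not any(fnmatchcase(v, p) for v in e.values() for p in patterns)]

def exclude_known(events, path_pattern, known_hashes):
    """Narrower filter (my addition): drop the agent only when its hash is one
    we have vetted, so an unknown binary in that directory still surfaces."""
    return [e for e in events
            if not (fnmatchcase(e["Image"], path_pattern) and e["Hashes"] in known_hashes)]

if __name__ == "__main__":
    for (image, hashes), n in stack(EVENTS, "Image", "Hashes"):
        print(n, image, hashes)
    broad = exclude(EVENTS, "*Legit Monitoring Agent*", r"*TotesSecure\Tool Scripts*")
    narrow = exclude_known(EVENTS, "*Legit Monitoring Agent*", {"SHA256=2222"})
    print("broad filter kept", len(broad), "events; narrow filter kept", len(narrow))
    print(stack(narrow, "CommandLine"))  # rarest command lines after filtering
```

With the constructed records the broad filter silently drops update.exe along with the real agent, while the hash-aware filter keeps it at the top of the least-frequent list.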