search

Intrustion Detection with Splunk

hashtag
Ingesting Data Sources

The most imporant thing at the begining is to lower the volume of logs.

hashtag
Retrive all logs

index="main" earliest=0

hashtag
Searching Effectively

Some queries can take more time to load than others, although the returned lgos are the exact same. That is because if for example we specify to search for security logs and an EventCode that occurs only in security logs, and in another query we only specify the EventCode and not the source, we will get the same result, but splunk in the first example knows where to look, while in the second it looks through all the logs. Thus, taking more time to return the result of the query.

hashtag
listing all our sourcetypes

index="main" 
| stats count by sourcetype

hashtag
Query for all Sysmon logs

all possible instances of uniwaldo.local (Computer Name)

all possible instances of uniwaldo.local using wildcards (takses more time)

This search takes a lot of time because it searches for uniwaldo.local in all fields as a value. But we know its a computer name, so we can make it easyer for splunk by specifying the field.

all possible instances of uniwaldo.local using wildcards in ComputerName field

hashtag
Embracing The Mindset Of Analysts, Threat Hunters, & Detection Engineers

  1. Sysmon Event Codes provide detailed logging of system activities, useful for detecting anomalies.

  2. Parent-Child Process Relationships can reveal malicious execution chains (e.g., notepad.exe spawning powershell.exe).

  3. DCSync Attack Detection involves monitoring Active Directory replication events (EventCode=4662 with Access_Mask=0x100).

  4. LSASS Dumping can be detected using EventCode=10 (Process Access) targeting lsass.exe.

  5. Efficient Searching in Splunk involves:

    • Filtering by sourcetype and EventCode to reduce search time.

    • Using wildcards (*) carefully to avoid performance issues.

    • Specifying fields (e.g., ComputerName) instead of raw text searches.

hashtag
Listing All Sysmon EventCodes in the Dataset

Identifies which Sysmon events are logged in the environment.

hashtag
Investigating Suspicious Parent-Child Processes

Lists all process creation events with parent-child relationships.

hashtag
Filtering for High-Risk Processes (e.g., cmd.exe, powershell.exe)

Focuses on suspicious execution chains.

hashtag
Deep Dive into notepad.exe Spawning powershell.exe

hashtag
Tracking Suspicious IP (10.0.0.229)

Identifies all logs related to the suspicious IP.

hashtag
Investigating Linux Host (waldo-virtual-machine)

Checks if the Linux system is involved in malicious activity.

hashtag
Finding Malicious Commands from the IP

Lists commands executed on Windows hosts from the suspicious IP.

hashtag
Detecting DCSync Attacks (Active Directory Compromise)

Identifies potential DCSync attempts (replication of AD secrets).

hashtag
Detecting LSASS Dumping (Credential Theft)

Lists processes accessing lsass.exe (common in credential dumping).

hashtag
Investigating Suspicious notepad.exe Accessing LSASS

Checks if Notepad is being used to dump credentials (highly suspicious).

hashtag
Key Takeaways

  1. Start Broad, Then Narrow Down

    • Begin with general queries (e.g., all Sysmon events), then filter for anomalies.

  2. Focus on High-Value EventCodes

    • EventCode=1 (process creation), EventCode=10 (process access), and EventCode=4662 (AD replication) are critical for detecting intrusions.

  3. Correlate Suspicious Activity

    • Combine process anomalies (notepad.exepowershell.exe) with network connections (10.0.0.229) to uncover attack chains.

  4. Validate Findings

    • Use additional queries (e.g., Access_Mask=0x100 for DCSync) to confirm malicious activity.

  5. Optimize Searches

    • Specify sourcetype and fields (e.g., ComputerName) to speed up queries.

hashtag
Creating Meaningful Alerts

hashtag
Key Concepts

  1. Alerting vs. Hunting

    • Alerting: Proactive detection with low false positives.

    • Hunting: Exploratory analysis to uncover hidden threats.

    • Goal: Avoid alert fatigue by minimizing noise while catching real threats.

  2. Detecting Malicious API Calls from UNKNOWN Memory Regions

    • Shellcode often executes from unbacked memory (UNKNOWN in call stacks).

    • Legitimate processes (e.g., JIT compilers) may also trigger UNKNOWN calls (false positives).

  3. Optimizing Alerts

    • Exclude known benign processes (e.g., .NET, Explorer.exe, WOW64).

    • Focus on high-risk behaviors (e.g., ProcessAccess with UNKNOWN call traces).

    • Ensure resilience against evasion (e.g., attackers renaming DLLs to bypass filters).

hashtag
1. Identify All Call Traces with "UNKNOWN" (Shellcode Indicator)**

  • Purpose: Find which EventCode logs contain suspicious memory calls.

  • Observation: Only EventCode=10 (Process Access) is relevant here.

hashtag
2. Group Suspicious Calls by Source Process

  • Purpose: Identify processes making unbacked memory calls.

  • Common False Positives:

    • .NET (JIT compilation).

    • Electron apps (Squirrel.exe).

    • WOW64 (Windows 32-bit emulation).

hashtag
3. Filter Out Self-Accessing Processes

  • Purpose: Ignore processes accessing themselves (often benign).

hashtag
4. Exclude Known Benign Processes (JIT, .NET, WOW64)

  • Purpose: Remove noise from legitimate applications.

  • Key Exclusions:

    • .NET (clr.dll, ni.dll).

    • WOW64 (32-bit emulation).

    • Explorer.exe (too noisy).

hashtag
5. Final High-Fidelity Alert Query

  • Purpose: Detect only suspicious process access from unbacked memory.

  • Output:

    • SourceImage (malicious process).

    • TargetImage (process being accessed, e.g., lsass.exe).

    • CallTrace (full API call stack).

hashtag
Tasks

hashtag
task1

Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all data the other process that dumped lsass. Enter its name as your answer. Answer format: _____.exe

Answer: ntdll.dll

hashtag
task2

Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the method through which the other process dumped lsass. Enter the misused DLL's name as your answer. Answer format: ______.dll

answer: comsvcs.dll

hashtag
task3

Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all data any suspicious loads of clr.dll that could indicate a C# injection/execute-assembly attack. Then, again through SPL searches, find if any of the suspicious processes that were returned in the first place were used to temporarily execute code. Enter its name as your answer. Answer format: ______.exe

Answer: rundll32.exe

hashtag
task4

Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the two IP addresses of the C2 callback server. Answer format: 10.0.0.1XX and 10.0.0.XX

Answer: 10.0.0.186 and 10.0.0.91

hashtag
task5

Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the port that one of the two C2 callback server IPs used to connect to one of the compromised machines. Enter it as your answer.

Answer: 3389

PreviousIntroduction to Splunk AppsNextDetecting Attacker Behavior With Splunk Based On TTPs

Last updated