search
LinkedinTryHackme

Intrusion Detection With Splunk

hashtag
Introduction

In this module, we expand from individual log analysis to monitoring entire networks, using Windows Event Logs across multiple machines to identify potential malicious activity. We aim to filter out false positives, crafting precise queries and alerts to proactively secure the environment.

hashtag
Ingesting Data Sources

We need access to various data sources for effective threat hunting. Options include:

  • BOTS: Provided by Splunk with setup instructions.

  • logs.to: Generates dummy logs in JSON format. When using logs.to data, set Indexed Extractions to JSON for accurate parsing.

Query Example to Retrieve All Events:

index="main" earliest=0

This dataset will contain over 500,000 events across various sourcetypes, representing multiple infections and types of attacks.

hashtag
Effective Searching Techniques

Efficient querying is crucial for threat hunting. As SIEM data grows, so does processing time. Targeted searches help minimize resource usage and reduce irrelevant data. For instance:

  • We'll start by listing all our sourcetypes to approach this as an unknown environment from scratch

index="main" | stats count by sourcetype

hashtag
Generalized vs. Targeted Queries

  1. General Search (String Anywhere):

    index="main" uniwaldo.local

    This search will retrieve all occurrences of the string "uniwaldo.local" across sourcetypes.

  2. Wildcard Search (Anywhere in String):

    index="main" *uniwaldo.local*

    Slower performance due to broad search scope.

  3. Targeted Field Search:

    index="main" ComputerName="*uniwaldo.local"

    Faster due to specific targeting, reducing resource load.

hashtag
Identifying Sysmon Events by EventCode

Using Sysmon data, we can break down activity by EventCode, helping identify patterns indicative of attacks.

Event Codes for Threat Detection:

  • Event ID 1 - Process Creation (e.g., abnormal parent-child process hierarchies)

  • Event ID 3 - Network Connections (noise-heavy but useful for spotting anomalies)

  • Event ID 5 - Process Termination (helps detect suspicious process kills)

  • Event ID 6 - Driver Loaded (useful for identifying BYOD attacks)

  • Event ID 10 - Process Access (useful for memory dumps and injection detection)

  • Event ID 25 - Process Tampering (e.g., process herpadering, mini AV alert filter)

Query Example - Identifying Suspicious Parent-Child Processes:

This query reveals process chains, aiding in detecting unusual executions (e.g., notepad.exe launching powershell.exe).

hashtag
Advanced Threat Detection and IP Investigation

To identify connections to suspicious IP addresses, we can query IP-related events:

Query Example:

Examining specific sources, such as Sysmon and Linux syslog, helps confirm machine interactions with external IPs, potentially signaling compromise.

hashtag
Targeting Credential Dumping - Sysmon Event Code 10

Query Example - Detecting Access to lsass Process:

This query helps identify unusual processes accessing lsass.exe, a common target for credential dumping.

hashtag
Creating Effective Alerts

To develop reliable alerts, we focus on filtering noise and targeting high-fidelity indicators. For instance, by targeting API calls from UNKNOWN memory regions, we filter out common false positives.

hashtag
Step-by-Step Alert Query

  1. Identify All UNKNOWN Call Stacks:

  2. Filter Known JITs, Microsoft.Net, and WOW64 Processes:

  3. Exclude Explorer.exe and Group Results by Call Trace:

This method produces a robust alert system that distinguishes between legitimate JIT processes and potential threats.

PreviousUsing Splunk ApplicationsNextQuestion

Last updated