Intrustion Detection with Splunk
Ingesting Data Sources
The most imporant thing at the begining is to lower the volume of logs.
Retrive all logs
index="main" earliest=0
Searching Effectively
Some queries can take more time to load than others, although the returned lgos are the exact same. That is because if for example we specify to search for security logs and an EventCode that occurs only in security logs, and in another query we only specify the EventCode and not the source, we will get the same result, but splunk in the first example knows where to look, while in the second it looks through all the logs. Thus, taking more time to return the result of the query.
listing all our sourcetypes
index="main"
| stats count by sourcetype

Query for all Sysmon logs
index="main" sourcetype="WinEventLog:Sysmon"
all possible instances of uniwaldo.local
(Computer Name)
index="main" uniwaldo.local
all possible instances of uniwaldo.local
using wildcards (takses more time)
index="main" *uniwaldo.local*
This search takes a lot of time because it searches for uniwaldo.local in all fields as a value. But we know its a computer name, so we can make it easyer for splunk by specifying the field.
all possible instances of uniwaldo.local
using wildcards in ComputerName field
index="main" ComputerName="*uniwaldo.local"
Embracing The Mindset Of Analysts, Threat Hunters, & Detection Engineers
Sysmon Event Codes provide detailed logging of system activities, useful for detecting anomalies.
Parent-Child Process Relationships can reveal malicious execution chains (e.g.,
notepad.exe
spawningpowershell.exe
).DCSync Attack Detection involves monitoring Active Directory replication events (
EventCode=4662
withAccess_Mask=0x100
).LSASS Dumping can be detected using
EventCode=10
(Process Access) targetinglsass.exe
.Efficient Searching in Splunk involves:
Filtering by
sourcetype
andEventCode
to reduce search time.Using wildcards (
*
) carefully to avoid performance issues.Specifying fields (e.g.,
ComputerName
) instead of raw text searches.
Listing All Sysmon EventCodes in the Dataset
index="main" sourcetype="WinEventLog:Sysmon"
| stats count by EventCode
Identifies which Sysmon events are logged in the environment.
Investigating Suspicious Parent-Child Processes
index="main" sourcetype="WinEventLog:Sysmon" EventCode=1
| stats count by ParentImage, Image
Lists all process creation events with parent-child relationships.
Filtering for High-Risk Processes (e.g., cmd.exe
, powershell.exe
)
cmd.exe
, powershell.exe
)index="main" sourcetype="WinEventLog:Sysmon" EventCode=1
(Image="*cmd.exe" OR Image="*powershell.exe")
| stats count by ParentImage, Image
Focuses on suspicious execution chains.
Deep Dive into notepad.exe
Spawning powershell.exe
notepad.exe
Spawning powershell.exe
index="main" sourcetype="WinEventLog:Sysmon" EventCode=1
(Image="*powershell.exe") ParentImage="C:\\Windows\\System32\\notepad.exe"
Tracking Suspicious IP (10.0.0.229
)
10.0.0.229
)index="main" 10.0.0.229
| stats count by sourcetype
Identifies all logs related to the suspicious IP.
Investigating Linux Host (waldo-virtual-machine
)
waldo-virtual-machine
)index="main" 10.0.0.229 sourcetype="linux:syslog"
Checks if the Linux system is involved in malicious activity.
Finding Malicious Commands from the IP
index="main" 10.0.0.229 sourcetype="WinEventLog:sysmon"
| stats count by CommandLine, host
Lists commands executed on Windows hosts from the suspicious IP.
Detecting DCSync Attacks (Active Directory Compromise)
index="main" EventCode=4662 Access_Mask=0x100 Account_Name!=*$
| table _time, Account_Name, Object_Type, Properties
Identifies potential DCSync attempts (replication of AD secrets).
Detecting LSASS Dumping (Credential Theft)
index="main" EventCode=10 lsass
| stats count by SourceImage
Lists processes accessing lsass.exe
(common in credential dumping).
Investigating Suspicious notepad.exe
Accessing LSASS
notepad.exe
Accessing LSASSindex="main" EventCode=10 lsass SourceImage="C:\\Windows\\System32\\notepad.exe"
Checks if Notepad is being used to dump credentials (highly suspicious).
Key Takeaways
Start Broad, Then Narrow Down
Begin with general queries (e.g., all Sysmon events), then filter for anomalies.
Focus on High-Value EventCodes
EventCode=1
(process creation),EventCode=10
(process access), andEventCode=4662
(AD replication) are critical for detecting intrusions.
Correlate Suspicious Activity
Combine process anomalies (
notepad.exe
→powershell.exe
) with network connections (10.0.0.229
) to uncover attack chains.
Validate Findings
Use additional queries (e.g.,
Access_Mask=0x100
for DCSync) to confirm malicious activity.
Optimize Searches
Specify
sourcetype
and fields (e.g.,ComputerName
) to speed up queries.
Creating Meaningful Alerts
Key Concepts
Alerting vs. Hunting
Alerting: Proactive detection with low false positives.
Hunting: Exploratory analysis to uncover hidden threats.
Goal: Avoid alert fatigue by minimizing noise while catching real threats.
Detecting Malicious API Calls from UNKNOWN Memory Regions
Shellcode often executes from unbacked memory (UNKNOWN in call stacks).
Legitimate processes (e.g., JIT compilers) may also trigger UNKNOWN calls (false positives).
Optimizing Alerts
Exclude known benign processes (e.g.,
.NET
,Explorer.exe
,WOW64
).Focus on high-risk behaviors (e.g.,
ProcessAccess
withUNKNOWN
call traces).Ensure resilience against evasion (e.g., attackers renaming DLLs to bypass filters).
1. Identify All Call Traces with "UNKNOWN" (Shellcode Indicator)**
index="main" CallTrace="*UNKNOWN*"
| stats count by EventCode
Purpose: Find which
EventCode
logs contain suspicious memory calls.Observation: Only
EventCode=10
(Process Access) is relevant here.
2. Group Suspicious Calls by Source Process
index="main" CallTrace="*UNKNOWN*"
| stats count by SourceImage
Purpose: Identify processes making unbacked memory calls.
Common False Positives:
.NET
(JIT compilation).Electron apps (
Squirrel.exe
).WOW64
(Windows 32-bit emulation).
3. Filter Out Self-Accessing Processes
index="main" CallTrace="*UNKNOWN*"
| where SourceImage!=TargetImage
| stats count by SourceImage
Purpose: Ignore processes accessing themselves (often benign).
4. Exclude Known Benign Processes (JIT, .NET, WOW64)
index="main" CallTrace="*UNKNOWN*"
SourceImage!="*Microsoft.NET*"
CallTrace!=*ni.dll*
CallTrace!=*clr.dll*
CallTrace!=*wow64*
SourceImage!="C:\\Windows\\Explorer.EXE"
| where SourceImage!=TargetImage
| stats count by SourceImage
Purpose: Remove noise from legitimate applications.
Key Exclusions:
.NET
(clr.dll
,ni.dll
).WOW64
(32-bit emulation).Explorer.exe
(too noisy).
5. Final High-Fidelity Alert Query
index="main" CallTrace="*UNKNOWN*"
SourceImage!="*Microsoft.NET*"
CallTrace!=*ni.dll*
CallTrace!=*clr.dll*
CallTrace!=*wow64*
SourceImage!="C:\\Windows\\Explorer.EXE"
| where SourceImage!=TargetImage
| stats count by SourceImage, TargetImage, CallTrace
Purpose: Detect only suspicious process access from unbacked memory.
Output:
SourceImage
(malicious process).TargetImage
(process being accessed, e.g.,lsass.exe
).CallTrace
(full API call stack).
Tasks
task1
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all data the other process that dumped lsass. Enter its name as your answer. Answer format: _____.exe
index="main" EventCode=10 lsass SourceImage="C:\\Windows\\System32\\notepad.exe"

Answer: ntdll.dll
task2
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the method through which the other process dumped lsass. Enter the misused DLL's name as your answer. Answer format: ______.dll
index="main" EventCode=10 lsass SourceImage="C:\\Windows\\System32\\rundll32.exe"
| stats count by CallTrace

answer: comsvcs.dll
task3
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all data any suspicious loads of clr.dll that could indicate a C# injection/execute-assembly attack. Then, again through SPL searches, find if any of the suspicious processes that were returned in the first place were used to temporarily execute code. Enter its name as your answer. Answer format: ______.exe
index="main" EventCode=7 ImageLoaded="*clr.dll"
| stats count by Image
Answer: rundll32.exe
task4
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the two IP addresses of the C2 callback server. Answer format: 10.0.0.1XX and 10.0.0.XX
index="main" sourcetype="WinEventLog:Sysmon" EventCode=3 Image="C:\\Windows\\system32\\notepad.exe"
| stats values(DestinationIp) as destination_ips
Answer: 10.0.0.186 and 10.0.0.91
task5
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the port that one of the two C2 callback server IPs used to connect to one of the compromised machines. Enter it as your answer.
index="main" sourcetype="WinEventLog:Sysmon" EventCode=3 (SourceIp="10.0.0.186" OR SourceIp="10.0.0.91")
| stats count by DestinationPort

Answer: 3389
Last updated