Intro to Splunk and Real World Scenarios

Part 1 of module skills assessment:
1. Find through an SPL search against all data the account name with the highest amount of Kerberos authentication ticket requests
  1. Here we will hop into Splunk and access the “search and reporting” section on the left hand side
  2. Next we need to build a query that can help us locate events with “Kerberos”
    1. I build one like this:
      2. We are checking our main index which contains our window security and sysmon logs
      3. And we are searching generally for “Kerberos” which will pull all event’s where this application name shows
      4. We get 1052 events
      5. Now we want to figure out which account_name has the highest count of events
      6. On the left hand side we want to take a look at the interesting fields for “Account_Name”
      7. With the filter create we now see the total counts. At the top left clicked in on “account_name” we see an option to build a report on top values
      8. Clicking this drops us into a visually friendly way to see our data
      9. We can ignore “WIN-HSRME76TRAD$” and “DESKTOP-EGSS5IS$” as these are machine names
      10. Your answer will be in this report alongside the above 😛

Part 2 of module skills assessment:
1. Find through an SPL search against all 4624 events, the count of distinct computers accessed by the account name SYSTEM
  1. To break down the above ask:
    1. Create a SPL query that will search for all eventcode: 4624 events
    2. And provide the count of distinct computers accessed by the account_name = “system”
  2. For our query we will use:
    1. index=”main” sourcetype=”wineventlog:security” EventCode=4624 Account_Name=”SYSTEM” | stats dc(ComputerName) as distinct_computers
    2. Index=main
      1. Pulling data in our index that contains our windows security and sysmon logs
    3. sourcetype=”wineventlog:security”:
      1. Here we are specifying we want our source type to be for windows security logs
    4. EventCode=4624:
      1. Our event code which indicates a successful login
    5. Account_Name=”SYSTEM”:
      1. The name of the account we are referencing which is named “SYSTEM”
    6. stats dc(ComputerName) as distinct_computers:
      1. Uses the stats command to count the distinct (dc stands for distinct count) computer names accessed by the “SYSTEM” account
  3. The answer will be pretty evident here 🙂

Part 3 of module skills assessment:
1. Find through an SPL search against all 4624 events the account name that made the most login attempts within a span of 10 minutes
  1. First we need to build a query
    1. I went with:
      1. index=main account_name=”waldo”
      2. | bin _time span=10m
        | stats count as login_count by _time, AccountName
        | sort – login_count
        | dedup _time, AccountName
        | table _time, AccountName, login_count
        
        | bin _time span=10m
        
        Using ‘bin’ to group events into 10min intervals
        
        | stats count as login_count by _time, AccountName
        
        Use ‘stats’ to count the number of login events (count) for each account within each 10-minute interval
        
        | sort – login_count
        
        Sort the results by the login count in descending order
        
        | dedup _time, AccountName
        
        Use dedup to keep only the top result for each 10-minute interval per account
        
        | table _time, AccountName, login_count
        
        Display the relevant fields in the results.
    2. Once loaded, I used a similar tactic and looked into the different account names. Your answer will be in there 🙂

Intrusion Detection With Splunk (Real-world Scenario)

Find through an SPL search against all data the other process that dumped lsass:
1. Following through our HTB Module we ran a query earlier around lsass looking for what was used when credentials were dumped
  1. What we found and dove into was the notepad.exe that popped up
2. Going back now we want to uncover what the other process was that stood out in our query
3. Here we can run a general query for lsass and count by SourceImage
5. Some of these are noise, one is notepad, but the other process that shows only a few counts is the *FLAG*
Find through SPL searches against all data the method through which the other process dumped lsass. Enter the misused DLL’s name as your answer
1. Now that we have our other process we want to see if we can look through the data to see what DLL was misused for the DLL Hijack
  1. We can actually click into the highlighted process and click “View Events”
  3. This will open a new query to dig into those specific events
2. Let’s open the first event and take a glance at the CallTrace section
  1. Here is a place we can locate the pathing, or call that happened giving us insight into what triggered our process
  2. TIP: Follow the call stack until you find your process, then work back to see what the last DLL was used. This should give you *FLAG*
Find through SPL searches against all data the two IP addresses of the C2 callback server
1. The first step we want to take is run a query to check on EventCode 3 for connections where the image of rundll32.exe was located
2. Here we can then check the list of destination IP’s which is our answer to the question
Find through SPL searches against all data the port that one of the two C2 callback server IPs used to connect to one of the compromised machines
1. With our destination IP’s we found we can use those to quickly locate the port used
2. index=main EventCode=3 (SourceIp=”10.0.0.1xx” OR SourceIp=”10.0.0.xx”) DestinationPort=”*”
3. | stats values(DestinationPort) as destination_ports
  1. This will provide you with a single port number