Splunk is a SIEM (Security Information and Event Management) product which helps us collect security related event data from your lab environment. It’s a powerful tool for defenders to gain insight into their environments and better understand normal versus malicious behaviors. It’s also quite handy for attackers to know precisely what their actions look like, and how to blend into the normal activities on the network.

In our lab environments, we use Sysmon and the Splunk Universal Forwarder in tandem to collect and ship data to the lab’s Splunk instance. Sysmon runs locally to collect various Windows system events in a log file, and the Universal Forwarder sends that log data to Splunk. We also run Splunk forwarders on Linux based systems to send system and application logs to our Splunk instances.

To access the Splunk instance in your lab, first you’ll need to connect to the lab via the browser or a VPN connection. You can reference the Knowledge Base here for details on both those methods: Https://

Once you’ve connected, you’ll be able to browse directly to the Splunk application and login with the credentials provided in your lab’s Detailed Systems List. You can download the systems list in the “Documents” page of the Snap Labs dashboard. Once you’ve authenticated, this is the screen you should see:

This type of view can be particularly helpful when you want to identify normal values for a particular field, then pick out the outliers. There’s even a built-in function for searches, “rare”, which can help do this.

By playing around with basic searches like this and utilizing the built-in functions Splunk provides to modify your search by including or excluding specified field values, you can start to get a pretty good sense for the Search app and how one might use it to identify malicious security incidents. Splunk also has a ton of great documentation and tutorials, which we encourage you to check out! You can get started on Search documentation here: Https:///Documentation/Splunk/8.0.2/Search/GetstartedwithSearch

Diving Deeper – Hunting with Splunk

Now that we’ve gone through the basics of searching for events with Splunk, we can start digging deeper into specific events and identifying malicious behaviors. Threat hunting is a popular topic these days among cybersecurity defenders, and there are a ton of great resources out there to learn about methodologies, hunting for specific tactics, techniques, and procedures (TTPs), and even how to best share that information with the community. We won’t be going into that type of detail in this post. Instead, we’ll explore an example threat hunting scenario and how you can use Splunk to start investigating in your lab environments.

Abnormal Parent/Child Process Relationships

One good way to help determine if a running process on your network is normal or not is to analyze its relationship to its parent process – the one that started the process we’re interested in. For an example of this, consider your regular Windows user launching applications from their desktop. When a user wants to browse the internet, they’ll launch a browser like Internet Explorer (iexplore.exe). Since they launched this browser through their desktop, the desktop process (explorer.exe) will be the “parent process” of Internet Explorer. With this in mind, we can make an assumption that many user launched processes will have a parent process of explorer.exe.

PowerShell is a popular command-line tool for system administrators and IT professionals, but it’s also commonly abused by attackers to run commands on compromised systems. We can use some of the assumptions we’ve just made to try and identify malicious PowerShell usage in our lab.

Hypothesis – PowerShell processes not created by explorer.exe may be malicious.

To test this hypothesis, we’ll first want to validate that powershell.exe processes started by administrators and users are actually spawned via explorer.exe. We can run a quick sanity check by accessing a Windows host via a console session in our lab dashboard and launching a PowerShell window. Then, we can check Splunk logs for that event by running a search on that host where the application was powershell.exe in the last couple of minutes. The search query should look something like this:

host=plaid app="*powershell.exe"

If our timeline is narrow enough (within the last few minutes) it should be pretty easy to pick out our PowerShell process creation event and validate the parent process. You can see we’ve got a ton of results! That’s going to be difficult to sift through and identify malicious instances of PowerShell running.
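As an added example (not code from this post or from Snap Labs), the Python below runs the post’s hypothesis over a handful of constructed Sysmon process-creation records: it filters to powershell.exe on a host, tallies which parents normally launch it (the sanity-check step, the equivalent of piping the search into `stats count by ParentImage`), and returns the starts whose parent is not explorer.exe. The field names (`host`, `Image`, `ParentImage`, `User`) and the sample events are assumptions for the demonstration.

```python
"""Parent/child check for PowerShell starts (added example, not the post's code).
EVENTS is a constructed sample of Sysmon Event ID 1 records in the shape the
Universal Forwarder ships to Splunk; field names and host name are assumptions."""
from collections import Counter
from typing import Dict, Iterable, List, Optional, Sequence

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events from one lab host (not real log data).
EVENTS: List[Dict[str, str]] = [
    {"host": "plaid", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe", "User": "PLAID\\alice"},
    {"host": "plaid", "Image": PS, "ParentImage": r"C:\Windows\explorer.exe", "User": "PLAID\\bob"},
    {"host": "plaid", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "PLAID\\alice"},
    {"host": "plaid", "Image": PS,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": "PLAID\\alice"},
    {"host": "plaid", "Image": PS, "ParentImage": r"C:\Windows\System32\services.exe",
     "User": "NT AUTHORITY\\SYSTEM"},
]

def basename(path: str) -> str:
    """Last path component, lower-cased: 'C:\\Windows\\explorer.exe' -> 'explorer.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def powershell_events(events: Iterable[Dict[str, str]], host: Optional[str] = None) -> List[Dict[str, str]]:
    """Same filter as the search  host=plaid app="*powershell.exe"  in the post."""
    return [e for e in events
            if basename(e["Image"]) == "powershell.exe"
            and (host is None or e["host"] == host)]

def parent_baseline(events: Iterable[Dict[str, str]]) -> Counter:
    """Sanity-check step: which parents launch PowerShell here (like | stats count by ParentImage)."""
    return Counter(basename(e["ParentImage"]) for e in powershell_events(events))

def suspicious_powershell(events: Iterable[Dict[str, str]],
                          expected_parents: Sequence[str] = ("explorer.exe",)) -> List[Dict[str, str]]:
    """Hypothesis: powershell.exe not created by explorer.exe may be malicious -> review queue."""
    return [e for e in powershell_events(events)
            if basename(e["ParentImage"]) not in expected_parents]

if __name__ == "__main__":
    for parent, n in parent_baseline(EVENTS).most_common():
        print(f"{n:3d}  {parent}")
    for e in suspicious_powershell(EVENTS):
        print("REVIEW:", e["host"], e["User"], "<-", basename(e["ParentImage"]))
```

The baseline step is what keeps the flagged list honest: a parent such as services.exe may turn out to be a legitimate scheduled task in your lab, in which case you add it to `expected_parents` rather than chasing it every time.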