Greetings! This playbook contains a synopsis of the scenarios and functionality from the Hunting with Splunk blog series, as well as the Security Investigation Labs. Resources in this playbook can potentially be matched with challenges presented during the event, helping to expedite solutions and propel our team towards victory! 🚀
- Find hosts on your network connecting to public DNS servers using a lookup file.
- Leverage a lookup file to provide descriptions of Windows event logs.
Splunk Stream is a free application that is an extension of Splunk Enterprise.
Advantages of Splunk Stream:
- Can see traffic over the wire from over 28 different protocols, including TCP, UDP, DNS, HTTP, and FTP.
- Traffic can be filtered by protocol; for example, capture FTP but not HTTP.
- Stream can parse PCAP files.
- Monitor internal HTTP traffic, not just the egress traffic seen at edge devices.
- Inspect suspicious domains in DNS to find high levels of Shannon entropy or potentially dissect the various aspects of the FQDN.
- Use Splunk workflow to analyze a field.
- Create a workflow that performs an open source intelligence search against destination IP addresses.
- Use the metadata command to see hosts that have not sent data to Splunk in the last 24 hours.
- Use the tstats command to quickly see event counts in a visual timeline.
- Build a search to identify hosts that are logging more or less data than what is expected.
Windows event logs to focus in on:
- 4688 - A new process has been created. If a Windows computer had a virus, events with this code would show processes created by the virus.
- 4738 - A user account was changed. This is logged whenever a user account is changed. This can be useful to see when an account was granted administrator privileges.
- 4624 - An account successfully logged on to the Windows environment. Useful for finding outliers in login activity.
- 1102 - Occurs when an administrator account clears the audit logs on Windows.
- Use the stats command to find multiple hosts on the network sending and receiving large amounts of bytes to and from the same destination IP address.
- Use the eventstats command to see hosts that send 60 percent of their traffic to a single destination.
- Use the streamstats command to create a visualization in which statistics are updated as each event is seen.
The article concludes by showing a source IP address that topped the chart for bytes sent and received, sending 77% of its traffic to a single destination.
- Searching Splunk by using simple phrases and hitting enter is called super-grepping.
- Use field-value expressions to narrow searches.
- Things to consider leveraging when creating your SPL search are:
  - Field names - case sensitive
  - Field values - case insensitive
  - Wildcards - in field-value pairs
  - Boolean operators - AND, OR, and NOT
  - Comparison operators - <, >, <=, >=, and !=
"NOT" and "!=" example:
(index=web OR index=security) status!=200
Returns all events that have a status field whose value is not 200; events with no status field are excluded.
(index=web OR index=security) NOT status=200
Returns all events that do not contain status=200, including events that have no status field at all.
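The difference between the two forms above, as an added example that is not from the original article, modelled in Python over a few constructed events: a comparison operator only matches events that carry the field, while NOT also returns events that lack it.

```python
"""Added example (not from the blog series): models how Splunk's
`status!=200` and `NOT status=200` differ on events that lack the field.
The events below are constructed sample records, not real log data."""

# Constructed events: two from the web index, one from security with no
# status field, and one from an out-of-scope index.
EVENTS = [
    {"index": "web", "status": "200", "uri": "/index.html"},
    {"index": "web", "status": "404", "uri": "/admin"},
    {"index": "security", "action": "blocked", "src": "10.0.0.5"},  # no status field
    {"index": "mail", "status": "500", "uri": "/"},                  # excluded by both forms
]

def in_scope(event):
    """The shared `(index=web OR index=security)` part of both searches."""
    return event["index"] in ("web", "security")

def status_not_equal_200(events):
    """`status!=200`: the field must exist AND its value must differ from 200.
    Events without a status field never satisfy a comparison operator."""
    return [e for e in events if in_scope(e) and "status" in e and e["status"] != "200"]

def not_status_200(events):
    """`NOT status=200`: negates the match, so events with no status field
    (which cannot match status=200) ARE returned."""
    return [e for e in events if in_scope(e) and not e.get("status") == "200"]

def compare(events=EVENTS):
    """Identify each returned event by uri or src so the extra hit stands out."""
    label = lambda e: e.get("uri") or e.get("src")
    return ([label(e) for e in status_not_equal_200(events)],
            [label(e) for e in not_status_200(events)])

if __name__ == "__main__":
    a, b = compare()
    print("status!=200    ->", a)   # ['/admin']
    print("NOT status=200 ->", b)   # ['/admin', '10.0.0.5']
```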
- Splunk provides rex and regex in SPL.
- Use regex to create fields on events.
- Find passwords being sent in plain text over the network.
- Use regex to search for only specific CIDR blocks.
According to this article, URL Toolbox is one of three essential security Splunk apps.
- URL Toolbox is not a command.
- You use it via macros.
- Don't forget to use backticks to specify macros.
The most popular macro in URL Toolbox is ut_parse_extended(2), which parses a URL and splits it into multiple fields.
URL Toolbox can be used to slice and dice URLs in events in as many different ways as you want. It's said to be easier to use and more powerful than regex when working with domains.
Example:
the URL http://davidveuve.com/tech/how-i-do-summary-indexing-in-splunk/
can turn into field - value pairs such as
ut_domain - davidveuve.com
ut_domain_without_tld - davidveuve
and more.
Use URL Toolbox to calculate the Levenshtein distance of emails being received by your organization, hypothesizing that attackers are using domains that are very similar to your actual domain.
The Levenshtein distance is the number of single-character edits needed to turn one string into another. If one string is Panda and the other is Pando, the distance is 1 (change the a to an o). Using this we can discover fraudulent emails where attackers make the sender domain look similar to the real one.
Shannon entropy measures the amount of randomness present in a string. Leveraging this can allow you to search for algorithmically generated domain names, which are often used by malware. The example given hypothesizes that malware on the network is using randomized domain names to communicate with other malicious infrastructure.
Looking for domains with entropy greater than 3 can be a starting point, but you will need to adjust the threshold to keep false positives low.
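The two string measures used in the Levenshtein and Shannon entropy hunts above, as an added example in plain Python (not code from the blog posts; URL Toolbox exposes the same calculations as its ut_levenshtein and ut_shannon macros). The sender addresses and domains are constructed, and ORG_DOMAIN is an assumed stand-in for your organization's domain.

```python
"""Added example (not from the blog posts): Levenshtein distance for lookalike
sender domains and Shannon entropy for DGA-style names. Sample addresses and
domains are constructed; ORG_DOMAIN is an assumed organisation domain."""
import math
from collections import Counter

ORG_DOMAIN = "example-corp.com"   # assumed organisation domain

def levenshtein(a, b):
    """Edit distance: minimum insertions, deletions and substitutions that
    turn a into b (Panda -> Pando = 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]

def shannon_entropy(s):
    """Bits of entropy per character; algorithmically generated labels score
    higher than dictionary-word domains."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def lookalike_senders(addresses, max_distance=2):
    """Flag sender domains within max_distance edits of ORG_DOMAIN; distance 0
    is our own mail and is not a lookalike."""
    flagged = []
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1].lower()
        d = levenshtein(domain, ORG_DOMAIN)
        if 0 < d <= max_distance:
            flagged.append((addr, d))
    return flagged

def high_entropy_domains(domains, threshold=3.0):
    """Score only the label before the TLD: the TLD is fixed text that would
    dilute the measurement. Threshold 3 is the post's suggested starting point."""
    scored = [(d, round(shannon_entropy(d.rsplit(".", 1)[0]), 2)) for d in domains]
    return [(d, h) for d, h in scored if h > threshold]
```

Tune max_distance and threshold against your own mail and DNS volume: distance 1 against a short domain and entropy just above 3 on long legitimate brand names will both produce false positives.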
Use the eval command to identify abnormally long process command lines, such as those in Microsoft Sysmon process events. Process strings that are many times longer than the standard deviation of process string lengths on a system should be inspected, as they could be malware.
Use eval to calculate how many days have passed since the command line that created a process was executed on the system. If a process string is abnormally long compared to what is typical on a machine AND the process is long running, that can be a sign of malware.
Leverage SSL certificate information to find intrusions on your network. What is discussed in those posts only works if you have captured SSL metadata in Splunk.
Users are creatures of habit and will typically visit roughly the same 20 sites per day, so visits to entirely new sites could be suspicious or potentially malicious. Malicious domains can leverage dynamic domains, which are subdomains created to look more legitimate and human readable.
Sources of network traffic mentioned in this article are web proxy logs and DNS data.
The methods in this article continue to leverage URL Toolbox.
Use SA-Investigator which is an add-on for Splunk Enterprise Security (ES)
- Can be used with the Asset and Identity framework.
- Can be used with the Incident Management framework.
- Even if an asset is not in your system, you can still search for artifacts.
- Using Splunk to detect and respond to DNS exfiltration.
- Can be used if you hypothesize that an adversary is using DNS to move files out of your organization or use it as a side channel for communications with malicious infrastructure.
If your hosts are compromised, they might show characteristics such as:
- Increase in the volume of requests by the host.
- Change in record types, such as TXT records from hosts that don't usually send them.
- Substantial variance in the length of requests (this can be caused by domain generation algorithm (DGA) names).
- Substitution of domains that are slightly altered from the original (typosquatting).
- Top 10 clients by volume of requests
- Requests by Resource Record Over Time
- Packet Size & Volume Distribution
- Beaconing Activity to C&C infrastructure
- Number of Hosts Talking to Beaconing Domains
- Domains with Lots of Sub-Domains
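Several of the indicators listed above (top clients by volume, record-type changes, request-length variance, domains with many subdomains) computed over a constructed DNS query log, as an added example that is not from the original post. The log format, the thresholds, and the "last two labels = registered domain" shortcut are assumptions.

```python
"""Added example (not from the blog post): scores a constructed DNS query log
against the exfiltration indicators above. The log format, the thresholds and
the 'last two labels = registered domain' shortcut are assumptions."""
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample: routine lookups plus one host streaming long TXT queries.
DNS_LOG = """\
ts=1 src=10.0.0.7 qtype=A query=www.example.com
ts=2 src=10.0.0.7 qtype=A query=mail.example.com
ts=3 src=10.0.0.9 qtype=A query=cdn.vendor.net
ts=4 src=10.0.0.42 qtype=TXT query=7a3f9c1e5b8d2a4f.0c4e8a2d6b9f1357.badexfil.net
ts=5 src=10.0.0.42 qtype=TXT query=e91b6d3c7f2a8504.5d0a7c3e9.badexfil.net
ts=6 src=10.0.0.42 qtype=TXT query=3b8f1c6a9d.badexfil.net
ts=7 src=10.0.0.42 qtype=TXT query=c47d2e9a1f6b3085.8e1f4a7c2d5b9063.badexfil.net
"""
LINE_RE = re.compile(r"src=(\S+) qtype=(\S+) query=(\S+)")

def parse(log):
    """Return (src, qtype, query) tuples; lines that do not match are skipped."""
    return [m.groups() for m in map(LINE_RE.search, log.splitlines()) if m]

def registered_domain(fqdn):
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])  # assumed shortcut

def domain_profile(records):
    """Per registered domain: distinct subdomains, TXT share, query-length spread."""
    by_dom = defaultdict(list)
    for _src, qtype, q in records:
        by_dom[registered_domain(q)].append((qtype, q))
    profile = {}
    for dom, items in by_dom.items():
        lengths = [len(q) for _, q in items]
        profile[dom] = {
            "subdomains": len({q for _, q in items if q != dom}),
            "txt_share": sum(t == "TXT" for t, _ in items) / len(items),
            "len_stdev": statistics.pstdev(lengths),
        }
    return profile

def suspicious_domains(records, min_subdomains=3, min_txt=0.5, min_stdev=5.0):
    """'Domains with lots of sub-domains' that also show a record-type or
    length anomaly; the thresholds are tuning knobs, not published values."""
    return sorted(d for d, v in domain_profile(records).items()
                  if v["subdomains"] >= min_subdomains
                  and (v["txt_share"] >= min_txt or v["len_stdev"] >= min_stdev))

def top_clients(records, n=10):
    """'Top 10 clients by volume of requests'."""
    return Counter(src for src, _, _ in records).most_common(n)
```

On real data, replace registered_domain with a public-suffix-list lookup (URL Toolbox's ut_parse does this in Splunk), since co.uk-style suffixes break the two-label shortcut.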
Exercise 1 - Detection
- Identify patterns of login failures across all systems.
Exercise 2 - Validation
- Brute force activity to random web hosts from internal host that has been infected by malware.
- Isolate password failures to a single host and examine all activity from that workstation. Then visualize the failed login attempts to get a better idea of what the bad actor was doing.
Exercise 3 - Scoping
- After identifying the internal workstation responsible for the attempted login activity, you must identify the scope and effect of the activities taken by the compromised workstation.
- Identify the following:
  - Were any of the access attempts successful?
  - What user account and privileges were used?
  - What actions were performed on the target system?
- Detecting process anomalies from MS Sysmon Events.
- Searching for Office applications on Windows launching unusual processes.
- Detecting encryption activities by ransomware binaries.
- Prevention via action between infection and encryption.
- Analyze the average process command line length in Sysmon events that capture endpoint activity.
- Malware tends to use long commands or wscript. Look at the standard deviation of command lengths on a workstation, then look for command lengths that are 4 times that; this identifies uncharacteristically long commands that could be malicious.
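The long-command-line hunt described here and in the eval section above (standard-deviation cut-off, wscript launches, and how long the process has been running), as an added example over constructed Sysmon-style events. This is not the posts' SPL: the field names mirror Sysmon Event ID 1 (Image, CommandLine, UtcTime), and the events, hosts and the "mean + 4*stdev" cut-off are assumptions.

```python
"""Added example (not the posts' SPL): the long-command-line hunt over
constructed Sysmon-style process events. Field names mirror Sysmon Event ID 1
(Image, CommandLine, UtcTime); the events and the 'mean + 4*stdev' cut-off
are assumptions standing in for the searches described above."""
import statistics
from collections import defaultdict
from datetime import datetime, timezone

NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)   # assumed 'current' time

# Constructed events: 25 routine commands on WS01, one very long wscript launch
# that has run for weeks, and a host with too few events to baseline.
BENIGN = ["svchost.exe -k netsvcs", "explorer.exe", "cmd.exe /c dir",
          r"notepad.exe C:\Users\ann\notes.txt", "chrome.exe --type=renderer"]
EVENTS = [{"host": "WS01", "Image": c.split()[0], "CommandLine": c,
           "UtcTime": "2024-03-09 08:00:00"} for c in BENIGN * 5]
EVENTS.append({"host": "WS01", "Image": r"C:\Windows\System32\wscript.exe",
               "CommandLine": r"wscript.exe //B //Nologo C:\Users\Public\u.vbs " + "A" * 250,
               "UtcTime": "2024-02-01 00:00:00"})   # 'A'*250 stands in for a long argument
EVENTS += [{"host": "WS02", "Image": "explorer.exe", "CommandLine": "explorer.exe",
            "UtcTime": "2024-03-09 09:00:00"}] * 2

def days_running(e, now=NOW):
    """Days since the process was created (the eval-based age check)."""
    started = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return (now - started).days

def long_command_outliers(events, k=4, now=NOW):
    """Per host, flag commands longer than mean + k*stdev of that host's command
    lengths, and any wscript launch; report how long each has been running."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    flagged = []
    for host, evs in by_host.items():
        if len(evs) < 3:
            continue   # too few samples for a meaningful deviation
        lengths = [len(e["CommandLine"]) for e in evs]
        cutoff = statistics.mean(lengths) + k * statistics.pstdev(lengths)
        for e in evs:
            reasons = []
            if len(e["CommandLine"]) > cutoff:
                reasons.append("long_cmdline")
            if e["Image"].lower().endswith("wscript.exe"):
                reasons.append("wscript")
            if reasons:
                flagged.append({"host": host, "len": len(e["CommandLine"]),
                                "days_running": days_running(e, now), "reasons": reasons})
    return flagged
```

The baseline needs a reasonable number of events per host: with only a handful of samples a single outlier cannot exceed four standard deviations, which is why the example skips hosts with fewer than three events and builds 26 for WS01.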
- Web Proxy Command and Control Activity Analysis
- Firewall, web proxy, and NetFlow data contain records of communication between all users and hosts. Web proxy traffic, for example, can help identify malicious activity on the network as well as Command and Control activity.