Intrusion Detection

Introduction

Threat hunting in not trivial, this page is here to provide a methodological example into finding an IOC within a given dataset.

Ingesting Data Sources

Searching Effectively

Certain queries in Splunk can take up time. Effective threat hunting relies on crafting efficient queries that target relevant data.

Our first step is to see what we can identify within the data.

Start by viewing all available sources in index:

index="main" | stats count by sourcetype

View Sysmon Sourcetype

Let's see what we're dealing with by viewing Sysmon events.

index="main" sourcetype="WinEventLog:Sysmon"

Clicking the arrow allows us to view all data in the row.

Let's target a ComputerName

Note: It's effective to search for concatenated instances ** and non-concatenated.

index="main" ComputerName="*uniwaldo.local*"

NOTE: By providing ComputerName=*name* it is much faster. This is because we are specifying the point in where we are trying to filter from by lessening resource consumption.

Spotting Anomalies

Searching for Created Processes - Sysmon

Our dataset includes Sysmon events, we can retrieve a count of all Sysmon Event id's with the following query:

index="main" sourcetype="WinEventLog:Sysmon" 
|  stats count by EventCode

Doing so retrieves 20 different Sysmon event code ID's:

We can search the Sysmon documentation and view the respective event code ID numbers and their behavior.

Searching for Sysmon EventCode 1 (Process Creation)

Sysmon's event code 1 signifies a created process. Let's search for it.

The following query searches for the following:

• ParentImage: The filepath that spawned the process.

• Image: The filepath to the new process.

• Description: A description of the spawned process image

• ComputerName: The name of the computer that the process spawned on.

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 
|  stats count by ComputerName, Description, ParentImage, Image

Searching for powershell.exe & cmd.exe

Let's try and narrow this count down and search for some low hanging fruit. We'll search for powershell.exe & cmd.exe

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 (Image="*cmd.exe" OR Image="*powershell.exe") 
| stats count by ParentImage, Image

NOTE: It's important we add quotes (") and the a wildcard (*) around the Image we're filtering for.

We get 622 results!

notepad.exe to powershell.exe chain stands out immediately. It implies that notepad.exe was run, which then spawned a child powershell to execute a command. Let's add to the query, and this time look for ParentImage as notepad.exe.

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 (Image="*cmd.exe" OR Image="*powershell.exe")
 ParentImage="C:\\Windows\\System32\\notepad.exe"

Here we discover an IOC: a web request to an external ip address.

Building Alerts

Below is a SQL query that will go through Sysmon events and search the Callstack for UNKNOWN memory regions as well as weeding out legitimate applications to prevent false positives. Normal Sysmon process access events starts with ntdll (hosting Windows Syscalls), if the CallTrace starts with an UNKNOWN module instead of ntdll then its suspicious and may indicate a direct syscall evasion.

index="main" CallTrace="*UNKNOWN*" SourceImage!=*Microsoft.NET* 
CallTrace!=*ni.dll* CallTrace!=*clr.dll* CallTrace!=*wow64* 
SourceImage!="C:\\Windows\\Explorer.EXE" 
| where SourceImage!=TargetImage 
| stats count by SourceImage, TargetImage, CallTrace