Splunk Threat Hunting – Windows Events


When performing threat hunting using Splunk on Windows systems, there are several important queries you can use to identify potential threats and security incidents. Here are some examples:

  1. Detecting Suspicious Processes:
index=windows sourcetype="WinEventLog:Security" EventCode=4688
  | search NOT (New_Process_Name="*\\splunkd.exe" OR New_Process_Name="*\\splunk-fwd.exe")

This query looks for event code 4688, which indicates process creation events, and filters out known Splunk-related processes to focus on potentially suspicious activity. The exclusion uses the search command rather than where, because where compares strings literally and would not expand the wildcards; New_Process_Name is the field the Splunk Add-on for Windows extracts for the created process path in 4688 events.

  2. Identifying Anomalous Account Activity:
index=windows (sourcetype="WinEventLog:Security" OR sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
  (EventCode=4624 OR EventCode=4625 OR EventCode=4768 OR EventCode=4769)
  | table _time, host, EventCode, Account_Name, Source_Network_Address, Computer_Name

This query searches for account logon events (4624 success, 4625 failure) and Kerberos authentication and ticket-granting events (4768, 4769). It tables the account name, source network address, and computer name involved so that unusual sources, accounts, or failure patterns can be spotted. Note that Account_Name is multivalued in 4624/4625 events (the subject account and the account being logged on), so you may want to pick the target account explicitly before grouping by it.
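To show what "anomalous" can look like in this query's output, here is an added Python example (not from the original post) that applies two simple scoring rules to a handful of constructed 4624/4625 records shaped like the tabled fields: one source address failing against many distinct accounts, and an account succeeding after repeated failures from the same source. The field names mirror the Splunk query; the sample data, the host names, and the thresholds are assumptions.

```python
from collections import Counter


def _ev(time, code, account, source):
    """Build one event shaped like a row of the query's table output."""
    return {"_time": time, "host": "dc01", "EventCode": code, "Account_Name": account,
            "Source_Network_Address": source, "Computer_Name": "dc01.corp.example"}


# Constructed sample events (not real log data); ISO timestamps sort chronologically.
SAMPLE_EVENTS = [
    # one source failing against several different accounts, then one success
    _ev("2024-01-10T09:00:01", 4625, "alice", "10.0.0.55"),
    _ev("2024-01-10T09:00:02", 4625, "bob", "10.0.0.55"),
    _ev("2024-01-10T09:00:03", 4625, "carol", "10.0.0.55"),
    _ev("2024-01-10T09:00:04", 4625, "dave", "10.0.0.55"),
    _ev("2024-01-10T09:00:10", 4624, "dave", "10.0.0.55"),
    # a user mistyping a password once and then logging in: benign
    _ev("2024-01-10T09:05:00", 4625, "erin", "10.0.0.77"),
    _ev("2024-01-10T09:05:20", 4624, "erin", "10.0.0.77"),
    # repeated failures for a single account followed by a success
    _ev("2024-01-10T09:10:00", 4625, "frank", "10.0.0.88"),
    _ev("2024-01-10T09:10:01", 4625, "frank", "10.0.0.88"),
    _ev("2024-01-10T09:10:02", 4625, "frank", "10.0.0.88"),
    _ev("2024-01-10T09:10:03", 4625, "frank", "10.0.0.88"),
    _ev("2024-01-10T09:10:30", 4624, "frank", "10.0.0.88"),
    # ordinary activity: a plain success and a Kerberos TGT request
    _ev("2024-01-10T09:15:00", 4624, "grace", "10.0.0.99"),
    _ev("2024-01-10T09:15:01", 4768, "grace", "10.0.0.99"),
]


def summarize_logons(events):
    """Per source address: failure count per account, and for each account that
    later logged on successfully, how many failures preceded that success."""
    per_source = {}
    for ev in sorted(events, key=lambda e: e["_time"]):
        code = int(ev["EventCode"])
        if code not in (4624, 4625):
            continue  # Kerberos 4768/4769 rows are tabled by the query but not scored here
        src = ev.get("Source_Network_Address") or "-"
        acct = ev["Account_Name"]
        s = per_source.setdefault(src, {"fail_counts": Counter(), "success_after_failures": {}})
        if code == 4625:
            s["fail_counts"][acct] += 1
        elif s["fail_counts"][acct] > 0:
            # a success for an account that had earlier failures from this source
            s["success_after_failures"][acct] = s["fail_counts"][acct]
    return per_source


def flag_suspicious_sources(events, spray_threshold=3, brute_threshold=3):
    """Return {source: [reasons]} for sources that failed against at least
    spray_threshold distinct accounts, or that succeeded for an account after
    at least brute_threshold failures. Thresholds are assumptions; tune them."""
    flags = {}
    for src, s in summarize_logons(events).items():
        reasons = []
        if len(s["fail_counts"]) >= spray_threshold:
            reasons.append(f"{len(s['fail_counts'])} distinct accounts failed")
        for acct, n in s["success_after_failures"].items():
            if n >= brute_threshold:
                reasons.append(f"{acct} succeeded after {n} failures")
        if reasons:
            flags[src] = reasons
    return flags


if __name__ == "__main__":
    for src, reasons in flag_suspicious_sources(SAMPLE_EVENTS).items():
        print(src, "->", "; ".join(reasons))
```

The single mistyped password from 10.0.0.77 stays below both thresholds, while 10.0.0.55 (four different accounts) and 10.0.0.88 (four failures, then a success) are surfaced with the reason attached, which is the same grouping you would express in Splunk with stats by Source_Network_Address before applying thresholds.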

  3. Tracking PowerShell Activity:
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational"
  EventCode=4104 ScriptBlockText!="" ScriptBlockText!="-EncodedCommand *"
  | table _time, host, ScriptBlockText, Computer_Name

This query looks for PowerShell events with event code 4104, which script block logging writes for each script block PowerShell executes; the executed code is carried in the ScriptBlockText field (these events have no CommandLine field). It excludes events with an empty script block and those whose text starts with -EncodedCommand, and tables the script text and computer name.

  4. Detecting Malicious Network Connections:
index=windows (sourcetype="WinEventLog:Security" OR sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
  (EventCode=3 OR EventCode=10) (Image="*.exe" OR Image="*.dll")
  DestinationIp=*

This query searches for events related to network connections (EventCode 3 and 10) made by executables or DLLs. EventCodes 3 and 10 are Sysmon event IDs, so in practice only the Sysmon sourcetype contributes results, and Image and DestinationIp are the field names the Sysmon add-on extracts. The DestinationIp=* term keeps only events that carry a destination IP address (a field=* term matches any event in which the field is present), which helps identify potentially malicious network activity.

  5. Monitoring Windows Security Logs for Anomalies:
index=windows (sourcetype="WinEventLog:Security" OR sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
  | stats count by EventCode

This query counts events by event code across the Security and Sysmon logs, so that rare or previously unseen event codes stand out for further investigation; comparing the counts against a baseline period makes new codes obvious.
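The count-by-EventCode output is only useful once you decide what "unusual" means, so here is an added Python example (not from the original post) that reproduces the stats count over a constructed window of event codes and then turns it into hunt leads: codes that appear only a handful of times, and codes that never appeared in an earlier baseline period. The sample counts, the baseline, and the rarity threshold are assumptions; the event ID descriptions are a few well-known Security log IDs.

```python
from collections import Counter

# A few well-known Security log event IDs, used only to label leads (not exhaustive).
EVENT_DESCRIPTIONS = {
    1102: "audit log cleared",
    4625: "failed logon",
    4720: "user account created",
    4104: "PowerShell script block logged",
}

# Constructed sample data (not real logs): the EventCode of every event in the
# current search window, and per-code totals from an earlier baseline period.
CURRENT_WINDOW = (
    [4624] * 50 + [4634] * 48 + [4688] * 30 + [4672] * 12
    + [4104] * 5 + [4625] * 2 + [1102] + [4720]
)
BASELINE_COUNTS = Counter({4624: 5000, 4634: 4900, 4688: 3100, 4672: 1200, 4625: 300, 4104: 400})


def count_by_event_code(event_codes):
    """Equivalent of `| stats count by EventCode` over the window."""
    return Counter(event_codes)


def hunt_leads(event_codes, baseline, max_count=2):
    """Return {EventCode: reason} for codes that are rare in the window
    (count <= max_count) or absent from the baseline period entirely.
    max_count is an assumed threshold; tune it to your event volume."""
    counts = count_by_event_code(event_codes)
    leads = {}
    for code, n in sorted(counts.items()):
        reasons = []
        if code not in baseline:
            reasons.append("never seen in baseline")
        if n <= max_count:
            reasons.append(f"only {n} event(s) in window")
        if reasons:
            label = EVENT_DESCRIPTIONS.get(code, "unknown")
            leads[code] = f"{label}: " + "; ".join(reasons)
    return leads


if __name__ == "__main__":
    for code, n in count_by_event_code(CURRENT_WINDOW).most_common():
        print(f"{code:6} {n}")
    for code, reason in hunt_leads(CURRENT_WINDOW, BASELINE_COUNTS).items():
        print(f"lead {code}: {reason}")
```

On the sample data the frequent logon and process codes drop out, and the leads are 1102 and 4720 (both new relative to the baseline and seen once) plus 4625, which is known from the baseline but appears only twice in the window; the "never seen in baseline" rule is the one that catches a log-clearing or account-creation event on a host where it has not happened before.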

These queries provide a starting point for Windows threat hunting with Splunk. You can further customize and expand them based on your specific environment and threat intelligence.