Hunting With Splunk
Introduction
Operational Security (OPSEC) hunting with Splunk focuses on proactively detecting and mitigating security risks by analysing and correlating log data from various sources. Splunk's robust data ingestion and search capabilities enable security analysts to identify patterns indicative of OPSEC failures, such as the exposure of sensitive information, unauthorised access attempts, or adversarial activities targeting organisational assets. By leveraging Splunk's search processing language (SPL) and prebuilt dashboards, security teams can hunt for indicators like unusual user activity, suspicious process execution, lateral movement, and network anomalies that may signify operational security weaknesses.
Splunk's integration with frameworks like MITRE ATT&CK enhances OPSEC hunting by aligning detected behaviours with known adversarial tactics, techniques, and procedures (TTPs). Analysts can create custom queries and alerts to monitor high-risk areas such as credentials, endpoint configurations, and privileged access. The platform's real-time analytics and machine learning capabilities empower teams to stay ahead of threats by identifying vulnerabilities and potential attack vectors before they can be exploited. By enabling comprehensive threat detection and providing actionable insights, Splunk helps organisations strengthen their OPSEC measures, reduce the attack surface, and enhance overall security resilience.
The following is a set of Splunk queries that can be used to detect and analyse malicious or suspicious activities in your environment. The queries are designed to quickly grab the necessary information that will allow the investigator to determine whether the activity warrants deeper analysis or escalation.
Note: Sometimes, you may have to customise the queries to your environment. Also, queries will only work if the data is available.
Windows Audit Log Tampering
Check for any tampering done to Windows audit logs.
Finding Large Web Uploads
Find large file uploads that could point to data exfiltration in your network.
Detecting Recurring Malware on Host
Using anti-virus logs to detect if malware is recurring on a host after being removed.
Detecting Brute Force Attacks
A brute-force attack consists of a multiple login attempts using many passwords by an unauthorized user/attacker with the hope of eventually guessing the correct password.
Detecting Unencrypted Web Communications
Find unencrypted web communications that could lead to a data breach.
Identifying Web Users By Country
Use IPs in your data to report and visualize user locations.
Identifying Slow Web Content
A slow loading web site can not only frustrate users, but can also hurt search rankings.
Finding New Local Admin Accounts
Often an attack will include the creation of a new user, followed by permissions being elevated to an admin level.
Finding Interactive Logins From Service Accounts
Most service accounts should never interactively log into servers.
Log Volume Trending
Visualizing the number of events being logged by an application can provide a simple, yet powerful indicator of the state of your application, or changes in the behavior of your code or environment.
Basic TOR Traffic Detection
Use firewall data to find TOR traffic on your network.
Measuring Storage I/O Latency
Quickly find I/O bottlenecks across your systems.
Rogue DNS detection
Look for DNS requests that are not destined for the dedicated DNS server.
Suspicious PowerShell Commands
Look for logs with commands that try to download external scripts/content or bypass PowerShell.
Windows audit log cleared
Look for security logs filtered with EventCode 1102.
Detecting Network and Port Scanning
Look for distinct count of destination ports within a short span of time.
Unusual Access
Look for count of multiple failed login attempts where successful login is true.
Malware Attack
Look for infection count of malware attack.
Attempt To Add Certificate To Untrusted Store
Adversaries may add their root certificate to the certificate store to cause the web browser to trust that certificate and not display a security warning when it encounters the previously unseen certificate. This action may be the precursor to malicious activity.
Batch File Write to System32
While batch files are not inherently malicious, it is uncommon to see them created after OS installation, especially in the Windows directory. This query looks for the suspicious activity of a batch file being created within the C:\Windows\System32 directory tree. There will be only occasional false positives due to administrator actions.
BCDEdit Failure Recovery Modification
This search looks for flags passed to bcdedit.exe modifications to the built-in Windows error recovery boot configurations. This is typically used by ransomware to prevent recovery.
BITS Job Persistence
The following query identifies Microsoft Background Intelligent Transfer Service utility bitsadmin.exe scheduling a BITS job to persist on an endpoint. The query identifies the parameters used to create, resume or add a file to a BITS job. Typically seen combined in an oneliner or run in sequence. If identified, review the BITS job created and capture any files written to disk. It is possible for BITS to be used to upload files and this may require further network data analysis to identify. You can use bitsadmin /list /verbose to list out the jobs during investigation.
BITSAdmin Download File
The following query identifies Microsoft Background Intelligent Transfer Service utility bitsadmin.exe using the transfer parameter to download a remote object. In addition, look for download or upload on the commandline. The switches are not required to perform a transfer. Capture any files downloaded. Review the reputation of the IP or domain used. Typically, once executed, a follow-on command will be used to execute the dropped file. Note that the network connection or file modification events will not spawn or create from bitsadmin.exe. Still, the artifacts will appear parallel to svchost.exe with a commandline similar to svchost.exe -k netsvcs -s BITS. It’s important to review all parallel and child processes to capture any behaviours and artefacts. In some suspicious and malicious instances, BITS jobs will be created. You can use bitsadmin /list /verbose to list out the jobs during investigation.
CertUtil Download With URLCache and Split Arguments
Certutil.exe may download a file from a remote destination using urlcache. This behavior does require a URL to be passed on the command-line. In addition,** f** (force) and split (Split embedded ASN.1 elements, and save to files) will be used. It is not entirely common for certutil.exe to contact public IP space. However, it is uncommon for certutil.exe to write files to world writeable paths.\ During triage, capture any files on disk and review them. Review the reputation of the remote IP or domain in question.
CertUtil Download With VerifyCtl and Split Arguments
Certutil.exe may download a file from a remote destination using VerifyCtl. This behavior does require a URL to be passed on the command-line. In addition, f (force) and split (Split embedded ASN.1 element and save to files) will be used. It is not entirely common for certutil.exe to contact public IP space. \ During triage, capture any files on disk and review them. Review the reputation of the remote IP or domain in question. Using VerifyCtl, the file will either be written to the current working directory or %APPDATA%..\LocalLow\Microsoft\CryptnetUrlCache\Content<hash>.
Certutil exe certificate extraction
This search looks for arguments to certutil.exe indicating the manipulation or extraction of Certificate. This certificate can then be used to sign new authentication tokens specially inside Federated environments such as Windows ADFS.
CertUtil With Decode Argument
CertUtil.exe may encode and decode a file, including PE and script code. Encoding will convert a file to base64 with ----BEGIN CERTIFICATE----- and ----END CERTIFICATE----- tags. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, a parallel process will load it. Note that two additional command switches may be used - encodehex and decodehex. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.
Create local admin accounts using net exe
This search looks for the creation of local administrator accounts using net.exe.
Create Remote Thread into LSASS
Actors may create a remote thread into the LSASS service as part of a workflow to dump credentials.
Create Service In Suspicious File Path
This detection is to identify the creation of a “user mode service” whose service file path is located in a non-common service folder in Windows.
Common Windows Process Masquerading
“Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused to evade defences and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.” Malware authors often use this technique to hide malicious executables behind legitimate Windows executable names (e.g. lsass.exe, svchost.exe, etc).
Unusual Child Process Spawned using DDE Exploit
Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.
Detecting Tampering of Windows Defender Command Prompt
Threat actors often try to disable Windows Defender after compromising a machine in an attempt to avoid detection. This is often done using “sc” [service control], a legitimate tool provided by Microsoft for managing services. This action interferes with event detection and may lead to a security event going undetected, potentially leading to further network compromise.
Disable UAC
Threat actors often try to disable User Access Control (UAC) to escalate privileges after compromising a machine. This is often done by changing the registry key for system policies using “reg.exe,” a legitimate tool provided by Microsoft for modifying the registry via command prompt or scripts. This action interferes with UAC and may enable a threat actor to escalate privileges on the compromised system, thereby allowing further exploitation of the system.
Unusually Long Command Line Strings
Often, after a threat actor gains access to a system, they will attempt to run some kind of malware to further infect the victim machine. These malware often have long command line strings, which could be a possible indicator of attack. Here, we use sysmon and Splunk to first find the average command string length and search for command strings that stretch over multiple lines, thus identifying anomalies and possibly malicious commands.
Clearing Windows Logs with Wevtutil
Threat actors often try to clear Windows Event logs after compromising a machine in an attempt to clear traces. This is often done using “wevtutil,” a legitimate tool provided by Microsoft. This action interferes with event collection and notification and may lead to a security event going undetected, thereby potentially leading to further compromise of the network.
Unusual Child Process for Spoolsv.Exe or Connhost.Exe
After gaining initial access to a system, threat actors attempt to escalate privileges as they may be operating within a lower privileged process which does not allow them to access protected information or carry out tasks which require higher permissions. A common way of escalating privileges in a system is by externally invoking and exploiting spoolsv or connhost executables, both of which are legitimate Windows applications. This query searches for an invocation of either of these executables by a user, thus alerting us of any potentially malicious activity.
Detecting Shadow Copy Deletion via Vssadmin.exe
After compromising a network of systems, threat actors often try to delete Shadow Copy to prevent administrators from restoring the systems to versions present before the attack. This is often done via vssadmin, a legitimate Windows tool for interacting with shadow copies. This non-detection of this technique, often employed by ransomware strains such as “Olympic Destroyer,” may lead to a failure in recovering systems after an attack.
Webshell-Indicative Process Tree
A web shell is a web script placed on an openly accessible web server to allow an adversary to use the server as a gateway in a network. As the shell operates, commands will be issued from within the web application into the broader server operating system. This query looks for host enumeration executables initiated by any web service that would not normally be executed within that environment.
Get System Elevation
Cyber actors frequently escalate to the SYSTEM account after gaining entry to a Windows host, enabling them to carry out various attacks more effectively. Tools such as Meterpreter, Cobalt Strike, and Empire carry out automated steps to “Get System”, which is the same as switching over to the System user account. Most of these tools utilize multiple techniques to try and attain SYSTEM: in the first technique, they create a named pipe and connect an instance of cmd.exe to it, which allows them to impersonate the security context of cmd.exe, which is SYSTEM. In the second technique, a malicious DLL is injected into a process running as SYSTEM; the injected DLL steals the SYSTEM token and applies it where necessary to escalate privileges. This query looks for both of these techniques.
Boot or Logon Initialization Scripts
Adversaries may schedule software to run whenever a user logs into the system; this is done to establish persistence and sometimes for lateral movement. This trigger is established through the registry key HKEY_CURRENT_USER\EnvironmentUserInitMprLogonScript. This signature looks for edits to existing keys or the creation of new keys in that path. Users purposefully adding benign scripts to this path will result in false positives; that case is rare, however. There are other ways of running a script at startup or login that are not covered in this signature. Note that this signature overlaps with the Windows Sysinternals Autoruns tool, which would also show changes to this registry path.
Local Network Sniffing
Adversaries may use various tools to gain visibility into the network's current status: which processes are listening on which ports, which services are running on other hosts, etc. This query looks for the names of the most common network sniffing tools. While this may be noisy on networks where sysadmins regularly use any of these tools, their use is noteworthy in most networks.
DLL Injection with Mavinject
Injecting a malicious DLL into a process is a common adversary TTP. Although the ways of doing this are numerous, mavinject.exe is a commonly used tool because it roles up many of the necessary steps into one and is available within Windows. Attackers may rename the executable, so we also use the common argument “INJECTRUNNING” as a related signature here. Whitelisting certain applications may be necessary to reduce noise for this query.
Processes Started From Irregular Parent
Adversaries may start legitimate processes and then use their memory space to run malicious code. This query looks for common Windows processes that have been abused this way in the past; when the processes are started for this purpose, they may not have the standard parent that we would expect. This list is not exhaustive, and it is possible for cyber actors to avoid this discrepancy. These signatures only work if Sysmon reports the parent process, which may not always be the case if the parent dies before sysmon processes the event.
Clear Powershell Console Command History
Adversaries may attempt to conceal their tracks by deleting the history of commands run within the Powershell console or turning off history saving to begin with. This query looks for several commands that would do this. This does not capture the event if it is done within the console itself; only commandline-based commands are detected. Note that the command to remove the history file directly may vary a bit if the history file is not saved in the default path on a particular system.
Local Permission Group Discovery
Cyber actors frequently enumerate local or domain permissions groups. The net utility is usually used for this purpose. This query looks for any instances of net.exe, which is not generally used for benign purposes, although system administrator actions may trigger false positives.
Network Share Connection Removal
Adversaries may use network shares to exfiltrate data; they will then remove the shares to cover their tracks. This query looks for the removal of network shares via commandline, which is otherwise a rare event.
MSBuild and msxsl
Trusted developer utilities such as MSBuild may be leveraged to run malicious code with elevated privileges. This query looks for any instances of msbuild.exe, which will execute any C# code placed within a given XML document, and msxsl.exe, which processes XSL transformation specifications for XML files and will execute a variety of scripting languages contained within the XSL file. Both of these executables are rarely used outside of Visual Studio.
Compiled HTML Access
Adversaries may hide malicious code in .chm compiled HTML files. When these files are read, Windows uses the HTML help executable named hh.exe, which is the signature for this query.
CMSTP
CMSTP.exe is the Microsoft Connection Manager Profile Installer, which can be leveraged to setup listeners that will receive and install malware from remote sources in trusted fashion. When CMSTP.exe is seen in combination with an external connection, it is a good indication of this TTP.
Registry Edit from Screensaver
Adversaries may use screensaver files to run malicious code. This query triggers suspicious edits to the screensaver registry keys, which dictate which .scr file the screensaver runs.
Scheduled Task - File Access
An adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host to gain persistence, privilege escalation, or remote execution. The Task Scheduler stores tasks as files in two locations: C: WindowsTasks (legacy) or C: WindowsSystem32Tasks. Accordingly, this query looks for the creation of task files in these two locations.
Component Object Model Hijacking
Adversaries may establish persistence or escalate privileges by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. This is typically done by replacing COM object registry entries under the HKEY_CURRENT_USER\Software\Classes\CLSID or HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID keys. Accordingly, this query looks for any changes under these keys.
Indicator Blocking - Driver Unloaded
Adversaries may attempt to evade system defences by unloading minifilter drivers used by host-based sensors such as Sysmon through the use of the fltmc command-line utility. Accordingly, this query looks for command-line invocations of this utility when used to unload minifilter drivers.
Credentials in Files & Registry
Adversaries may search the Windows Registry on compromised systems for insecurely stored credentials for credential access. This can be accomplished using the query functionality of the reg.exe system utility, by looking for keys and values that contain strings such as “password.” In addition, adversaries may use toolkits such as PowerSploit to dump credentials from various applications such as IIS.Accordingly, this query looks for invocations of reg.exe in this capacity as well as that of several PowerSploit modules with similar functionality.
AppInit DLLs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. These values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes. Accordingly, this query looks for modifications to these registry keys that may indicate this type of abuse.
NTFS Alternate Data Stream Execution - System Utilities
Adversaries may use NTFS Alternate Data Streams (ADSs) to evade security tools by storing malicious data or binaries in file attribute metadata. ADSs are also powerful because various Windows tools can directly execute them; this query looks at common ways of executing ADSs using system utilities such as Powershell.
NTFS Alternate Data Stream Execution - LOLBAS
Adversaries may use NTFS Alternate Data Streams (ADSs) to evade security tools by storing malicious data or binaries in file attribute metadata. ADSs are also powerful because various Windows tools can directly execute their contents; this query looks at standard ways of executing ADSs using Living off the Land Binaries and Scripts (LOLBAS).
Execution with AT
In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows built-in command AT (at.exe) to schedule a command to be run at a specified time, date, and even host. This method has been used by adversaries and administrators alike. Its use may lead to the detection of compromised hosts and compromised users if it is used to move laterally. The built-in Windows tool schtasks.exe (CAR-2013-08-001) offers greater flexibility when creating, modifying, and enumerating tasks. For these reasons, schtasks.exe is more commonly used by administrators, tools/scripts, and power users.
Running executables with the same hash and different names
Executables are generally not renamed, thus a given hash of an executable should only have ever one name. Identifying instances where multiple process names share the same hash may find cases where tools are copied by attackers to different folders or hosts to avoid detection.
Although this query was initially based on MD5 hashes, it is equally applicable to any hashing convention.
Suspicious Arguments
Malicious actors may rename built-in commands or external tools, such as those provided by SysInternals, to better blend in with the environment. In those cases, the file path name is arbitrary and may blend well with the background. If the arguments are closely inspected, it may be possible to infer what tools are running and understand what an adversary is doing. When any legitimate software shares the same command lines, it must be whitelisted according to the expected parameters.
User Login Activity Monitoring
Monitoring logon and logoff events for network hosts is very important for situational awareness. This information can be used to indicate unusual activity and corroborate activity seen elsewhere.
It could be applied to a number of different types of monitoring, depending on what information is desired. Some use cases include monitoring for all remote connections and building login timelines for users. Logon events are Windows Event Code 4624 for Windows Vista and above and 518 for pre-Vista. Logoff events are Windows Event Code 4634 for Windows Vista and above and 538 for pre-Vista.
PowerShell Execution
PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus, which makes using PowerShell an easy way to circumvent security measures. This query detects the execution of PowerShell scripts.
Powershell can be used to hide monitored command line executions such as:
net use
sc start
Services launching Cmd
Windows runs the Service Control Manager (SCM) within the process services.exe. Windows launches services as independent processes or DLL loads within a svchost.exe group. To be a legitimate service, a process (or DLL) must have the appropriate service entry point SvcMain. If an application does not have the entry point, it will timeout (default is 30 seconds), and the process will be killed. To survive the timeout, adversaries and red teams can create services that direct to cmd.exe with the flag /c, followed by the desired command. The /c flag causes the command shell to run a command and immediately exit. As a result, the desired program will remain running and report an error starting the service. This query will catch the command prompt instance used to launch the malicious executable. Additionally, the children and descendants of services.exe will run as a SYSTEM user by default. Thus, services are a convenient way for an adversary to gain Persistence and Privilege Escalation.
Command Launched from WinLogon
An adversary can use accessibility features (Ease of Access), such as StickyKeys or Utilman, to launch a command shell from the logon screen and gain SYSTEM access. Since an adversary does not have physical access to the machine, this technique must be run within Remote Desktop. To prevent an adversary from getting to the login screen without first authenticating, Network-Level Authentication (NLA) must be enabled. If a debugger is set up for one of the accessibility features, then it will intercept the process launch of the feature and instead execute a new command line. This query looks for instances of cmd.exe or powershell.exe launched directly from the logon process, winlogon.exe.
Host Discovery Commands
When entering a host for the first time, an adversary may try to discover information about the host. There are several built-in Windows commands that can be used to learn about the software configurations, active users, administrators, and networking configuration. These commands should be monitored to identify when an adversary is learning information about the system and environment. The information returned may impact choices an adversary can make when establishing persistence, escalating privileges, or moving laterally.
Because these commands are built in, they may run frequently by power users or even normal users. Thus, a query looking at this information should have well-defined white- or blacklists and should consider looking at an anomaly detection approach so that this information can be learned dynamically.
Create a Remote Process via WMIC
Adversaries may use Windows Management Instrumentation (WMI) to move laterally by launching executables remotely. The query CAR-2014-12-001 describes how to detect these processes with network traffic monitoring and process monitoring on the target host. However, if the command line utility wmic.exe is used on the source host, then it can additionally be detected on a query. The command line on the source host is constructed into something like wmic.exe /node:"<hostname>" process call create "<command line>". It is possible to connect via IP address, where the string "<hostname>" would instead look like an IP Address.
Although this query was created after CAR-2014-12-001, it is a much simpler (although more limited) approach. Processes can be created remotely via WMI in a few other ways, such as more direct API access or the built-in utility
UAC Bypass
Bypassing user account control (UAC Bypass) is generally done by piggybacking on a system process that has auto-escalate privileges. This query looks to detect those cases as described by the open-source UACME tool.
Generic Regsvr32
Regsvr32 can be used to execute arbitrary code in the context of a Windows signed binary, which can be used to bypass application whitelisting. This query looks for suspicious usage of the tool. It’s not likely that you’ll get millions of hits, but it does occur during normal activity, so some form of baselining would be necessary for this to be an alerting query. Alternatively, it can be used for hunting by manually looking for new or anomalous DLLs.
Credential Dumping via Mimikatz
Credential dumpers like Mimikatz can be loaded into memory and read data from other processes. This query looks for instances where processes request specific permissions to read parts of the LSASS process to detect credential dumping. One weakness is that all current implementations are “overturned” to look for common access patterns used by Mimikatz.
(GrantedAccess=0x1410 OR GrantedAccess=0x1010 OR GrantedAccess=0x1438 OR GrantedAccess=0x143a OR GrantedAccess=0x1418) CallTrace="C:\windows\SYSTEM32\ntdll.dll+* |C:\windows\System32\KERNELBASE.dll+20edd|UNKNOWN(*)" | table _time hostname user SourceImage GrantedAccess
Access Permission Modification
Adversaries sometimes modify object access rights at the operating system level. There are varying motivations behind this action - they may not want some files/objects to be changed on systems for persistence reasons and, therefore, provide admin-only rights; also, they may want files to be accessible with lower levels of permissions.
Lsass Process Dump via Procdump
ProcDump is a sysinternal command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching procdump.exe as a privileged user with command line options indicating that lsass.exe should be dumped to a file with an arbitrary name.
Credential Dumping via Windows Task Manager
The Windows Task Manager may be used to dump the memory space of lsass.exe to disk for processing with a credential access tool such as Mimikatz. This is performed by launching Task Manager as a privileged user, selecting lsass.exe, and clicking “Create dump file”. This saves a dump file to disk with a deterministic name that includes the name of the process being dumped.
Active Directory Dumping via NTDSUtil
The NTDSUtil tool may be used to dump a Microsoft Active Directory database to disk for processing with a credential access tool such as Mimikatz. This is performed by launching ntdsutil.exe as a privileged user with command line arguments indicating that media should be created for offline Active Directory installation and specifying a folder path. This process will create a copy of the Active Directory database, ntds.dit, to the specified folder path.
Shadow Copy Deletion
The Windows Volume Shadow Copy Service is a built-in OS feature that can be used to create backup copies of files and volumes.
Adversaries may delete these shadow copies, typically through the usage of system utilities such as vssadmin.exe or wmic.exe, in order prevent file and data recovery. This technique is commonly employed for this purpose by ransomware. Vssadmin.exe delete shadows
WMIC shadowcopy delete
MiniDump of LSASS
This query detects the minidump variant of credential dumping, in which a process opens lsass.exe to extract credentials using the Win32 API call MiniDumpWriteDump. Tools like SafetyKatz, SafetyDump, and Outflank-Dumpert default to this variant and may be detected by this query. However, remember that not all options for using those tools will result in this specific behaviour.
The query is based on a Sigma query contributed by Samir Bousseaden and written up in a blog on MENASEC. It looks for a call trace that includes dbghelp.dll or dbgcore.dll, which exports the relevant functions/permissions to perform the dump. It also detects using the Windows Task Manager (taskmgr.exe) to dump lsass. In this iteration of the Sigma query, the GrantedAccess filter isn’t included because it didn’t seem to filter out any false positives and introduces the potential for evasion.
Rare LolBAS Command Lines
LoLBAS are binaries and scripts built into Windows, frequently signed by Microsoft, and may be used by an attacker. Some LoLBAS are used very rarely, and it might be possible to alert every time they’re used (this would depend on your environment), but many others are very common and can’t be simply alerted.
This query takes all instances of LoLBAS execution and then looks for instances of command lines that are not normal in the environment. This can detect attackers (which will tend to need the binaries for something different than normal usage) but will also tend to have false positives.
queryThe query needs to be tuned. The 1.5 in the query is the number of standard deviations away to look. It can be tuned up to filter out more noise and tuned down to get more results. This means it is probably best as a hunting query when you have analysts looking at the screen and able to tune the query up and down, because the threshold may not be stable for very long.
Last updated