Detecting Attacker Behavior With Splunk Based On Analytics

As previously mentioned, the second approach leans heavily on statistical analysis and anomaly detection to identify abnormal behavior. By profiling normal behavior and identifying deviations from this baseline, we can uncover suspicious activities that may signify an intrusion.

A good example of this approach in Splunk is the use of the streamstats command. This command allows us to perform real-time analytics on the data, which can be useful for identifying unusual patterns or trends.

Consider a scenario where we are monitoring the number of network connections initiated by a process within a certain time frame.

index="main" sourcetype="WinEventLog:Sysmon" EventCode=3 
| bin _time span=1h 
| stats count as NetworkConnections by _time, Image 
| streamstats time_window=24h avg(NetworkConnections) as avg stdev(NetworkConnections) as stdev by Image 
| eval isOutlier=if(NetworkConnections > (avg + (0.5*stdev)), 1, 0) 
| search isOutlier=1

• We start by focusing on network connection events (EventCode=3), and then group these events into hourly intervals (bin can be seen as a bucket alias). For each unique process image (Image), we calculate the number of network connection events per time bucket.

• We then use the streamstats command to calculate a rolling average and standard deviation of the number of network connections over a 24-hour period for each unique process image. This gives us a dynamic baseline to compare each data point to.

• The eval command is then used to create a new field, isOutlier, and assigns it a value of 1 for any event where the number of network connections is more than 0.5 standard deviations away from the average. This labels these events as statistically anomalous and potentially indicative of suspicious activity.

• Lastly, the search command filters our results to only include the outliers, i.e., the events where isOutlier equals 1.

Crafting SPL Searches Based On Analytics

Example: Detection Of Abnormally Long Commands

Attackers frequently employ excessively long commands as part of their operations to accomplish their objectives.

index="main" sourcetype="WinEventLog:Sysmon" Image=*cmd.exe | eval len=len(CommandLine) | table User, len, CommandLine | sort - len

After reviewing the results, we notice some benign activity that can be filtered out to reduce noise. Let's apply the following modifications to the search.

index="main" sourcetype="WinEventLog:Sysmon" Image=*cmd.exe ParentImage!="*msiexec.exe" ParentImage!="*explorer.exe" | eval len=len(CommandLine) | table User, len, CommandLine | sort - len

Example: Detection Of Abnormal cmd.exe Activity

The following search identifies unusual cmd.exe activity within a certain time range. It uses the bucket command to group events by hour, calculates the count, average, and standard deviation of cmd.exe executions, and flags outliers.

index="main" EventCode=1 (CommandLine="*cmd.exe*") 
| bucket _time span=1h 
| stats count as cmdCount by _time User CommandLine 
| eventstats avg(cmdCount) as avg stdev(cmdCount) as stdev 
| eval isOutlier=if(cmdCount > avg+1.5*stdev, 1, 0) 
| search isOutlier=1

Example: Detection Of Processes Loading A High Number Of DLLs In A Specific Time

It is not uncommon for malware to load multiple DLLs in rapid succession. The following SPL can assist in monitoring this behavior.

index="main" EventCode=7 
| bucket _time span=1h 
| stats dc(ImageLoaded) as unique_dlls_loaded by _time, Image 
| where unique_dlls_loaded > 3 
| stats count by Image, unique_dlls_loaded

After reviewing the results, we notice some benign activity that can be filtered out to reduce noise. Let's apply the following modifications to the search.

index="main" EventCode=7 NOT (Image="C:\\Windows\\System32*") NOT (Image="C:\\Program Files (x86)*") NOT (Image="C:\\Program Files*") NOT (Image="C:\\ProgramData*") NOT (Image="C:\\Users\\waldo\\AppData*")
| bucket _time span=1h 
| stats dc(ImageLoaded) as unique_dlls_loaded by _time, Image 
| where unique_dlls_loaded > 3 
| stats count by Image, unique_dlls_loaded 
| sort - unique_dlls_loaded

• | bucket _time span=1h: This command is used to group the events into time buckets of one hour duration. This is used to analyze the data in hourly intervals.

• | stats dc(ImageLoaded) as unique_dlls_loaded by _time, Image: The stats command is used to perform statistical operations on the events. Here, dc(ImageLoaded) calculates the distinct count of DLLs loaded (ImageLoaded) for each process image (Image) in each one-hour time bucket.

• | where unique_dlls_loaded > 3: This filter excludes the results where the number of unique DLLs loaded by a process within an hour is 3 or less. This is based on the assumption that legitimate software usually loads DLLs at a moderate rate, whereas malware might rapidly load many different DLLs.

• | stats count by Image, unique_dlls_loaded: This command calculates the number of times each process (Image) has loaded more than 3 unique DLLs in an hour.

• | sort - unique_dlls_loaded: Finally, this command sorts the results in descending order based on the number of unique DLLs loaded (unique_dlls_loaded).

It's important to note that this behavior can also be exhibited by legitimate software in numerous cases, so context and additional investigation would be necessary to confirm malicious activity.

Example: Detection Of Transactions Where The Same Process Has Been Created More Than Once On The Same Computer

We want to correlate events where the same process (Image) is executed on the same computer (ComputerName) since this might indicate abnormalities depending on the nature of the processes involved.

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 
| transaction ComputerName, Image 
| where mvcount(ProcessGuid) > 1 
| stats count by Image, ParentImage

• | transaction ComputerName, Image: The transaction command is used to group related events together based on shared field values. In this case, events are being grouped together if they share the same ComputerName and Image values. This can help to link together all the process creation events associated with a specific program on a specific computer.

• | where mvcount(ProcessGuid) > 1: This command filters the results to only include transactions where more than one unique process GUID (ProcessGuid) is associated with the same program image (Image) on the same computer (ComputerName). This would typically represent instances where the same program was started more than once.

• | stats count by Image, ParentImage: Finally, this stats command is used to count the number of such instances by the program image (Image) and its parent process image (ParentImage).

Let's dive deeper into the relationship between rundll32.exe and svchost.exe (since this pair has the highest count number).

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1  
| transaction ComputerName, Image  
| where mvcount(ProcessGuid) > 1 
| search Image="C:\\Windows\\System32\\rundll32.exe" ParentImage="C:\\Windows\\System32\\svchost.exe" 
| table CommandLine, ParentCommandLine

After careful scrutiny of the results, it becomes apparent that we not only identify the presence of previously identified suspicious commands but also new ones.

Practical Exercises

Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an analytics-driven SPL search against all data the source process images that are creating an unusually high number of threads in other processes. Enter the outlier process name as your answer where the number of injected threads is greater than two standard deviations above the average. Answer format: _.exe

index="main" sourcetype="WinEventLog:Sysmon" EventCode=8 
| bin _time span=1h
| stats count as threads by _time, SourceImage
| eventstats avg(threads) as avg_threads, stdev(threads) as stdev_threads
| eval Upper_Limit= avg_threads + (2 * stdev_threads)
| where threads > Upper_Limit
| table _time, SourceImage, threads, avg_threads, stdev_threads, Upper_Limit

This SPL query identifies abnormal thread creation activity from Sysmon EventCode 8 (which logs "CreateRemoteThread" events). It groups events by hour and source image, calculates the average and standard deviation of thread counts, then identifies entries where the thread count exceeds two standard deviations above the average. Finally, it displays the results in a table with relevant statistics.

Answer: randomfile.exe