Intrusion Detection With Splunk (Real-world Scenario)
Last updated
Last updated
The Windows Event Logs & Finding Evil
module familiarized us with log exploration on a single machine to pinpoint malicious activity. Now, we're stepping up our game. We'll be conducting similar investigations, but on a much larger scale, across numerous machines to uncover irregular activities within the entire network instead of just one device. Our tools will still include Windows Event logs, but the scope of our work will broaden significantly, demanding careful scrutiny of a larger pool of information, and identifying and discarding false positives whenever possible.
Let's dive into our data. Our first objective is to see what we can identify within the Sysmon data. We'll start by listing all our sourcetypes to approach this as an unknown environment from scratch. Run the following query to observe the possible sourcetypes (the screenshot may contain a WinEventLog sourcetype that you will not have).
This will list all the sourcetypes available in your Splunk environment. Now let's query our Sysmon sourcetype and take a look at the incoming data.
We can delve into the events by clicking the arrow on the left.
Let's execute some generalized queries to illustrate performance differences. Let's search for all possible instances of uniwaldo.local
.
Now let's attempt to find all instances of this string concatenated within any other string such as "myuniwaldo.localtest" by using a wildcard before and after it.
Now let's target this string within the ComputerName
field only, as we might only care about this string if it shows up in ComputerName
. Because no ComputerName
only
contains this string, we need to prepend a wildcard to return relevant results.
You'll find that this query returns results much
more swiftly than our previous search. The point being made here is that targeted searches in your SIEM will execute and return results much more quickly.
Making progress on our journey, let's pivot our focus towards spotting anomalies in our data. Remember the foundation we established in the Windows Event Logs & Finding Evil
module, where we explored the potential of event codes in tracing peculiar activities? We utilized public resources such as the Microsoft Sysinternals guide for Sysmon. Let's apply the same approach and identify all Sysmon EventCodes prevalent in our data with this query.
Based on these EventCodes
, we can perform preliminary queries. As previously stated, unusual parent-child trees are always suspicious. Let's inspect all parent-child trees with this query.
We're met with 5,427 events, quite a heap to manually sift through. We have choices, weed out what seems benign or target child processes known to be problematic, like cmd.exe
or powershell.exe
. Let's target these two.
The notepad.exe
to powershell.exe
chain stands out immediately. It implies that notepad.exe was run, which then spawned a child powershell to execute a command. The next steps? Question the why
and validate if this is typical.
We see the ParentCommandLine
(just notepad.exe
with no arguments) triggering a CommandLine
of powershell.exe
seemingly downloading a file from a server with the IP of 10.0.0.229
!
Our path now forks. We could trace what initiated the notepad.exe
, or we could investigate other machines interacting with this IP and assess its legitimacy. Let's unearth more about this IP by running some queries to explore all sourcetypes that could shed some light.
Here we see that based on the data and the host
parameter, we can conclude that this IP belongs to the host named waldo-virtual-machine
on its ens160
interface. The IP seems to be doing some generic stuff.
This finding indicates that our machine has engaged in some form of communication with a Linux system, notably downloading executable files through PowerShell
. This sparks some concerns, hinting at the potential compromise of the Linux system as well!
At this juncture, alarm bells should be sounding! We can spot several binaries with conspicuously malicious names, offering strong signals of their hostile intent.
From our assessment, it's becoming increasingly clear that not only was the spawning of notepad.exe
to powershell.exe
malicious in nature, but the Linux system also appears to be infected.
Our analysis indicates that two hosts fell prey to this Linux pivot. Notably, it appears that the DCSync PowerShell script was executed on the second host, indicating a likely DCSync
attack.
Now, let's dissect the rationale behind this query. Event Code 4662
is triggered when an Active Directory (AD) object is accessed. It's typically disabled by default and must be deliberately enabled by the Domain Controller to start appearing. Access Mask 0x100
specifically requests Control Access
typically needed for DCSync's high-level permissions. The Account_Name
checks where AD objects are directly accessed by users instead of accounts, as DCSync should only be performed legitimately by machine accounts
or SYSTEM
, not users.
We notice two intriguing GUIDs. A quick Google search can yield valuable insights. Let's look them up.
Upon researching, we find that the first one is linked to DS-Replication-Get-Changes-All
, which, as per its description, "...allows the replication of secret domain data".
This gives us solid confirmation that a DCSync attempt was made and successfully executed by the Waldo user on the UNIWALDO
domain. It's reasonable to presume that the Waldo user either possesses Domain Admin
rights or has a certain level of access rights permitting this action.
However, it's evident that we've barely scratched the surface of the attacker's activities. The attacker must have initially infiltrated the system and undertaken several maneuvers to obtain domain admin rights, orchestrate lateral movement, and dump the domain credentials.
We'll begin by examining any conspicuous strange process accesses to lsass.exe by any source image. The most noticeable ones are notepad
(given its absurdity) and rundll32
(given its limited frequency). We can further explore these as we usually do.
To the untrained eye, it might not be immediately apparent that the callstack refers to an UNKNOWN
segment into ntdll
. In most cases, any form of shellcode will be located in what's termed an unbacked
memory region. This implies that ANY API calls from this shellcode don't originate from any identifiable file on disk, but from arbitrary, or UNKNOWN
, regions in memory that don't map to disk at all. While false positives can occur, the scenarios are limited to processes such as JIT
processes, and they can mostly be filtered out.
Armed with this newfound source of information, we can now aim to create alerts from malicious malware based on API calls from UNKNOWN
regions of memory. It's crucial to remember that generating alerts differs from hunting. Our alerts must be resilient and effective, or we risk flooding our defense team with a glut of data, inadvertently providing a smokescreen for attackers to slip through our false positives. Moreover, we must ensure they aren't easily circumvented, where a few tweaks and seconds is all it takes.
We'll start by listing all the call stacks containing UNKNOWN
during this lab period based on event code to see which can yield the most meaningful data.
It appears that only event code 10 shows anything related to our CallTrace
, so our alert will be tied to process access! This means we'll be alerting on anything attempting to open handles to other processes that don't map back to disk, assuming it's shellcode. We see 1575 counts though...so we'll begin by grouping based on SourceImage
.
Here are the false positives we mentioned, and they're all JITs
as well! .Net
is a JIT
, and Squirrel
utilities are tied to electron
, which is a chromium browser and also contains a JIT. Even with our smaller dataset, there's a lot to sift through, and we're not sure what's malicious and what's not. The most effective way to manage this is by linking a few queries together.
Next, we know that C Sharp
will be hard to weed out, and we want a high-fidelity alert. So we'll exclude anything C Sharp
related due to its JIT
. We can achieve this by excluding the Microsoft.Net folders and anything that has ni.dll
in its call trace or clr.dll
.
In the next phase, we'll be focusing on eradicating anything related to WOW64
within its call stact.
Moving forward, we'll also exclude Explorer.exe
, considering its versatile nature. It's akin to a wildcard, capable of undertaking an array of tasks. Identifying any malicious activity within Explorer directly is almost a Herculean task.
With the steps outlined above, we've now established a reasonably robust alert system for our environment. This alert system is adept at identifying known threats. However, it's essential that we review the remaining data to verify its legitimacy.
uilding this alert system was relatively simple due to the limited data and false positives in our current environment. However, in a real-world scenario, the volume of data would be much larger, necessitating more sophisticated methods to detect potential malicious activities. It's also crucial to consider the effectiveness of the alert—how easily could it be bypassed? For example, a hacker could evade detection by loading a random DLL with "NI" appended to its name. Enhancing the alert would require considering such bypass techniques and fortifying against them.
In summary, we've developed skills to analyze large datasets, identify potential threats, explore SIEM systems for valuable data sources, trace attacks, and create effective alerts. While our examples were simplified with a smaller dataset of about 500,000 events, real-world scenarios might involve different scales of data, requiring more advanced techniques. As you progress in cybersecurity, remember the importance of effective search strategies, innovative data analysis, leveraging open-source intelligence, and creating robust alerts that are difficult to bypass.
1) Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all data the other process that dumped lsass. Enter its name as your answer. Answer format: _.exe
Answer: rundll32.exe
2) Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the method through which the other process dumped lsass. Enter the misused DLL's name as your answer. Answer format: _.dll
rundll32.exe
is a legitimate Windows utility used to execute DLLs (Dynamic Link Libraries) and call specific functions from them. However, attackers often misuse rundll32.exe
to execute malicious activities, as it allows them to run code in a way that might evade detection.
comsvcs.dll
is a legitimate Windows system DLL that is associated with COM+ services and is part of the Microsoft COM+ application environment. One of its lesser-known functions is the MiniDump
function, which can be used to create memory dumps of processes, including the Local Security Authority Subsystem Service (LSASS).
Answer: comsvcs.dll
3) Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all data any suspicious loads of clr.dll that could indicate a C# injection/execute-assembly attack. Then, again through SPL searches, find if any of the suspicious processes that were returned in the first place were used to temporarily execute code. Enter its name as your answer. Answer format: _.exe
In a standard, legitimate scenario, clr.dll
would not be loaded by rundll32.exe
. Seeing this behavior in logs or security events can be an indicator of malicious activity or process injection. This pattern is not typical for legitimate software, suggesting that an attacker may be trying to use native Windows utilities to execute their malicious code.
Using rundll32.exe
to invoke the CLR provides a stealthy way to execute .NET-based payloads without triggering alarms.
Answer: rundll32.exe
4) Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the two IP addresses of the C2 callback server. Answer format: 10.0.0.1XX and 10.0.0.XX
Answer: 10.0.0.186 and 10.0.0.91
5) Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the port that one of the two C2 callback server IPs used to connect to one of the compromised machines. Enter it as your answer.
Answer: 3389