Hunting Evil with Sigma (Splunk Edition)
As discussed when introducing Sigma, Sigma rules revolutionize our approach to log analysis and threat detection. What we're dealing with here is a sort of Rosetta Stone for SIEM systems. Sigma is like a universal translator that brings in a level of abstraction to event logs, taking away the painful element of SIEM-specific query languages.
Example 1: Hunting for MiniDump Function Abuse to Dump LSASS's Memory (comsvcs.dll via rundll32)
A Sigma rule named proc_access_win_lsass_dump_comsvcs_dll.yml can be found inside the C:\Tools\chainsaw\sigma\rules\windows\process_access directory of the previous section's target.
This Sigma rule detects adversaries leveraging the MiniDump export function of comsvcs.dll via rundll32 to perform a memory dump from LSASS.
We can translate this rule into a Splunk search with sigmac as follows.
Open the "Search & Reporting" application, and submit the Splunk search sigmac provided us with.
The Splunk search provided by sigmac was indeed able to detect MiniDump function abuse to dump LSASS's memory.
Example 2: Hunting for Notepad Spawning Suspicious Child Process
A Sigma rule named proc_creation_win_notepad_susp_child.yml can be found inside the C:\Rules\sigma directory of the previous section's target.
This Sigma rule detects notepad.exe spawning a suspicious child process.
Open the "Search & Reporting" application, and submit the Splunk search sigmac provided us with.
The Splunk search provided by sigmac was indeed able to detect notepad.exe spawning suspicious processes (such as PowerShell).
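To make the sigmac translation step in both examples above concrete, here is a small Sigma-to-Splunk converter written for this page (it is not sigmac's own code and not part of the course material). The rule it translates is constructed in the spirit of proc_access_win_lsass_dump_comsvcs_dll.yml: the Sysmon event 10 field names are real, but the values, the filter and the condition are assumptions.

```python
# Tiny Sigma -> Splunk translator, constructed for this page (not sigmac's own code).
# Covers the subset these process rules use: named selections of
# "Field|modifier: value(s)" joined by a condition of "and", "or", "not".

_WRAP = {"": "{}", "contains": "*{}*", "startswith": "{}*", "endswith": "*{}"}

def _escape(value):
    """Quote a value for Splunk, escaping backslashes and double quotes."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'

def _field_clause(key, values):
    """Translate 'Field|modifier: value(s)' into a Splunk term; list values are OR'd."""
    field, _, modifier = key.partition("|")
    if modifier not in _WRAP:
        raise ValueError(f"unsupported modifier: {modifier}")
    values = values if isinstance(values, list) else [values]
    terms = [f"{field}={_escape(_WRAP[modifier].format(v))}" for v in values]
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"

def _selection_clause(selection):
    """Every field of one selection must match (AND)."""
    return " AND ".join(_field_clause(k, v) for k, v in selection.items())

def sigma_to_splunk(rule):
    """Walk the condition, swapping selection names for their Splunk clauses."""
    detection = rule["detection"]
    out = []
    for token in detection["condition"].split():
        if token in ("and", "or", "not"):
            out.append(token.upper())
        else:
            out.append("(" + _selection_clause(detection[token]) + ")")
    return " ".join(out)

# Constructed rule in the spirit of proc_access_win_lsass_dump_comsvcs_dll.yml;
# field names follow Sysmon event 10, but values and the filter are assumptions.
LSASS_COMSVCS_RULE = {
    "logsource": {"category": "process_access", "product": "windows"},
    "detection": {
        "selection": {"TargetImage|endswith": "\\lsass.exe",
                      "CallTrace|contains": "comsvcs.dll"},
        "filter": {"SourceImage|endswith": "\\csrss.exe"},
        "condition": "selection and not filter",
    },
}
```

The same function handles a process-creation rule like the notepad.exe example, since a list of child images is OR'd while the parent and child fields are AND'd.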
Q & A
1)
Answer: C:\Users\waldo\Downloads\20221108112718_BloodHound.zip