Hunting Evil with Sigma (Splunk Edition)
As discussed when introducing Sigma, Sigma rules revolutionize our approach to log analysis and threat detection. What we're dealing with here is a sort of Rosetta Stone for SIEM systems. Sigma is like a universal translator that adds a layer of abstraction over event logs, taking away the painful element of SIEM-specific query languages.
Example 1: Hunting for MiniDump Function Abuse to Dump LSASS's Memory (comsvcs.dll via rundll32)
A Sigma rule named proc_access_win_lsass_dump_comsvcs_dll.yml can be found inside the C:\Tools\chainsaw\sigma\rules\windows\process_access directory of the previous section's target.
This Sigma rule detects adversaries leveraging the MiniDump export function of comsvcs.dll via rundll32 to perform a memory dump from LSASS.
We can translate this rule into a Splunk search with sigmac as follows.
PS C:\Tools\sigma-0.21\tools> python sigmac -t splunk C:\Tools\chainsaw\sigma\rules\windows\process_access\proc_access_win_lsass_dump_comsvcs_dll.yml -c .\config\splunk-windows.yml
(TargetImage="*\\lsass.exe" SourceImage="C:\\Windows\\System32\\rundll32.exe" CallTrace="*comsvcs.dll*")

Open the "Search & Reporting" application, and submit the Splunk search sigmac provided us with.

The Splunk search provided by sigmac was indeed able to detect MiniDump function abuse to dump LSASS's memory.
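To make the translation step concrete, here is an added example (not sigmac's code and not part of the original page) that mirrors what sigmac's Splunk backend does for simple rules: it takes a constructed, cut-down copy of the rule's detection block (the real rule file carries more metadata) and reproduces the exact search shown above for Example 1, including the doubled backslashes and the wildcards derived from the endswith and contains modifiers.

```python
# Added example, not sigmac's code. RULE is a constructed, cut-down detection
# block in the shape of proc_access_win_lsass_dump_comsvcs_dll.yml, not the file.
RULE = {
    "title": "LSASS memory dump via comsvcs.dll (constructed copy for illustration)",
    "logsource": {"category": "process_access", "product": "windows"},
    "detection": {
        "selection": {
            "TargetImage|endswith": "\\lsass.exe",
            "SourceImage": "C:\\Windows\\System32\\rundll32.exe",
            "CallTrace|contains": "comsvcs.dll",
        },
        "condition": "selection",
    },
}

def splunk_value(value, modifier):
    """Escape one Sigma string value and turn its modifier into Splunk wildcards."""
    # Backslashes must be doubled inside a quoted Splunk term, which is why sigmac
    # emits "*\\lsass.exe" for the Sigma value '\lsass.exe'.
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    if modifier == "endswith":
        return f'"*{escaped}"'
    if modifier == "startswith":
        return f'"{escaped}*"'
    if modifier == "contains":
        return f'"*{escaped}*"'
    return f'"{escaped}"'

def translate_selection(selection):
    """One Sigma selection is an AND of field/value pairs; Splunk ANDs adjacent terms."""
    terms = []
    for key, value in selection.items():
        field, _, modifier = key.partition("|")
        values = value if isinstance(value, list) else [value]
        # A list of values under one field is an OR in Sigma
        rendered = " OR ".join(f"{field}={splunk_value(v, modifier)}" for v in values)
        terms.append(f"({rendered})" if len(values) > 1 else rendered)
    return "(" + " ".join(terms) + ")"

def sigma_to_splunk(rule):
    """Handle the two condition shapes most simple rules use: 'X' and 'X and not Y'."""
    detection = rule["detection"]
    condition = detection["condition"].strip()
    if condition in detection:
        return translate_selection(detection[condition])
    left, sep, right = condition.partition(" and not ")
    if sep and left in detection and right in detection:
        return f"{translate_selection(detection[left])} NOT {translate_selection(detection[right])}"
    raise ValueError(f"unsupported condition: {condition!r}")
```

Calling sigma_to_splunk(RULE) yields the same search string sigmac printed above; rules with more complex conditions (aggregations, multiple OR'd selections) need the real sigmac backend.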
Example 2: Hunting for Notepad Spawning Suspicious Child Process
A Sigma rule named proc_creation_win_notepad_susp_child.yml can be found inside the C:\Rules\sigma directory of the previous section's target.
This Sigma rule detects notepad.exe spawning a suspicious child process.
Open the "Search & Reporting" application, and submit the Splunk search sigmac provided us with.

The Splunk search provided by sigmac was indeed able to detect notepad.exe spawning suspicious processes (such as PowerShell).
Q & A
1)


Answer: C:\Users\waldo\Downloads\20221108112718_BloodHound.zip