Splunk - Threat Hunting for PowerShell Execution
SPL queries used here:
PowerShell module logging (EventID 4103, "Executing Pipeline") in the PowerShell Operational channel. Note that 4103 records pipeline execution, not a Windows logon; it is only present when module logging is enabled.
sourcetype="threathunting*" Channel IN ("Microsoft-Windows-PowerShell/Operational") EventID=4103
| table Channel _time Hostname
| sort -_time
Non-interactive mode: PowerShell spawned by a process other than explorer.exe (Security EventID 4688, process creation with command-line auditing)
sourcetype="threathunting*" EventID=4688 NewProcessName="*powershell.exe*" ParentProcessName!="*explorer.exe*"
| stats count by EventID NewProcessName ParentProcessName SubjectUserName SubjectDomainName _time
Sysmon EventID 7: module/image (DLL) loaded into a process; the process of interest here is PowerShell. Pivot on ImageLoaded="*System.Management.Automation*" instead of Image if you also want to catch PowerShell hosted in a process other than powershell.exe.
sourcetype="threathunting*" Channel="Microsoft-Windows-Sysmon/Operational" EventID=7 Image="*powershell.exe*"
| stats count by _time Hostname Image ImageLoaded
Sysmon EventID 17: named pipe created
sourcetype="threathunting*" Channel="Microsoft-Windows-Sysmon/Operational" EventID=17
| stats count by _time Hostname Image PipeName ProcessId
EventID 53504: "PowerShell Named Pipe IPC" (PowerShell Operational channel; logged when PowerShell starts its IPC listening thread)
sourcetype="threathunting*" EventID=53504
| stats count by EventID AccountName Hostname Message
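The same filtering and grouping that the EventID=4688 query and the EventID=17/53504 pair above perform in Splunk, reimplemented offline in Python as an added example (this is not the video author's code and does not talk to Splunk). The events are constructed samples whose field names mirror the SPL, the Windows paths and the PSHost pipe name format are assumed, and the parent_allowlist parameter generalises the page's single explorer.exe exclusion so other expected parents can be baselined out.

```python
"""Offline re-implementation of the 4688 and 17/53504 hunts over constructed events."""
from __future__ import annotations

import re
from collections import Counter
from fnmatch import fnmatchcase

# Assumed typical Windows paths used by the constructed events below.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SVCHOST = r"C:\Windows\System32\svchost.exe"


def evt(event_id: int, host: str, **fields):
    """Build one event record with the field names the SPL queries use."""
    return {"EventID": event_id, "Hostname": host, **fields}


# Constructed sample telemetry, not real logs.
EVENTS = [
    # 4688: PowerShell opened from the desktop shell -> interactive, excluded by the hunt
    evt(4688, "WS01", NewProcessName=PS_EXE, ParentProcessName=EXPLORER,
        SubjectUserName="alice", SubjectDomainName="CORP"),
    # 4688: Word spawns PowerShell twice (macro-style parent/child pair)
    evt(4688, "WS01", NewProcessName=PS_EXE, ParentProcessName=WINWORD,
        SubjectUserName="alice", SubjectDomainName="CORP"),
    evt(4688, "WS01", NewProcessName=PS_EXE, ParentProcessName=WINWORD,
        SubjectUserName="alice", SubjectDomainName="CORP"),
    # 4688: a service host spawns PowerShell under the machine account
    evt(4688, "SRV02", NewProcessName=PS_EXE, ParentProcessName=SVCHOST,
        SubjectUserName="SRV02$", SubjectDomainName="CORP"),
    # 4688: not PowerShell, must never match
    evt(4688, "WS01", NewProcessName=r"C:\Windows\System32\notepad.exe",
        ParentProcessName=EXPLORER, SubjectUserName="alice", SubjectDomainName="CORP"),
    # Sysmon 17: pipe created by the PowerShell host
    # (pipe name format PSHost.<ticks>.<pid>.<appdomain>.<procname> is an assumption)
    evt(17, "WS01", Image=PS_EXE, ProcessId=4712,
        PipeName=r"\PSHost.133012345678901234.4712.DefaultAppDomain.powershell"),
    # Sysmon 17: unrelated pipe from the print spooler
    evt(17, "WS01", Image=r"C:\Windows\System32\spoolsv.exe", ProcessId=1880,
        PipeName=r"\spoolss"),
    # 53504: PowerShell IPC listener started (message wording as logged, reproduced from memory)
    evt(53504, "WS01", AccountName=r"CORP\alice",
        Message="Windows PowerShell has started an IPC listening thread on process: 4712 "
                "in AppDomain: DefaultAppDomain"),
]


def _like(value: str, pattern: str) -> bool:
    """Case-insensitive SPL-style wildcard match, e.g. NewProcessName="*powershell.exe*"."""
    return fnmatchcase(value.lower(), pattern.lower())


def noninteractive_powershell(events, parent_allowlist=("*explorer.exe*",)) -> Counter:
    """Equivalent of the EventID=4688 query: count PowerShell launches whose parent is not
    on the allowlist, grouped by (ParentProcessName, DOMAIN\\user) like `stats count by`."""
    hits: Counter = Counter()
    for e in events:
        if e.get("EventID") != 4688 or not _like(e["NewProcessName"], "*powershell.exe*"):
            continue
        if any(_like(e["ParentProcessName"], p) for p in parent_allowlist):
            continue
        hits[(e["ParentProcessName"], f'{e["SubjectDomainName"]}\\{e["SubjectUserName"]}')] += 1
    return hits


IPC_PID = re.compile(r"IPC listening thread on process:\s*(\d+)")


def powershell_ipc_pipes(events):
    """Join EventID=53504 (IPC listener started) to Sysmon EventID=17 (pipe created) on
    Hostname and process id. Returns (host, pid, account, image, pipe); image and pipe are
    None when Sysmon did not record the pipe, which points at a gap in the Sysmon config."""
    pipes = {}
    for e in events:
        if e.get("EventID") == 17:
            pipes.setdefault((e["Hostname"], int(e["ProcessId"])), e)
    out = []
    for e in events:
        if e.get("EventID") != 53504:
            continue
        m = IPC_PID.search(e["Message"])
        if not m:
            continue
        pipe = pipes.get((e["Hostname"], int(m.group(1))))
        out.append((e["Hostname"], int(m.group(1)), e["AccountName"],
                    pipe["Image"] if pipe else None, pipe["PipeName"] if pipe else None))
    return out


if __name__ == "__main__":
    for key, n in noninteractive_powershell(EVENTS).most_common():  # like `| sort -count`
        print(n, *key)
    for row in powershell_ipc_pipes(EVENTS):
        print(*row)
```

Two caveats carry straight back to the SPL: `*powershell.exe*` does not match pwsh.exe (PowerShell 7), so add a second NewProcessName term if it is deployed in your environment, and a 53504 event with no matching Sysmon 17 row means the Sysmon PipeEvent rules are not capturing PowerShell's PSHost pipes.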
Video added by user cybersecnerd, 18 June 2022.