Splunk - Threat Hunting with Windows OS Logs (threat data)
hypothesis: Adversaries might be using a non-system account to access LSASS and extract credentials from memory.
Reference Links:
https://attack.mitre.org/techniques/T...
https://adsecurity.org/?page_id=1821#...
http://clymb3r.wordpress.com/2013/04/...
SPL Queries Used:
1. Looking for non-system accounts getting a handle to and accessing lsass
index=mordor EventID=4656 OR EventID=4663 ObjectName="*lsass.exe*" NOT SubjectUserName="*%$*"
| table EventID Category ObjectName AccessMask Hostname SubjectUserName ProcessName
2. Processes opening handles to and accessing lsass with a potential DLL in memory (UNKNOWN module in the call trace)
index=mordor EventID=10 TargetImage="*lsass.exe*" CallTrace="*UNKNOWN*"
| stats count by _time Hostname SourceImage TargetImage GrantedAccess SourceProcessGUID
3. Look for processes loading a few known DLLs, as loaded by Mimikatz, to interact with credentials
index=mordor EventID=7 ImageLoaded IN ("*samlib.dll*", "*vaultcli.dll*", "*hid.dll*", "*winscard.dll*", "*crypt.dll*")
| stats values(ImageLoaded) dc(ImageLoaded) as ImageLoaded by Image
| sort -ImageLoaded
4. Processes opening handles to and accessing lsass with potential DLLs loaded in memory, joined with processes loading a few known DLLs as loaded by tools like Mimikatz
index=mordor EventID=7 ImageLoaded IN ("*samlib.dll*", "*vaultcli.dll*", "*hid.dll*", "*winscard.dll*", "*crypt.dll*")
| fields _time Hostname ProcessGUID Image ImageLoaded
| join ProcessGUID
[search index=mordor EventID=10 TargetImage="*lsass.exe*" CallTrace="*UNKNOWN*"
| rename SourceProcessGUID as ProcessGUID
| table ProcessGUID SourceImage TargetImage GrantedAccess]
| table _time Hostname ProcessGUID Image ImageLoaded TargetImage GrantedAccess
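The join that query 4 performs, as an added example rather than code from the video: Sysmon Event ID 7 loads of the listed DLLs are matched against Event ID 10 lsass access with an UNKNOWN call trace on the process GUID, run over constructed events that reuse the page's field names (ProcessGUID, SourceProcessGUID, Hostname, Image, ImageLoaded).

```python
"""Query 4 of the playbook in Python over constructed Sysmon-style events (added example)."""
import fnmatch
from collections import defaultdict

# DLLs the playbook lists as loaded by credential-dumping tools
CRED_DLLS = ("samlib.dll", "vaultcli.dll", "hid.dll", "winscard.dll", "crypt.dll")

# Constructed sample events; GUIDs, paths and CallTrace values are placeholders
SAMPLE_EVENTS = [
    {"EventID": 7, "Hostname": "WKS1", "ProcessGUID": "{A}", "Image": "C:\\Tools\\dump.exe",
     "ImageLoaded": "C:\\Windows\\System32\\samlib.dll"},
    {"EventID": 7, "Hostname": "WKS1", "ProcessGUID": "{A}", "Image": "C:\\Tools\\dump.exe",
     "ImageLoaded": "C:\\Windows\\System32\\vaultcli.dll"},
    {"EventID": 7, "Hostname": "WKS1", "ProcessGUID": "{A}", "Image": "C:\\Tools\\dump.exe",
     "ImageLoaded": "C:\\Windows\\System32\\winscard.dll"},
    # benign: loads one listed DLL but never opens lsass, so it must not be reported
    {"EventID": 7, "Hostname": "WKS1", "ProcessGUID": "{B}", "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\crypt.dll"},
    {"EventID": 10, "Hostname": "WKS1", "SourceProcessGUID": "{A}", "SourceImage": "C:\\Tools\\dump.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d1e4|UNKNOWN(0000000000A10000)"},
    # handle to lsass but a fully module-backed call trace: not matched by CallTrace="*UNKNOWN*"
    {"EventID": 10, "Hostname": "WKS1", "SourceProcessGUID": "{C}", "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": "C:\\Windows\\SYSTEM32\\ntdll.dll+9d1e4|C:\\Windows\\System32\\KERNELBASE.dll+2c4e6"},
]


def hunt_lsass_dll_loads(events):
    """Return {ProcessGUID: finding} for processes that both loaded a listed DLL
    (Event 7) and opened lsass with UNKNOWN in the call trace (Event 10)."""
    loaded = defaultdict(set)   # ProcessGUID -> set of listed DLL names loaded
    image = {}                  # ProcessGUID -> Image from the Event 7 side
    for e in events:
        if e.get("EventID") == 7 and any(
                fnmatch.fnmatch(e["ImageLoaded"].lower(), "*" + d) for d in CRED_DLLS):
            loaded[e["ProcessGUID"]].add(e["ImageLoaded"].rsplit("\\", 1)[-1].lower())
            image[e["ProcessGUID"]] = e["Image"]
    hits = {}
    for e in events:   # the "subsearch": Event 10, lsass target, UNKNOWN call trace
        if e.get("EventID") != 10 or not fnmatch.fnmatch(e["TargetImage"].lower(), "*lsass.exe*") \
                or "UNKNOWN" not in e.get("CallTrace", ""):
            continue
        guid = e["SourceProcessGUID"]          # joins against Event 7 ProcessGUID
        if guid in loaded:
            hits[guid] = {"Hostname": e["Hostname"], "Image": image[guid],
                          "GrantedAccess": e["GrantedAccess"], "ImageLoaded": sorted(loaded[guid])}
    return hits
```

Running `hunt_lsass_dll_loads(SAMPLE_EVENTS)` reports only process {A}; explorer.exe (no lsass access) and svchost.exe (module-backed call trace) are left out, which is the same narrowing the SPL join gives.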
Video "Splunk - Threat Hunting Playbook 1", uploaded by cybersecnerd on 27 February 2021; 5,263 views, 80 likes.