A subsearch goes and runs another search, and then takes those results and inserts them into the main search. | search įrom line one we have our process launch logs, now we need to filter that down to just the potential attack tools. This could be any EDR data source that provides file hash information. If there's a single transaction with many events, it surfaces those.ĭemo Data | `Load_Sample_Log_Data("Generic Sysmon Process Launches")`įirst we pull in our demo dataset. It then filters for a set of file hashes that are known to be hacker related (from a lookup called tools.csv) and uses the transaction command to group them by time. Our dataset is a collection of Windows process launch logs (Event ID 4688), where we have hashing turned on (look for tools like WLS, or Sysmon to help here). This example leverages the Simple Search assistant. ![]() As you get more information about this particular system (for example, how did malware end up on it, what websites has it communicated with, etc.), make sure to pivot and look across your entire organization for other indications, and to look in Open Source Intelligence sites like VirusTotal to learn more about the attacker.Ĭoncentration of Attacker Tools by SHA1 Hash Help That should guide you to the underlying problem. The first step in that process will be to look at the parent process that launched these suspicious processes, and see what other activities that process has done. Recommended steps are to begin incident response on the host where this alert fired from, to look for signs of other suspicious activities. This alert is very clearly tied to a known threat, so when it fires your concern is that this represents an attacker inside of one of your systems. The only scenario where you would expect to see this happen is if your organization happens to use some of those unusual tools for normal sysadmin tasks, and have them scripted. This search should trigger very few false positives, because it's filtered to just very specific launches, and even more, looking for multiple process launches in a short period of time. ![]() Once you have the search itself running, then you need only schedule it (click "Schedule Alert") and have Splunk email you, create a ticket in Enterprise Security or Service Now, or take some other action for you. In order for the hashes to show up correctly in the table, make sure that you have a field named sha1 (or change the search to match what you see in the events). Finally, Sysmon will return multiple different hashes.The EventCode field is the second to last field you have to think about, which if you use our Splunk Add-on for Sysmon on your Search Head, will also work automatically for you (again, docs are key!).The next field you have to worry about is the sourcetype, which should be pretty standard.You should make sure that you specify the index where your EDR logs live (index=epintel if you follow our best practices, and the documentation in this app). In the live version, we start with index=* which is bad Splunk form (but makes it a little bit easier to get started). ![]() (Why EDR? The boundary between EDR logs and Windows Security Logs for most Splunk customers is that Windows Process Launch Logs won't contain hashes, or the right variety of hashes, but EDR tools including the free Sysmon tool will.) Logger "VIRUSTOTAL Send Hash for File $f"ĭata=$(curl -s -request GET -url $sha256 -header "x-apikey: $vt_api_key" | jq '.' | grep -oP '(?<="malicious": ).The hardest part of implementing this correctly, once you have EDR logs ingested, will be to make sure that the fields correctly set. Logger "VIRUSTOTAL Nothing to do for $queue_file. Currently I would guess, this is not allowed in free API except only for private usage!Įcho "usage: $0 APIVERSION QUEUEFILENAME" 1>&2 Next is to contact VIRUSTOTAL to get pricing for this usage. So you have Hash-Check against 50 or more AV-Engines.Įvery check is delayed by 7 seconds. If the File-Hash has never been seen at Virustotal it will also return "0" which is considered as clean for now. Open for suggestions and optimizations.Į-Mails and Attachments are extracted with MUNPACK into a Temp-Folder below /tmp and removed again after generating HASH and Check against Virustotal-API is done.įor now only "Malicious Count" is used, but this can be enhanced to also look for "Suspicious" or any other result later. ![]() This is really not good BASH-Code, but it works. Hash-Check for E-Mail and Attachment against Virustotal API.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |