# Search
Validate the IP that is scanning
```
index=botsv1 imreallynotbatman.com src=40.80.148.42 sourcetype=suricata
```
* Counts by each source IP against the webserver.
```
index=botsv1 imreallynotbatman.com sourcetype=stream*
| stats count(src_ip) as Requests by src_ip
| sort - Requests
```
* Show the traffic coming into this URI.
```
index=botsv1 imreallynotbatman.com sourcetype=stream:http dest_ip="192.168.250.70" uri="/joomla/administrator/index.php"
```
More info
```
index=botsv1 sourcetype=stream:http dest_ip="192.168.250.70" http_method=POST uri="/joomla/administrator/index.php"
| table _time uri src_ip dest_ip form_data
```
* Brute force
```
index=botsv1 sourcetype=stream:http dest_ip="192.168.250.70" http_method=POST uri="/joomla/administrator/index.php" form_data=*username*passwd*
| table _time uri src_ip dest_ip form_data
```
Real password
```
index=botsv1 sourcetype=stream:http dest_ip="192.168.250.70" http_method=POST form_data=*username*passwd*
| rex field=form_data "passwd=(?<creds>\w+)"
|table _time src_ip uri http_user_agent creds
```
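The "Brute force" and "Real password" queries above, reimplemented in Python over constructed stream:http-style records (an added example, not from the original notes): it keeps the login POSTs that carry `username` and `passwd`, counts attempts per source IP like `stats count by src_ip`, and reports any password posted from more than one address. The field names mirror the queries; the sample records and passwords are made up.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

LOGIN_URI = "/joomla/administrator/index.php"
# The page's rex uses \w+, which stops at '-' or '%'; [^&]+ takes the whole field value.
PASSWD_RE = re.compile(r"passwd=(?P<creds>[^&]+)")

# Constructed sample records shaped like the stream:http fields the queries table.
# The IPs are the two that appear in the queries on this page; the passwords are made up.
SAMPLE_EVENTS = [
    {"_time": "2016-08-10T21:00:01", "src_ip": "23.22.63.114", "http_method": "POST",
     "uri": LOGIN_URI, "form_data": "username=admin&passwd=123456&option=com_login&task=login"},
    {"_time": "2016-08-10T21:00:02", "src_ip": "23.22.63.114", "http_method": "POST",
     "uri": LOGIN_URI, "form_data": "username=admin&passwd=s4mple-pass&option=com_login&task=login"},
    {"_time": "2016-08-10T21:00:03", "src_ip": "23.22.63.114", "http_method": "POST",
     "uri": LOGIN_URI, "form_data": "username=admin&passwd=letmein&option=com_login&task=login"},
    {"_time": "2016-08-10T21:05:07", "src_ip": "40.80.148.42", "http_method": "POST",
     "uri": LOGIN_URI, "form_data": "username=admin&passwd=s4mple-pass&option=com_login&task=login"},
    {"_time": "2016-08-10T21:06:00", "src_ip": "40.80.148.42", "http_method": "POST",
     "uri": "/joomla/index.php", "form_data": "option=com_search&searchword=x"},
]

def login_attempts(events):
    """Mirror of the 'Brute force' query: POSTs to the admin login carrying username and passwd."""
    out = []
    for e in events:
        if e.get("http_method") != "POST" or e.get("uri") != LOGIN_URI:
            continue
        fd = e.get("form_data", "")
        if "username" not in fd or "passwd" not in fd:
            continue
        m = PASSWD_RE.search(fd)
        if m:
            out.append((e["_time"], e["src_ip"], unquote_plus(m.group("creds"))))
    return out

def attempts_by_source(attempts):
    """Mirror of 'stats count by src_ip | sort - count': who hammered the login form."""
    return Counter(src for _, src, _ in attempts).most_common()

def reused_passwords(attempts):
    """Passwords posted from more than one source IP. A guess list and a later login
    from a different address overlap only on the guess that actually worked."""
    sources = defaultdict(set)
    for _, src, pw in attempts:
        sources[pw].add(src)
    return {pw: sorted(ips) for pw, ips in sources.items() if len(ips) > 1}
```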
* Installation
```
index=botsv1 sourcetype=stream:http dest_ip="192.168.250.70" *.exe
```
```
index=botsv1 src=192.168.250.70 sourcetype=suricata dest_ip=23.22.63.114
```
https://www.youtube.com/watch?v=4Jau-Wj-mkE&list=PLqM63j87R5p42cBwRwI24FQeF7oEBFmka
* Name of USB key inserted
```
index=botsv1 sourcetype=winregistry friendlyname
| table host object data
```
* Name of file executed
```
index=botsv1 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" host=we8105desk "d:\\"
| reverse
| table host parent_process process process_current_directory CurrentDirectory
```
reverse: oldest -> latest
* Find commandline
```
index=botsv1 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" host=we8105desk (CommandLine="*d:\\*" OR parentcommandline="*d:\\*")
| table _time CommandLine ParentCommandLine
| sort _time
```
* Parent process of PID 121214
```
index=botsv1 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" 121214.tmp CommandLine=*
| table ProcessId ParentProcessId ParentCommandLine
| reverse
```
* Amongst the Suricata signatures that detected the Cerber malware, which signature ID alerted the fewest number of times?
```
index=botsv1 sourcetype=suricata alert.signature=*cerber*
|stats count by alert.signature alert.signature_id
|sort - count
```
* How many files does it encrypt?
```
index=botsv1 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" host=we8105desk EventCode=2 TargetFilename="C:\\Users\\bob.smith.WAYNECORPINC\\*.txt"
| stats dc(TargetFilename)
```
* What fully qualified domain name (FQDN) does the Cerber ransomware attempt to direct the user to at the end of its encryption phase?
```
index=botsv1 sourcetype="stream:dns" src="192.168.250.100" record_type=A NOT (query{}=*.microsoft.com OR query{}=*.waynecorpinc.local OR query{}=*.bing.com OR query{}=isatap OR query{}=wpad OR query{}=*.windows.com OR query{}=*.msftncsi.com)
| table _time query{} src dest
```
## Get detection rules
https://www.youtube.com/watch?v=gmQrOGqlz4A&list=PLqM63j87R5p42cBwRwI24FQeF7oEBFmka&index=3
https://github.com/SigmaHQ/sigma
https://uncoder.io/
https://tdm.socprime.com/signup
## SQL XSS
https://www.youtube.com/watch?v=EYdUp_EEGlY&list=PLqM63j87R5p42cBwRwI24FQeF7oEBFmka&index=5
## USB
https://www.youtube.com/watch?v=EEq9H0LWuxc&list=PLqM63j87R5p42cBwRwI24FQeF7oEBFmka&index=6
## FTP
https://www.youtube.com/watch?v=QlUq9TaM_fM&list=PLqM63j87R5p42cBwRwI24FQeF7oEBFmka&index=7
## Amazon
https://www.youtube.com/watch?v=7Mw3vRI2A9g&list=PLqM63j87R5p42cBwRwI24FQeF7oEBFmka&index=8
## Incident response
https://medium.com/@Mx0o14/tryhackme-incident-handling-with-splunk-1f21fa04b644
https://www.youtube.com/watch?v=4Jau-Wj-mkE&list=PLqM63j87R5p42cBwRwI24FQeF7oEBFmka
# Install
https://splunkbase.splunk.com/app/3186
https://www.splunk.com/en_us/download/universal-forwarder.html
https://www.splunk.com/en_us/download/splunk-enterprise.html?locale=en_us
https://www.bitsioinc.com/install-splunk-linux/
## Get license
https://www.youtube.com/watch?v=SEc6-Ma1B-s&list=PLSr58-DJdRybowRyR8gp4cbLtoQektcze&index=4
## Set up on Linux
https://www.youtube.com/watch?v=_3yDDzKddwQ
## Set up on Windows
https://takahiro-oda.medium.com/splunk-how-to-capture-log-using-splunk-universal-forwarder-b6b87ae62a8b
## Search document
https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/Search/Usethestatscommandandfunctions
## Web data
https://www.youtube.com/watch?v=9ZGZ-UhtUuQ
## Firewall
https://medium.com/@black_Diamond/easy-steps-to-connect-fortigate-firewall-with-splunk-part-3-7c949f8ca761
## Monitor
https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/Monitorfilesanddirectorieswithinputs.conf
## Command
```
# point the forwarder at the indexer (replace 0.0.0.0 with the indexer's address; 9997 is the default receiving port)
/opt/splunk/bin/splunk add forward-server 0.0.0.0:9997
# monitor the Apache logs, tagging them with a sourcetype and sending them to the "web" index
/opt/splunk/bin/splunk add monitor /var/log/apache2/access.log -sourcetype apache:access -index web
/opt/splunk/bin/splunk add monitor /var/log/apache2/error.log -sourcetype apache:error -index web
# restart so the new inputs take effect
/opt/splunk/bin/splunk restart
# stop monitoring a file again
/opt/splunk/bin/splunk remove monitor /var/log/apache2/access.log -sourcetype apache:access -index web
```
# Practice
https://bots.splunk.com/#play-now