TERM(jndi:*) OR TERM(env:ENV_NAME:*) OR TERM(::-/) OR
TERM(::-j) OR TERM(::-jn) OR TERM(::-jnd) OR TERM(::-jndi) OR
TERM(::-n) OR TERM(::-nd) OR TERM(::-ndi) OR
TERM(::-d) OR TERM(::-di) OR
TERM(::-i) OR
TERM(lower:j) OR TERM(lower:jn) OR TERM(lower:jnd) OR TERM(lower:jndi) OR
TERM(lower:n) OR TERM(lower:nd) OR TERM(lower:ndi) OR
TERM(lower:d) OR TERM(lower:di) OR
TERM(lower:i) OR
TERM(upper:j) OR TERM(upper:jn) OR TERM(upper:jnd) OR TERM(upper:jndi) OR

```
Author: @0x1FFFFF
Date: 9 November, 2021
Goal: Limit the buckets Splunk has to read to the minimum necessary for querying the relevant Sysmon events.
There are a few things to consider before using these types of searches.
Please familiarize yourself with how TERM works and how to find usable strings in raw events.
Splunk Docs: https://docs.splunk.com/Documentation/Splunk/latest/Search/UseCASEandTERMtomatchphrases
https://docs.splunk.com/Documentation/Splunk/8.2.3/Search/Eventsegmentationandsearching
Talk by Richard Morgan: https://conf.splunk.com/files/2020/recordings/PLA1089C.mp4
https://conf.splunk.com/files/2020/slides/PLA1089C.pdf

```
Author: @0x1FFFFF
Date: 1 September, 2021
Goal: Enumerate the human-readable permissions listed in Sysmon EID 10s.
Note: This type of logic is too heavy to run inline in a search. Use it to generate results and add them to a lookup table.
```
$Your_Sysmon_Logic_Here$ EventCode=10
| stats count by GrantedAccess
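The `stats count by GrantedAccess` output above is only a list of hex masks; turning each distinct mask into its human-readable rights is the part that belongs in the lookup. The following Python is an added example, not code from the gist: it decodes Sysmon EID 10 GrantedAccess masks using Microsoft's documented process and standard access-right constants, keeps any undocumented bits visible as UNKNOWN_0x..., and renders the result as a Splunk lookup CSV. The sample masks at the bottom are constructed.

```python
import csv
import io

# Process-specific and standard access rights from winnt.h (Microsoft's
# documented constants, not taken from the gist).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x010000: "DELETE",
    0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
KNOWN_BITS = sum(PROCESS_RIGHTS)  # keys are distinct bits, so sum == OR

def decode_granted_access(value):
    """Names of the rights set in a GrantedAccess mask (int or hex string such as
    '0x1410'), lowest bit first; undocumented bits (e.g. 0xC000 inside 0x1FFFFF)
    are reported as UNKNOWN_0x... instead of being silently dropped."""
    mask = int(value, 16) if isinstance(value, str) else int(value)
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    unknown = mask & ~KNOWN_BITS
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names

def build_lookup_csv(masks):
    """Render distinct masks as a Splunk lookup CSV (GrantedAccess, GrantedAccessDescription)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["GrantedAccess", "GrantedAccessDescription"])
    for mask in masks:
        writer.writerow([mask, "|".join(decode_granted_access(mask))])
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample of masks in the form Sysmon renders them in EID 10.
    print(build_lookup_csv(["0x1010", "0x1410", "0x1F0FFF", "0x1FFFFF"]))
```

Feed the CSV to Splunk as a lookup and join it on GrantedAccess at search time instead of recomputing the decode inline.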
index IN (...) EventID=4627 LogonType IN (3,10)
```Parse out Groups and expand each into its own event```
| rex field=GroupMembership "(?m)^\s*(?<GroupMV>.+)\n*" max_match=0
| mvexpand GroupMV
```Look for Admin Groups https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/security-identifiers-in-windows```
| search GroupMV="*-512}*" OR GroupMV="*-519}*" OR GroupMV="*-544}*"
| search TargetUserName!="*$" AND GroupMV!="%{S-1-5-32-544}"
```Map search for the lack of an associated 4768 TGT Request Log```
| eval startMap=relative_time(_time,"-1m")
| eval endMap=relative_time(_time,"+1m")