The following Splunk search should be run over a long period of time (at least it worked best that way in my environment). This query will show potentially suspicious activity based on processes within a Windows environment. It could also indicate a sanctioned security scan (so don’t run out there and start pointing fingers based off this one query!)
sourcetype="WinEventLog:Security" EventCode=4688 NOT (Account_Name=*$) (arp.exe OR at.exe OR bcdedit.exe OR bcp.exe OR chcp.exe OR cmd.exe OR cscript.exe OR csvde OR dsquery.exe OR ipconfig.exe OR mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR netstat.exe OR nmap OR nslookup.exe OR netsh OR OSQL.exe OR ping.exe OR powershell.exe OR powercat.ps1 OR psexec.exe OR psexecsvc.exe OR psLoggedOn.exe OR procdump.exe OR qprocess.exe OR query.exe OR rar.exe OR reg.exe OR route.exe OR runas.exe OR rundll32 OR schtasks.exe OR sethc.exe OR sqlcmd.exe OR sc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR system32\\net.exe OR tasklist.exe OR tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe OR "winrm.*" OR "winrs.*" OR wmic.exe OR wsmprovhost.exe OR wusa.exe) | eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0) | table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message
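The same logic, rewritten in Python so it can be exercised offline against a handful of constructed 4688 events (this is an added example, not part of the original post or a Splunk artifact). It reproduces the three parts of the search: the `NOT (Account_Name=*$)` machine-account exclusion, the watch-list term match (approximating Splunk's term matching by requiring the term to start and end at a non-word character, with `winrm.*`/`winrs.*` treated as wildcards), and the `split`/`mvindex` pair that derives `Short_Message`. The sample events and account names are constructed; the `count_by_process` helper is an addition for the tuning step the query needs in a noisy environment.

```python
import re
from collections import Counter

# Process names taken from the page's Splunk search (the duplicated reg.exe dropped).
SUSPICIOUS_TERMS = [
    "arp.exe", "at.exe", "bcdedit.exe", "bcp.exe", "chcp.exe", "cmd.exe", "cscript.exe",
    "csvde", "dsquery.exe", "ipconfig.exe", "mimikatz.exe", "nbtstat.exe", "nc.exe",
    "netcat.exe", "netstat.exe", "nmap", "nslookup.exe", "netsh", "OSQL.exe", "ping.exe",
    "powershell.exe", "powercat.ps1", "psexec.exe", "psexecsvc.exe", "psLoggedOn.exe",
    "procdump.exe", "qprocess.exe", "query.exe", "rar.exe", "reg.exe", "route.exe",
    "runas.exe", "rundll32", "schtasks.exe", "sethc.exe", "sqlcmd.exe", "sc.exe",
    "ssh.exe", "sysprep.exe", "systeminfo.exe", "system32\\net.exe", "tasklist.exe",
    "tracert.exe", "vssadmin.exe", "whoami.exe", "winrar.exe", "wscript.exe",
    "winrm.*", "winrs.*", "wmic.exe", "wsmprovhost.exe", "wusa.exe",
]


def _term_pattern(term):
    """Approximate Splunk term matching: the term must begin and end at a
    non-word character, so at.exe does not match bat.exe. A trailing '.*'
    is treated as a wildcard on the extension."""
    if term.endswith(".*"):
        body = re.escape(term[:-2]) + r"\.\w*"
    else:
        body = re.escape(term)
    return re.compile(r"(?<![\w])" + body + r"(?![\w])", re.IGNORECASE)


PATTERNS = [(t, _term_pattern(t)) for t in SUSPICIOUS_TERMS]


def matched_terms(event):
    """Return watch-list terms found anywhere in the event, mirroring how a bare
    term in SPL is searched against the whole raw event rather than one field."""
    haystack = " ".join(str(v) for v in event.values())
    return [t for t, p in PATTERNS if p.search(haystack)]


def short_message(message):
    """SPL: eval Message=split(Message,".") | eval Short_Message=mvindex(Message,0)"""
    return message.split(".")[0]


def hunt(events):
    """Apply the filters of the Splunk search and build the table rows."""
    rows = []
    for ev in events:
        if ev.get("EventCode") != 4688:
            continue
        # NOT (Account_Name=*$): machine accounts end in '$' and are skipped
        if ev.get("Account_Name", "").endswith("$"):
            continue
        terms = matched_terms(ev)
        if not terms:
            continue
        rows.append({
            "_time": ev["_time"],
            "host": ev["host"],
            "Account_Name": ev["Account_Name"],
            "New_Process_Name": ev["New_Process_Name"],
            "Process_Command_Line": ev.get("Process_Command_Line", ""),
            "Creator_Process_ID": ev.get("Creator_Process_ID"),
            "Short_Message": short_message(ev["Message"]),
            "Matched": terms,
        })
    return rows


def count_by_process(rows):
    """Tally hits per executable: the first step in deciding which watch-list
    entries are pure noise on a given set of servers."""
    return Counter(r["New_Process_Name"].rsplit("\\", 1)[-1].lower() for r in rows)


# Constructed sample events in the shape Splunk extracts from EventCode 4688.
MSG = "A new process has been created.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-0-0-0-1001"
SAMPLE_EVENTS = [
    {"_time": "2017-01-10T09:00:01", "host": "DC01", "EventCode": 4688, "Account_Name": "alice",
     "New_Process_Name": "C:\\Windows\\System32\\whoami.exe", "Process_Command_Line": "whoami /all",
     "Creator_Process_ID": "0x1a4", "Message": MSG},
    {"_time": "2017-01-10T09:00:02", "host": "DC01", "EventCode": 4688, "Account_Name": "WS01$",
     "New_Process_Name": "C:\\Windows\\System32\\cmd.exe", "Process_Command_Line": "cmd.exe /c dir",
     "Creator_Process_ID": "0x2b8", "Message": MSG},
    {"_time": "2017-01-10T09:00:03", "host": "DC02", "EventCode": 4688, "Account_Name": "bob",
     "New_Process_Name": "C:\\Windows\\System32\\notepad.exe", "Process_Command_Line": "notepad.exe notes.txt",
     "Creator_Process_ID": "0x3c0", "Message": MSG},
    {"_time": "2017-01-10T09:00:04", "host": "DC02", "EventCode": 4688, "Account_Name": "bob",
     "New_Process_Name": "C:\\Windows\\System32\\ipconfig.exe", "Process_Command_Line": "ipconfig /all",
     "Creator_Process_ID": "0x3c0", "Message": MSG},
    {"_time": "2017-01-10T09:00:05", "host": "DC01", "EventCode": 4688, "Account_Name": "alice",
     "New_Process_Name": "C:\\Windows\\System32\\net.exe", "Process_Command_Line": "net user",
     "Creator_Process_ID": "0x1a4", "Message": MSG},
]

if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for r in results:
        print(r["_time"], r["host"], r["Account_Name"], r["New_Process_Name"], r["Matched"], "|", r["Short_Message"])
    print(count_by_process(results))
```

Running it yields three rows (the machine account and notepad.exe are dropped) and a per-process tally; on real data that tally is what tells you which entries, such as ipconfig.exe on a busy DC, need an allow-list before the search is useful as an alert.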
I get the following error running this search (Splunk 6.1.5):
Error in ‘eval’ command: The expression is malformed. An unexpected character is reached at ‘0)’.
I get a similar error with version 6.5.1:
Error in ‘eval’ command: The expression is malformed. An unexpected character is reached at ‘0)’.
Appears to be in: (eval Short_Message=mvindex(Message,0)
This fixed it for me
Hmm posting error with //
Let's try this again:
(eval Short_Message=mvindex(Message,/0)
“eval Short_Message=mvindex(Message,0) “
Argh…html….
eval Short_Message=mvindex(Message,LessThanSign wbr Right slash //GreaterThanSign>0)
having the same issue with that eval short message.
Try it without the Evals. Sorry haven’t touched this in a while (and clearly haven’t commented on this!). I’m no longer working in an environment that uses this query.
Works fine without the Evals.
In my environment, where I get the logs only from 10 DCs, I get thousands of such events per day. Such a query requires a lot of tweaking to be useful (and good knowledge of the processes that are running on your servers).