Potential Suspicious Activity in Windows

The following Splunk search should be run over a long period of time (at least it worked best that way in my environment). It surfaces potentially suspicious activity based on process creation events (EventCode 4688) in a Windows environment. A hit could also indicate a sanctioned security scan, so don’t run out there and start pointing fingers based off this one query!

sourcetype="WinEventLog:Security" EventCode=4688 NOT (Account_Name=*$) (arp.exe OR at.exe OR bcdedit.exe OR bcp.exe OR chcp.exe OR cmd.exe OR cscript.exe OR csvde OR dsquery.exe OR ipconfig.exe OR mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR netstat.exe OR nmap OR nslookup.exe OR netsh OR OSQL.exe OR ping.exe OR powershell.exe OR powercat.ps1 OR psexec.exe OR psexecsvc.exe OR psLoggedOn.exe OR procdump.exe OR qprocess.exe OR query.exe OR rar.exe OR reg.exe OR route.exe OR runas.exe OR rundll32 OR schtasks.exe OR sethc.exe OR sqlcmd.exe OR sc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR system32\\net.exe OR tasklist.exe OR tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe OR "winrm.*" OR "winrs.*" OR wmic.exe OR wsmprovhost.exe OR wusa.exe)
| eval Message=split(Message,".") 
| eval Short_Message=mvindex(Message,0) 
| table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message
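To show what the search actually does to a stream of 4688 events, here is an added Python example (not from the original post, and not a Splunk feature) that applies the same three filters offline: drop computer accounts (the `NOT (Account_Name=*$)` clause), match the process watchlist against the new process name and command line the way Splunk's token search would, and keep only the first sentence of `Message` as `Short_Message`. It goes one step beyond the query by routing events from a hypothetical sanctioned-scanner account to a separate "suppressed" list, which is the kind of tuning needed before anyone starts pointing fingers. The `SANCTIONED` pairs, host names, account names and all log events are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Process watchlist copied from the Splunk query above. Terms without an extension
# (nmap, netsh, rundll32, csvde) match the basename with its extension removed,
# mirroring Splunk's token matching; the two wildcard terms become regexes.
WATCHLIST = {
    "arp.exe", "at.exe", "bcdedit.exe", "bcp.exe", "chcp.exe", "cmd.exe", "cscript.exe",
    "csvde", "dsquery.exe", "ipconfig.exe", "mimikatz.exe", "nbtstat.exe", "nc.exe",
    "netcat.exe", "netstat.exe", "nmap", "nslookup.exe", "netsh", "osql.exe", "ping.exe",
    "powershell.exe", "powercat.ps1", "psexec.exe", "psexecsvc.exe", "psloggedon.exe",
    "procdump.exe", "qprocess.exe", "query.exe", "rar.exe", "reg.exe", "route.exe",
    "runas.exe", "rundll32", "schtasks.exe", "sethc.exe", "sqlcmd.exe", "sc.exe", "ssh.exe",
    "sysprep.exe", "systeminfo.exe", "net.exe", "tasklist.exe", "tracert.exe",
    "vssadmin.exe", "whoami.exe", "winrar.exe", "wscript.exe", "wmic.exe",
    "wsmprovhost.exe", "wusa.exe",
}
WILDCARDS = [re.compile(r"^winrm\.", re.I), re.compile(r"^winrs\.", re.I)]

# Hypothetical sanctioned (host, account) pairs, e.g. a vulnerability scanner's
# service account. Their events are reported separately instead of as hits.
SANCTIONED = frozenset({("VULNSCAN-01", "svc_vulnscan")})


def _candidate_names(token):
    """Basename of a path or command-line token, with and without its extension."""
    name = PureWindowsPath(token.strip('"\'')).name.lower()
    stem = name.rsplit(".", 1)[0] if "." in name else name
    return [name, stem]


def matched_term(event):
    """Return the watchlist term the event matches, or None."""
    tokens = [event.get("New_Process_Name", "")] + event.get("Process_Command_Line", "").split()
    for token in tokens:
        for name in _candidate_names(token):
            if name in WATCHLIST or any(w.match(name) for w in WILDCARDS):
                return name
    return None


def triage(events, sanctioned=frozenset()):
    """Apply the query's filters to 4688 events and return (hits, suppressed) rows."""
    hits, suppressed = [], []
    for ev in events:
        account = ev.get("Account_Name", "")
        if account.endswith("$"):
            continue  # NOT (Account_Name=*$): ignore computer accounts
        term = matched_term(ev)
        if term is None:
            continue
        row = {
            "_time": ev["_time"], "host": ev["host"], "Account_Name": account,
            "New_Process_Name": ev["New_Process_Name"],
            "New_Process_ID": ev.get("New_Process_ID"),
            "Creator_Process_ID": ev.get("Creator_Process_ID"),
            "Process_Command_Line": ev.get("Process_Command_Line", ""),
            # split(Message, ".") followed by mvindex(..., 0): first sentence only
            "Short_Message": ev.get("Message", "").split(".")[0],
            "Matched_Term": term,
        }
        (suppressed if (ev["host"], account) in sanctioned else hits).append(row)
    return hits, suppressed


def _ev(host, account, proc, cmd, t="2024-01-15T09:12:01Z"):
    """Build a constructed 4688 event using the field names the query tables."""
    return {"_time": t, "host": host, "Account_Name": account, "New_Process_Name": proc,
            "New_Process_ID": "0x1a4c", "Creator_Process_ID": "0x0f80",
            "Process_Command_Line": cmd,
            "Message": "A new process has been created. Subject: Account Name: " + account}


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    _ev("WS-FIN-07", "jdoe", r"C:\Windows\System32\whoami.exe", "whoami /all"),
    _ev("DC01", "DC01$", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -File C:\scripts\gpo_check.ps1"),          # computer account: dropped
    _ev("VULNSCAN-01", "svc_vulnscan", r"C:\Windows\System32\cmd.exe",
        "cmd.exe /c systeminfo"),                                   # sanctioned: suppressed
    _ev("WS-HR-02", "asmith", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "WINWORD.EXE /n"),                                          # not on the watchlist
    _ev("WS-HR-02", "asmith", r"C:\Windows\System32\rundll32.exe",
        "rundll32.exe shell32.dll,Control_RunDLL"),                 # benign but still a hit
    _ev("DC01", "backupadm", r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    hits, suppressed = triage(SAMPLE_EVENTS, SANCTIONED)
    for row in hits:
        print("HIT      ", row["host"], row["Account_Name"], row["Matched_Term"], row["Short_Message"])
    for row in suppressed:
        print("SUPPRESSED", row["host"], row["Account_Name"], row["Matched_Term"])
```

The Control Panel launch through rundll32.exe lands in the hit list even though it is routine, which is exactly why the search needs tuning per environment: the watchlist alone will fire on plenty of legitimate administration, and the allowlist of sanctioned hosts and accounts is where that knowledge of what normally runs on your servers gets encoded.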

Comments

  1. Drdosia

    I get a similar error with version 6.5.1:
    Error in ‘eval’ command: The expression is malformed. An unexpected character is reached at ‘0)’.

    Appears to be in: (eval Short_Message=mvindex(Message,0)

  2. john117

    Try it without the Evals. Sorry, I haven’t touched this in a while (and clearly haven’t commented on this!). I’m no longer working in an environment that uses this query.

  3. Rafal Stanilewicz

    In my environment, where I get the logs only from 10 DCs, I get thousands of such events per day. Such a query requires a lot of tweaking to be useful (and good knowledge of the processes that are running on your servers).
