Monitor File Shares being Accessed in Windows

This splunk search will show file shares being accessed within windows environments.

Continue Reading →

Pass the Hash Detection

Continue Reading →

Event Logs | System Logs | Warnings and Errors

This will hit all of the host and pull back the eventlogs and group them by Message. You can change the source to what ever windows eventlogs you need

Continue Reading →

Clearing of Windows Audit Logs

This Splunk search will show anytime the windows audit logs (event viewer logs) have been cleared or deleted. Ensure the Splunk App for Windows is installed, you can grab it here: https://apps.splunk.com/app/742/

Continue Reading →

Successful Windows Logons with Average Overlay

The following Splunk query will display successful windows logins and overlay an average on visualizations.

Continue Reading →

Failed Windows Remote Desktop Connection Attempt

The following splunk query example will return results on any Windows remote desktop connection attempts. This could be a result of a bad password, invalid user name, or any number of other reasons. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/   Windows Server 2008 and Newer:

Windows Server 2003 and […]

Continue Reading →

Account Enabled in Windows

The following Splunk queries will show any accounts that have been enabled from a previously disabled state. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows Server 2008 and Newer:

Windows Server 2003 and Older:

 

Continue Reading →

Failed Attempt to Initiate Remote Desktop Session

This splunk query will return any failed attempts initiated by users to launch an RDP (remote desktop) session in a Windows environment. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows Server 2008 and Newer:

Windows Server 2003 and Older:

Continue Reading →

Password Non Compliance Windows

The following splunk queries will return results for failed attempts to change passwords. This is likely a result of users not meeting password requirements. Be sure to have the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows 2003 and Older:

Windows 2008 and Newer:

Continue Reading →

Modification to File Permissions in Windows

The following splunk query works on Windows Sever 2008 and newer operating systems. It returns results based on modifications to individual file level permissions. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/

Continue Reading →

File Deletion Attempts In Windows

The following splunk queries will return results based on any user account who attempts to delete a file. This will return both successful and failed attempts. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows 2003 and older:

Windows 2008 and newer:

 

Continue Reading →

Windows File Access Attempts

The following splunk queries will display any file access attempts (successful or failed) by user account. Ensure the Splunk App for Windows is installed grab it here: https://apps.splunk.com/app/742/ Windows 2003 and older:

Windows 2008 and newer:

Continue Reading →