|
1 2 3 4 5 6 |
sourcetype=WinEventLog:Security src_nt_domain!="NT AUTHORITY" EventCode=4720 OR EventCode=4726 OR EventCode=4738 OR EventCode=4767 OR EventCode=4781 OR EventCode=4727 OR EventCode=4730 OR EventCode=4731 OR EventCode=4734 OR EventCode=4735 OR EventCode=4737 OR EventCode=4744 OR EventCode=4745 OR EventCode=4748 OR EventCode=4749 OR EventCode=4750 OR EventCode=4753 OR EventCode=4754 OR EventCode=4755 OR EventCode=4758 OR EventCode=4759 OR EventCode=4760 OR EventCode=4763 OR EventCode=4764 OR EventCode=4728 OR EventCode=4729 OR EventCode=4732 OR EventCode=4733 OR EventCode=4746 OR EventCode=4747 OR EventCode=4751 OR EventCode=4752 OR EventCode=4756 OR EventCode=4757 OR EventCode=4761 OR EventCode=4762 | rex field=member_id "^\w+\W(?<ITS_Admin>\w*\s\w*\s\w*|\w+_\w+|\w*\s\w*|\w*)(\s\w+\W|\s)(?<Target_Account>.*\S)" | eval Target_Account=if(Target_Account="NONE_MAPPED", trim(member_dn, ITS_Admin), Target_Account) | table _time, EventCode, EventCodeDescription, src_nt_domain, ITS_Admin, Target_Account,src_nt_domain,msad_action,Group_Name | sort EventCodeDescription,ITS_Admin, Target_Account | rename ITS_Admin as "ITS Admin", src_nt_domain as "Source Domain" |
Timechart of the status of an Locked Out Account
This query will show a timechart of the status of an Locked Out Account
|
1 |
sourcetype="WinEventLog:Security" EventCode=4625 AND Status=0xC0000234 | timechart count by user | sort -count |
Active Directory Password change attempts
Use the following search to create a stacked barchart of AD Password change attempts:
|
1 |
source="WinEventLog:Security" "EventCode=4723" src_user!="*$" src_user!="_svc_*" | eval daynumber=strftime(_time,"%Y-%m-%d") | chart count by daynumber, status | eval daynumber = mvindex(split(daynumber,"-"),2) |
Detect Username Guessing Brute Force Attacks
The below will detect a form of brute force which most will miss. Whereas other scripts detect multiple logins against a single account, they fail to detect 4 failed logins against 40 accounts. This first checks for all accounts having an account login failure of 4 or more, it then checks for the quantity of […]
Find passwords in User_Name field
This eval for password can be easily used for any field where a user can accidentally type in a password or even worse both username/password during login which generates a failed event. Â Below example is for Windows failed login. Â The eval will match 10 or more characters with 1 uppercase, 1 lower case, 1 […]
Potential Suspicious Activity in Windows
The following Splunk search should be ran over a long period of time (at least it worked best that way in my environment). This query will show potentially suspicious activity based on processes within a Windows environment. It could also indicate a sanctioned security scan (so don’t run out there and start pointing fingers based […]
Monitor File Shares being Accessed in Windows
This splunk search will show file shares being accessed within windows environments.
|
1 |
sourcetype="WinEventLog:Security" EventCode=5140 (Share_Name="*\\C$" OR Share_Name="*D$" OR Share_Name="*E$" OR Share_Name="*F$" OR Share_Name="*U$") NOT Source_Address="::1" | eval Destination_Sys1=trim(host,"1") | eval Destination_Sys2=trim(host,"2") | eval Dest_Sys1=lower(Destination_Sys1) | eval Dest_Sys2=lower(Destination_Sys2) | rename host AS Destination | rename Account_Domain AS Domain | where Account_Name!=Dest_Sys1 | where Account_Name!=Dest_Sys2 | stats count values(Domain) AS Domain, values(Source_Address) AS Source_IP, values(Destination) AS Destination, dc(Destination) AS Dest_Count, values(Share_Name) AS Share_Name, values(Share_Path) AS Share_Path by Account_Name |
Pass the Hash Detection
|
1 |
index="wineventlog" ( EventCode=4624 Logon_Type=3 ) OR ( EventCode=4625 Logon_Type=3 ) Authentication_Package="NTLM" NOT Account_Domain=YOURDOMAINÂ NOT Account_Name="ANONYMOUS LOGON" |
Failed Attempt to Login to a Disabled Account
This Splunk Search Query will indicate any user who attempted to login to a disabled account. (Tested only on Windows 7 / Server 2008 and newer Windows logs).
|
1 |
sourcetype="WinEventLog:security" EventCode=4625 (Sub_Status="0xc0000072" OR Sub_Status="0xC0000072") Security_ID!="NULL SID" Account_Name!="*$" | eval Date=strftime(_time, "%Y/%m/%d")| rex "Which\sLogon\sFailed:\s+\S+\s\S+\s+\S+\s+Account\sName:\s+(?<facct>\S+)" | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, facct, host, Keywords | rename facct as "Target Account" host as Host Keywords as Status count as Count |
Failed Versus Successful Logon Attempts
This Splunk search query example will return results indicating failed vs successful login attempts in a Windows environment:
|
1 |
source="WinEventLog:security" (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624 OR EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | eval status=case(EventCode=528, "Successful Logon", EventCode=540, "Successful Logon", EventCode=4624, "Successful Logon", EventCode=4625, "Failed Logon", EventCode=529, "Failed Logon", EventCode=530, "Failed Logon", EventCode=531, "Failed Logon", EventCode=532, "Failed Logon", EventCode=533, "Failed Logon", EventCode=534, "Failed Logon", EventCode=535, "Failed Logon", EventCode=536, "Failed Logon", EventCode=537, "Failed Logon", EventCode=539, "Failed Logon") | stats count by status | sort - count |
Event Logs | System Logs | Warnings and Errors
This will hit all of the host and pull back the eventlogs and group them by Message. You can change the source to what ever windows eventlogs you need
|
1 |
source=wineventlog:application |
|
1 |
source=wineventlog:security |
|
1 |
source=wineventlog:system |
|
1 |
host="*" source=wineventlog:system NOT Type=Information | stats count by Message | sort -count | table count, Message |
Get list of concurrent users on a specific server
The following Splunk query will return results for concurrent logon sessions (in a Windows Environment) on any given server (or multiple servers) with slight modification. First you must define the time span in which you consider “concurrent” this is defined in the “bucket” section below and the example uses a 30 minute range (widen […]
List of Legitimate Account Names in Windows
This splunk query will list all successful logins by account name for a given time range. This query will work on a variety of Windows Operating systems to include XP, 2003, Vista, 2008, 7, 8, and server 2012. I’ve tested in some capacity in Windows 10 for some of my queries, so far they appear […]
Clearing of Windows Audit Logs
This Splunk search will show anytime the windows audit logs (event viewer logs) have been cleared or deleted. Ensure the Splunk App for Windows is installed, you can grab it here:Â https://apps.splunk.com/app/742/
|
1 |
source=WinEventLog:security (EventCode=1102 OR EventCode=517) | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Client_User_Name, host, index, Date | sort - Date | rename Client_User_Name as "Account Name" |
Successful Windows Logons with Average Overlay
The following Splunk query will display successful windows logins and overlay an average on visualizations.
|
1 |
sourcetype="WinEventLog:Security" (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=528 OR EventCode=540 OR EventCode=4624) | timechart count(EventCode) as count | eventstats avg(count) as Average | eval average=round(average,0) | rename count as "Successful Logons" |
Windows Failed Logons with Average Overlay
This Splunk search will show any failed login attempt and graphically overlay an average value.
|
1 |
sourcetype="WinEventLog:Security" (Logon_Type=2 OR Logon_Type=7 OR Logon_Type=10) (EventCode=4625 OR EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | timechart count(EventCode) as count | eventstats avg(count) as Average | eval average=round(average,0) | rename count as "Failed Logons" |
Failed Windows Remote Desktop Connection Attempt
The following splunk query example will return results on any Windows remote desktop connection attempts. This could be a result of a bad password, invalid user name, or any number of other reasons. Ensure the Splunk App for Windows is installed grab it here:Â https://apps.splunk.com/app/742/ Windows Server 2008 and Newer:
|
1 |
source=WinEventLog:Security sourcetype=WinEventLog:security Logon_Type=10 EventCode=4625 | eval Date=strftime(_time, "%Y/%m/%d") | rex "Failed:\s+.*\s+Account\sName:\s+(?<TargetAccount>\S+)\s" | stats count by Date, TargetAccount, Failure_Reason, host | sort - Date |
Windows Server 2003 and […]
Accounts Deleted within 24 Hours of Creation
This splunk query unmodified will return results on any account regardless of duration, however it uses an “eval case” argument to determine what is “critical” (such as accounts deleted within a day of being created) or what is simply note worthy (normal behavior). Ensure the Splunk App for Windows is installed grab it here:Â https://apps.splunk.com/app/742/ […]
Account Enabled in Windows
The following Splunk queries will show any accounts that have been enabled from a previously disabled state. Ensure the Splunk App for Windows is installed grab it here:Â https://apps.splunk.com/app/742/ Windows Server 2008 and Newer:
|
1 |
sourcetype=WinEventLog:Security (EventCode=4722) | eval Date=strftime(_time, "%Y/%m/%d") |rex "ID:\s+\w+\\\(?<sourceaccount>\S+)\s+" | rex "Account:\s+Security\sID:\s+\w+\\\(?<targetaccount>\S+)\s+" | stats count by Date, sourceaccount, targetaccount, Keywords, host | rename sourceaccount as "Source Account" | rename targetaccount as "Target Account" | sort - Date |
Windows Server 2003 and Older:
|
1 |
sourcetype=WinEventLog:Security (EventCode=626) | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, Caller_User_Name, Target_Account_Name, Type, host | sort - Date |
Failed Attempt to Initiate Remote Desktop Session
This splunk query will return any failed attempts initiated by users to launch an RDP (remote desktop) session in a Windows environment. Ensure the Splunk App for Windows is installed grab it here:Â https://apps.splunk.com/app/742/ Windows Server 2008 and Newer:
|
1 |
source=WinEventLog:Security sourcetype=WinEventLog:security Logon_Type=10 EventCode=4625 | eval Date=strftime(_time, "%Y/%m/%d") | rex "Failed:\s+.*\s+Account\sName:\s+(?<TargetAccount>\S+)\s" | stats count by Date, TargetAccount, Failure_Reason, host |
Windows Server 2003 and Older:
|
1 |
source=WinEventLog:Security sourcetype=WinEventLog:security Logon_Type=10 (EventCode=529 OR EventCode=530 OR EventCode=531 OR EventCode=532 OR EventCode=533 OR EventCode=534 OR EventCode=535 OR EventCode=536 OR EventCode=537 OR EventCode=539) | eval Date=strftime(_time, "%Y/%m/%d") | stats count by Date, User_Name, Reason, host |
