
SPL

Potential Suspicious Activity in Windows

Description

Submitted by john117

The following Splunk search should be run over a long time range (at least, it worked best that way in my environment). It surfaces potentially suspicious activity based on the processes created in a Windows environment, using process-creation events (EventCode 4688). A hit can also be a sanctioned security scan, so don't run out there and start pointing fingers based on this one query!
sourcetype="WinEventLog:Security" EventCode=4688 NOT (Account_Name=*$)
    (arp.exe OR at.exe OR bcdedit.exe OR bcp.exe OR chcp.exe OR cmd.exe OR cscript.exe OR csvde
     OR dsquery.exe OR ipconfig.exe OR mimikatz.exe OR nbtstat.exe OR nc.exe OR netcat.exe OR netstat.exe
     OR nmap OR nslookup.exe OR netsh OR OSQL.exe OR ping.exe OR powershell.exe OR powercat.ps1
     OR psexec.exe OR psexecsvc.exe OR psLoggedOn.exe OR procdump.exe OR qprocess.exe OR query.exe
     OR rar.exe OR reg.exe OR route.exe OR runas.exe OR rundll32 OR schtasks.exe OR sethc.exe
     OR sqlcmd.exe OR sc.exe OR ssh.exe OR sysprep.exe OR systeminfo.exe OR system32\net.exe
     OR tasklist.exe OR tracert.exe OR vssadmin.exe OR whoami.exe OR winrar.exe OR wscript.exe
     OR "winrm.*" OR "winrs.*" OR wmic.exe OR wsmprovhost.exe OR wusa.exe)
| eval Message=split(Message,".")
| eval Short_Message=mvindex(Message,0)
| table _time, host, Account_Name, Process_Name, Process_ID, Process_Command_Line, New_Process_Name, New_Process_ID, Creator_Process_ID, Short_Message
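The same search logic re-implemented in Python over constructed 4688 events, as an added example that is not part of the original post. It mirrors three details of the SPL that matter when reading the results: `NOT (Account_Name=*$)` drops machine accounts, the bare search terms match anywhere in the raw event (so a `conhost.exe` launch whose Creator Process Name is `cmd.exe` is a hit even though nothing on the watchlist was started), and `Short_Message` is the text before the first period of `Message`. The sample events, hosts and accounts are constructed, and the `summarize` tally by account and image is an assumption about how one would start separating sanctioned scanners and admin tooling from the rest.

```python
"""Watchlist search from the page's SPL, applied to constructed Windows 4688 events.
Example code, not part of the original post."""
import re
from collections import Counter

# Watchlist copied from the SPL search. Splunk matches these bare terms anywhere in
# the raw event, case-insensitively, not only in New_Process_Name.
WATCHLIST = r"""arp.exe at.exe bcdedit.exe bcp.exe chcp.exe cmd.exe cscript.exe csvde
dsquery.exe ipconfig.exe mimikatz.exe nbtstat.exe nc.exe netcat.exe netstat.exe nmap
nslookup.exe netsh OSQL.exe ping.exe powershell.exe powercat.ps1 psexec.exe psexecsvc.exe
psLoggedOn.exe procdump.exe qprocess.exe query.exe rar.exe reg.exe route.exe runas.exe
rundll32 schtasks.exe sethc.exe sqlcmd.exe sc.exe ssh.exe sysprep.exe systeminfo.exe
system32\net.exe tasklist.exe tracert.exe vssadmin.exe whoami.exe winrar.exe wscript.exe
winrm.* winrs.* wmic.exe wsmprovhost.exe wusa.exe""".split()


def _term_regex(term):
    # '*' is a Splunk wildcard; everything else is literal. Word boundaries approximate
    # Splunk's token matching: "sc.exe" does not match "misc.exe", "rundll32" does match
    # "rundll32.exe" because '.' is a minor breaker.
    return r"\b" + r"\S*".join(re.escape(p) for p in term.split("*")) + r"\b"


WATCH_RE = re.compile("|".join(_term_regex(t) for t in WATCHLIST), re.IGNORECASE)


def parse_event(raw):
    """Extract fields the way Splunk's WinEventLog extraction does: header key=value
    lines become fields, body 'Key Name:\tvalue' lines become Key_Name (multivalue)."""
    header, _, body = raw.partition("Message=")
    fields = {}
    for line in header.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = [value.strip()]
    fields["Message"] = [body]
    for line in body.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and value.strip():  # skips section headers such as "Subject:"
            fields.setdefault(key.replace(" ", "_"), []).append(value.strip())
    return fields


def _first(fields, key):
    return fields.get(key, [None])[0]


def search(events):
    """EventCode=4688, no machine accounts, any watchlist term in the raw event."""
    rows = []
    for raw in events:
        f = parse_event(raw)
        if f.get("EventCode") != ["4688"]:
            continue
        if any(a.endswith("$") for a in f.get("Account_Name", [])):
            continue  # NOT (Account_Name=*$)
        hit = WATCH_RE.search(raw)
        if not hit:
            continue
        rows.append({
            "_time": raw.strip().splitlines()[0],
            "host": _first(f, "ComputerName"),
            "Account_Name": _first(f, "Account_Name"),
            "New_Process_Name": _first(f, "New_Process_Name"),
            "New_Process_ID": _first(f, "New_Process_ID"),
            "Creator_Process_ID": _first(f, "Creator_Process_ID"),
            "Process_Command_Line": _first(f, "Process_Command_Line"),
            # mvindex(split(Message,"."),0)
            "Short_Message": f["Message"][0].split(".")[0].strip(),
            "matched_term": hit.group(0),
        })
    return rows


def summarize(rows):
    """Hits per (account, image basename): a first cut at tuning out known scanners."""
    return Counter((r["Account_Name"], r["New_Process_Name"].rsplit("\\", 1)[-1].lower())
                   for r in rows)


def _event(ts, host, account, new_pid, new_proc, creator_pid, cmdline, creator_name=None):
    """Constructed WinEventLog:Security 4688 event in Splunk's classic layout."""
    creator = f"\n\tCreator Process Name:\t{creator_name}" if creator_name else ""
    return (
        f"{ts}\nLogName=Security\nSourceName=Microsoft Windows security auditing.\n"
        f"EventCode=4688\nEventType=0\nType=Information\nComputerName={host}\n"
        f"TaskCategory=Process Creation\nKeywords=Audit Success\n"
        f"Message=A new process has been created.\n\nSubject:\n"
        f"\tSecurity ID:\t\tS-1-5-21-111-222-333-1104\n\tAccount Name:\t\t{account}\n"
        f"\tAccount Domain:\t\tCORP\n\tLogon ID:\t\t0x3E7\n\nProcess Information:\n"
        f"\tNew Process ID:\t\t{new_pid}\n\tNew Process Name:\t{new_proc}\n"
        f"\tToken Elevation Type:\tTokenElevationTypeDefault (1)\n"
        f"\tCreator Process ID:\t{creator_pid}{creator}\n"
        f"\tProcess Command Line:\t{cmdline}\n"
    )


SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    _event("01/05/2017 10:02:11 AM", "WS01", "jsmith", "0x1a2c",
           r"C:\Windows\System32\whoami.exe", "0x0f40", "whoami /all"),
    _event("01/05/2017 10:02:15 AM", "WS01", "WS01$", "0x1b00",          # machine account: dropped
           r"C:\Windows\System32\cmd.exe", "0x0310", r"cmd.exe /c C:\Tasks\cleanup.bat"),
    _event("01/05/2017 10:03:40 AM", "SCAN01", "svc_scanner", "0x2210",  # sanctioned scanner
           r"C:\Tools\nmap\nmap.exe", "0x0850", "nmap.exe -sS 10.0.0.0/24"),
    _event("01/05/2017 10:04:02 AM", "WS02", "jdoe", "0x1c10",           # nothing on the list
           r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "0x0d20",
           r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" budget.docx'),
    _event("01/05/2017 10:05:30 AM", "WS02", "jdoe", "0x1d44",           # hit via parent cmd.exe
           r"\??\C:\Windows\System32\conhost.exe", "0x1d00",
           r"\??\C:\Windows\system32\conhost.exe 0x4", creator_name=r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    hits = search(SAMPLE_EVENTS)
    for r in hits:
        print(r["_time"], r["host"], r["Account_Name"], r["New_Process_Name"], "<-", r["matched_term"])
    print(summarize(hits).most_common())
```

Two field-availability caveats apply to the SPL and the re-implementation alike: `Process Command Line` is only populated when the "Include command line in process creation events" policy is enabled, and `Creator Process Name` only exists in 4688 events from Windows 8.1 / Server 2012 R2 and later.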

Comments

10 total

wrangler2x
12/15/2016

I get the following error running this search (Splunk 6.1.5):

Error in 'eval' command: The expression is malformed. An unexpected character is reached at '0)'.

Drdosia
12/15/2016

I get a similar error with version 6.5.1:
Error in 'eval' command: The expression is malformed. An unexpected character is reached at '0)'.

Appears to be in: (eval Short_Message=mvindex(Message,0)

Drdosia
12/15/2016

Hmm, posting error with //
Let's try this again:
(eval Short_Message=mvindex(Message,/0)

Drdosia
12/15/2016

"eval Short_Message=mvindex(Message,0)"

Drdosia
12/15/2016

Argh... html...
eval Short_Message=mvindex(Message,LessThanSign wbr Right slash //GreaterThanSign>0)

GhostLeviathan
8/10/2018

Having the same issue with that eval Short_Message.

john117 Author
8/21/2018

Try it without the evals. Sorry, I haven't touched this in a while (and clearly haven't commented on this!). I'm no longer working in an environment that uses this query.

JT
10/30/2019

This fixed it for me.

itsmevic
1/1/2020

Works fine without the evals.

Rafal Stanilewicz
9/16/2020

In my environment, where I get the logs from only 10 DCs, I get thousands of such events per day. Such a query requires a lot of tweaking to be useful (and good knowledge of the processes that are running on your servers).
