Hunting Methodology — Splunk BOTS (Boss of the SOC) — Part 1

Michael Haag
Oct 9, 2018 · 5 min read

I’ve been having a lot of conversation with @subtee about hunting and blue team that I decided it would be beneficial to showcase how I hunt through all sorts of data in a scenario where I was just “dropped in”. In this scenario, I decided to use the Splunk Boss of the SOC dataset as it contains:

  • WinEventLog:Application
  • WinEventLog:Security
  • WinEventLog:System
  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • fgt_event
  • fgt_traffic
  • fgt_utm
  • iis
  • nessus:scan
  • stream:dhcp
  • stream:dns
  • stream:http
  • stream:icmp
  • stream:ip
  • stream:ldap
  • stream:mapi
  • stream:sip
  • stream:smb
  • stream:snmp
  • stream:tcp
  • suricata
  • winregistry

Scenario

In this scenario, I am acting as a data analyst who was given a mass dataset and was told to find all the bad things. I know nothing about this environment and can use all the resources I need to help identify any and all evil.

Black Box Hunting

(There, a new buzzword)

First off, I need to know what data I am working with. I have the index, but I do not know the sourcetypes. Let’s run:

| metadata type=sourcetypes index=botsv1

By my very nature, I am most interested the endpoint, so I will start with Sysmon and go backwards from there. My guess is I will end up finding out “what” (endpoint) before “how” (network).

I hate typing/seeing the long Sysmon sourcetype, so I will create a simple macro of sysmon .

Macro

Now, let’s run it and make sure data resolves:

All set!

Now let’s get to hunting.

Again, this is a Black Box Hunt, I know nothing.

Something I keep in my back pocket is a short list of Most Interesting processes -

`sysmon` Image=”*\\powershell.exe” OR Image=”*\\msbuild.exe” OR Image=”*\\psexec.exe” OR Image=”*\\at.exe” OR Image=”*\\schtasks.exe” OR Image=”*\\net.exe” OR Image=”*\\vssadmin.exe” OR Image=”*\\utilman.exe” OR Image=”*\\wmic.exe” OR Image=”*\\mshta.exe” OR Image=”*\\wscript.exe” OR Image=”*\\cscript.exe” OR Image=”*\\cmd.exe” OR Image=”*\\whoami.exe” OR Image=”*\\mmc.exe” OR Image=”*\\systeminfo.exe” OR Image=”*\\csvde.exe” OR Image=”*\\certutil.exe” | stats values(CommandLine) by Image
Already lots of interesting things
Might be ransomware
Interesting cmd’s running

From there, I need to see how widespread this is:

3 hosts of interest

I’ll change my search a little:

`sysmon` Image=”*\\powershell.exe” OR Image=”*\\msbuild.exe” OR Image=”*\\psexec.exe” OR Image=”*\\at.exe” OR Image=”*\\schtasks.exe” OR Image=”*\\net.exe” OR Image=”*\\vssadmin.exe” OR Image=”*\\utilman.exe” OR Image=”*\\wmic.exe” OR Image=”*\\mshta.exe” OR Image=”*\\wscript.exe” OR Image=”*\\cscript.exe” OR Image=”*\\cmd.exe” OR Image=”*\\whoami.exe” OR Image=”*\\mmc.exe” OR Image=”*\\systeminfo.exe” OR Image=”*\\csvde.exe” OR Image=”*\\certutil.exe” | stats values(CommandLine) by host

we1149srv

we8105desk

we9041srv

Three endpoints all with interesting things ran on them. Awesome. Now what?

We need to add “time” to all of this. What ran when?

This is probably the best time to export this as a CSV and have to track:

Not bad, right? We got some good details here.

Now I am going to investigate each host individually, as much first query was targeted processes, I want to see what other data points I have for my timeline:

`sysmon` host=we8105desk | stats values(CommandLine) by Image _time

I would probably export this to Excel, but some interesting datapoints:

Cliff notes on Sysmon Event Types

Event ID 1: Process creation
Event ID 2: A process changed a file creation time
Event ID 3: Network connection
Event ID 4: Sysmon service state changed
Event ID 5: Process terminated
Event ID 6: Driver loaded
Event ID 7: Image loaded
Event ID 8: CreateRemoteThread
Event ID 9: RawAccessRead
Event ID 10: ProcessAccess
Event ID 11: FileCreate
Event ID 12: RegistryEvent (Object create and delete)
Event ID 13: RegistryEvent (Value Set)
Event ID 14: RegistryEvent (Key and Value Rename)
Event ID 15: FileCreateStreamHash
Event ID 17: PipeEvent (Pipe Created)
Event ID 18: PipeEvent (Pipe Connected)
Event ID 19: WmiEvent (WmiEventFilter activity detected)
Event ID 20: WmiEvent (WmiEventConsumer activity detected)
Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)
Event ID 255: Error

Event types in Botsv1 -

`sysmon` | stats count by EventID, EventDescription

Looking into the network data from Sysmon, I notice there is a significant amount of endpoints producing data for Event Type 3, well over 100+.

Now this can get tricky and we will end up using multiple queries to manipulate the data different ways to see if something stands out. I’m not using any outside intelligence to help, just the Splunk query language.

`sysmon` EventID=3 host=WE9041SRV | stats values(DestinationPort) by DestinationHostname

We see mostly DNS and RPC traffic going in and out.

Everything:

`sysmon` EventID=3 | stats values(DestinationPort) by DestinationHostname

At this point, I’m going to pause here at Event Type 3 and begin to break this into multiple segments for easier consumption.

I hope you found this first part easy to consume and understand. If you have any questions or comments — leave a message!