Spotting the Adversary… with Splunk

Howdy Ya’ll. Eventually there is a Rubicon to cross in every Security professional’s life. With a satisfied sigh he’ll take a step back from the keyboard, wipe Dorito dust covered hands on khakis, take a long slug of Mountain Dew, and gaze proudly at his Splunk instance and utter the words “I’ve added all the data sources I can. The network is being ‘monitored’”. Then the smile will falter as his cyber demons claw their way up to the surface.  He’ll hear them scream out “but WHAT am I supposed to look for??”  He (and you) are not alone. Ever since time immemorial (or at least when I first began “practicing” the dark arts of cyber security) I would hear the question of “but what should I look for?” [1]. Collecting data is great but if you aren’t using it to find baddies, it’s just expensively corralled bits and bytes.  In this brief missive, I’m going to tell you about a great document from the NSA  that can set you on the road to “Adversary Detection” nirvana with Microsoft Logs and give then a sample panel of ways to look at that data to get on your way.

With that in mind, I thought I would take a moment and possibly give out some “Splunkspiration™” that I have shared several times over the last year but never committed to paper. For those of you who are not clued in by the vague title, the NSA IA team released a great white paper several years ago which was recently updated called “Spotting the Adversary with Windows event Log Monitoring” [2]. I highly recommend reading the entire white paper, but my favorite section is on page 8 where these beautiful IA nerds at the NSA provide a table of all the event codes that they find interesting for detecting baddies in your windows network.

spotting_adversary_table

 

So for those of you who are wondering what the hell to look for with those millions of Windows Logs… these Event ID’s are a great place to start!!! Since I’ve already done some of the work, I decided to share a little Splunk panel below that groups all of these Event IDs into selections based on the descriptions above.  This does have the assumption that you have your GPO’s set up right to get these logs (see aforementioned NSA document), that you have the Windows Infrastructure app installed, and your CIM setup correctly. I’m not gonna lie to you. This panel is not going to find APT1337 right off the bat but it should give that bit of “Splunkspiration™” to go out there, make some correlation rules, add some saved searches, or go crazy on the SPL à la Splunker David Veuve,  and get into the APT squashing business.

spotting_adversary_panel

 I also HIGHLY recommend taking a peek at a talk (https://conf.splunk.com/session/2015/conf2015_MGough_MalwareArchaelogy_SecurityCompliance_FindingAdvnacedAttacksAnd.pdf) from .conf2015 given by Michael Gough that goes over very similar material! [3]

I hope this helps and as always… Happy Hunting :-)

    <panel>
      <input type="dropdown" token="nsasearch" searchWhenChanged="true">
source=WinEventlog:application<label>Interesting Event IDs</label>
        <choice value=" source=WinEventLog:application">Executables</choice>
        <choice value=" source=WinEventLog:Security EventCode=4624 OR EventCode=4625 OR EventCode=4648 OR EventCode=4728 OR EventCode=4732 OR EventCode=4634 OR EventCode=4735 OR EventCode=4740 OR EventCode=4756">Account and Group Activities</choice>
        <choice value=" source=WinEventLog:Application EventCode=1000 OR EventCode=1002">Application Crashes and Hangs</choice>
        <choice value=" source=WinEventLog:Application EventCode=1001">Windows Error Reporting and BSOD</choice>
        <choice value=" source=WinEventLog:Application EventCode = 1005 OR EventCode = 1006 OR EventCode = 1008 OR EventCode = 1010 OR EventCode = 2001 OR EventCode = 2003 OR EventCode = 2004 OR EventCode = 3002 OR EventCode = 5008">Windows Defender Errors</choice>
        <choice value=" source=WinEventLog:Application EventCode = 3001 OR EventCode = 3002 OR EventCode = 3003 OR EventCode = 3004 OR EventCode = 3010 OR 3023">Windows Integrity Errors</choice>
        <choice value=" source=WinEventLog:Application EventCode = 1 OR EventCode = 2">EMET Crash Logs</choice>
        <choice value=" source=WinEventLog:Security EventCode = 2004 OR EventCode = 2005 OR EventCode = 2006 OR EventCode = 2009 OR EventCode = 2033">Windows Firewall Logs</choice>
        <choice value=" source=WinEventLog:Application EventCode = 2 OR EventCode = 19">MSI Packages Installed</choice>
        <choice value=" source=WinEventLog:System EventCode = 7022 OR EventCode = 7023 OR EventCode = 7024 OR EventCode = 7026 OR EventCode = 7031 OR EventCode = 7032 OR EventCode = 7034">Windows Service Manager Errors</choice>
        <choice value=" source=WinEventLog:System EventCode = 1125 OR EventCode = 1127 OR EventCode = 1129">Group Policy
Errors</choice>
        <choice value=" source=WinEventLog:Application EventCode = 865 OR EventCode = 866 OR EventCode = 867 OR EventCode = 868 OR EventCode = 882 OR EventCode = 8003 OR EventCode = 8004 OR EventCode = 8006 OR EventCode = 8007">AppLocker and SRP Logs</choice>
        <choice value=" source=WinEventLog:System EventCode = 20 OR EventCode = 24 OR EventCode = 25 OR EventCode = 31 OR EventCode = 34 OR EventCode = 35">Windows Update Errors</choice>
        <choice value=" source=WinEventLog:System EventCode = 1009">Hotpatching Error</choice>
        <choice value=" source=WinEventLog:Security EventCode = 5038 OR EventCode = 6281 OR EventCode = 219">Kernel Driver
and Kernel Driver Signing Errors</choice>
        <choice value=" source=WinEventLog:System EventCode = 104 OR 1102">Log Clearing</choice>
        <choice value=" source=WinEventLog:System EventCode = 7045">Windows Service Installed</choice>
        <choice value=" source=WinEventLog:Application EventCode = 800 OR EventCode = 903 OR EventCode = 904 OR EventCode = 905 OR EventCode = 906 OR EventCode = 907 OR EventCode = 908">Program
Inventory</choice>
        <choice value=" source=WinEventLog:Security EventCode = 8000 OR EventCode = 8001 OR EventCode = 8002 OR EventCode = 8003 OR EventCode = 8011 OR EventCode = 10000 OR EventCode = 10001 OR EventCode = 11000 OR EventCode = 11001 OR EventCode = 11002 OR EventCode = 11004 OR EventCode = 11005 OR EventCode = 11006 OR EventCode = 11010 OR EventCode = 12011 OR EventCode = 12012 OR EventCode = 12013">Wireless
Activities</choice>
        <choice value=" EventCode = 43 OR EventCode = 400 OR EventCode = 410">USB Activities</choice>
        <choice value=" source=WinEventLog:System EventCode = 307">Printing Activities</choice>
        <default> source=WinEventLog:application</default>
      </input>
      <html>
 These "interesting" Events are selected from the NSA's guide
to <a href="https://www.iad.gov/iad/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm">spotting
the adversary</a> 
      </html>
<table>
        <title>Event ID's of Interest</title>
        <search>
          <query>$nsasearch$ | table _time  EventCode Message ComputerName</query>
          <earliest>-7d@h</earliest>
          <latest>now</latest>
        </search>
<option name="list.drilldown">full</option>
<option name="list.wrap">1</option>
<option name="maxLines">5</option>
<option name="raw.drilldown">full</option>
<option name="rowNumbers">false</option>
<option name="table.drilldown">all</option>
<option name="table.wrap">1</option>
<option name="type">list</option>
<option name="wrap">true</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">cell</option>
<option name="count">7</option>
      </table>
    </panel>

[1]
And to be fair, I asked the question more than my fair share back when I was less experienced, less neckbeardy, and significantly less horizontally fleshed

[2]
https://www.iad.gov/iad/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm
[3]
https://conf.splunk.com/session/2015/conf2015_MGough_MalwareArchaelogy_SecurityCompliance_FindingAdvnacedAttacksAnd.pdf

*Also thanks to John L. for spotting some ANDs where they should have been ORs ad letting me know :-)

 

Combining above with powershell EventID’s like 4104 would be cool.

Lohit
June 22, 2016