101 things the mainstream media doesn’t want you to know about PowerShell logging*


At .conf2016 Steve Brant and I presented on how to detect PowerShell maliciousness using Splunk [2]. The only problem is, if you didn’t attend the conference and only read the PowerPoint slides you might say something like “Your presentation is just big photos and SPL”. Which is true. Frankly, we like big fonts and we cannot lie. You other presenters may deny. That when a deck goes up with a big sans-serif font and a bright image in your eyes you get… distracted by where I am going with this paragraph. As such, we are going to create blog postings of our presentation for those of you who didn’t attend our talk in person. In this missive …

» Continue reading

How to Pick a Threat Intelligence Provider (kind of…)

Over my last two years-ish at Splunk I’ve been asked the questions “Which threat intelligence feed should I purchase?” and “what’s the deal with the viking helmet?” and “what’s up with the Star Wars theme at Threatconnect” (ಠ_ಠ at you @wadebaker) on a more than regular basis. And like anyone who is trying to get out of a binary question I would respond with “it depends…” and then I’d mumble something about “threat data”. Finally I’d sigh and say, “All joking aside… it depends”. I just didn’t have a great answer. Don’t get me wrong, I have personal preferences based on my experiences, but I tend to know threat intelligence providers who focus on nation-state adversaries. If you work for an …

» Continue reading

Spotting the Adversary… with Splunk

Howdy Y’all. Eventually there is a Rubicon to cross in every security professional’s life. With a satisfied sigh he’ll take a step back from the keyboard, wipe Dorito-dust-covered hands on khakis, take a long slug of Mountain Dew, and gaze proudly at his Splunk instance and utter the words “I’ve added all the data sources I can. The network is being ‘monitored’”. Then the smile will falter as his cyber demons claw their way up to the surface. He’ll hear them scream out “but WHAT am I supposed to look for??” He (and you) are not alone. Ever since time immemorial (or at least since I first began “practicing” the dark arts of cyber security) I would hear the question of “but what …

» Continue reading

Random Words on Entropy and DNS

During my last blog post, I mentioned that I would delve more into how to detect subdomains with relatively high entropy. But first I think it is important to discuss WHAT is entropy; WHY do I care if a domain or subdomain has high entropy; and finally, HOW you can use entropy in Splunk to find potentially bad things.


So, what does entropy mean? For the purposes of computer science, I tend to use the definition of entropy as “… a measure of uncertainty in a random variable” [1]. For most things in computer science, entropy is calculated with the Shannon Entropy formula invented by Claude Shannon:


In other words (since if you are still reading this section, …

» Continue reading

Detecting dynamic DNS domains in Splunk

Name a security breach or sample of malware in the last five years and you will come across a fairly common denominator: the malware (or the method of data exfiltration) used a “Dynamic DNS” hostname to connect to the Internet [1][2][3][4][5]. But what is dynamic DNS (DDNS)? Why do malicious actors use it? And how do network defenders detect it in their network?

On a basic level, dynamic DNS allows subdomains to have IP addresses that can be changed quickly, often in real time. Legitimate users take advantage of this service by using providers such as noip.com or duckdns.org to create easy-to-remember subdomains (such as the example “myhouse.no-ip[.]org”) …

» Continue reading