Hunting with Splunk Lab 5

This document outlines a lab scenario for threat hunting using Splunk, focusing on detecting the offensive framework CrackMapExec through various logs. It includes specific tasks for analyzing SMB file transfers, remote connections, Windows admin shares, PowerShell activity, and self-signed certificates. The lab aims to enhance hands-on analysis skills and emphasizes the importance of combining network and host-based activity for effective threat detection.

Uploaded by

Rayen Salem

Hunting with Splunk (Lab 5)

LAB 17.5

Scenario
The IT Security manager has now tasked you, the only threat hunter, with performing a hunt for the offensive framework CrackMapExec. The internal penetration testing team has already generated CrackMapExec activity that will help you validate your hypotheses.

Zeek, Windows Security, Sysmon and PowerShell logs are available for this lab.

Goals
The learning objective of this lab is to increase familiarity with performing hands-on analysis in Splunk.

What you will learn

You will learn how to use the available network and host-based logs to detect abnormal activity.

Recommended tools
- Splunk
- Use the Firefox browser to connect to Splunk's web interface (http://demo.ine.local:8000)

Tasks
Task 1. Have any files been transferred over SMB?
Begin by studying T1105 and create a detection search in Splunk.

Hint: Focus on Zeek logs with sourcetype "zeek_files" and sourcetype "zeek_smb_files" (specifically those with an action of "SMB::FILE_OPEN"). For the most important fields, please refer to https://docs.zeek.org/en/current/

Task 2. Has the suspected attacker machine connected to the victim?

Study T1187 and hunt for relevant activity that may indicate successful remote connections.

Hint: Focus on Zeek logs, sourcetype "zeek_ntlm".

Task 3. Have Windows admin shares been accessed remotely?

Study T1077 and hunt for relevant activity.

Hint: Focus on Zeek logs, sourcetype "zeek_smb_mapping".

Task 4. Has a PowerShell Empire agent been executed on the victim machine?
Hunt for PowerShell activity.

Hint: Focus on Sysmon and PowerShell logs for this hunt.

Task 5. Hunt for self-signed certificates
Hunt for self-signed certificates, since attackers often use such certificates for convenience.

Hint: Focus on Zeek logs, sourcetype "zeek_ssl".

SOLUTIONS
Below, you can find solutions for each task. Remember, though, that you can follow your own strategy, which may differ from the one explained in this lab.

Task 1. Have any files been transferred over SMB?

To identify this type of network traffic, we'll use Zeek's logs. The ones we are interested in for this task are those with a sourcetype of "zeek_files". Zeek logs also provide hashes for transferred files, so we should take this into account during our hunt as well. Using that information, we construct the following query:

index=zeek sourcetype="zeek_files" SMB | spath "rx_hosts{}" | table rx_hosts{}, tx_hosts{}, filename, md5, sha1
Once the query is executed, we get the following match:

We can clearly see that some odd, randomly named 6-character files were detected.

We can further enrich this by looking at Zeek logs with sourcetype of "zeek_smb_files", and specifically those with action of "SMB::FILE_OPEN". We then construct the following query:

index=zeek sourcetype=zeek_smb_files action="SMB::FILE_OPEN" | table id.resp_h, id.resp_p, id.orig_h, id.orig_p, action, name
Once executed, we get the following match result:
Now we can see that those files were accessed remotely. From this we can suspect that 192.168.1.32 is the victim, which connects to 192.168.1.34 on port 445.

The randomly named 6-character filenames on the shares are one of the distinguishing artefacts linked to CrackMapExec v4.0 and 5.0.
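As an added illustration (not part of the lab material), the following Python script applies the Task 1 logic to Zeek smb_files events exported as JSON: it keeps SMB::FILE_OPEN events whose file name is a random-looking six-character string and groups them by source and destination host, so that a host repeatedly opening such files stands out. The sample log lines are constructed, and the "six letters or digits, no extension" pattern is an assumption.

```python
import json
import re
from collections import defaultdict

# Random 6-character names with no extension, as described for CrackMapExec v4/v5
# (assumption: letters and digits only).
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{6}$")

# Constructed sample Zeek smb_files.log lines in JSON form (not lab data).
SMB_FILES_LOG = r"""
{"ts":1.0,"id.orig_h":"192.168.1.34","id.orig_p":49812,"id.resp_h":"192.168.1.32","id.resp_p":445,"action":"SMB::FILE_OPEN","path":"\\\\192.168.1.32\\ADMIN$","name":"xqLkPw"}
{"ts":2.0,"id.orig_h":"192.168.1.34","id.orig_p":49812,"id.resp_h":"192.168.1.32","id.resp_p":445,"action":"SMB::FILE_OPEN","path":"\\\\192.168.1.32\\ADMIN$","name":"zTnQrB"}
{"ts":3.0,"id.orig_h":"192.168.1.50","id.orig_p":50100,"id.resp_h":"192.168.1.32","id.resp_p":445,"action":"SMB::FILE_OPEN","path":"\\\\192.168.1.32\\share","name":"budget.xlsx"}
{"ts":4.0,"id.orig_h":"192.168.1.34","id.orig_p":49813,"id.resp_h":"192.168.1.32","id.resp_p":445,"action":"SMB::FILE_CLOSE","path":"\\\\192.168.1.32\\ADMIN$","name":"xqLkPw"}
"""


def parse_zeek_json(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def random_file_opens(text):
    """Return {(orig_h, resp_h): [names]} for SMB::FILE_OPEN events whose
    file name looks randomly generated (6 chars, no extension)."""
    hits = defaultdict(list)
    for ev in parse_zeek_json(text):
        if ev.get("action") != "SMB::FILE_OPEN":
            continue
        name = ev.get("name", "")
        if RANDOM_NAME.match(name):
            hits[(ev["id.orig_h"], ev["id.resp_h"])].append(name)
    return dict(hits)


def suspicious_pairs(text, threshold=2):
    """Source/destination pairs that opened at least `threshold` such files:
    one match can be noise, repeated matches from one host fit the CME pattern."""
    return sorted(pair for pair, names in random_file_opens(text).items()
                  if len(names) >= threshold)


if __name__ == "__main__":
    for orig, resp in suspicious_pairs(SMB_FILES_LOG):
        print(f"{orig} opened random-named files on {resp}:",
              random_file_opens(SMB_FILES_LOG)[(orig, resp)])
```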

Task 2. Has the suspected attacker machine connected to the victim?

For this task, we'll use Zeek logs again, specifically those with sourcetype "zeek_ntlm". We will simply list all events in a table with the query:

index=zeek sourcetype=zeek_ntlm | table id.resp_h, id.resp_p, id.orig_h, id.orig_p, domainname, success, username
Once executed, we get the following:
We can see that 192.168.1.34 has connected successfully to 192.168.1.32 with the account "Administrator" (NTLM authentication, which is often generated by connecting remotely over SMB with a plaintext password or by performing pass-the-hash).

Task 3. Have Windows admin shares been accessed remotely?

For this task, we'll again look at Zeek logs, specifically those with sourcetype "zeek_smb_mapping". We will simply list all events in a table with the query:

index=zeek sourcetype="zeek_smb_mapping" | table id.resp_h, id.resp_p, id.orig_h, id.orig_p, path, share_type

Once executed, we get the following:

It appears that 192.168.1.34 has created multiple connections to the IPC$ share of 192.168.1.32. This is expected behavior when executing commands over SMB on a remote machine.

Task 4. Has PowerShell Empire agent been executed on the victim machine?
For this task, we'll use Sysmon logs, specifically to check whether a process was started with a suspicious command-line argument containing "powershell", which Empire agents generate by default. We will use the following query to search for "powershell":

index=* powershell

Once executed, among a list of matched events, we'll see this one:
If we go forward and decode the obfuscated command, we will indeed note that this matches Empire's stager.

We could also look into PowerShell ScriptBlock logs (Event ID 4104), which display captured PowerShell activity. A simple query looking for events that contain "Warning" already provides a wealth of potentially malicious obfuscated commands:

Task 5. Hunt for self-signed certificates

An interesting indicator of compromise is the presence of self-signed SSL certificates in your environment (of course, your organization will have to adopt certificates signed by trusted entities for this hunting technique to be meaningful).

The Splunk search below can reveal self-signed SSL certificates or certificates with multiple empty fields. Both can be used as an alarm.

index=zeek sourcetype=zeek_ssl | table cipher, curve, client_cert_chain_fuids, client_issuer, client_subject, C, version, subject, validation_status

If you look carefully enough, you will identify that the self-signed certificate is related to the attacking host we found during the previous tasks!
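As an added example (not part of the lab material), the following Python script applies the Task 5 logic to Zeek ssl events exported as JSON, flagging sessions whose server certificate is self-signed (Zeek's validation_status says so, or issuer equals subject) or where several certificate fields are empty, the two conditions the search above is meant to surface. The sample lines are constructed; the IP addresses and subjects in them are placeholders.

```python
import json

# Constructed sample Zeek ssl.log lines in JSON form (not lab data).
SSL_LOG = r"""
{"ts":1.0,"id.orig_h":"192.168.1.32","id.resp_h":"192.168.1.34","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","subject":"CN=localhost","issuer":"CN=localhost","validation_status":"self signed certificate","established":true}
{"ts":2.0,"id.orig_h":"192.168.1.32","id.resp_h":"203.0.113.10","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","subject":"CN=www.example.com,O=Example Inc","issuer":"CN=Example CA,O=Example Inc","validation_status":"ok","established":true}
{"ts":3.0,"id.orig_h":"192.168.1.32","id.resp_h":"198.51.100.7","id.resp_p":8443,"version":"TLSv12","cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","established":true}
"""

# Fields Zeek fills from the server certificate; several missing at once is itself odd.
CERT_FIELDS = ("subject", "issuer", "validation_status")


def parse_zeek_json(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def classify_tls(ev):
    """Return a list of reasons this TLS session should be reviewed (empty if none)."""
    reasons = []
    status = ev.get("validation_status", "")
    subject, issuer = ev.get("subject"), ev.get("issuer")
    # OpenSSL's verify result, as Zeek records it, contains "self signed" for both
    # a self-signed leaf and a self-signed certificate in the chain.
    if "self signed" in status or (subject and subject == issuer):
        reasons.append("self-signed")
    missing = [f for f in CERT_FIELDS if not ev.get(f)]
    if len(missing) >= 2:
        reasons.append("empty-fields:" + ",".join(missing))
    return reasons


def suspicious_tls_servers(text):
    """Map server ip:port -> reasons, skipping sessions with nothing to report."""
    out = {}
    for ev in parse_zeek_json(text):
        reasons = classify_tls(ev)
        if reasons:
            out[f'{ev["id.resp_h"]}:{ev["id.resp_p"]}'] = reasons
    return out


if __name__ == "__main__":
    for server, reasons in suspicious_tls_servers(SSL_LOG).items():
        print(server, "->", ", ".join(reasons))
```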

KEY TAKEAWAYS
1. Robust detection rules are required to perform high-quality hunts.
2. Combining network and host-based activity provides greater visibility into the actions performed and helps to identify adversary actions that may be hard (or impossible) to identify by looking at only one source.
