Our dataset is an anonymized collection of Windows Authentication logs. This example leverages the Simple Search assistant.

Demo Data

| `Load_Sample_Log_Data("Example Pass The Hash (Legacy)")`

First we bring in our basic demo dataset. We're using a macro called Load_Sample_Log_Data to wrap around | inputlookup, just so it is cleaner for the demo data. This dataset includes interactive logins from Windows Security logs. For this analysis, we are looking at what domains we expect to see in our authentication logs, and alert on anything unexpected.

If you're paying close attention, you'll notice that the dataset here is called Legacy Pass the Hash. The reason? The legacy (and not really relevant) pass the hash detection actually resembles this detection, where we are looking for unexpected Account_Domains.

| eval Account_Domain=mvfilter(Account_Domain!="-")

Next we use eval to filter out the Account_Domain of "-", as Windows will typically include blank domains in one of the log fields, and we don't want to distract analysts. We aren't putting this in the prior search command because we don't want to exclude those events; we just want to strip that value from the field.

| search NOT (Account_Domain="NT Authority" OR Account_Domain="MYDOMAIN" OR Account_Domain="SUBSIDIARY*" OR Account_Name="*$")

Next we filter out the domains that we are expecting to see. Controversially, we are also ignoring accounts that end in a dollar sign, which will typically occur from server accounts. This is a problematic assumption, as there's nothing to keep attackers from using dollar sign usernames for their own purposes - as you mature this detection, try to move away from this limitation.

Live Data

index=* source="*WinEventLog:Security" tag=authentication action=success (Logon_Type=2 OR Logon_Type=10 OR Logon_Type=11) NOT (Account_Domain="NT Authority" OR Account_Domain="MYDOMAIN" OR Account_Domain="SUBSIDIARY*" OR Account_Domain="YourDomainsHere" OR Account_Name="*$")

First we bring in our basic dataset: successful logons of type 2 (Interactive), 10 (RemoteInteractive) and 11 (CachedInteractive), minus the domains and computer accounts we expect. The Logon_Type clause needs its own parentheses, since Splunk's implicit AND binds tighter than OR; without them, only the Logon_Type=11 branch would get the NOT filter applied. Replace "YourDomainsHere" with your own domains, and append the same eval/mvfilter step from the demo search if the "-" values clutter the results.

How to Implement

Implementing this search is as tricky as your environment is complex. For smaller shops with minimal complexity, run a Splunk search to look at the expected domains, and add them to your explicit whitelist:

index=* daysago=7 source=*win*security | top Account_Domain limit=0

In more complex environments (such as with many subsidiaries, or services routinely logging in with local accounts), you may wish to run this over a longer period of time and create a lookup to tune out your noise. Create the lookup with:

index=* daysago=60 source=*win*security | top Account_Domain limit=0 | fields Account_Domain | outputlookup allowable_account_domains.csv

Then in your correlation search, access that lookup by replacing the existing list of account domains so that it reads:

index=* source=*win*security tag=authentication action=success (Logon_Type=2 OR Logon_Type=10 OR Logon_Type=11) NOT ( )

Review the baseline before trusting it: a 60-day lookup whitelists every domain seen in that window, so any local account an attacker was already using during the baseline period is tuned out along with the legitimate service accounts.

How to Respond

Many service accounts will log in with local domains as a matter of normal activity, and computer accounts may also show up. Determine whether this user is authorized to log in with local credentials, and whether the configuration of the local account complies with company policies around password expiration, complexity, etc. Verify whether this is a service account that should be added to the tuning whitelist moving forward. It's best to consider this alert as a contextual alert rather than a material alert that you would send to the SOC.
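The detection steps above (drop the "-" domain value, keep interactive logon types, exclude expected domains and "$" accounts) and the baseline-derived whitelist from the implementation section, re-implemented as an added Python example that is not part of the original post or of Splunk Security Essentials. It runs over constructed sample events using the same field names as the searches; the domain names, account names and the min_count threshold are assumptions for illustration. It also shows the two caveats raised above: with the "$" exclusion on, an account named like a computer account never surfaces, and a baseline that already contains the attacker's host whitelists it.

```python
import fnmatch
from collections import Counter

# Logon types the live search keeps: 2 = Interactive, 10 = RemoteInteractive,
# 11 = CachedInteractive.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}

# Inline whitelist from the live search. Splunk wildcards are glob-style and
# value matching is case-insensitive, which match_any() reproduces.
EXPECTED_DOMAINS = ["NT Authority", "MYDOMAIN", "SUBSIDIARY*"]

# Constructed sample events (hypothetical names). Account_Domain / Account_Name
# are multivalue, as Splunk extracts them from 4624 (subject + new logon),
# which is why "-" shows up alongside the real domain.
SAMPLE_EVENTS = [
    {"Logon_Type": 2,  "Account_Domain": ["-", "MYDOMAIN"],            "Account_Name": ["-", "alice"]},
    {"Logon_Type": 10, "Account_Domain": ["MYDOMAIN", "SUBSIDIARY1"],  "Account_Name": ["bob", "bob"]},
    {"Logon_Type": 2,  "Account_Domain": ["-", "WORKSTATION7"],        "Account_Name": ["-", "localadmin"]},
    {"Logon_Type": 3,  "Account_Domain": ["-", "WORKSTATION7"],        "Account_Name": ["-", "svc_backup"]},
    {"Logon_Type": 11, "Account_Domain": ["-", "WORKSTATION9"],        "Account_Name": ["-", "evil$"]},
    {"Logon_Type": 2,  "Account_Domain": ["NT Authority", "NT Authority"], "Account_Name": ["SYSTEM", "SYSTEM"]},
]


def strip_blank_domains(event):
    """| eval Account_Domain=mvfilter(Account_Domain!="-"): the event is kept, only the value goes."""
    return {**event, "Account_Domain": [d for d in event["Account_Domain"] if d != "-"]}


def match_any(values, patterns):
    """Splunk-style field match: true if any value matches any glob, case-insensitively."""
    return any(fnmatch.fnmatchcase(v.lower(), p.lower()) for v in values for p in patterns)


def is_expected(event, expected_domains, ignore_dollar_accounts=True):
    """The NOT (...) clause: an expected domain, or (optionally) an account ending in '$'."""
    if match_any(event["Account_Domain"], expected_domains):
        return True
    return bool(ignore_dollar_accounts and match_any(event["Account_Name"], ["*$"]))


def detect_unexpected_domains(events, expected_domains, ignore_dollar_accounts=True):
    """Interactive logons whose Account_Domain is not in the whitelist."""
    hits = []
    for event in events:
        if event["Logon_Type"] not in INTERACTIVE_LOGON_TYPES:
            continue
        event = strip_blank_domains(event)
        if not is_expected(event, expected_domains, ignore_dollar_accounts):
            hits.append(event)
    return hits


def build_domain_allowlist(baseline_events, min_count=1):
    """| top Account_Domain limit=0 | fields Account_Domain, as a sorted list.
    min_count is an assumption added here; the post's lookup keeps every domain seen."""
    counts = Counter(d for e in baseline_events for d in e["Account_Domain"] if d != "-")
    return sorted(d for d, n in counts.items() if n >= min_count)


if __name__ == "__main__":
    # Default behaviour of the search: only the local admin logon is reported.
    for hit in detect_unexpected_domains(SAMPLE_EVENTS, EXPECTED_DOMAINS):
        print("alert:", hit["Account_Domain"], hit["Account_Name"])
    # Without the '$' exclusion the attacker-style account is reported too.
    strict = detect_unexpected_domains(SAMPLE_EVENTS, EXPECTED_DOMAINS, ignore_dollar_accounts=False)
    print("strict:", [h["Account_Name"][-1] for h in strict])
    # A baseline lookup built from data that already contains both hosts tunes them out.
    baseline = build_domain_allowlist(SAMPLE_EVENTS)
    print("baseline allowlist:", baseline)
    print("hits against baseline:", len(detect_unexpected_domains(SAMPLE_EVENTS, baseline, False)))
```

The min_count parameter is one way to keep a rarely seen local domain out of the baseline so it still alerts; it is not something the post's outputlookup search does, and choosing the threshold is part of the tuning work described above.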