In this series of blog posts, following Part 1 and Part 2, we have discussed Windows process creation logs and their primary sources. I provided some documentation on fields that contain excellent data to analyze, and how to get the logs into Splunk for further analysis. We also covered some introductory queries you can use to interrogate this massive body of data, methods for filtering the data without creating blind spots while you are hunting, and a couple of hypotheses and questions you can use to guide your hunting further.

In this final part of the series, I'm going to go through some hands-on examples with you. We're going to use basic process creation log queries, and investigate some of the results together. Afterwards, I will provide you with links to various resources you can use to improve your threat hunting prowess.

All of this information sounds really awesome, but I'm willing to bet you'd like a hands-on example that shows you just how interesting process creation logs can be.

Hands-On Example: CPTC dataset

Let's begin! For this example, I'm going to utilize the 2019 National Collegiate Penetration Testing Competition dataset. If you're interested in this data for following along, I've provided a link in the "Additional Reading and Resources" section below.

Be aware that this dataset is from a security competition, so there are going to be a lot of weird instances of PowerShell being used, and a lot of stuff that looks anomalous observed in high frequency. Since we've been doing such a great job picking on PowerShell so far, that's exactly what we're going to continue doing here. On a typical network, if you see a lot of weird, unexplained, obfuscated PowerShell, that usually means you have a significant problem–either there are some business processes that are completely unknown to you that you need to become familiar with in order to filter out the results, or you have a very deeply entrenched adversary and have a long fight ahead of you before you root them out of your network. Keep in mind that the results from these queries aren't typical of what you find in most enterprise networks. Now, what's really awesome is that the CPTC dataset has both EID 4688 logs and Sysmon EID 1 logs. So I can continue to offer you identical queries side-by-side.
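The side-by-side idea above (the same hunting query run over both Security EID 4688 and Sysmon EID 1 process creation events) is easier to see once the two sources are mapped onto one schema. The script below is an added example, not code from the original post or from the CPTC dataset. It assumes the field names Splunk's Windows add-on produces for these events (EventCode, NewProcessName, ParentProcessName, SubjectUserName for 4688; Image, ParentImage, User for Sysmon), all sample events are constructed, and the PowerShell indicators are generic hunting hypotheses rather than anything taken from the dataset.

```python
"""
Normalise Security EID 4688 and Sysmon EID 1 process creation events into one
schema, then run a single PowerShell hunting query over both sources.
Sample events below are constructed for this example (hosts, users and
command lines are invented).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed Security EID 4688 events (field names as Splunk's Windows add-on
# exposes them; values invented).
SAMPLE_4688 = [
    {"EventCode": "4688", "ComputerName": "WS01",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA...",
     "SubjectUserName": "jdoe"},
    {"EventCode": "4688", "ComputerName": "WS01",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe"',
     "SubjectUserName": "jdoe"},
]

# Constructed Sysmon EID 1 events (same invented environment).
SAMPLE_SYSMON1 = [
    {"EventCode": "1", "ComputerName": "WS02",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\Users\Public\update.ps1",
     "User": r"CORP\asmith"},
    {"EventCode": "1", "ComputerName": "WS02",
     "Image": r"C:\Program Files\Vendor\backup.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r'"C:\Program Files\Vendor\backup.exe" --nightly',
     "User": r"NT AUTHORITY\SYSTEM"},
]


@dataclass
class ProcessEvent:
    """Common schema shared by both log sources."""
    source: str        # "4688" or "sysmon1"
    host: str
    user: str
    image: str
    parent_image: str
    command_line: str


def normalise(event: dict) -> ProcessEvent:
    """Map either source's field names onto the common schema."""
    code = event.get("EventCode")
    if code == "4688":
        return ProcessEvent("4688", event["ComputerName"], event.get("SubjectUserName", ""),
                            event["NewProcessName"], event.get("ParentProcessName", ""),
                            event.get("CommandLine", ""))
    if code == "1":
        return ProcessEvent("sysmon1", event["ComputerName"], event.get("User", ""),
                            event["Image"], event.get("ParentImage", ""),
                            event.get("CommandLine", ""))
    raise ValueError(f"unsupported event code {code!r}")


# Each regex is one hunting hypothesis about unexplained PowerShell usage.
# A hit is a lead to investigate (and to explain via business context), not a verdict.
SUSPICIOUS_PS_PATTERNS = {
    "encoded_command": re.compile(r"(^|\s)-(e|ec|en|enc|encodedcommand)\s", re.I),
    "hidden_window":   re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "no_profile":      re.compile(r"-no(p|profile)\b", re.I),
    "bypass_policy":   re.compile(r"-ex(ecutionpolicy)?\s+bypass", re.I),
}


def is_powershell(ev: ProcessEvent) -> bool:
    # Match on the image path rather than the command line so renamed or
    # quoted invocations still surface; this avoids a filtering blind spot.
    return ev.image.lower().endswith(("powershell.exe", "pwsh.exe"))


def hunt_powershell(events: Iterable[dict]) -> List[dict]:
    """Run the same query over 4688 and Sysmon 1 events and return findings."""
    findings = []
    for raw in events:
        ev = normalise(raw)
        if not is_powershell(ev):
            continue
        hits = [name for name, rx in SUSPICIOUS_PS_PATTERNS.items() if rx.search(ev.command_line)]
        if hits:
            findings.append({"source": ev.source, "host": ev.host, "user": ev.user,
                             "parent": ev.parent_image, "indicators": hits})
    return findings


def count_by_source(findings: List[dict]) -> Dict[str, int]:
    """Summarise how many leads each log source produced."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["source"]] = counts.get(f["source"], 0) + 1
    return counts


if __name__ == "__main__":
    results = hunt_powershell(SAMPLE_4688 + SAMPLE_SYSMON1)
    for r in results:
        print(r)
    print(count_by_source(results))
```

The parent image is carried through deliberately: in both sources it is the field that most often separates a scripted business process (a known scheduler or management agent as parent) from something that needs a closer look, and it is the first thing you would pivot on when a result from one source has no counterpart in the other.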