Last active
November 9, 2021 19:49
Splunk Sysmon TERM() Search Examples.
```
Author: @0x1FFFFF
Date: 9 November, 2021
Goal: Limit the queried buckets in Splunk to the minimum necessary to return the appropriate Sysmon events.
There are a few things to think about before using these types of searches.
Please familiarize yourself with how TERM works and how to look for usable strings in raw events.
Splunk Docs: https://docs.splunk.com/Documentation/Splunk/latest/Search/UseCASEandTERMtomatchphrases
https://docs.splunk.com/Documentation/Splunk/8.2.3/Search/Eventsegmentationandsearching
Talk by Richard Morgan: https://conf.splunk.com/files/2020/recordings/PLA1089C.mp4
https://conf.splunk.com/files/2020/slides/PLA1089C.pdf
Always be wary of including NOT TERM(...) in your query. TERM searches against raw strings in the original event text.
You can't constrain where in the event the string appears, so the best way to explain this is an example.
Take a look at the search for EID 23 (Line 23): by using NOT TERM(ClientInfo) we exclude EID 24 events, but if we had an EID 23 event that included something like Image="ClientInfo_v1.exe" we would never see it.
This comes down to understanding what you're excluding and whether it's worth allowing a known gap.
```
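One way to put a number on that known gap before accepting it (an added check, not part of the original gist; it assumes the same index=your_sysmon and that your Sysmon add-on extracts the EventID and Image fields): the first search cross-tabulates the EID 23/24 TERM set by event code and by whether the raw event contains ClientInfo, so the row EventID=23 with has_ClientInfo=yes is exactly what the NOT TERM(ClientInfo) search would silently drop; the second search lists the Images behind those dropped events.

```spl
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(Archived) TERM(IsExecutable)
| eval has_ClientInfo=if(match(_raw, "(?i)ClientInfo"), "yes", "no")
| stats count by EventID has_ClientInfo

index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(Archived) TERM(IsExecutable) TERM(ClientInfo) EventID=23
| stats count by Image
```

If the first search returns any EventID other than 23 or 24, the TERM combination is not selective enough on its own and the explicit EventID filter should stay in the search.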
```All Sysmon Logs within the index```
index=your_sysmon TERM(Microsoft-Windows-Sysmon)
```Sysmon Event Code 1```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(ParentCommandLine) TERM(ParentImage)
```Sysmon Event Code 2```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(CreationUtcTime) TERM(PreviousCreationUtcTime)
```Sysmon Event Code 3```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(DestinationHostname) TERM(DestinationPort)
```Sysmon Event Code 4. Note: this log /should/ only have two states afaik. If there are others they'd need to be included```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(State) (TERM(Started) OR TERM(Stopped))
```Sysmon Event Code 5. Note: be wary of NOT TERM()```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) NOT TERM(ParentCommandLine) NOT TERM(DestinationHostname) NOT TERM(ImageLoaded) NOT TERM(CreationUtcTime) NOT TERM(TargetObject) NOT TERM(WmiFilterEvent) NOT TERM(PipeName) NOT TERM(IsExecutable) NOT TERM(CallTrace) EventID=5
```Sysmon Event Code 6. Note: be wary of NOT TERM()```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(ImageLoaded) NOT TERM(OriginalFileName)
```Sysmon Event Code 7```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(ImageLoaded) TERM(OriginalFileName)
```Sysmon Event Code 8```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(TargetImage) TERM(StartModule)
```Sysmon Event Code 9. Note: be wary of NOT TERM()```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) NOT TERM(ParentCommandLine) NOT TERM(DestinationHostname) NOT TERM(ImageLoaded) NOT TERM(CreationUtcTime) NOT TERM(TargetObject) NOT TERM(WmiFilterEvent) NOT TERM(PipeName) NOT TERM(IsExecutable) NOT TERM(CallTrace) EventID=9
```Sysmon Event Code 10```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(CallTrace)
```Sysmon Event Code 11. Note: be wary of NOT TERM()```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(TargetFilename) TERM(CreationUtcTime) NOT TERM(PreviousCreationUtcTime) EventID=11
```Sysmon Event Code 12, 13, and 14```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(TargetObject)
```Sysmon Event Code 12. Note: be wary of NOT TERM()```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(TargetObject) NOT TERM(Details) EventID=12
```Sysmon Event Code 13```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(TargetObject) TERM(Details)
```Sysmon Event Code 14```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(TargetObject) TERM(NewName)
```Sysmon Event Code 15```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(TargetFilename) TERM(CreationUtcTime) TERM(Hash) EventID=15
```Sysmon Event Code 16```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(ConfigurationFileHash)
```Sysmon Event Code 17```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(PipeName) TERM(CreatePipe)
```Sysmon Event Code 18```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(PipeName) TERM(ConnectPipe)
```Sysmon Event Code 19```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(WmiFilterEvent)
```Sysmon Event Code 20```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(WmiConsumerEvent)
```Sysmon Event Code 21```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(WmiBindingEvent)
```Sysmon Event Code 22```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(QueryName) TERM(QueryResults)
```Sysmon Event Code 23. Note: be wary of NOT TERM()```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(Archived) TERM(IsExecutable) NOT TERM(ClientInfo)
```Sysmon Event Code 24```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(Archived) TERM(IsExecutable) TERM(ClientInfo)
```Sysmon Event Code 25. Note: be wary of NOT TERM()```
index=your_sysmon TERM(Microsoft-Windows-Sysmon) TERM(Image) TERM(Type) TERM(25) NOT TERM(ParentCommandLine) NOT TERM(ImageLoaded) NOT TERM(TargetObject) NOT TERM(PreviousCreationUtcTime) EventID=25