Splunk Lab 1 - Brute Force Detection
Splunk threat hunting lab covering password brute-force detection, attack frequency visualization, IP geolocation, and process execution analysis using BOTSv1 data.
Task 1. Average password length used in brute-force attack against 192.168.250.70
Once you are logged into Splunk’s web management interface, click the Search & Reporting application that resides on the Apps column on your left.
# Password brute-forcing attack
index="botsv1" sourcetype="stream:http" dest_ip=192.168.250.70 http_method=POST form_data=*user*pass*
| stats count by src_ip
# Identify what was the average password length used
index="botsv1" sourcetype="stream:http" dest_ip=192.168.250.70 http_method=POST form_data=*user*pass*
| rex field=form_data "passwd=(?<userpassword>\w+)"
| eval lenpword=len(userpassword)
| stats avg(lenpword) AS avgPword
| eval avgPword=round(avgPword,0)
Explanation:
rex field=form_data "passwd=(?<userpassword>\w+)" <- Extract the value that follows passwd= in form_data into a new field named userpassword
eval lenpword=len(userpassword) <- Calculate the length of the userpassword string and store the value in lenpword
stats avg(lenpword) AS avgPword <- Calculate the average of all lenpword values and rename it avgPword
eval avgPword=round(avgPword,0) <- Round avgPword to 0 decimal places and store it back into the avgPword field
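The same filter, extraction and aggregation carried out in Python over a handful of constructed stream:http-style records, so the behaviour of each pipeline stage can be checked without a Splunk instance. This is an added example, not part of the lab or of BOTSv1; the source addresses are RFC 5737 documentation ranges and the passwords are made up. It also shows a caveat of the `\w+` capture: a URL-encoded password is truncated at the first non-word character.

```python
import re
from collections import Counter

# Constructed sample events shaped like Splunk's stream:http sourcetype
# (src_ip, dest_ip, http_method, form_data). They are NOT BOTSv1 data;
# the source addresses come from the RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    {"src_ip": "198.51.100.23", "dest_ip": "192.168.250.70", "http_method": "POST",
     "form_data": "username=admin&passwd=batman"},
    {"src_ip": "198.51.100.23", "dest_ip": "192.168.250.70", "http_method": "POST",
     "form_data": "username=admin&passwd=superman1"},
    {"src_ip": "198.51.100.23", "dest_ip": "192.168.250.70", "http_method": "POST",
     "form_data": "username=admin&passwd=letmein"},
    {"src_ip": "203.0.113.42", "dest_ip": "192.168.250.70", "http_method": "POST",
     "form_data": "username=admin&passwd=12345678"},
    {"src_ip": "203.0.113.42", "dest_ip": "192.168.250.70", "http_method": "POST",
     "form_data": "username=admin&passwd=qwerty"},
    # Dropped by http_method=POST
    {"src_ip": "203.0.113.42", "dest_ip": "192.168.250.70", "http_method": "GET",
     "form_data": ""},
    # Dropped by dest_ip=192.168.250.70
    {"src_ip": "10.0.0.5", "dest_ip": "192.168.250.100", "http_method": "POST",
     "form_data": "username=bob&passwd=hunter22"},
]

# Same named capture as the SPL rex: passwd=(?<userpassword>\w+)
PASSWD_RE = re.compile(r"passwd=(?P<userpassword>\w+)")
# form_data=*user*pass* : "user" somewhere, then "pass" somewhere after it
FORM_RE = re.compile(r"user.*pass")


def matches_filter(event, dest_ip="192.168.250.70"):
    """Mirror of the search filter dest_ip=... http_method=POST form_data=*user*pass*."""
    return (event.get("dest_ip") == dest_ip
            and event.get("http_method") == "POST"
            and FORM_RE.search(event.get("form_data", "")) is not None)


def extract_password(event):
    """rex field=form_data "passwd=(?<userpassword>\\w+)" -> the userpassword field.

    Like the SPL \\w+, the capture stops at the first non-word character, so a
    URL-encoded password such as p%40ss comes back truncated as 'p'.
    """
    m = PASSWD_RE.search(event.get("form_data", ""))
    return m.group("userpassword") if m else None


def count_by_src_ip(events):
    """stats count by src_ip over the filtered events."""
    return Counter(e["src_ip"] for e in events if matches_filter(e))


def average_password_length(events):
    """eval lenpword=len(userpassword) | stats avg(lenpword) | eval round(avgPword,0)."""
    lengths = []
    for e in events:
        if not matches_filter(e):
            continue
        pw = extract_password(e)
        if pw is not None:  # events where rex did not match carry no lenpword
            lengths.append(len(pw))
    if not lengths:
        return None
    return round(sum(lengths) / len(lengths))


if __name__ == "__main__":
    for ip, n in count_by_src_ip(SAMPLE_EVENTS).most_common():
        print(f"{ip:16} {n} login POSTs")
    print("avgPword =", average_password_length(SAMPLE_EVENTS))
```

On the constructed data the two source addresses account for 3 and 2 login POSTs and the rounded average password length is 7. The truncation shown by `extract_password` is worth remembering when the real data contains URL-encoded characters: the average computed by the lab query is an average of the captured `\w+` run, not necessarily of the full submitted password.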
Task 2. Visualize the frequency of the password brute-forcing attack.
To visualize the frequency of the password brute-forcing attack, we can use the query below.
index="botsv1" sourcetype="stream:http" dest_ip=192.168.250.70 http_method=POST form_data=*user*pass*
| rex field=form_data "passwd=(?<userpassword>\w+)"
| timechart span=1s count by dest_ip
Explanation:
This query is similar to our final Task 1 query; note that we removed the eval and stats sections and added a timechart.
The timechart syntax is similar to that of stats.
With our visualization we now know the time ranges of the attack.
Task 3. How many seconds elapsed between the time we first saw the password “batman” and the time we saw it again?
A Splunk search that automatically determines how many seconds elapsed between the time we first saw the password batman and the time we saw it again is shown below.
index="botsv1" sourcetype="stream:http" dest_ip=192.168.250.70 http_method=POST form_data=*user*pass*
| rex field=form_data "passwd=(?<userpassword>\w+)"
| search userpassword=batman
| transaction userpassword
| table duration
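Tasks 2 and 3 reduce to two computations on the extracted `userpassword` field: a per-second count (what `timechart span=1s` draws) and the distance between the first and last sighting of one password (what `transaction userpassword` reports as `duration`). The Python below, an added example rather than code from the lab, does both over constructed events that already satisfy the Task 1 filter; `_time` is epoch seconds as Splunk stores it, and the base timestamp is arbitrary.

```python
import re
from collections import Counter

BASE = 1_470_000_000  # constructed epoch base; only the offsets matter here

# Constructed events shaped like stream:http, already narrowed to the Task 1
# filter (dest_ip=192.168.250.70, POST, form_data=*user*pass*). Not BOTSv1 data.
SAMPLE_EVENTS = [
    {"_time": BASE + 0, "dest_ip": "192.168.250.70", "form_data": "username=admin&passwd=batman"},
    {"_time": BASE + 0, "dest_ip": "192.168.250.70", "form_data": "username=admin&passwd=superman1"},
    {"_time": BASE + 1, "dest_ip": "192.168.250.70", "form_data": "username=admin&passwd=letmein"},
    {"_time": BASE + 1, "dest_ip": "192.168.250.70", "form_data": "username=admin&passwd=qwerty"},
    {"_time": BASE + 3, "dest_ip": "192.168.250.70", "form_data": "username=admin&passwd=batman"},
]

# rex field=form_data "passwd=(?<userpassword>\w+)"
PASSWD_RE = re.compile(r"passwd=(?P<userpassword>\w+)")


def extract_password(event):
    m = PASSWD_RE.search(event.get("form_data", ""))
    return m.group("userpassword") if m else None


def timechart_per_second(events, key="dest_ip"):
    """timechart span=1s count by <key>.

    Returns {second: {key_value: count}} with every second between the first
    and last event present, so empty buckets show up as 0 the way the chart does.
    """
    raw = Counter((int(e["_time"]), e[key]) for e in events)
    if not raw:
        return {}
    seconds = [s for s, _ in raw]
    key_values = sorted({k for _, k in raw})
    chart = {}
    for s in range(min(seconds), max(seconds) + 1):
        chart[s] = {k: raw.get((s, k), 0) for k in key_values}
    return chart


def sightings(events, password):
    """search userpassword=<password>: timestamps at which that password was tried."""
    return sorted(e["_time"] for e in events if extract_password(e) == password)


def transaction_duration(events, password):
    """transaction userpassword | table duration for one password.

    Splunk's duration is last event time minus first event time within the
    transaction; a single sighting therefore yields 0, no sighting yields None.
    """
    times = sightings(events, password)
    if not times:
        return None
    return times[-1] - times[0]


if __name__ == "__main__":
    for second, counts in timechart_per_second(SAMPLE_EVENTS).items():
        print(f"+{second - BASE}s  {counts}")
    print("batman seen at offsets:", [t - BASE for t in sightings(SAMPLE_EVENTS, 'batman')])
    print("duration =", transaction_duration(SAMPLE_EVENTS, "batman"), "seconds")
```

With the constructed events, second +2 is an empty bucket that still appears with a count of 0, and "batman" is seen at offsets 0 and 3, so the transaction duration is 3 seconds. If a password were tried more than twice, `transaction` would still report one duration spanning first to last sighting, which is why the lab question is phrased around a password that appears exactly twice.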
Task 4. Extend IP location to visualizations
The below Splunk search can provide us with a bird’s eye view of the involved IP addresses.
index="botsv1" sourcetype="stream:http" dest_ip=192.168.250.70 http_method=POST form_data=*user*pass*
| iplocation src_ip
| geostats latfield=lat longfield=lon count by src_ip
Change the Visualization from Line Chart to Cluster Map
Task 5. List all process execution activity and all executed commands
All process execution activity can be listed through the Splunk search below.
index="botsv1" sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" | stats values(ParentImage) by process
All commands being executed can be listed through the Splunk search below.
index="botsv1" sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" | stats values(CommandLine) by Computer,process
Bonus 1: If you want to list all commands being executed by a specific (usually abused) process, you can do so as follows.
index="botsv1" sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" process=*cmd.exe
| stats values(CommandLine) by Computer,process
Bonus 2: If you want to identify, for example, the longest cmd.exe command that was executed (overly long commands are suspicious), you can do so as follows.
index="botsv1" sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" process=*cmd.exe
| eval len=len(CommandLine)
| table User, len, CommandLine
| sort -len
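The three Sysmon searches in Task 5 are a `stats values(...) by ...` grouping, a wildcard field filter (`process=*cmd.exe`) and a length sort. The Python below, an added example that is not part of the lab, reproduces those three operations over constructed Sysmon-style records (Computer, User, process, ParentImage, CommandLine). Hostnames, users and command lines are made up, and the "overly long" command is a padded placeholder rather than any real payload. Splunk matches field values case-insensitively, so the wildcard filter lower-cases both sides.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed Sysmon process-creation style records carrying only the fields
# the Task 5 searches use. Not BOTSv1 data; the 400-character command line is
# a deliberately padded stand-in for an overly long command, not a real one.
SAMPLE_EVENTS = [
    {"Computer": "wrk-host1.example.local", "User": "EXAMPLE\\alice",
     "process": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c dir C:\\Users\\alice\\Documents"},
    {"Computer": "wrk-host1.example.local", "User": "EXAMPLE\\alice",
     "process": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"Computer": "srv-web1.example.local", "User": "NT AUTHORITY\\SYSTEM",
     "process": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "cmd.exe /c " + "X" * 400},  # constructed overly long command
    {"Computer": "srv-web1.example.local", "User": "NT AUTHORITY\\SYSTEM",
     "process": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "cmd.exe /c type C:\\inetpub\\logs\\readme.txt"},
]


def values_by(events, value_field, *group_fields):
    """stats values(<value_field>) by <group_fields>.

    Splunk's values() returns the distinct values of a field per group in
    lexicographic order; the result here is {group_tuple: sorted unique values}.
    """
    groups = defaultdict(set)
    for e in events:
        groups[tuple(e[f] for f in group_fields)].add(e[value_field])
    return {k: sorted(v) for k, v in groups.items()}


def where_process(events, pattern):
    """Field filter with a Splunk-style wildcard, e.g. process=*cmd.exe.

    Splunk compares field values case-insensitively, so both sides are lowered.
    """
    pattern = pattern.lower()
    return [e for e in events if fnmatchcase(e["process"].lower(), pattern)]


def commands_by_length(events, pattern="*cmd.exe"):
    """process=<pattern> | eval len=len(CommandLine) | table User, len, CommandLine | sort -len."""
    rows = [(e["User"], len(e["CommandLine"]), e["CommandLine"])
            for e in where_process(events, pattern)]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    print("ParentImage values by process:")
    for (proc,), parents in values_by(SAMPLE_EVENTS, "ParentImage", "process").items():
        print(f"  {proc}: {parents}")
    print("CommandLine values by Computer, process:")
    for (host, proc), cmds in values_by(SAMPLE_EVENTS, "CommandLine", "Computer", "process").items():
        print(f"  {host} {proc}: {len(cmds)} distinct command line(s)")
    print("cmd.exe commands, longest first:")
    for user, length, cmd in commands_by_length(SAMPLE_EVENTS):
        print(f"  {length:5} {user:22} {cmd[:60]}")
```

Run as a script it prints the parent images seen for each process, the number of distinct command lines per host and process, and the cmd.exe rows sorted by length with the padded 411-character command at the top, which is the row the Bonus 2 search would surface. Sorting by length is a cheap triage heuristic; in practice the parent image (services.exe spawning cmd.exe on a web server, as in the constructed data) is at least as useful a signal as the length itself.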
That overly long cmd.exe command certainly looks malicious!