topic How to write a regex to cover few options? in Splunk Search

How to write a regex to cover few options?

DanAlexander — Thu, 22 Jun 2023 10:51:32 GMT

Hi people,

I need help designing a regex that will cover the below strings, please.

------------------------------------------------------------------------------

wmic useraccount get /ALL /format:csv

wmic process get caption,executablepath,commandline /format:csv

wmic qfe get description,installedOn /format:csv

wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")

wmic process call create #{process_to_execute}

wmic process where name='#{process_to_execute}' delete >nul 2>&1

wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute}

wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1

wmic /node:#{node} process call create "rundll32.exe #{dll_to_execute} #{function_to_execute}"

wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall

----------------------------------------------------------------

Thank you!

Re: Need a regex to cover few options

gcusello — Wed, 21 Jun 2023 08:41:24 GMT

Hi @DanAlexander,

let me understand:

these are the full events or part of the that you want to extract?

could you share the full events, highlighting the fields to extract?

Ciao.

Giuseppe

Re: Need a regex to cover few options

DanAlexander — Wed, 21 Jun 2023 08:46:16 GMT

Thanks for the swift reply @gcusello

Let me put more context on what I am trying to achieve.

All the above strings represent Atomic-Red-Team pen test exercises.

Instead of having 10 notables I am trying to collate them all into a single notable that can catch and alert on any of the CMD commands above executed on an endpoint. I have SysMon up and running for testing.

Thank you

Re: Need a regex to cover few options

gcusello — Wed, 21 Jun 2023 09:17:42 GMT

Hi @DanAlexander,

ok, but I don't see a timestamp in each event and there isn't any value to use as key to group events.

Are they the full events or a part of them, if they aren't the full events, please share them,

otherwise, are they in the same source file?
in other words, what can I use to group them?

Ciao.

Giuseppe

Re: Need a regex to cover few options

DanAlexander — Wed, 21 Jun 2023 09:20:36 GMT

Apologies, @gcusello

I should have been more clear.

These are CMD command line executables. They are not events

I am trying to create a notable containing regex that would catch on all attempts from the "bad" guys braking into the network.

I am attempting to create a search and convert it into a notable

Thank you

Re: Need a regex to cover few options

gcusello — Wed, 21 Jun 2023 09:26:38 GMT

Hi @DanAlexander,

ok, let me understand: do you already have these commands as events or do you need to catch them and transform them in events that can be searched using a search?

If you already have, please share the raw logs.

If you haven't, I don't know how to help you, maybe Splunk Stream or the firewall logs can catch these messages in the network traffic.

Ciao.

Giuseppe

Re: Need a regex to cover few options

DanAlexander — Wed, 21 Jun 2023 09:32:37 GMT

Let me simplify it, please

Imagine I am the bad guy seating end executing these commands against my machine.

I need to get alerts about each malicious attempt.

The command lines are not events nor logs, they do not exist.

After creating a single notable to alert then I can fire up these commands to test if the notable alerts really.

Re: Need a regex to cover few options

gcusello — Wed, 21 Jun 2023 09:45:56 GMT

Hi @DanAlexander,

as I said, you are in a previous moment then the alert creation: you have to understand how to catch the commands from your workstation.

If e.g. you are on a linux system, you could read the history files catching in this way all the used commands so you can search them in an alert (using the Splunk_TA-Linux and enabling the history capture).

In which environment do you want to trace commands?

you have to analyze the environment you're using to understand how to trace commands.

I'll try to help you, but probably I will not able, but I'll try!

Ciao.

Giuseppe

Re: Need a regex to cover few options

DanAlexander — Wed, 21 Jun 2023 09:56:53 GMT

Thanks, @gcusello

Let us approach this from a different angle.

Would you be able to put all the searches as they are in maybe regex101 and create a regex that can match them all if that is possible, please?

Thank you

Re: Need a regex to cover few options

gcusello — Wed, 21 Jun 2023 10:00:11 GMT

Hi @DanAlexander,

as I said, without the full events (raw logs) it isn't possible to create a regex.

In addition, you should indicate what you need to extract from the raw logs.

Ciao.

Giuseppe