G'day,
Can someone please help me to understand how I can find the powershell commands (if any) an adversary has run on the system through Splunk data? I have all the windows security and powershell logs available. Just not sure how to do up a query that would not just find but also list the full ps command when it finds one.
Danke!
So if i ran this command:
(index=wineventlog sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR tag=process) process=*powershell* (CommandLine="*-EncodedCommand*" OR CommandLine="*-enc*") | eval command_hash=md5(CommandLine) | lookup CommandLine_whitelist command_hash OUTPUTNEW command_hash AS isFound | where isnull(command_hash)
where would i be putting the CommandLine_whitelist file? Which location/tab etc?
I understand that CommandLine_whitelist will contain (as per that eg above):
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noninteractive -noprofile -encodedCommand RwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFUAbgBpAG4AcwB0AGEAbABsAFwAKgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4ARABpAHMAcABsAGEAeQBOAGEAbQBlAC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAIAAtAGEAbgBkACAAJABfAC4AUABTAEMAaABpAGwAZABOAGEAbQBlAC4AbABlAG4AZwB0AGgAIAAtAGwAdAAgADMAOQAgAC0AYQBuAGQAIAAkAF8ALgBVAG4AaQBuAHMAdABhAGwAbABTAHQAcgBpAG4AZwAgAC0AbABpAGsAZQAgACIAKgBtAHMAaQBlAHgAZQBjACoAIgB9ACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIABEAGkAcwBwAGwAYQB5AE4AYQBtAGUALAAgAFAAUwBDAGgAaQBsAGQATgBhAG0AZQAsACAARABpAHMAcABsAGEAeQBWAGUAcgBzAGkAbwBuACwAIABJAG4AcwB0AGEAbABsAEQAYQB0AGUAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAEAAewBOAGEAbQBlAD0AJwBBAHAAcAAgAE4AYQBtAGUAJwA7AEUAeAA9AHsAJABfAC4ARABpAHMAcABsAGEAeQBOAGEAbQBlAH0AfQAsAGAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQAB7AE4AYQBtAGUAPQAYIFAAcgBvAGQAdQBjAHQAIABDAG8AZABlABggOwBFAHgAcAByAGUAcwBzAGkAbwBuAD0AewAkAF8ALgBQAFMAQwBoAGkAbABkAE4AYQBtAGUAfQB9ACwAYAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABAAHsATgBhAG0AZQA9ABggVgBlAHIAcwBpAG8AbgAZIDsARQB4AHAAcgBlAHMAcwBpAG8AbgA9AHsAJABfAC4ARABpAHMAcABsAGEAeQBWAGUAcgBzAGkAbwBuAH0AfQAsAGAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQAB7AE4AYQBtAGUAPQAYIEkAbgBzAHQAYQBsAGwAZQBkACAATwBuABkgOwBFAHgAcAByAGUAcwBzAGkAbwBuAD0AewAkAF8ALgBJAG4AcwB0AGEAbABsAEQAYQB0AGUAfQB9ACAAfAAgAFMAbwByAHQAIAAnAEEAcABwACAATgBhAG0AZQAnAA== -inputFormat xml -outputFormat xml
Danke!
What is your goal?
Perhaps you can state what you are trying to achieve here - as it stands your SPL will not do what it appears you are trying to do, i.e. find non-whitelisted command hashes.
As far as lookups are concerned - go to Settings->Lookups and you can upload CSV lookup files. Note that a lookup definition is an abstraction on top of the file. Without the .csv in your example, it appears you are trying to use a definition - also accessed by the same menu option.
As per my initial question...
Trying to find any powershell commands that were run on any system in the splunk data. If the command is found, show the complete command.
OK, so then from that command you tried to run, what did you learn about your data. Did it find anything? If you run the first line of that query, did it give you any results.
Take a look in the left hand column of the Splunk display if you run the search in verbose mode. What fields can you see, what information can you learn from that?
In order to be able to help you, we need to understand what you are trying, what results you are getting and what your data looks like - at the moment, I am working in the dark.
Can you share more about any searches you have run so far and what results you have from those searches.
Thank you. I found that indeed. However, thought asking here might be quicker than scrolling through so much of that stuff 🙂
What have you tried so far? A quick search in answers gives this example which is searching for powershell
https://community.splunk.com/t5/Splunk-Enterprise-Security/Inputlookup-Not-matching-Data/m-p/377433
so much will depend on what you are trying to do and what your data looks like in your environment.
A good place to look for example queries is in the Splunk research docs
https://research.splunk.com/detections/
You can search for powershell and there are lots of examples that may be related to your use case.