Splunk Enterprise Security

Where can I find powershell commands?

Pundittech
Loves-to-Learn Lots

G'day,

Can someone please help me to understand how I can find the powershell commands (if any) an adversary has run on the system through Splunk data? I have all the windows security and powershell logs available. Just not sure how to do up a query that would not just find but also list the full  ps command when it finds one.

Danke!

Labels (1)
Tags (1)
0 Karma

Pundittech
Loves-to-Learn Lots

So if i ran this command:

(index=wineventlog sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR tag=process) process=*powershell* (CommandLine="*-EncodedCommand*" OR CommandLine="*-enc*") 
| eval command_hash=md5(CommandLine) 
| lookup CommandLine_whitelist command_hash OUTPUTNEW command_hash  AS isFound 
| where isnull(command_hash)

where would i be putting the CommandLine_whitelist file? Which location/tab etc? 

I understand that CommandLine_whitelist will contain (as per that eg above):

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noninteractive -noprofile -encodedCommand RwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFUAbgBpAG4AcwB0AGEAbABsAFwAKgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4ARABpAHMAcABsAGEAeQBOAGEAbQBlAC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAIAAtAGEAbgBkACAAJABfAC4AUABTAEMAaABpAGwAZABOAGEAbQBlAC4AbABlAG4AZwB0AGgAIAAtAGwAdAAgADMAOQAgAC0AYQBuAGQAIAAkAF8ALgBVAG4AaQBuAHMAdABhAGwAbABTAHQAcgBpAG4AZwAgAC0AbABpAGsAZQAgACIAKgBtAHMAaQBlAHgAZQBjACoAIgB9ACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIABEAGkAcwBwAGwAYQB5AE4AYQBtAGUALAAgAFAAUwBDAGgAaQBsAGQATgBhAG0AZQAsACAARABpAHMAcABsAGEAeQBWAGUAcgBzAGkAbwBuACwAIABJAG4AcwB0AGEAbABsAEQAYQB0AGUAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAEAAewBOAGEAbQBlAD0AJwBBAHAAcAAgAE4AYQBtAGUAJwA7AEUAeAA9AHsAJABfAC4ARABpAHMAcABsAGEAeQBOAGEAbQBlAH0AfQAsAGAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQAB7AE4AYQBtAGUAPQAYIFAAcgBvAGQAdQBjAHQAIABDAG8AZABlABggOwBFAHgAcAByAGUAcwBzAGkAbwBuAD0AewAkAF8ALgBQAFMAQwBoAGkAbABkAE4AYQBtAGUAfQB9ACwAYAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABAAHsATgBhAG0AZQA9ABggVgBlAHIAcwBpAG8AbgAZIDsARQB4AHAAcgBlAHMAcwBpAG8AbgA9AHsAJABfAC4ARABpAHMAcABsAGEAeQBWAGUAcgBzAGkAbwBuAH0AfQAsAGAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQAB7AE4AYQBtAGUAPQAYIEkAbgBzAHQAYQBsAGwAZQBkACAATwBuABkgOwBFAHgAcAByAGUAcwBzAGkAbwBuAD0AewAkAF8ALgBJAG4AcwB0AGEAbABsAEQAYQB0AGUAfQB9ACAAfAAgAFMAbwByAHQAIAAnAEEAcABwACAATgBhAG0AZQAnAA== -inputFormat xml -outputFormat xml

 Danke!

0 Karma

bowesmana
SplunkTrust
SplunkTrust

What is your goal?

Perhaps you can state what you are trying to achieve here - as it stands your SPL will not do what it appears you are trying to do, i.e. find non-whitelisted command hashes.

As far as lookups are concerned - go to Settings->Lookups and you can upload CSV lookup files. Note that a lookup definition is an abstraction on top of the file. Without the .csv in your example, it appears you are trying to use a definition - also accessed by the same menu option.

 

 

 

0 Karma

Pundittech
Loves-to-Learn Lots

As per my initial question...

Trying to find any powershell commands that were run on any system in the splunk data. If the command is found, show the complete command.

0 Karma

bowesmana
SplunkTrust
SplunkTrust

OK, so then from that command you tried to run, what did you learn about your data. Did it find anything? If you run the first line of that query, did it give you any results.

Take a look in the left hand column of the Splunk display if you run the search in verbose mode. What fields can you see, what information can you learn from that?

In order to be able to help you, we need to understand what you are trying, what results you are getting and what your data looks like - at the moment, I am working in the dark.

Can you share more about any searches you have run so far and what results you have from those searches.

 

0 Karma

Pundittech
Loves-to-Learn Lots

Thank you. I found that indeed. However, thought asking here might be quicker than scrolling through so much of that stuff 🙂

0 Karma

bowesmana
SplunkTrust
SplunkTrust

What have you tried so far? A quick search in answers gives this example which is searching for powershell

https://community.splunk.com/t5/Splunk-Enterprise-Security/Inputlookup-Not-matching-Data/m-p/377433

so much will depend on what you are trying to do and what your data looks like in your environment.

 

0 Karma

bowesmana
SplunkTrust
SplunkTrust

A good place to look for example queries is in the Splunk research docs

https://research.splunk.com/detections/

You can search for powershell and there are lots of examples that may be related to your use case.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...