Re: Help on SPL for Lateral Movement

john-doe · ‎05-20-2023

Hello Folks,

I am new with Splunk.

I am looking to build a query to detect lateral movement using Windows Service creation.

I want to check for following pattern:

EventCode 4624 followed by EventCode 4697 or 7045.

EventCode 4624 followed by EventCode 7036.

How can I write a query to detect such patterns?

ITWhisperer · ‎05-20-2023

Try something like this

<your index> EventCode=4624 OR EventCode=4697 OR EventCode=7045 OR EventCode=7036
| sort 0 _time
| streamstats global=f current=f window=2 last(EventCode) as previousEventCode by ComputerName
| where previousEventCode=4624 AND (EventCode=4697 OR EventCode=7045 OR EventCode=7036)

jonny_doe · ‎05-20-2023

Given search is unable to find the pattern.

I tried with PsExec logs

ITWhisperer · ‎05-20-2023

If you want more help, you may have to share more information, like what your events look like, what fields do you already have extracted, what does your current search look like, what results are you currently getting? My mind-reading license was suspended last month due to a misunderstanding with an African Prince!

Help on SPL for Lateral Movement?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation