Hi people,
I need help designing a regex that will cover the below strings, please.
------------------------------------------------------------------------------
wmic useraccount get /ALL /format:csv
wmic process get caption,executablepath,commandline /format:csv
wmic qfe get description,installedOn /format:csv
wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")
wmic process call create #{process_to_execute}
wmic process where name='#{process_to_execute}' delete >nul 2>&1
wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute}
wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name='#{process_to_execute}' delete >nul 2>&1
wmic /node:#{node} process call create "rundll32.exe #{dll_to_execute} #{function_to_execute}"
wmic /node:"#{node}" product where "name like '#{product}%%'" call uninstall
----------------------------------------------------------------
Thank you!
Hi @DanAlexander,
let me understand:
Are these the full events, or part of them, that you want to extract from?
Could you share the full events, highlighting the fields to extract?
Ciao.
Giuseppe
Thanks for the swift reply @gcusello
Let me put more context on what I am trying to achieve.
All the above strings represent Atomic-Red-Team pen test exercises.
Instead of having 10 notables, I am trying to collate them all into a single notable that can catch and alert on any of the CMD commands above being executed on an endpoint. I have Sysmon up and running for testing.
Thank you
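One way to build and test the single pattern asked for above, as an added example that is not part of this thread: a Python regex covering the ten wmic command shapes listed, run over constructed Sysmon Event ID 1 CommandLine values (the #{...} placeholders are filled with made-up hosts and process names, and two benign wmic queries are included to show what must not fire).

```python
import re

# One pattern covering the ten wmic command shapes from the question. Global
# switches (/node, /user, /password) are optional and may repeat; the named
# groups record which kind of activity matched.
WMIC_RE = re.compile(r'''
    \bwmic(?:\.exe)?"?\s+                      # wmic or a quoted "...\WMIC.exe" path
    (?:/[^\s"]*(?:"[^"]*"[^\s"]*)*\s+)*        # any number of /switch:value, value may be quoted
    (?:
        (?P<enum>(?:useraccount|process|qfe)\s+get\b)            # useraccount/process/qfe get ...
      | (?P<service_enum>service\s+where\b)                      # service where (caption like ...)
      | (?P<exec>process\s+call\s+create\b)                      # process call create <cmd>
      | (?P<kill>process\s+where\b.*?\bdelete\b)                 # process where name='x' delete
      | (?P<uninstall>product\s+where\b.*?\bcall\s+uninstall\b)  # product where "..." call uninstall
    )
''', re.IGNORECASE | re.VERBOSE)

# Pulls the target host out of /node:host or /node:"host" when the call is remote.
NODE_RE = re.compile(r'/node:"?(?P<host>[^\s"]+)', re.IGNORECASE)

def classify(cmdline):
    """Return (category, remote_host or None) for a matching CommandLine, else None."""
    m = WMIC_RE.search(cmdline)
    if not m:
        return None
    node = NODE_RE.search(cmdline)
    return m.lastgroup, (node.group("host") if node else None)

def scan(cmdlines):
    """Run the detection over CommandLine values and keep only the hits."""
    return [(line,) + r for line in cmdlines if (r := classify(line))]

# Constructed Sysmon Event ID 1 CommandLine values (not real telemetry).
SAMPLES = [
    'wmic useraccount get /ALL /format:csv',
    'wmic process get caption,executablepath,commandline /format:csv',
    'wmic qfe get description,installedOn /format:csv',
    'wmic /node:"WS01" service where (caption like "%Spooler%")',
    'wmic process call create notepad.exe',
    "wmic process where name='notepad.exe' delete >nul 2>&1",
    'wmic /user:LAB\\admin /password:Passw0rd! /node:"WS01" process call create calc.exe',
    'wmic /node:WS01 process call create "rundll32.exe C:\\tmp\\x.dll Run"',
    'wmic /node:"WS01" product where "name like \'Acme%%\'" call uninstall',
    '"C:\\Windows\\System32\\wbem\\WMIC.exe" os get caption /format:list',   # benign, must not fire
    'wmic cpu get name',                                                      # benign, must not fire
]

if __name__ == "__main__":
    for line, category, host in scan(SAMPLES):
        print(f"{category:<13} remote={host or '-':<5} {line}")
```

The same pattern (with the comments stripped) is PCRE-compatible and can be used in a Splunk `| regex CommandLine="..."` clause over Sysmon Event ID 1 data once those events are indexed.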
Hi @DanAlexander,
OK, but I don't see a timestamp in each event, and there isn't any value to use as a key to group events.
Are they the full events or a part of them? If they aren't the full events, please share them;
otherwise, are they in the same source file?
In other words, what can I use to group them?
Ciao.
Giuseppe
Apologies, @gcusello
I should have been more clear.
These are CMD command-line executables. They are not events.
I am trying to create a notable containing a regex that would catch all attempts from the "bad" guys breaking into the network.
I am attempting to create a search and convert it into a notable.
Thank you
Hi @DanAlexander,
OK, let me understand: do you already have these commands as events, or do you need to catch them and transform them into events that can be searched?
If you already have, please share the raw logs.
If you haven't, I don't know how to help you, maybe Splunk Stream or the firewall logs can catch these messages in the network traffic.
Ciao.
Giuseppe
Let me simplify it, please
Imagine I am the bad guy sitting and executing these commands against my machine.
I need to get alerts about each malicious attempt.
The command lines are not events nor logs, they do not exist.
After creating a single notable to alert, I can then fire up these commands to test whether the notable really alerts.
Hi @DanAlexander,
as I said, you are at an earlier stage than the alert creation: you have to understand how to catch the commands from your workstation.
If, e.g., you are on a Linux system, you could read the history files, catching in this way all the used commands so you can search them in an alert (using the Splunk_TA-Linux and enabling the history capture).
In which environment do you want to trace commands?
You have to analyze the environment you're using to understand how to trace commands.
I'll try to help you, but probably I will not be able to; still, I'll try!
Ciao.
Giuseppe
Thanks, @gcusello
Let us approach this from a different angle.
Would you be able to put all the searches as they are into maybe regex101 and create a regex that can match them all, if that is possible, please?
Thank you
Hi @DanAlexander,
as I said, without the full events (raw logs) it isn't possible to create a regex.
In addition, you should indicate what you need to extract from the raw logs.
Ciao.
Giuseppe