Splunk Search

Is there a way to create a transaction that contains 4 actions?

janiceb
Path Finder

Good Morning,

I am trying to create a transaction that will search my logs for hosts that perform the following:

  1. Start by opening a file(doc or pdf)
  2. Execute a command prompt
  3. perform action C
  4. perform action C again

So far I have something like:

LogType=Mylogs | transaction host startswith=CreatorProcessName="WINWORD" endswith=BaseFileName="chrome.exe"

With the above command, I am about to see hosts that have opened a Word document and ended by opening a chrome browser, however, I am unable to see that the host met all 4 actions of (1) opening Word (2) opening a command prompt (3) opening a chrome browser (4) opening another chrome browser. How do I edit my search to also include the actions in between, number 2 and 3?

Thanks

Tags (1)
0 Karma

woodcock
Esteemed Legend

Ditch transaction and try this:

LogType=Mylogs | streamstats current=t count(eval(BaseFileName="powershell.exe")) AS SessionID by host | sort host SessionID

Or this (should be synonymous if every event has a proper start and end event):

LogType=Mylogs | reverse | streamstats current=t count(eval(CreatorProcessName="WINWORD")) AS SessionID by host | sort host SessionID
0 Karma

janiceb
Path Finder

Thanks so much for your reply. I am not as familiar with the streamstats command so I will have to study it more. I am also not sure I explained things correctly. What I am trying to do is detect any hosts that may have been infected with PowerWare ransomeware. I know that this host activity may include opening a Word document, which has an embedded macro to execute the command prompt. After which, there are two instances of powershell that are executed.

What I am trying to do is detect when a user opens a Word doc, gets a command prompt, and then two instances of powershell. I was able to come up with this:

LogType=WindowsEventLog OR LogType=WLS | transaction host startswith=CreatorProcessName="WINWORD" endswith=BaseFileName="powershell.exe" 

However, the above doesn't specify the cmd.exe or the second instance of Powershell. If someone were to actually execute this PowerRare, I believe my alert will catch it, but it lacks the specification to include all of those events specifically.

Thanks,

Janice

0 Karma

woodcock
Esteemed Legend

I re-edited my answer to give 2 options for the same thing. I think the one with reverse will help you best. You can also tack on to the end of each command this, which will probably help you even more (it will create many multi-value fields):

... | stats values(*) AS * BY SessionID host

Then you can tack on something like this:

... | search CreatorProcessName="WINWORD"

So my suggested complete solution is this:

LogType=Mylogs | streamstats current=t count(eval(BaseFileName="powershell.exe")) AS SessionID by host | sort host SessionID | stats values(*) AS * BY SessionID host | search CreatorProcessName="WINWORD"
0 Karma

janiceb
Path Finder

Thanks so much for your help!

0 Karma

woodcock
Esteemed Legend

So did it work out?

0 Karma

janiceb
Path Finder

I still didn't get it to work out for me. I entered the following, ran the test file and didn't get any alert. However, I just decided to use the basic transaction one that I initially made which will alert me if two of the requirements are met, but I will just have to follow up with additional analysis. Thanks for your help!

LogType=Mylogs | streamstats current=t count(eval(BaseFileName="powershell.exe")) AS SessionID by host | sort host SessionID | stats values(*) AS * BY SessionID host | search CreatorProcessName="WINWORD" | search BaseFileName="cmd.exe"

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...