Splunk Search

Map, Join or ... ??

un1claudiu
Observer

Hello community,

I tried to find an answer to my problem, but it seems I'm incapable of finding it, so I will be posting it here :). First, my search is based on the Windows Event ID 4663 (https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4663) and I am trying to do the following:

1. find all the ObjectName values with AccessMask IN(0x2,0x4,0x6) that have EXE, DLL, SYS or OCX extensions

2. from 1. take the corresponding ProcessName (which created the ObjectName) and import it into a new search

3. the new search has to replace the values of ProcessName with ObjectName in 4663 and re-iterate the 1. searches.

4. output in a table the time of/and ObjectName (1.) creation and both the process creators (for ObjectName and the ProcessName from 2.)

I know, it is a little messy, but what I am trying to find is a malware Dropper: a freshly written executable (usually) that would further write other binaries.

Here are my two attempts at this:

5. with join, which surprisingly is faster

index=* earliest=-3h latest=now sourcetype=xmlwineventlog EventCode=4663 AccessMask IN(0x2,0x4,0x6) (ObjectName=*\.cab OR ObjectName=*\.dll OR ObjectName=*\.exe OR ObjectName=*\.ocx OR ObjectName=*\.sys OR ObjectName=*\.bat)
| rename ObjectName AS PayloadCreated ProcessName AS Dropper
| join Dropper [search index=64388 earliest=-1d latest=now sourcetype=XmlWinEventLog EventCode=4663 AccessMask IN(0x2,0x4,0x6) (ObjectName=*\.dll OR ObjectName=*\.exe OR ObjectName=*\.ocx OR ObjectName=*\.sys) | rename ObjectName AS Dropper]
| table _time Computer SubjectUserName SubjectLogonId SubjectUserSid ProcessName ProcessId Dropper PayloadCreated

6. with map, which due to the large number of results for ObjectName in search 1. is reaaaallly slow (obligated to stop and delete the job after 5 min) and gives some duplicates (except for _time)

index=* sourcetype=XmlWinEventLog EventCode=4663 AccessMask IN(0x2,0x4,0x6) (ObjectName=*\.cab OR ObjectName=*\.dll OR ObjectName=*\.exe OR ObjectName=*\.ocx OR ObjectName=*\.sys OR ObjectName=*\.bat OR ObjectName=*\.dat OR ObjectName=*\.pdb OR ObjectName=*\.sdb)
| rename ObjectName AS PayloadCreated ProcessName AS Dropper
| map maxsearches=999 search="search index=* sourcetype=XmlWinEventLog EventCode=4663 AccessMask IN(0x2,0x4,0x6) ObjectName=$Dropper$ | eval PayloadCreated=$PayloadCreated$, Dropper=$Dropper$"
| table _time Computer SubjectUserName SubjectLogonId SubjectUserSid ProcessName ProcessId Dropper PayloadCreated
 
Is there any function or workaround for this?
 
Thank you all.
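One way to get the write chain without map or join is a self-join via stats in a single search, added here as an example and not taken from the original post: each 4663 event is emitted twice, once keyed by the file it wrote (role "w") and once keyed by the process that wrote it (role "r"), so a path that shows up in both roles on the same host is a freshly written binary that then wrote binaries itself. The field names role, key, other, t, dropper_creator and payloads_written are my own; the search assumes the events carry ObjectName, ProcessName and Computer as in the searches above.

```spl
index=* earliest=-1d latest=now sourcetype=XmlWinEventLog EventCode=4663 AccessMask IN(0x2,0x4,0x6)
    (ObjectName=*.exe OR ObjectName=*.dll OR ObjectName=*.sys OR ObjectName=*.ocx)
| eval obj=lower(ObjectName), proc=lower(ProcessName)
| eval pair=mvappend("w|".obj."|".proc."|".round(_time), "r|".proc."|".obj."|".round(_time))
| fields Computer pair
| mvexpand pair
| rex field=pair "^(?<role>[wr])\|(?<key>[^|]+)\|(?<other>[^|]+)\|(?<t>\d+)$"
| stats min(eval(if(role="w", t, null()))) AS dropper_written_at
        values(eval(if(role="w", other, null()))) AS dropper_creator
        min(eval(if(role="r", t, null()))) AS first_payload_at
        values(eval(if(role="r", other, null()))) AS payloads_written
        BY Computer key
| where isnotnull(dropper_creator) AND isnotnull(payloads_written) AND first_payload_at >= dropper_written_at
| eval dropper_written_at=strftime(dropper_written_at, "%Y-%m-%d %H:%M:%S")
| rename key AS Dropper
| table Computer dropper_written_at dropper_creator Dropper payloads_written
```

Computer is in the BY clause so a path is only matched with itself on the same host, and the final where keeps only binaries that were written before their first payload write; a pipe is used as the separator because it cannot appear in a Windows path.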