Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Pundittech
Pundittech
Loves-to-Learn Lots
Member since:
08-30-2022
03-22-2023
Community Statistics
| Posts | 6 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 08-30-2022 |
Activity Feed
- Posted Re: Finding powershell commands on Splunk Enterprise Security. 03-13-2023 08:40 PM
- Posted Re: Finding powershell commands on Splunk Enterprise Security. 03-13-2023 07:31 PM
- Posted Re: Finding powershell commands on Splunk Enterprise Security. 03-13-2023 05:48 PM
- Posted Where can I find powershell commands? on Splunk Enterprise Security. 03-13-2023 05:17 PM
- Tagged Where can I find powershell commands? on Splunk Enterprise Security. 03-13-2023 05:17 PM
- Posted Re: how to extract usernames from windows event log 4648 in splunk on Splunk Search. 02-09-2023 02:29 AM
- Posted How to extract usernames from Windows event log 4648 in Splunk? on Splunk Search. 02-08-2023 10:03 PM
- Tagged How to extract usernames from Windows event log 4648 in Splunk? on Splunk Search. 02-08-2023 10:03 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
03-13-2023
08:40 PM
As per my initial question... Trying to find any powershell commands that were run on any system in the splunk data. If the command is found, show the complete command.
... View more
03-13-2023
07:31 PM
So if i ran this command: (index=wineventlog sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR tag=process) process=*powershell* (CommandLine="*-EncodedCommand*" OR CommandLine="*-enc*")
| eval command_hash=md5(CommandLine)
| lookup CommandLine_whitelist command_hash OUTPUTNEW command_hash AS isFound
| where isnull(command_hash) where would i be putting the CommandLine_whitelist file? Which location/tab etc? I understand that CommandLine_whitelist will contain (as per that eg above): "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noninteractive -noprofile -encodedCommand RwBlAHQALQBJAHQAZQBtAFAAcgBvAHAAZQByAHQAeQAgAEgASwBMAE0AOgBcAFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAVwBpAG4AZABvAHcAcwBcAEMAdQByAHIAZQBuAHQAVgBlAHIAcwBpAG8AbgBcAFUAbgBpAG4AcwB0AGEAbABsAFwAKgAgAHwAIABXAGgAZQByAGUALQBPAGIAagBlAGMAdAAgAHsAJABfAC4ARABpAHMAcABsAGEAeQBOAGEAbQBlAC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAIAAtAGEAbgBkACAAJABfAC4AUABTAEMAaABpAGwAZABOAGEAbQBlAC4AbABlAG4AZwB0AGgAIAAtAGwAdAAgADMAOQAgAC0AYQBuAGQAIAAkAF8ALgBVAG4AaQBuAHMAdABhAGwAbABTAHQAcgBpAG4AZwAgAC0AbABpAGsAZQAgACIAKgBtAHMAaQBlAHgAZQBjACoAIgB9ACAAfAAgAFMAZQBsAGUAYwB0AC0ATwBiAGoAZQBjAHQAIABEAGkAcwBwAGwAYQB5AE4AYQBtAGUALAAgAFAAUwBDAGgAaQBsAGQATgBhAG0AZQAsACAARABpAHMAcABsAGEAeQBWAGUAcgBzAGkAbwBuACwAIABJAG4AcwB0AGEAbABsAEQAYQB0AGUAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAEAAewBOAGEAbQBlAD0AJwBBAHAAcAAgAE4AYQBtAGUAJwA7AEUAeAA9AHsAJABfAC4ARABpAHMAcABsAGEAeQBOAGEAbQBlAH0AfQAsAGAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQAB7AE4AYQBtAGUAPQAYIFAAcgBvAGQAdQBjAHQAIABDAG8AZABlABggOwBFAHgAcAByAGUAcwBzAGkAbwBuAD0AewAkAF8ALgBQAFMAQwBoAGkAbABkAE4AYQBtAGUAfQB9ACwAYAANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIABAAHsATgBhAG0AZQA9ABggVgBlAHIAcwBpAG8AbgAZIDsARQB4AHAAcgBlAHMAcwBpAG8AbgA9AHsAJABfAC4ARABpAHMAcABsAGEAeQBWAGUAcgBzAGkAbwBuAH0AfQAsAGAADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAQAB7AE4AYQBtAGUAPQAYIEkAbgBzAHQAYQBsAGwAZQBkACAATwBuABkgOwBFAHgAcAByAGUAcwBzAGkAbwBuAD0AewAkAF8ALgBJAG4AcwB0AGEAbABsAEQAYQB0AGUAfQB9ACAAfAAgAFMAbwByAHQAIAAnAEEAcABwACAATgBhAG0AZQAnAA== -inputFormat xml -outputFormat xml Danke!
... View more
03-13-2023
05:48 PM
Thank you. I found that indeed. However, thought asking here might be quicker than scrolling through so much of that stuff 🙂
... View more
03-13-2023
05:17 PM
G'day,
Can someone please help me to understand how I can find the powershell commands (if any) an adversary has run on the system through Splunk data? I have all the windows security and powershell logs available. Just not sure how to do up a query that would not just find but also list the full ps command when it finds one.
Danke!
... View more
- Tags:
- powershell
Labels
- Labels:
-
other
02-09-2023
02:29 AM
@gcuselloI sent you a PM. Thanks
... View more
02-08-2023
10:03 PM
hi
Have a large index that contains event logs. Trying to extract usernames of EventID 4648.
How can I get this displayed along with the computer name it logged into?
Thanks in advance.
... View more
- Tags:
- 4648
Labels
- Labels:
-
field extraction
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-22-2023
01:28 AM
|
