Splunk Search

Lateral Movement Windows Logs

splunkcol
Contributor

Hello there,

I have spent a good time researching lateral movement in Splunk, unfortunately I have not found much.

I have only seen answers suggesting to review the use cases of the Splunk Security Essentials APP but this use case on said app is based on Sysmon logs and I am only collecting the Security and Application logs using the Agent.

I also see very old responses where fields mention fields as "user" when currently called "Account_Name"

I would appreciate if someone can give me any suggestions to try to identify possible Lateral movements.

i found this

index=main sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4672) Logon_Type=3 NOT Account_Name="*$" NOT Account_Name="ANONYMOUS LOGON" 

 

Labels (4)
0 Karma
1 Solution

gcusello
Esteemed Legend

Hi @splunkcol,

In Splunk Security Essentials App, there's a sample of how to find lateral movements.

You should translate the example on your real data, in other words:

  • You have to find the relative field names in bothe the logs (e.g. in syslog there's "user" and in Wineventlog there's "Account_name".
  • than you have to follow the lateral movement logic in syslogs and Winevenlog to create you own search.

Security Essentials is a fantastic app to use as a starting point to create your own searches, it isn't a ready-to-use app, if you need this, you have to buy (it's a Premium App) Splunk Enterprise Security.

Ciao.

Giuseppe

View solution in original post

0 Karma

gcusello
Esteemed Legend

Hi @splunkcol,

In Splunk Security Essentials App, there's a sample of how to find lateral movements.

You should translate the example on your real data, in other words:

  • You have to find the relative field names in bothe the logs (e.g. in syslog there's "user" and in Wineventlog there's "Account_name".
  • than you have to follow the lateral movement logic in syslogs and Winevenlog to create you own search.

Security Essentials is a fantastic app to use as a starting point to create your own searches, it isn't a ready-to-use app, if you need this, you have to buy (it's a Premium App) Splunk Enterprise Security.

Ciao.

Giuseppe

0 Karma

gcusello
Esteemed Legend

Hi @splunkcol,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...