Splunk Search

Lateral Movement Windows Logs

splunkcol
Builder

Hello there,

I have spent a good time researching lateral movement in Splunk, unfortunately I have not found much.

I have only seen answers suggesting to review the use cases of the Splunk Security Essentials APP but this use case on said app is based on Sysmon logs and I am only collecting the Security and Application logs using the Agent.

I also see very old responses where fields mention fields as "user" when currently called "Account_Name"

I would appreciate if someone can give me any suggestions to try to identify possible Lateral movements.

i found this

index=main sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4672) Logon_Type=3 NOT Account_Name="*$" NOT Account_Name="ANONYMOUS LOGON" 

 

Labels (3)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @splunkcol,

In Splunk Security Essentials App, there's a sample of how to find lateral movements.

You should translate the example on your real data, in other words:

  • You have to find the relative field names in bothe the logs (e.g. in syslog there's "user" and in Wineventlog there's "Account_name".
  • than you have to follow the lateral movement logic in syslogs and Winevenlog to create you own search.

Security Essentials is a fantastic app to use as a starting point to create your own searches, it isn't a ready-to-use app, if you need this, you have to buy (it's a Premium App) Splunk Enterprise Security.

Ciao.

Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @splunkcol,

In Splunk Security Essentials App, there's a sample of how to find lateral movements.

You should translate the example on your real data, in other words:

  • You have to find the relative field names in bothe the logs (e.g. in syslog there's "user" and in Wineventlog there's "Account_name".
  • than you have to follow the lateral movement logic in syslogs and Winevenlog to create you own search.

Security Essentials is a fantastic app to use as a starting point to create your own searches, it isn't a ready-to-use app, if you need this, you have to buy (it's a Premium App) Splunk Enterprise Security.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @splunkcol,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...