Splunk tstats example
8/17/2023

If you want to search for a specific term or phrase in your Splunk index, use the CASE() or TERM() directives to do an exact match of the entire term.

CASE
Syntax: CASE(<term>)
Description: Search for case-sensitive matches for terms and field values.

TERM
Syntax: TERM(<term>)
Description: Match whatever is inside the parentheses as a single term in the index, even if it contains characters that are usually recognized as minor breakers, such as periods or underscores.

The CASE() and TERM() directives are similar to the PREFIX() directive used with the tstats command because they match strings in your raw data. For more information about the PREFIX() directive, see tstats in the Search Reference.

By default, searches are case-insensitive. For example, if you search for Error, any case of that term is returned, such as Error, error, and ERROR. You can use the CASE directive to perform case-sensitive matches for terms and field values. For example, if you search for CASE(error), your search returns results containing only the specified case of the term, which is error. The following search only matches events that contain localhost in uppercase in the host field.

The TERM directive is useful for more efficiently searching for a term that:
- Contains minor breakers, such as periods or underscores.
- Is bound by major breakers, such as spaces or commas.

When data is indexed, characters such as periods and underscores are recognized as minor breakers between terms. Use the TERM directive to ignore the minor breakers and match whatever is inside the parentheses as a single term. For example, the IP address 127.0.0.1 contains the period (.) character. If you search for the IP address 127.0.0.1, Splunk software searches for 127 AND 0 AND 1 and returns events that contain those numbers anywhere in the event. If you specify TERM(127.0.0.1), the search treats the IP address as a single term, instead of individual numbers, and returns all events that contain the IP address 127.0.0.1.

The TERM directive only works for terms that are bounded by major breakers, but the term you are searching for cannot contain major breakers. For example, you cannot use TERM to search for Maria Dubois because there is a space between the names. This is illustrated in the examples below. When you use the TERM directive, the Splunk software expects to see the term you specify as a token in the lexicon in the. For more information about how Splunk software breaks events up into searchable segments, see About segmentation in Getting Data In. See Use the TERM directive to match terms that contain minor breakers.

Searching for TERM(127.0.0.

During the attack, two files are remotely streamed to the /tmp directory of the on-premises Linux server by the adversary. What are the names of these files? Answer guidance: Comma separated without spaces, in alphabetical order, include the file extension where applicable.

We know it’s likely that we’ll be able to find these files in the /tmp directory based on the question, so I’m going to start pretty broad here:

I immediately see some things I want to filter out:

index=botsv3 earliest=0 /tmp/*.* sourcetype!=ps sourcetype!=lsof NOT phpsessionclean

While reviewing some of the osquery data from the pack_fim_file_events query, I notice some interesting files in the “/tmp” directory that I want to investigate further:

I’ll investigate using: index=botsv3 earliest=0

One of the resulting events has the following command line value:

cmdline: "tar" "czvf" "blargh.tgz" "suitecrm.sql" "loot.txt"

We can infer from this that blargh.tgz contains the contents of both suitecrm.sql and loot.txt based on the command syntax.

I decide to reverse the order of these results to find the earliest mention of these files and am met with gigantic blobs of Base64 being saved to files in /tmp/:

index=botsv3 earliest=0 colonel.c OR definitelydontinvestigatethisfile.sh OR loot.txt OR blargh.tgz OR suitecrm.sql | reverse

You can find the answer to this question by running that query and looking at what filenames the base64 blobs are being saved to in /tmp.

Question 41 answer:
Colonel,definitelydontinvestigatethisfile.sh

Based on the information gathered for question 314, what file can be inferred to contain the attack tools? Answer guidance: Include the file extension.

In this guide, question 314 is question 40.

Based on the data from question 40, we can simply look at the uri_path field and infer the filename from there:

Question 42 answer:

index=botsv3 earliest=0 dest_port=3333

What is the first executable uploaded to the domain admin account’s compromised endpoint system? Answer guidance: Include the file extension.

I’m going to start by seeing if I can definitively determine who is a domain admin by searching through the data.

Surprisingly nothing immediately came up when searching for: index=botsv3 earliest=0
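To make the segmentation rules quoted at the top of the post concrete, here is an added toy model of index-time segmentation and of the CASE()/TERM() directives. It is example code written for this page, not Splunk code and not part of the original post: the major and minor breaker sets are assumptions loosely modelled on Splunk's defaults (the real lists live in segmenters.conf), and the three events are constructed. It shows why a plain search for 127.0.0.1 also matches an event that merely contains 127, 0 and 1 as separate numbers, why TERM(127.0.0.1) does not, and why a term containing a major breaker such as "Maria Dubois" is rejected.

```python
"""Toy model of Splunk segmentation and the CASE()/TERM() directives.
Constructed example for illustration; breaker sets are assumptions."""
import re

# Assumed breaker sets (not Splunk's exact configuration).
MAJOR = re.compile(r"[\s,;!?()\[\]{}\"'<>|&]")   # split events into terms
MINOR = re.compile(r"[./:=@\-$#%\\_]")            # split terms into sub-terms
ANY_BREAKER = re.compile(MAJOR.pattern + "|" + MINOR.pattern)


def major_terms(event):
    """Tokens bounded by major breakers; these are what TERM() can match."""
    return [t for t in MAJOR.split(event) if t]


def lexicon(event):
    """Index-time view of an event: each major term plus its minor pieces.
    In this model both levels are indexed, which is what lets TERM()
    find '127.0.0.1' while a plain search finds '127', '0' and '1'."""
    tokens = set()
    for term in major_terms(event):
        tokens.add(term)
        tokens.update(p for p in MINOR.split(term) if p)
    return tokens


def plain_search(event, query):
    """Default search: the query is segmented the same way as the data and
    every piece must be present, case-insensitively, anywhere in the event
    (so '127.0.0.1' becomes 127 AND 0 AND 0 AND 1)."""
    lex = {t.lower() for t in lexicon(event)}
    pieces = [p.lower() for p in ANY_BREAKER.split(query) if p]
    return all(p in lex for p in pieces)


def term_is_valid(term):
    """TERM() cannot contain a major breaker (e.g. the space in 'Maria Dubois')."""
    return MAJOR.search(term) is None


def term_search(event, term):
    """TERM(): the whole string must exist as one major-bounded token.
    Note the consequence for key=value data: with '=' as a minor breaker,
    TERM(127.0.0.1) does not match 'src=127.0.0.1'; TERM(src=127.0.0.1) does."""
    if not term_is_valid(term):
        raise ValueError(f"TERM() argument contains a major breaker: {term!r}")
    return term.lower() in {t.lower() for t in major_terms(event)}


def case_search(event, term):
    """CASE(): exact-case match of the term against indexed tokens."""
    return term in lexicon(event)


# Constructed sample events (not from any real data set).
EVENTS = [
    "Accepted connection from 127.0.0.1 for user maria",
    "host=LOCALHOST error: service restart 127 attempts, code 0, retry 1",
    "src=127.0.0.1 dest=10.0.0.5 action=allowed",
]


def compare(query):
    """Side-by-side result of a plain search and TERM() over EVENTS."""
    return [(plain_search(e, query), term_search(e, query)) for e in EVENTS]


if __name__ == "__main__":
    for event, (plain, term) in zip(EVENTS, compare("127.0.0.1")):
        print(f"plain={plain!s:5} TERM={term!s:5} | {event}")
```

The second event is the false positive the docs warn about: a plain search for 127.0.0.1 matches it because 127, 0 and 1 each appear somewhere, while TERM() requires the address as one token. The third event shows the "bounded by major breakers" rule applied to key=value text in this model.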
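The two behaviours found during question 41 (large Base64 blobs being written into /tmp, and a tar command bundling files into blargh.tgz) are generic enough to turn into detection logic. The following is an added example written for this page, not code from the original post or from the BOTSv3 data set: it walks osquery-style process events, flags command lines that carry a long Base64 run and redirect into /tmp, parses tar create commands to infer an archive's contents, and answers "what does blargh.tgz contain?" from the result. The JSON events, the hostname, the 64-character Base64 threshold and the column names are constructed assumptions; only the tar command line is the one quoted in the post.

```python
"""Hunt for Base64-to-/tmp writes and tar archive staging in process events.
Constructed example; events, thresholds and field names are assumptions."""
import base64
import json
import os
import re
import shlex

BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")      # 64+ chars of base64 alphabet
TMP_REDIRECT = re.compile(r">{1,2}\s*(/tmp/[^\s;&|\"']+)")  # > or >> into /tmp


def parse_tar_create(cmdline):
    """Return (archive, members) when cmdline is 'tar c..f ARCHIVE MEMBERS...'.
    Handles the classic option cluster ('czvf', '-czvf'); GNU long options
    such as --create are deliberately not handled in this example."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None
    if len(argv) < 3 or os.path.basename(argv[0]) != "tar":
        return None
    cluster = argv[1].lstrip("-")
    if "c" not in cluster or "f" not in cluster:
        return None
    return argv[2], argv[3:]


def find_base64_to_tmp(cmdline):
    """Return the /tmp target when a command carries a large Base64 run and
    redirects into /tmp (covers 'echo BLOB | base64 -d > /tmp/x' and
    chunked 'echo BLOB >> /tmp/x' writes)."""
    if not BASE64_RUN.search(cmdline):
        return None
    m = TMP_REDIRECT.search(cmdline)
    return m.group(1) if m else None


def analyze(events):
    """Walk JSON process events (osquery-like layout) and collect findings."""
    findings = []
    for raw in events:
        ev = json.loads(raw)
        host = ev.get("hostIdentifier")
        cmd = ev.get("columns", {}).get("cmdline", "")
        target = find_base64_to_tmp(cmd)
        if target:
            findings.append({"type": "base64_to_tmp", "target": target, "host": host})
        tar = parse_tar_create(cmd)
        if tar:
            archive, members = tar
            findings.append({"type": "archive_created", "archive": archive,
                             "members": members, "host": host})
    return findings


def infer_archive_contents(findings, archive):
    """The inference made in the post: members named on the tar create line."""
    for f in findings:
        if f["type"] == "archive_created" and f["archive"] == archive:
            return f["members"]
    return None


# Constructed sample data: a stand-in blob and five process events.
BLOB = base64.b64encode(b"constructed payload bytes " * 8).decode()
HOST = "linux-host-example"   # constructed hostname, not from the data set


def _event(cmdline):
    return json.dumps({"name": "process_events", "hostIdentifier": HOST,
                       "columns": {"path": "/bin/sh", "cmdline": cmdline}})


SAMPLE_EVENTS = [
    _event(f'sh -c "echo {BLOB} | base64 -d > /tmp/colonel.c"'),
    _event(f"echo {BLOB} >> /tmp/definitelydontinvestigatethisfile.sh"),
    _event('"tar" "czvf" "blargh.tgz" "suitecrm.sql" "loot.txt"'),   # as in the post
    _event("tar xzvf /var/cache/pkg.tgz"),                            # extract, benign
    _event("ls -la /tmp"),                                            # benign
]


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("blargh.tgz contains:", infer_archive_contents(found, "blargh.tgz"))
```

In a real hunt the same two checks map onto the Splunk searches in the post: the Base64 check is what the reversed search over the /tmp filenames surfaced, and the tar parse is the "command syntax" inference made from the cmdline field.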