Splunk -Threat Hunting Playbook 1

Splunk - Threat Hunting with Windows OS Logs (threat data)

hypothesis: Adversaries might be using a non system account to access LSASS and extract credentials from memory.

Reference Links:
https://attack.mitre.org/techniques/T...
https://adsecurity.org/?page_id=1821#...
http://clymb3r.wordpress.com/2013/04/...


SPL Queries Used:
1. Looking for non-system accounts getting a handle to and accessing lsass


index=mordor EventID=4656 OR EventID=4663 ObjectName="*lsass.exe*" NOT SubjectUserName="*%$*"
| table EventID Category ObjectName AccessMask Hostname SubjectUserName ProcessName

2. Processes opening handles and accessing lsass with potential dll in memory



index=mordor EventID=10 TargetImage="*lsass.exe*" CallTrace="*UNKNOWN*"
| stats count by _time Hostname SourceImage TargetImage GrantedAccess SourceProcessGUID

3. Look for processes loading few known dlls as loaded by Mimikatz to interact with the credentials



index=mordor EventID=7 ImageLoaded IN ("*samlib.dll*", "*vaultcli.dll*", "*hid.dll*", "*winscard.dll*", "*crypt.dll*")
| stats values(ImageLoaded) dc(ImageLoaded) as ImageLoaded by Image
| sort -ImageLoaded

4. Processed opening handles and accessing lsass with potential dll's loaded in a memory and processes loading few known dlls as loaded by tools like mimikatz

index=mordor EventID=7 ImageLoaded IN ("*samlib.dll*", "*vaultcli.dll*", "*hid.dll*", "*winscard.dll*", "*crypt.dll*")
| fields ProcessGUID ImageLoaded TargetImage Hostname Image SourceImage ProcessName ObjectName
| join ProcessGUID
[search index=mordor EventID=10 TargetImage="*lsass.exe*" CallTrace="*UNKNOWN*"
| table Image TargetImage Image ImageLoaded _time Hostname]
| table TargetImage Image ImageLoaded _time Hostname