Splunk App for Enterprise Security · v7.3.0
DAY 25 LAB · LAB 25 — RUN A HUNT · week 4
Hunt for LOLBins downloading from the internet, following the PEAK methodology.
- Hypothesis: an adversary is using rundll32, mshta, regsvr32, certutil or bitsadmin to download from the internet.
- Run the pre-loaded SPL.
- Document true positives (TPs), false positives (FPs) and gaps.
- Codify the true positives as a correlation search.
Hint: certutil.exe -urlcache is a textbook download primitive; 7 occurrences = malicious.
Supported SPL subset: search field=value (wildcards allowed) · stats count by f1,f2 · where field op N · sort -field · top N field · head N · table f1 f2
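A search for the certutil part of the hypothesis, written only with the supported subset above. It is an added example, not the lab's pre-loaded SPL, and the field names process_name, command_line, host and user are assumed (common endpoint/Sysmon-style names that may need mapping to the lab's data):

```spl
search process_name=certutil.exe command_line="*-urlcache*"
| stats count by host, user, command_line
| sort -count
| table host user command_line count
```

Triage each row as a TP, FP or gap before codifying it; the scheduled correlation search is the same pipeline with the command_line pattern narrowed to what the true positives actually share.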