Windows 7 and Windows 2012 Splunk Logging Cheat Sheet

Splunk Logging Cheat Sheet is meant to assist you in getting started to set up Splunk alerts & reports for more critical Windows-security associated events. However, the list doesn’t include some common items which must be for every Log-Management & Information Security Program. Begin with these samples & add them the way you understand better what’s in logs & what you require to monitor & alert on.

Windows 7 and Windows 2012 Splunk Logging Cheat Sheet

Windows Logging-Configuration

Before Gathering anything meaningful using Splunk, or another log-management solution, Windows logging & auditing needs to be properly Enabled & Configured before one can Gather & Harvest logs to Splunk. Center for Internet-Security Benchmarks offers some guidance on what to design. However, this doesn’t go further enough to audit and log what’s required for the best Information-Security program. Windows-Logging Cheat-Sheet has the information needed for best & full security logging. This will help you understand the way to Enable & Configure-Windows logging & auditing settings. Moreover, this will allow you to capture meaningful & actionable security-linked data.

Reports

These are queries that are saved to have reference & can get launched as required.

Alerts

These are queries that you need want to email or send to a smartphone to keep you alerted when something is separate from the norm & requires to be checked into immediately. Don’t get alert-heavy or staff will ignore them as it was the incident in Target & Neiman-Marcus breaches.

Dashboards

This is a collection of alerts and reports which are saved to the dashboard view for a quick reference. It’s normally used for SOC’s & NOC’s which monitor critical activity. Furthermore, dashboards are left up to every user as companies have various requirements & preferences at what they need to see.

Critical-events monitor

  1. New process beginning:

Event-Code-4688 will get when an executable or process starts.

  1. User logon-success:

Event Code-4624 will get when a user has logons successfully to a system.

  1. Share accessed:

Event Code-5140 will get when a client connects to a file share.

  1. New service-installed:

Event Code-7045 will get when a service is fixed.

  1. Network connection executed

Event Code-5156 will get when a network connection is complete from source to destination. This includes the ports utilized & processes used to start the connection. Moreover, these need to use Windows Firewall.

  1. File-auditing:

Event Code-4663 will get when a new file is modified, added, or deleted.

  1. Registry-auditing:

Event Code-4657 will get when a fresh registry item is modified, deleted, or added.

  1. Windows-PowerShell-command line-execution

Event-Code-500 will get when a PowerShell is completed logging command-line utilized.

  1. Windows firewall changes:

Event Code-2004 will get when fresh firewall instructions are placed.

  1. Schedule jobs added

Event Code-106 will get when a fresh scheduled responsibility is added.

Filtering events

One can filter events by Message and not via event code: It’s common to blacklist event codes that are excessive or noisy in a way that impacts storage & licensing. Moreover, enabling Process-Creation Success (4688) Windows Firewall-Filtering Platform Connection (5156 and 5158), and Process-Terminate (4689) they’ll be at the top of four event codes in a Splunk index.

Filtering via the content of the Field name or Message is an excellent way to do it. Immediately one understands what normal noise is, and has less risk to be misused or significant to security monitoring you will filter the ones out at server or client. With windows, Splunk restricts the blacklist to just ten entries, thus you’ll require chaining the same events in a single line. Example of best exclusion includes

The Splunk Queries need to be both an Alert & Report. Remember alerts needs to be actionable, hence when they are off something new &/or odd occurs and one needs to respond & investigate.

MONITOR FOR PROCESSES STARTING – 4688

Monitor Administrative/Suspicious Processes

This list depends on in-built Windows-administrative utilities & recognized hacking utilities which are seen utilized in exploitation. Moreover, expanding this list as required to add utilities utilized at hacking attacks. Additionally, one doesn’t need an alert on every process initiation. Other administrative tools are noisy & normally utilized or auto-executed frequently. This shouldn’t be incorporated to make the alert extra actionable & accurate that anything suspicious occurred.

Monitor Whitelisting bypass efforts

Hackers often utilize PowerShell in exploiting an organization due to PowerShell capability which helps in avoiding using in-built utilities & dropping extra malware files at the disk. Viewing policy & profile bypasses enables one to detect hacking activities.

Monitor PowerShell bypass tries

Hackers often utilize PowerShell in exploiting a scheme due to PowerShell’s capability to prevent using in-built utilities & dropping extra malware files on disk. Watching policy & profile bypasses enables one to detect the hacking activity.

MONITOR FOR USER-LOGONS – 4624 and 4625

  1. Monitor for Logon-Success

Logging that is for failed-logons looks obvious, However, when user credential becomes compromised & their credentials utilized for exploitation, successful-logins remains the main indicator of malicious-activity & system crawling. Furthermore, this alert seems to be for successful logins more than two & excludes domain-controllers which detects when a rogue-user-account crawls thru systems in one’s network.

  1. Logon Failures Monitor

Watch for extreme logon failures, particularly on Internet-facing systems & systems which contain any confidential information. This detects brute-force tries & users who have unsuccessful altered their credentials on different devices like smartphones. Furthermore, one will add “stats-count” to view for quantity, excluding certain accounts that you know are best & normally fail. Try and avoid excluding administrative accounts because they’re the ones that the hackers are up to.

  1. Monitor for Guest-Logon Failures and Administrative

Hackers & malware normally try to brute-force recognized accounts, like that of Administrator & Guest. The alert will look at & alert you if you configured attempts more than five.

FILE SHARES for MONITOR – 5140

  1. File Shares for Monitor being accessed

When a system has interfered, hackers will jump or connect to different systems which infect or steal information. Watch an account that crawls across file shares. Other management accounts that do this normally exclude the systems they usually connect.

Moreover, other activities from management accounts like new processes launching alert you to malicious behavior when omitted in the alert.

SERVICE CHANGES MONITOR – 7045 and 7040

  1. New-Service Installs Monitor

Monitoring a new service install is very crucial. This is because hackers normally use a new service to gain persistence for malware when your system restarts. Every retail Point-of-Sale breach involved one or more new services. This could be easily detected using an alert alone.

  1. Monitor for Service-State Changes

Monitoring service-state changes show when a service is changed. Hackers normally use an existing service that avoids new-service detection & modifies ServiceDll to figure out a malicious payload-gaining persistence for the malware as the system restarts. Unluckily the details aren’t in logs, but the alert can direct you to check into a service state to enable auditing or change on keys that trigger rarely used services and watch ServiceDll changes. Few services will start & stop regularly & this requires to be omitted. Additionally, you can use registry-auditing (4657) which allows you to monitor changes to ServiceDll value.

NETWORK CONNECTIONS MONITOR – 5156

  1. Suspicious Network-IP Monitor

This doesn’t require the use of a Windows Firewall. At networks where it’s normally not utilized, you will use Group-Policy that allows you to set Windows-Firewall to any configuration thus no blocking can happen. The traffic is got in logs & more significantly the process makes the connection. Additionally one can form exclusions via IP addresses like broadcast IPs & via process names which reduces the output & makes it extra actionable. Lookup command benefits this query immensely via excluding items.

FILE CHANGES MONITOR – 4663

  1. New files Monitor

It needs directories or files that have auditing-set on every object. One needs to audit directories that are well-known for malware like AppData\Local, Roaming, \Users\Public, and LocalLow for the following:

  1. Crypto events Monitor

Includes setting-auditing at a File-Server Share that enables huge amounts of file-changes from crypto-event to be noticed. Moreover, it looks at a huge quantity of variations greater than 1000 in a single hour to notice events. One can use similar settings as shown above as the required is to monitor NEW files.

REGISTRY CHANGES MONITOR – 4657

  1. Registry Changes Monitor

Adding auditing to identified exploited registry keys is a suitable way of catching malicious activity.

Furthermore, registry keys shouldn’t change often not unless something is updated or installed. The aim is to check for NEW stuff & changes to recognized high-risk items including the RunOnce and Run keys.

WINDOWS POWERSHELL-COMMAND LINE MONITOR – 500

  1. PowerShell Command-Execution Monitor

Hackers often utilize PowerShell which exploits a structure due to PowerShell capability & to prevent using in-built utilities & drop extra malware at the disk. Monitoring PowerShell command lines that are performed can get possibly malicious behavior. Furthermore, a PowerShell log comes with some odd formatting. A sample below indicates a distinct non-RegEx process to parse odd-logs using Splunk “split” rule.

Furthermore, PowerShell logs are worst like using the “split” command. The logs aren’t in standard Windows logs & will require to be placed to Splunk inputs.conf-file. This helps in collecting them. “Windows PowerShell” logs might be found under Applications & Services Logs at Windows PowerShell

WINDOWS-FIREWALL CHANGES MONITOR – 2004 and 2005

  1. Additions to Firewall-Rules Monitor

Malware & hackers often add firewall rule which enables access to Windows application or service.

The logs aren’t in standard Windows logs & will require to be placed to Splunk inputs.conf-file to allow collection.

Windows-firewall logs is available under Applications & Services Logs > Microsoft > Windows > Windows Firewall Advanced-Security > Firewall

  1. Changes in Firewall Rules Monitor

Malware & hackers normally change firewall rules to enable access to Windows applications or services. The logs aren’t in standard Windows logs & will require to be placed to Splunk inputs.conf-file for collection.

WINDOWS-POWERSHELL OBFUSCATION – TICKS & SPECIAL CHARACTERS MONITOR

  1. PowerShell-Obfuscation with 4688 Monitor

Hackers normally use PowerShell obfuscation code to protect what they’re doing. Monitoring Process Command-Line executions can get dangerous malicious obfuscated PowerShell. Moreover, the query available below checks for & counts the number of semicolons, ticks & dollar signs which detects the use of obfuscation of PowerShell with the help of Security log & Process Execution 4688-events using Process Command-Line logging permitted.

  1. PowerShell-Obfuscation with 400 Monitor

Hackers often utilize obfuscation of PowerShell-code hiding whatever they’re doing. Monitoring this Process Command-Line execution can get a malicious obfuscated PowerShell. Moreover, the query below will help & get the number of semicolons, dollar signs, ticks to notice the usage of PowerShell obfuscation using “Windows-PowerShell” log(v2-v5) 400-events. Windows PowerShell logs can be found at Applications & Services Logs > Windows PowerShell.

WINDOWS POWERSHELL-BASE64 ENCODED OBFUSCATION MONITOR

  1. Monitor for PowerShell Obfuscation with 4104 or 400

Hackers normally use PowerShell code obfuscation to protect what they’re doing. Checking PowerShell commands size which hides things similar to Base64-encoded scripts could catch malicious obfuscated PowerShell. The query below checks for the size of the script block above 1000 characters with the help of the “Windows PowerShell” or “PowerShell/Operation” log. Windows PowerShell & PowerShell Operational logs can be found at applications & Services Logs > Windows PowerShell. Also Applications & Services Logs > PowerShell/Operational.

BLACKLIST UNDESIRABLE ITEMS USING SPLUNK-UNIVERSAL FORWARDER

Overview

With improved logging other Windows-Cheat Sheets suggests, there will unluckily be more events that are generated, & noise. More Event-IDs or Message in an Event ID doesn’t provide security value & therefore it can be released against being directed to Splunk taking-up valued licensing. Idea is to exclude or blacklist items at Universal Forwarder before they’re referred to Splunk & take up valuable licenses.

The opposite is whitelisting where one tells Universal Forwarder only to gather certain products which is a different option & operate identically. If one cannot blacklist sufficient items in Universal Forwarder & needs to do more, you’ll be required to utilize Splunk Heavy-Forwarder, or use a different Syslog agent including nxlog or “Windows-Logging Service”.

LIMITS

There are just 10 whitelist or blacklist items in every sourcetype. This is limiting to logs like the Security log which has tons of messages and events. More of which we don’t require to collect. There’s an ability to hold more items within a single blacklist item.

FORMAT

The format of the blacklist is RegEx, though not exactly common RegEx. The following can offer sufficient information & detail to make what you require. The 1st is a straight-blacklist via Event ID:

blacklist=4689,5158

The following option is to hold more parts or messages into a single blacklist entry. With the following, it will drop some Splunk events from having much space at Splunk. These are generally worthless events for security purposes & are noisy. Remember that it’s by Message, Event ID, & Type within the message.

The following item is holding more same items and there are no spaces in between the

BLACKLIST UNDESIRABLE ITEMS USING SPLUNK UNIVERSAL-FORWARDER

Each Event-ID or kind of message needs to be different blacklists. This excludes via Process Command-Line, the single blacklist item and it’s recommended to use more as it will more unique thing which you can exclude.

AUDIT REGISTRY USING SPLUNK UNIVERSAL-FORWARDER

The Splunk Universal Forwarder enables one to monitor Registry for Create, Set, Delete, & Renamed products to keys, data & values. They are also Close, Query, and Open but would be noisy to monitor.

Leave a Comment