Splunk Tradecraft

Splunk Searches

NOTE: The searches below are general templates. The exact conditions (server names, users, time window) can be adjusted to suit the task at hand.

Evidence of Authentication

EventID 4648: A logon was attempted using explicit credentials

Event Description: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4648

Evidence of RDP Connection from the point of view of the source system

    index=*event-log
    EventID=4648
    TargetServerName IN ("*SERVER1*", "*SERVER2*")
    TargetInfo IN ("TERMSRV*")
    NOT "*$"
    NOT SubjectUserName IN ("LOCAL SERVICE")
    | rename host as logging_host, IpAddress as src_ip
    | table _time, EventID, logging_host, src_ip, SubjectUserName, TargetUserName, TargetServerName, TargetInfo, ProcessName

Evidence of RDP from the point of view of the source and destination systems

    index=*event-log
    EventID=4648
    TargetServerName IN ("*SERVER1*", "*SERVER2*")
    TargetInfo IN ("TERMSRV*")
    NOT "*$"
    NOT SubjectUserName IN ("LOCAL SERVICE")
    | rename host as logging_host, IpAddress as src_ip
    | table _time, EventID, logging_host, src_ip, SubjectUserName, TargetUserName, TargetServerName, TargetInfo, ProcessName
    | append
        [ search index=*event-log
          EventID=4624
          Logon_Type=10
          (host="SERVER1" OR host="SERVER2")
          | rename host as TargetServerName, IpAddress as src_ip
          | table _time, EventID, src_ip, TargetUserName, TargetServerName, ProcessName ]
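The two searches above show each side of an RDP session separately; the following added example (not part of the original page) applies the same filters to constructed sample events and pairs each source-side 4648 with the destination-side 4624 Logon_Type 10 it should produce, so that a 4648 with no partner stands out. SERVER1/SERVER2 are the placeholder hostnames from the searches, and the 60-second pairing window is an assumption.

```python
from datetime import datetime, timedelta

# Assumptions: SERVER1/SERVER2 are the placeholder hostnames from the searches above, and the
# field names follow the Windows event fields those searches reference.
WATCHED_SERVERS = {"SERVER1", "SERVER2"}
EXCLUDED_SUBJECTS = {"LOCAL SERVICE"}

# Constructed sample events (not real telemetry), one dict per Windows event.
EVENTS = [
    {"_time": "2024-05-01T09:00:05", "EventID": 4648, "host": "WKSTN7", "IpAddress": "10.0.0.7",
     "SubjectUserName": "jdoe", "TargetUserName": "admin1", "TargetServerName": "SERVER1",
     "TargetInfo": "TERMSRV/SERVER1", "ProcessName": "C:\\Windows\\System32\\mstsc.exe"},
    {"_time": "2024-05-01T09:00:07", "EventID": 4624, "host": "SERVER1", "IpAddress": "10.0.0.7",
     "Logon_Type": 10, "TargetUserName": "admin1", "ProcessName": "-"},
    # Machine account (name ends in "$"): the NOT "*$" clause of the 4648 search drops it.
    {"_time": "2024-05-01T09:02:00", "EventID": 4648, "host": "WKSTN7", "IpAddress": "10.0.0.7",
     "SubjectUserName": "WKSTN7$", "TargetUserName": "SERVER1$", "TargetServerName": "SERVER1",
     "TargetInfo": "TERMSRV/SERVER1", "ProcessName": "C:\\Windows\\System32\\svchost.exe"},
    # Source-side evidence with no destination-side 4624: reported as unconfirmed.
    {"_time": "2024-05-01T09:05:00", "EventID": 4648, "host": "WKSTN9", "IpAddress": "10.0.0.9",
     "SubjectUserName": "bob", "TargetUserName": "bob", "TargetServerName": "SERVER2",
     "TargetInfo": "TERMSRV/SERVER2", "ProcessName": "C:\\Windows\\System32\\mstsc.exe"},
]

def source_side_rdp(events):
    """4648 toward a watched server over TERMSRV, minus machine accounts and LOCAL SERVICE."""
    return [e for e in events if e["EventID"] == 4648
            and any(s in e["TargetServerName"].upper() for s in WATCHED_SERVERS)
            and e["TargetInfo"].upper().startswith("TERMSRV")
            and not (e["SubjectUserName"].endswith("$") or e["TargetUserName"].endswith("$"))
            and e["SubjectUserName"] not in EXCLUDED_SUBJECTS]

def destination_side_rdp(events):
    """4624 with Logon_Type 10 (RemoteInteractive) logged on a watched server."""
    return [e for e in events if e["EventID"] == 4624 and e.get("Logon_Type") == 10
            and e["host"].upper() in WATCHED_SERVERS]

def correlate(events, window=timedelta(seconds=60)):
    """Pair each source-side 4648 with a destination-side 4624 for the same user, server and
    source IP within the window; a 4648 with no partner is flagged unconfirmed."""
    def ts(e): return datetime.fromisoformat(e["_time"])
    dests, results = destination_side_rdp(events), []
    for src in source_side_rdp(events):
        match = next((d for d in dests if d["TargetUserName"] == src["TargetUserName"]
                      and d["host"].upper() == src["TargetServerName"].upper()
                      and d["IpAddress"] == src["IpAddress"]
                      and timedelta(0) <= ts(d) - ts(src) <= window), None)
        results.append({"src_host": src["host"], "src_ip": src["IpAddress"], "user": src["TargetUserName"],
                        "server": src["TargetServerName"], "status": "confirmed" if match else "unconfirmed"})
    return results
```

Running `correlate(EVENTS)` reports the admin1 logon to SERVER1 as confirmed and bob's 4648 toward SERVER2 as unconfirmed, which is the gap the combined search is meant to expose.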