Splunk - Basics

Learn the basics of Splunk.

THM Room https://tryhackme.com/room/splunk101

TASK 1 : Introduction to Splunk

Virtual machine deployed.

No Answer

TASK 2 : Navigating Splunk

I’m ready to look at Splunk apps.

No Answer

TASK 3 : Splunk Apps

What is the ‘Folder name’ for the add-on?

Install the app on the desktop : splunk-add-on-for-microsoft-sysmon_1062.tgz then navigate to the apps :

Sysmon

Answer : TA-microsoft-sysmon

What is the Version?

Answer : 10.6.2

TASK 4 : Adding Data

Upload the Splunk tutorial data on the desktop. How many events are in this source?

Upload >zip file on desktop > next > submit > search

Number Of Events

Answer : 109,864

TASK 5 : Splunk Queries

Use Splunk to Search for the phrase ‘failed password’ using tutorialdata.zip as the source.

No Answer.

What is the sourcetype?

Sourcetype

Answer : www1/secure

In the search result, look at the Patterns tab.

No Answer.

What is the last username in this tab?

Last Username

Answer : myuan

Search for failed password events for this specific username. How many events are returned?

Events

Answer : 16

TASK 6 : Sigma Rules

Use the Select document feature. What is the Splunk query for ‘sigma: APT29’?

sigma: APT29

Answer : CommandLine=”-noni -ep bypass $$

Use the Github Sigma repo. What is the Splunk query for ‘CACTUSTORCH Remote Thread Creation’?

By the hint : Check the Windows rules. Copy and paste into uncoder.io.

GO to this repo in the windows part related to thread : https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread

Then copy the code of “sysmon_cactustorch.yml” into encoder.io https://uncoder.io/ to translate the rule in splunk.

Answer :

(source="WinEventLog:*" (SourceImage="*\\System32\\cscript.exe" OR SourceImage="*\\System32\\wscript.exe" OR SourceImage="*\\System32\\mshta.exe" OR SourceImage="*\\winword.exe" OR SourceImage="*\\excel.exe") TargetImage="*\\SysWOW64\\*" NOT StartModule="*")

Splunk - Basics

TASK 1 : Introduction to Splunk

Virtual machine deployed.

TASK 2 : Navigating Splunk

I’m ready to look at Splunk apps.

TASK 3 : Splunk Apps

What is the ‘Folder name’ for the add-on?

What is the Version?

TASK 4 : Adding Data

Upload the Splunk tutorial data on the desktop. How many events are in this source?

TASK 5 : Splunk Queries

Use Splunk to Search for the phrase ‘failed password’ using tutorialdata.zip as the source.

What is the sourcetype?

In the search result, look at the Patterns tab.

What is the last username in this tab?

Search for failed password events for this specific username. How many events are returned?

TASK 6 : Sigma Rules

Use the Select document feature. What is the Splunk query for ‘sigma: APT29’?

Use the Github Sigma repo. What is the Splunk query for ‘CACTUSTORCH Remote Thread Creation’?

TASK 7 : Dashboards & Visualizations

What is the highest EventID?

TASK 8 : Alerts

have a general understanding on how to create an alert in Splunk.

TASK 9 : Conclusion

I know the fundamentals of Splunk.

Splunk - Basics

TASK 1 : Introduction to Splunk

Virtual machine deployed.

TASK 2 : Navigating Splunk

I’m ready to look at Splunk apps.

TASK 3 : Splunk Apps

What is the ‘Folder name’ for the add-on?

What is the Version?

TASK 4 : Adding Data

Upload the Splunk tutorial data on the desktop. How many events are in this source?

TASK 5 : Splunk Queries

Use Splunk to Search for the phrase ‘failed password’ using tutorialdata.zip as the source.

What is the sourcetype?

In the search result, look at the Patterns tab.

What is the last username in this tab?

Search for failed password events for this specific username. How many events are returned?

TASK 6 : Sigma Rules

Use the Select document feature. What is the Splunk query for ‘sigma: APT29’?

Use the Github Sigma repo. What is the Splunk query for ‘CACTUSTORCH Remote Thread Creation’?

TASK 7 : Dashboards & Visualizations

What is the highest EventID?

TASK 8 : Alerts

have a general understanding on how to create an alert in Splunk.

TASK 9 : Conclusion

I know the fundamentals of Splunk.

Further Reading

Splunk 2

Osquery - The Basics

Investigating Windows