Sysmon + Splunk Alerting

When playing for the blue team, there’s a fair chance you’ll need to get some alerting in place to warn you of some potential bad in your network. The following searches were written with Splunk + sysmon, however should be portable to most SIEM solutions. You may need to tailor these searches to your own specific environment.

Note. Some alerts are a WIP. I also know they could be written better, but they work for me. :)

Adversaries can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code.

index=windows sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" ParentImage="C:\\Windows\\System32\\mshta.exe" ParentCommandLine="mshta.exe *script:http*"
| sort -_time
| table _time EventCode ParentImage ParentCommandLine Image CommandLine SourceHostname SourceIp

This search alerts when regsvr32.exe is invocated to execute a script that would give an attacker the ability to execute code in a manner that is likely to bypass application white-listing, and possibly AEP applications.

index=windows LogName="Microsoft-Windows-Sysmon/Operational" EventCode=1 Image="C:\\Windows\\System32\\regsvr32.exe" CommandLine="*/s /u /i:* scrobj.dll"
| table _time ComputerName user Image CommandLine ParentImage ParentCommandLine

Office (should) never be running a scripting tool.

index=windows sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" ParentImage="C:\\Program Files (x86)\\Microsoft Office\\*.exe" Image="C:\\Windows\\Sys*\\WindowsPowerShell\\v1.0\powershell.exe" OR Image="C:\\Windows\\System32\\wscript.exe" OR Image="C:\\Windows\\System32\\cscript.exe" OR Image="C:\\Windows\\System32\\cmd.exe"
| table _time Image CommandLine ParentImage ParentCommandLine

Suspicious powershell is also another one to look for.

index=windows sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" Image="*powershell.exe" CommandLine="*enc*" OR CommandLine="*iex*" OR CommandLine="*Invoke-Expression*" OR CommandLine="*FromBase64String*" OR CommandLine="*DownloadString*" OR CommandLine="*System.Net.WebClient*" OR CommandLine="*-sta*" OR CommandLine="*-ec*" 
| table _time EventCode ComputerName ParentImage Image CommandLine IntegrityLevel
| sort -_time

There are plenty of other potential IOC sysmon can log and you can alert on. I highly recommend getting sysmon deployed across your endpoints with logging aggregated to a SIEM, and looking through the myriad of ways attackers can run code or attempt to move around the network.

itsec guy. sometimes i internet. oscp/penetration testing/red team.