
Detailed Report on VU23225 Investigate Windows Security Features – Lesson 06

Overview

The document titled “VU23225 Investigate Windows Security Features – Lesson 06” focuses on threat hunting in Windows using Splunk as a SIEM tool. It covers the introduction to threat hunting, understanding Windows Event Logs, identifying key Windows threats, leveraging Splunk for threat detection, and utilizing specific Splunk queries and apps for effective threat hunting.

1. Objectives

The lesson sets out the following objectives:

  • Introduction to Threat Hunting.
  • Overview of the threat hunting process.
  • Role of Splunk in threat hunting.
  • Understanding Windows Event Logs and common event log IDs.
  • Identifying key Windows threats.
  • Leveraging Splunk for threat hunting.
  • Creating and using Splunk queries for threat detection.
  • Exploring Splunk apps and add-ons for enhanced threat hunting.

2. Introduction to Threat Hunting

What is Threat Hunting?

  • A proactive cybersecurity approach to search for signs of malicious activity or potential threats within an organization’s IT infrastructure.
  • Goes beyond traditional security measures by seeking out advanced threats that may have evaded initial detection.
  • Involves continuous monitoring and analysis of data sources like event logs, network traffic, and endpoint data to uncover indicators of compromise (IOCs).

Role of Splunk in Threat Hunting

  • Splunk collects, analyzes, and visualizes machine-generated data from various sources, making it invaluable for threat hunting.
  • Provides real-time data ingestion, indexing, and search capabilities.
  • Offers a centralized view of IT infrastructure and facilitates data correlation from multiple sources.
  • Allows security analysts to develop complex queries to search through Windows event logs and identify potential threats.
  • Supports integration with security-related apps and add-ons like Splunk Enterprise Security and Splunk Phantom.

3. Understanding Windows Event Logs

Types of Windows Event Logs:

  • Security Log: Records security-related events like user authentication and access control.
  • System Log: Captures information about system events and errors.
  • Application Log: Contains events generated by applications running on the system.

Common Event Log IDs and their Meanings:

  • Process Related: Event ID 4688 (Process Creation), Event ID 4689 (Process Termination).
  • File Related: Event ID 5140 (File Creation), Event ID 4656 (File Access), Event ID 4663 (File Permissions Modified).
  • Firewall Related: Event ID 5156 (Firewall Rule Match).
  • Network Access: Event ID 5145 (Network Share Access).
  • Account Related: Event ID 4624 (Successful Account Logon), Event ID 4625 (Failed Account Logon), Event ID 4720 (User Account Creation), Event ID 4722 (User Account Enabled), Event ID 4724 (User Account Password Set), Event ID 4732 (User Account Added to Group), Event ID 4738 (User Account Changed).
  • Privilege Related: Event ID 4672 (Privilege Use), Event ID 4704 (User Right Assigned), Event ID 4673 (Privilege Rights Adjusted).
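As an added example (not part of the lesson document), the account-related IDs above can be correlated rather than searched one at a time. This SPL search joins an account creation (4720) with a later group membership change (4732, plus 4728 for domain global groups, which carries the same MemberSid field) on the account's SID, and flags any new account that landed in an admin group within the last day. It assumes an index named wineventlog, the XmlWinEventLog:Security sourcetype, and the field names the Splunk Add-on for Microsoft Windows extracts from XML-rendered events (TargetSid, MemberSid, TargetUserName, SubjectUserName, Computer); check them against your own sourcetype before use.

```spl
index=wineventlog sourcetype="XmlWinEventLog:Security" EventCode IN (4720, 4728, 4732) earliest=-24h
| eval account_sid=if(EventCode==4720, TargetSid, MemberSid)
| stats earliest(_time) AS created
        values(eval(if(EventCode==4720, TargetUserName, null()))) AS new_account
        values(eval(if(EventCode!=4720, TargetUserName, null()))) AS groups_joined
        values(SubjectUserName) AS actor
        dc(EventCode) AS steps
        BY account_sid, Computer
| where steps >= 2
| eval groups_joined=mvjoin(groups_joined, "; ")
| where match(groups_joined, "(?i)admin")
| eval created=strftime(created, "%F %T")
| table created Computer new_account groups_joined actor account_sid
```

Drop the final match() filter to see every new account that joined any group; keep steps >= 2 so that accounts created without a group change are not reported.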

Event IDs generated from Sysmon:

  • Event ID 1 (Process Creation), Event ID 2 (File Creation Time Changed), Event ID 3 (Network Connection), Event ID 7 (Image Loaded), Event ID 8 (CreateRemoteThread), Event ID 11 (File Create), Event ID 12 (Registry Object Create or Delete), Event ID 13 (Registry Value Set), Event ID 17 (Pipe Created), Event ID 22 (DLL Loaded).

4. Key Windows Threats

Identified Key Threats:

  • Malware Infections: Monitor for suspicious processes, file modifications, and network connections.
  • Account Compromise: Detect unauthorized access attempts and failed login attempts; analyze unusual user activity or privilege escalation.
  • Insider Threats: Monitor for unauthorized data access or exfiltration; detect suspicious behavior by privileged users.
  • Brute-Force Attacks: Identify repeated failed login attempts and analyze patterns of brute-force attacks.
  • Data Breaches: Detect unauthorized file or database access; monitor unusual data transfers or file modifications.

5. Leveraging Splunk for Threat Hunting

Key Aspects of Leveraging Splunk:

  • Log Collection and Ingestion: Collect logs from various sources and centralize them for analysis.
  • Building Search Queries: Construct queries using keywords, logical operators, and functions to filter data.
  • Creating Alerts and Notifications: Define conditions to trigger alerts for real-time notifications and response.
  • Correlation and Anomaly Detection: Correlate data from different sources to uncover complex attack patterns.
  • Visualization and Dashboards: Create customized dashboards and visual representations of data for quick identification of trends and anomalies.
  • Integration with Threat Intelligence: Incorporate external threat intelligence feeds to enhance detection capabilities.

6. Splunk Queries for Threat Detection

Searching for Common Threats:

  • Building Queries for Specific Event Log IDs: Use the ‘EventCode’ field in Splunk to search for specific event IDs.
  • Refining Queries: Enhance effectiveness by incorporating additional search criteria like time range, source IP addresses, user accounts, and file paths.
  • Utilizing Splunk’s Alerting and Reporting Features: Create alerts and schedule reports based on predefined queries for specific event log IDs.

Query Examples:

  • Malware Infections: Search for suspicious processes and network connections.
  • Account Compromise: Detect failed login attempts and analyze user activity.
  • Appearance of New Accounts: Detect new account creation and users added to groups.
  • Insider Threats: Monitor file access by privileged users and detect data exfiltration attempts.
  • Brute-Force Attacks: Identify repeated failed login attempts and analyze patterns.
  • Data Breaches: Detect unauthorized file access and monitor data transfers to external devices.
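As an added example (not code from the lesson), this SPL search implements the brute-force case from the list above and the refinements described under "Refining Queries": it filters on EventCode, restricts the time range, groups failed logons (4625) by source address, distinguishes a brute force against few accounts from a password spray across many, and reports whether the same source also produced a successful logon (4624) in the window. Index name wineventlog, sourcetype XmlWinEventLog:Security, the fields src_ip, IpAddress, TargetUserName, SubStatus and Computer (as extracted by the Splunk Add-on for Microsoft Windows), and the thresholds of 20 failures and 10 distinct users are all assumptions to adjust locally.

```spl
index=wineventlog sourcetype="XmlWinEventLog:Security" EventCode IN (4624, 4625) earliest=-15m
| eval src=coalesce(src_ip, IpAddress)
| search NOT src IN ("-", "127.0.0.1", "::1")
| stats count(eval(EventCode==4625)) AS failures
        count(eval(EventCode==4624)) AS successes
        dc(eval(if(EventCode==4625, TargetUserName, null()))) AS distinct_users
        values(eval(if(EventCode==4625, TargetUserName, null()))) AS targets
        values(eval(if(EventCode==4624, TargetUserName, null()))) AS logged_in_as
        values(eval(if(EventCode==4625, SubStatus, null()))) AS failure_codes
        min(_time) AS first_seen
        max(_time) AS last_seen
        BY src, Computer
| where failures >= 20
| eval pattern=if(distinct_users >= 10, "password spray", "brute force"),
       outcome=if(successes > 0, "success after failures - investigate", "failures only")
| eval first_seen=strftime(first_seen, "%F %T"), last_seen=strftime(last_seen, "%F %T")
| sort - successes, - failures
| table pattern outcome src Computer failures successes distinct_users logged_in_as first_seen last_seen targets failure_codes
```

Saved with a 15-minute schedule and an alert condition of "number of results > 0", the same search becomes the alert described under "Utilizing Splunk's Alerting and Reporting Features".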

7. Splunk Apps and Add-ons for Threat Hunting

Splunk Apps:

  • Windows SOHO Security: Centralizes security operations for small office and home office environments, providing high-fidelity visualizations, security alerts, and MITRE integration.
  • Other Threat Hunting Apps: 63 apps available on the Splunk App Store designed to assist in threat hunting, including log analysis and visualization aids.

Conclusion

The document provides a comprehensive guide to threat hunting in Windows using Splunk. It emphasizes the importance of understanding Windows Event Logs and leveraging Splunk’s capabilities to identify and mitigate key threats. The detailed examples and queries offer practical insights for effective threat detection and response.
