Example WLS Splunk Searches

These are meant as examples only. Customization may be required for your specific environment. Results not guaranteed.

Many of these are built-in to the WLS app for Splunk along with EventID decoding and other useful features.

Bro

Bro PE / WLS MD5 NewHash match

`wlslogs` [search sourcetype=bro_files PE MD5 | dedup md5 | rename md5 as MD5 | fields MD5] NewHash=True| eval CallingProcess=coalesce(Process,CreatorProcessName) | eventstats dc(host) as hostCount by MD5 | dedup MD5 | table hostCount,Zone,Signed,CallingProcess,BaseFileName,CompanyName,InternalName,FileDescription,FileVersion,ProductVersion,MD5 | sort -hostCount

Command line parameters

Command line IPv4

`wlslogs` (EventID=592 OR EventID=4688) CommandLine="*"| rex
field=CommandLine "\s(?<cmd_ip>\d+\.\d+\.\d+\.\d+)\s" | where NOT
isnull(cmd_ip) AND NOT cmd_ip="127.0.0.1" | where cidrmatch("0.0.0.0/0",cmd_ip)`wlslogs` (EventID=592 OR EventID=4688) CommandLine="*" 

Command line redirect

`wlslogs` (EventID=592 OR EventID=4688) CommandLine="*>*"

Netsh usage

`wlslogs`EventID="592" OR EventID="4688" "netsh.exe" CommandLine="*netsh*"

Non-browser command line URL

`wlslogs` EventID="592" OR EventID="4688" NOT BaseFileName="firefox.exe" NOT BaseFileName="iexplore.exe" NOT BaseFileName="chrome.exe" CommandLine="*://*"

Registry usage

`wlslogs`EventID="592" OR EventID="4688" "reg.exe" CommandLine="*reg*"

Command Monitor

Obfuscated commands

`wlslogs` WLS_CommandMonitor Command="*^*"

Hardware

Disk errors

`wlslogs` ProviderName="Disk"

Display errors

`wlslogs` ProviderName="Display"

Hardware errors

`wlslogs` ProviderName="Microsoft-Windows-WHEA-Logger" | fillnull ErrorType value=0 | fillnull value="" | stats count by host,EventID,ErrorType

Low server disk space

| multisearch [ | search [ | search (WLS_WMI MonitorName="OperatingSystem") OR WMI_OperatingSystem ProductType>1 hoursago=24 | dedup host | fields host ] WLS_PerfCounter CategoryName="LogicalDisk" CounterName="% Free Space" | rename Value AS PercentFreeSpace ] [ | search [ | search (WLS_WMI MonitorName="OperatingSystem") OR WMI_OperatingSystem ProductType>1 hoursago=24 | dedup host | fields host ] WLS_PerfCounter CategoryName="LogicalDisk" CounterName="Free Megabytes" | rename Value AS FreeSpaceMB ]
| selfjoin host, GroupID, InstanceName
| search FreeSpaceMB=* PercentFreeSpace=* NOT (host="safe" InstanceName="E:")
| dedup host, InstanceName sortby -_time
| eval size=(FreeSpaceMB/(PercentFreeSpace/100))/1024
| eval used=size-(FreeSpaceMB/1024)
| eval avail=FreeSpaceMB/1024
| eval percent_used=100-PercentFreeSpace
| search avail<0.7 OR percent_used>95
| table host, InstanceName, size, used, avail, percent_used| rename host AS "Host", InstanceName AS "Volume", size AS "Size (GB)", used AS "Used (GB)", avail AS "Available (GB)", percent_used AS "Percent Used"

NTFS errors

`wlslogs` ProviderName="Ntfs"

Predicted drive failure

`wlslogs` WLS_WMI MonitorName="FailurePredictStatus" PredictFailure="True" | dedup host,InstanceName sortby -_time

Logon Activity

Multiple failed logons

`w​lslogs` EventID="529" OR EventID="530" OR EventID="531" OR EventID="532" OR EventID="533" OR EventID="534" OR EventID="535" OR EventID="536" OR EventID="537" OR EventID="539" OR EventID="4625" | eval auth_package=coalesce(AuthenticationPackage, AuthenticationPackageName)| eval logon_process=coalesce(LogonProcess, LogonProcessName) | eval logon_type=LogonType| eval logon_type_description=LogonTypeDescription| eval src_nt_domain=coalesce(CallerDomain, SubjectDomainName) | eval subject_user_name=coalesce(CallerUserName, SubjectUserName) | eval dest_nt_domain=coalesce(Domain, TargetDomainName) | eval target_user_name=coalesce(UserName, TargetUserName) | eval src_host_short=WorkstationName | eval original_user=target_user_name | fillnull value=0 original_user, dest_nt_domain, auth_package ,FailureReason| stats count dc(host) as hostCount BY original_user, dest_nt_domain, auth_package,FailureReason| search count>50

Misc

Alternate data stream execution

`w​lslogs` (EventID=4688 OR EventID=592) AlternateDataStream=True

Failed/failing system clock

`w​lslogs` "Possible bad clock"

Microsoft AV Detection

`wlslogs` ((ProviderName="Microsoft Antimalware" sourcetype="wls:System") OR sourcetype="wls:Microsoft-Windows-WindowsDefender/Operational") (EventID="1116" OR EventID="1117") | eval ThreatName=coalesce(ThreatName,Data7) | eval SeverityName=coalesce(SeverityName,Data9) | eval DetectionUser=coalesce(DetectionUser,Data19) | eval Path=coalesce(Path,Data21) | eval OriginName=coalesce(OriginName,Data23) | eval ExecutionName=coalesce(ExecutionName,Data25) | eval ActionName=coalesce(ActionName,Data30) | eval ErrorDescription=coalesce(ErrorDescription,Data33) | eval AdditionalActionsString=coalesce(AdditionalActionsString,Data37) | eval TypeName=coalesce(TypeName,Data27) | eval ProcessName=coalesce(ProcessName,Data18) | table _time,host,DetectionUser,ThreatName,SeverityName,TypeName,ProcessName,OriginName,ExecutionName,ActionName,ErrorDescription,AdditionalActionsString,Path

Processes

Launched by Internet Explorer

LogType=WindowsEventLog (EventID=592 OR EventID=4688)
CreatorProcessName=iexplore NOT BaseFileName="iexplore.exe"| dedup
BaseFileName,CommandLine

Non standard process extension

`wlslogs` EventID=4688 | regex BaseFileName="(?i)[^(exe)|(scr)]$"

Services

Abnormal service start

`wlslogs` EventID=4688 BaseFileName="svchost.exe" NOT CreatorProcessName="services" NOT CreatorProcessName="svchost"

New service install

`wlslogs` EventID="601"  OR EventID="4697"  OR EventID="7045"

Windows Errors

Application Error

`wlslogs` ProviderName="Application Error"

Application Hang

`wlslogs` ProviderName="Application Hang"

Application Popup

`wlslogs` ProviderName="Application Popup"

BSOD

`wlslogs` host=* EventID=1001 ProviderName="Microsoft-Windows-WER-SystemErrorReporting" Level="2"

Advertisements