Module 4: Additional Splunk Hunting Queries

These queries are from extra practical exercises I worked through after the main module sections. I consolidated them on this page so they are easier to reference later.

Back to the main module notes: Module 4: Understanding Log Sources & Investigating with Splunk

Skill assessment walkthrough: Module 4: Skill Assessment

Queries on this page

Related

These are extra searches I ran after the module, mostly to practice the same pivot habit on different question types. Not part of the core walkthrough, but they stuck because each one changed how I thought about the next search.

Which process is injecting threads everywhere?

index=* EventCode=8
| stats count as threads_created by SourceImage
| eventstats avg(threads_created) as avg stdev(threads_created) as stdev
| eval threshold = avg + 2*stdev
| where threads_created > threshold
| table SourceImage, threads_created, avg, stdev, threshold
| sort - threads_created

What password did the attacker use with PsExec?

Different angle on lateral movement from the PsExec scenarios in the main notes. Here the answer was sitting in the command line.

index=* EventCode=1 CommandLine="*psexec*"
| table _time, ComputerName, User, CommandLine, ParentImage
| sort _time

What port did the C2 server come back in on?

This one followed the beaconing searches from Spot the Unusual. Outbound traffic found the C2 IP; flipping source and destination found how it came back in.

index=* EventCode=3
(SourceIp="<c2_ip_1>" OR SourceIp="<c2_ip_2>")
| table _time, ComputerName, SourceIp, SourcePort, DestinationIp, DestinationPort, Image
| sort _time

Which account requested the most Kerberos tickets?

After network pivots, I practiced simpler auth-side counting. Sometimes the fastest search is just stats and sort.

index=* EventCode=4768
| stats count as ticket_requests by Account_Name
| sort - ticket_requests
| head 10

How many different machines did SYSTEM touch?

index=* EventCode=4624 Account_Name="SYSTEM"
| stats dc(ComputerName) as distinct_computers

Which accounts did all their logging-in inside a tight window?

index=* EventCode=4624 Account_Name="*"
| search NOT Account_Name="*$*"
| stats count AS logins, range(_time) AS span by Account_Name
| where span < 600
| sort - logins

References

[HTB Academy] Certified Defensive Security Analyst (CDSA) - Module 4: Understanding Log Sources & Investigating with Splunk. https://academy.hackthebox.com/

[spl-threat-hunting-library] Splunk SPL threat-hunting queries from CDSA Module 4. https://github.com/kismatkunwar89/spl-threat-hunting-library