curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity

page(threat-hunting): Clear-text password search

This commit is contained in:
Ming Di Leom 2025-04-09 10:18:07 +00:00
parent 7bbc0ec694
commit 8f13865138
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
source/threat-hunting/index.md
View File

@ -2,7 +2,7 @@
title: Splunk Threat Hunting
layout: page
date: 2025-01-15
updated: 2025-04-08
updated: 2025-04-09
---
Some searches utilise [cmdb_ci_list_lookup](https://gitlab.com/curben/splunk-scripts/-/tree/main/Splunk_TA_snow) lookup.
@ -387,6 +387,16 @@ SPL:
| table Time, index, host, EventCode, EventDescription, parent_process, parent_process_path, process, user, Name, Email
```
## Clear-text password search
References: [1](https://blog.talosintelligence.com/uat-5918-targets-critical-infra-in-taiwan/#credential-extraction), [2](https://thedfirreport.com/2024/08/26/blacksuit-ransomware/#collection), [3](https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/#credential-access)
SPL:
```spl
| tstats summariesonly=true allow_old_summaries=true fillnull_value="unknown" count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.process_name="findstr.exe" Processes.process="*password*" BY index, host, Processes.signature_id, Processes.signature, Processes.parent_process, Processes.process, Processes.user, _time span=1s
| rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription
```
## ClickFix detection
Description: Detecting ClickFix execution via the Windows Run dialog.