mirror of https://gitlab.com/curben/blog
129 lines
7.4 KiB
Markdown
129 lines
7.4 KiB
Markdown
---
|
|
title: Splunk Threat Hunting
|
|
layout: page
|
|
date: 2025-01-15
|
|
updated: 2025-08-03
|
|
---
|
|
|
|
- [Generate ad_users.csv](ldap-ad-users)
|
|
- [Generate ldap_assets.csv](ldap-ad-computers)
|
|
- [Generate cmdb_ci_list_lookup.csv](https://gitlab.com/curben/splunk-scripts/-/tree/main/Splunk_TA_snow)
|
|
- [Domain Admins Report](domain-admin-report)
|
|
- [Protected Group Monitoring](protected-group-monitoring)
|
|
- [3LOSH IoC](3losh-ioc)
|
|
- [AD Account Deletion](ad-account-deletion)
|
|
- [AD Database Dump](ad-database-dump)
|
|
- [AD Database Read](ad-database-read)
|
|
- [AD Password Policy Change](ad-password-policy-change)
|
|
- [AD Password Policy Modified](ad-password-policy-modified)
|
|
- [AWS AssumeRoot API operation](aws-assumeroot-api-operation)
|
|
- [Account Discovery Using DIR, WHOAMI, and NET](account-discovery-using-dir-whoami-and-net)
|
|
- [Account Lockout in Administrator Groups](account-lockout-in-administrator-groups)
|
|
- [AppLocker Audit](applocker-audit)
|
|
- [Anonymous Authentication Attempt from Foreign IP](anonymous-authentication-attempt-from-foreign-ip)
|
|
- [Authentication Against a New Domain Controller](authentication-against-a-new-domain-controller)
|
|
- [Authentication from Foreign IP](authentication-from-foreign-ip)
|
|
- [VPN Web Traffic from Foreign IP](vpn-web-traffic-from-foreign-ip)
|
|
- [BadRabbit IoC](badrabbit-ioc)
|
|
- [Basic Brute Force Detection](basic-brute-force-detection)
|
|
- [Basic Scanning](basic-scanning)
|
|
- [LoLBin execution](lolbin-execution)
|
|
- [Non-Chrome process accessing Chrome registry](non-chrome-process-accessing-chrome-registry)
|
|
- [Chrome spawned from user profile](chrome-spawned-from-user-profile)
|
|
- [Clear-text password search](clear-text-password-search)
|
|
- [ClickFix detection](clickfix-detection)
|
|
- [dllFake IoC](dllfake-ioc)
|
|
- [Internal Proxies Creation](internal-proxies-creation)
|
|
- [CVE-2023-23397 Outlook SMB](cve-2023-23397-outlook-smb)
|
|
- [Cloudflared/Tailscaled tunnel detection](cloudflared-tailscaled-tunnel-detection)
|
|
- [Cobalt Strike IOC](cobalt-strike-ioc)
|
|
- [cmd.exe/powershell.exe auto-start](cmd-exe-powershell-exe-auto-start)
|
|
- [Credential Manager/SAM Dump](credential-manager-sam-dump)
|
|
- [DCSync detection](dcsync-detection)
|
|
- [Defender Incident](defender-incident)
|
|
- [Defender traffic blocked by Windows Firewall](defender-traffic-blocked-by-windows-firewall)
|
|
- [Domain Administrator enabled/disabled](domain-administrator-enabled-disabled)
|
|
- [Deprioritise Windows Defender](deprioritise-windows-defender)
|
|
- [Disable Microsoft Defender](disable-microsoft-defender)
|
|
- [Disable Microsoft Defender (Powershell Script)](disable-microsoft-defender-powershell-script)
|
|
- [Disable Microsoft Defender (Registry)](disable-microsoft-defender-registry)
|
|
- [EvilProxy IoC](evilproxy-ioc)
|
|
- [Excessive AWS WAF Blocked Events](excessive-aws-waf-blocked-events)
|
|
- [Excessive Account Lockout](excessive-account-lockout)
|
|
- [Excessive Blocked Websites](excessive-blocked-websites)
|
|
- [Excessive RDP](excessive-rdp)
|
|
- [File hiding using attrib.exe observed](file-hiding-using-attrib-exe-observed)
|
|
- [FileFix detection](filefix-detection)
|
|
- [Gootloader IOC](gootloader-ioc)
|
|
- [Headless Browser](headless-browser)
|
|
- [ie4uinit.exe/msxsl.exe abuse](ie4uinit-exe-msxsl-exe-abuse)
|
|
- [Impacket detection](impacket-detection)
|
|
- [InnoDownloadPlugin user-agent observed](innodownloadplugin-user-agent-observed)
|
|
- [Kerberos Certificate Spoofing](kerberos-certificate-spoofing)
|
|
- [Kerberos TGT request without password](kerberos-tgt-request-without-password)
|
|
- [Kerberos Pre-Authentication Flag Disabled in UserAccountControl](kerberos-pre-authentication-flag-disabled-in-useraccountcontrol)
|
|
- [Kerberos TGT request with weak encryption](kerberos-tgt-request-with-weak-encryption)
|
|
- [Kerberos service ticket request with weak encryption](kerberos-service-ticket-request-with-weak-encryption)
|
|
- [Kernel driver service was installed](kernel-driver-service-was-installed)
|
|
- [LSASS.exe Read](lsass-exe-read)
|
|
- [LSASS.exe driver loading](lsass-exe-driver-loading)
|
|
- [Large Powershell Module](large-powershell-module)
|
|
- [LockBit 3.0](lockbit-3-0)
|
|
- [Logon from External Network](logon-from-external-network)
|
|
- [Logon with NewCredentials type](logon-with-newcredentials-type)
|
|
- [Malicious Host Threat Intelligence](malicious-host-threat-intelligence)
|
|
- [Microsoft Public Symbol download](microsoft-public-symbol-download)
|
|
- [Monthly Inactive Accounts Report](monthly-inactive-accounts-report)
|
|
- [Multiple Account Passwords changed by an Administrator](multiple-account-passwords-changed-by-an-administrator)
|
|
- [Named pipe usage](named-pipe-usage)
|
|
- [New Interactive Logon from a Service Account](new-interactive-logon-from-a-service-account)
|
|
- [New Network Share detected](new-network-share-detected)
|
|
- [NodeJS spawning cmd.exe](nodejs-spawning-cmd-exe)
|
|
- [OneNote IOC](onenote-ioc)
|
|
- [Open Port 53](open-port-53)
|
|
- [Plaintext credential](plaintext-credential)
|
|
- [Possible ShareFinder/Netscan/Sharphound/CobaltStrike Usage](possible-sharefinder-netscan-sharphound-cobaltstrike-usage)
|
|
- [PowerShell Web Downloads](powershell-web-downloads)
|
|
- [PowerShell Web Downloads (Operational)](powershell-web-downloads-operational)
|
|
- [Protected Group Monitoring](protected-group-monitoring)
|
|
- [Privileged Group Monitoring](privileged-group-monitoring)
|
|
- [Privileged Service with SeDebugPrivilege was called](privileged-service-with-sedebugprivilege-was-called)
|
|
- [Qbot IoC](qbot-ioc)
|
|
- [Rclone/Restic Exfiltration](rclone-restic-exfiltration)
|
|
- [Reboot to safe mode](reboot-to-safe-mode)
|
|
- [Regasm.exe execution](regasm-exe-execution)
|
|
- [Regsvcs.exe process injection](regsvcs-exe-process-injection)
|
|
- [Remote Desktop tool installation/execution](remote-desktop-tool-installation-execution)
|
|
- [Remote Desktop tool auto-start](remote-desktop-tool-auto-start)
|
|
- [Remote Desktop tool scheduled task](remote-desktop-tool-scheduled-task)
|
|
- [RestartManager abuse](restartmanager-abuse)
|
|
- [Restricted Admin Mode Detection](restricted-admin-mode-detection)
|
|
- [Rundll32 Dumping LSASS Memory](rundll32-dumping-lsass-memory)
|
|
- [Rundll32 Scheduled Task](rundll32-scheduled-task)
|
|
- [SIDHistory compromise](sidhistory-compromise)
|
|
- [SQL Server spawning Cmd.exe](sql-server-spawning-cmd-exe)
|
|
- [Splunk Events Deletion](splunk-events-deletion)
|
|
- [SafeDllSearchMode is modified](safedllsearchmode-is-modified)
|
|
- [Suspicious Logon/Logoff Events](suspicious-logon-logoff-events)
|
|
- [Suspicious Netscaler CLI](suspicious-netscaler-cli)
|
|
- [Suspicious Network Settings](suspicious-network-settings)
|
|
- [Suspicious WMI](suspicious-wmi)
|
|
- [UPnP enablement](upnp-enablement)
|
|
- [Unauthorised Reverse Proxy Tunnel](unauthorised-reverse-proxy-tunnel)
|
|
- [Unauthorised Computer Account Creation](unauthorised-computer-account-creation)
|
|
- [Unusual Scheduled Task](unusual-scheduled-task)
|
|
- [Unusual User Agent](unusual-user-agent)
|
|
- [Unusual printui.exe path](unusual-printui-exe-path)
|
|
- [User Login with Local Credentials](user-login-with-local-credentials)
|
|
- [VSCode tunnel](vscode-tunnel)
|
|
- [Volt Typhoon IOC](volt-typhoon-ioc)
|
|
- [Volume Shadow Copy](volume-shadow-copy)
|
|
- [Volume Shadow Delete](volume-shadow-delete)
|
|
- [Windows Event Log Clearing Events](windows-event-log-clearing-events)
|
|
- [Windows System Event Log Clearing Events](windows-system-event-log-clearing-events)
|
|
- [Windows Firewall Modification](windows-firewall-modification)
|
|
- [Windows JScript execution](windows-jscript-execution)
|
|
- [Windows Sandbox execution](windows-sandbox-execution)
|
|
- [Windows Script Executed from ZIP](windows-script-executed-from-zip)
|
|
- [WinRAR Spawning Shell Application](winrar-spawning-shell-application)
|