airbus-cert / Splunk-ETW

Licence: Apache-2.0 license
A Splunk Technology Add-on to forward filtered ETW events.

Splunk-ETW

The main purpose of this plugin is to select, filter and forward ETW events to Splunk.

Build from source

Splunk-ETW is written in C# and powered by cmake:

git clone https://github.com/airbus-cert/Splunk-ETW
mkdir build
cd build
cmake ..\Splunk-ETW
cmake --build . --target package --config release

These commands will produce Splunk-ETW.tar.gz.

To build the Test solution:

cmake ..\Splunk-ETW -DBUILD_TESTS=ON

Install add-on

Download the Splunk-ETW.tar.gz from the latest release. Then you can simply install the add-on using the splunk.exe command-line tool:

splunk.exe install app .\Splunk-ETW.tar.gz
splunk.exe enable app Splunk-ETW

Then you have to add a Splunk-ETW stanza to your main inputs.conf. The name after :// must match a profile file in the profile/ folder. By default, a single profile named cert is provided, so the associated inputs.conf stanza looks like this:

[Splunk-ETW://cert]

Then just restart the Splunk service:

splunk.exe restart

You can of course add your own profiles!

Creating a profile

Splunk-ETW can load multiple profiles from the profile folder. Each profile is an INI file describing which events will be forwarded to the Splunk indexer.

To add a foo profile:

  • Create a foo.ini file inside the profile folder.
  • Add the associated line into the main CMakeLists.txt file (copy and adjust the line under Install config files).

To use the foo profile, just add the following line into the inputs.conf of the Splunk Universal Forwarder:

[Splunk-ETW://foo]

Configuring the profile

Now that you have your profile registered into the Forwarder, edit the .ini file and add the providers and filters you want (see details below).

Once you are satisfied with your profile, rebuild and reinstall the project as previously described.

Adding a provider by name

To add a provider by name just add the following line into your profile file:

[Microsoft-Windows-WMI-Activity]

To add a provider by GUID you have to prefix the GUID with the type of provider:

  • Manifest for a manifest-based provider
  • TL for a TraceLogging provider
  • WPP for a Windows PreProcessor provider

; identical to [Microsoft-Windows-WMI-Activity]
[Manifest{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}]

; TraceLogging provider
[TL{8e805eb3-6a8f-4a1e-90fa-a831d94e54a1}]

; Windows Pre Processor provider
[WPP{8e805eb3-6a8f-4a1e-90fa-a831d94e54a1}]

Filtering by ID

In order to forward only some events produced by a provider, you can specify the relevant event ID:

; only forward event id 23 of Microsoft-Windows-WMI-Activity provider
[Microsoft-Windows-WMI-Activity://23]

You can add several IDs by adding more stanzas:

; Forward events 22 and 23 of Microsoft-Windows-WMI-Activity provider

[Microsoft-Windows-WMI-Activity://22]

[Microsoft-Windows-WMI-Activity://23]

You can filter by event ID for all kinds of providers:

; Filter event ID 23 of Manifest provider 1418EF04-B0B4-4623-BF7E-D74AB47BBDAA
[Manifest{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}://23]

Filtering by field value

Splunk-ETW can filter forwarded events by field value. Add a list of <field_name> = <field_value> lines under the event forward definition; only events whose field carries the given value will be forwarded. For example, event ID 23 of the Microsoft-Windows-WMI-Activity provider has a field named IsLocal. This field takes the value 0 when a process is created using the Win32_Process::Create method over the network, as in a lateral movement scenario. If we are only interested in this scenario we can apply the following filter:

[Microsoft-Windows-WMI-Activity://23]
IsLocal = 0

Airbus CERT Profile

The Airbus CERT default profile comes with the following simple use-cases:

Detecting remote execution via WMI

WMI allows creating processes through the Win32_Process class, which exposes a static Create method. It can be invoked using the following PowerShell command:

Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd /c systeminfo"

This method can be used for lateral movement.

WMI has a dedicated ETW provider named Microsoft-Windows-WMI-Activity and a dedicated event ID for the Create method: 23. Splunk-ETW will forward these events with the following config line:

[Microsoft-Windows-WMI-Activity://23]

Detecting PrintDemon

PrintDemon, aka CVE-2020-1048, can be detected by monitoring printer driver installation; in particular the installation of the driver named Generic / Text Only. The ETW provider Microsoft-Windows-PrintService generates event ID 316 with the name of the driver in the Param1 field.

Splunk-ETW can forward this event if and only if the value of Param1 is equal to Generic / Text Only, with the following config line:

[Microsoft-Windows-PrintService://316]
Param1=Generic / Text Only

Detecting BlueKeep

BlueKeep, aka CVE-2019-0708, is a vulnerability which targets the RDP protocol. Exploiting this vulnerability requires closing a particular channel named ms_t120. The ETW provider Microsoft-Windows-RemoteDesktopServices-RdpCoreTS monitors all closed channels by firing event ID 148 with the field ChannelName set to the name of the channel.

Splunk-ETW can forward this event if and only if the value of ChannelName is equal to ms_t120, with the following config line:

[Microsoft-Windows-RemoteDesktopServices-RdpCoreTS://148]
ChannelName=ms_t120
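As an added illustration (not the add-on's own C# code), the following Python sketch parses profile stanzas of the forms shown in the profile sections above (provider by name or typed GUID, optional event ID, field filters) and applies them to constructed sample events covering the three Airbus CERT use-cases. It assumes that every field filter in one stanza must match (AND) and that an event is forwarded when any stanza selects it; the sample profile and events are constructed, not the shipped cert profile.

```python
import re
# A stanza is [Name], [Name://ID], [Manifest{GUID}], [TL{GUID}://ID] or [WPP{GUID}]
STANZA = re.compile(r"^\[(?:(Manifest|TL|WPP)\{([0-9A-Fa-f-]{36})\}|([^\]:/]+))(?:://(\d+))?\]$")
def parse_profile(text):
    """Parse INI-style profile text into rules: provider (name or lowercased GUID),
    kind (Manifest/TL/WPP, or None for a name), id (None = every ID), field filters."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        m = STANZA.match(line)
        if m:
            kind, guid, name, eid = m.groups()
            rules.append({"provider": (guid or name).lower(), "kind": kind,
                          "id": int(eid) if eid else None, "fields": {}})
        elif "=" in line and rules:               # "<field_name> = <field_value>"
            key, value = (s.strip() for s in line.split("=", 1))
            rules[-1]["fields"][key] = value
        else:
            raise ValueError(f"unexpected profile line: {raw!r}")
    return rules
def matches(rule, event):
    """Provider and event ID must agree, and so must every listed field (assumed AND)."""
    if event["provider"].lower() != rule["provider"]:
        return False
    if rule["id"] is not None and event["id"] != rule["id"]:
        return False
    return all(event["fields"].get(k) == v for k, v in rule["fields"].items())
def forward(rules, events):  # events selected by at least one rule
    return [e for e in events if any(matches(r, e) for r in rules)]

# Constructed profile mirroring the README's stanzas (not the shipped cert profile)
SAMPLE_PROFILE = """
[Microsoft-Windows-WMI-Activity://23]
IsLocal = 0
[Microsoft-Windows-PrintService://316]
Param1=Generic / Text Only
[Microsoft-Windows-RemoteDesktopServices-RdpCoreTS://148]
ChannelName=ms_t120
[Manifest{1418EF04-B0B4-4623-BF7E-D74AB47BBDAA}]
"""
# Constructed sample events (provider is the name or GUID the event was emitted under)
SAMPLE_EVENTS = [
    {"provider": "Microsoft-Windows-WMI-Activity", "id": 23, "fields": {"IsLocal": "0"}},  # forwarded
    {"provider": "Microsoft-Windows-WMI-Activity", "id": 23, "fields": {"IsLocal": "1"}},  # local: dropped
    {"provider": "Microsoft-Windows-PrintService", "id": 316, "fields": {"Param1": "Generic / Text Only"}},
    {"provider": "1418EF04-B0B4-4623-BF7E-D74AB47BBDAA", "id": 5, "fields": {}},  # GUID stanza, any ID
]
```

Running forward(parse_profile(SAMPLE_PROFILE), SAMPLE_EVENTS) keeps the remote WMI creation, the driver installation and the GUID-provider event, and drops the local WMI creation.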

Credits and references

Greetz to vector-sec for his original work on TA_ETW!

Our previous work on ETW:
