admu-sec/htb-spl-cheatsheet
GitHub: admu-sec/htb-spl-cheatsheet
A collection of Splunk SPL queries for threat hunting and incident response
# HTB Splunk SPL Cheat Sheet
## Authentication and Logon
### Kerberos TGT requests (Event Code 4768)
```
index=* sourcetype="WinEventLog:Security" EventCode=4768
| stats count by Account_Name
| sort -count
```
### Distinct computers per account (Event Code 4624)
```
index=* sourcetype="WinEventLog:Security" EventCode=4624 Account_Name=SYSTEM
| stats dc(ComputerName) as distinct_computers
```
### Logon activity within 10 minutes (Event Code 4624)
```
index=* sourcetype="WinEventLog:Security" EventCode=4624
| stats min(_time) as first_login max(_time) as last_login count as attempts by Account_Name
| eval duration_minutes = (last_login - first_login) / 60
| where duration_minutes < 10
| sort -attempts
```
## Process Execution (Event Code 1)
### net view
```
index=* EventCode=1 CommandLine="*net view*"
| table _time, ComputerName, User, CommandLine
```
### rundll32 with parent process
```
index=* EventCode=1 Image="*rundll32.exe*"
| table _time, Image, ParentImage, CommandLine, User
```
### PsExec
```
index=* EventCode=1 (Image="*PsExec*" OR CommandLine="*psexec*")
| table _time, CommandLine, User, ParentImage
```
### Initial infection - suspicious processes
```
index=* EventCode=1 (Image="*demon.exe*" OR Image="*randomfile.exe*" OR Image="*SharpHound*")
| table _time, Image, ParentImage, CommandLine, User
| sort _time
```
### All processes sorted by time
```
index=* EventCode=1
| table _time, Image, ParentImage, CommandLine, User
| sort _time
```
## DLL Loads (Event Code 7)
### clr.dll per process
```
index=* EventCode=7 ImageLoaded="*clr.dll*"
| stats count by Image
| sort -count
```
### Suspicious clr.dll loads (excluding legitimate processes)
```
index=* EventCode=7 ImageLoaded="*clr.dll*"
| search NOT Image="*powershell*" NOT Image="*taskhostw*" NOT Image="*msiexec*"
NOT Image="*sdiaghost*" NOT Image="*mmc*" NOT Image="*Corsair*"
NOT Image="*VisualStudio*" NOT Image="*Teams*"
| stats count by Image
| sort -count
```
## Process Injection (Event Code 8)
### Thread injection anomalies - standard deviation
```
index=* EventCode=8
| stats count by SourceImage
| eventstats avg(count) as avg stdev(count) as stdev
| eval threshold = avg + (2 * stdev)
| where count > threshold
| table SourceImage, count, avg, stdev, threshold
| sort -count
```
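The query above flags any SourceImage whose CreateRemoteThread count exceeds the mean plus two sample standard deviations across all sources. The following Python re-implements that pipeline over a constructed set of Sysmon Event ID 8 records so the threshold arithmetic can be checked offline; it is an added example, not code from the repository, and the image paths and counts are made up.

```python
"""Re-implementation of: stats count by SourceImage | eventstats avg stdev
| eval threshold = avg + 2*stdev | where count > threshold."""
from collections import Counter
from statistics import mean, stdev

# Constructed sample telemetry: how many Event ID 8 records each SourceImage
# produced. Eight low-volume sources plus one noisy injector.
_SAMPLE_COUNTS = {
    r"C:\Windows\System32\csrss.exe": 3,
    r"C:\Windows\System32\svchost.exe": 4,
    r"C:\Windows\explorer.exe": 2,
    r"C:\Windows\System32\services.exe": 3,
    r"C:\Windows\System32\lsass.exe": 5,
    r"C:\Windows\System32\wininit.exe": 2,
    r"C:\Windows\System32\smss.exe": 4,
    r"C:\Windows\System32\conhost.exe": 3,
    r"C:\Users\victim\Downloads\randomfile.exe": 60,  # hypothetical injector
}
SAMPLE_EVENTS = [
    {"EventCode": 8, "SourceImage": img, "TargetImage": r"C:\Windows\System32\rundll32.exe"}
    for img, n in _SAMPLE_COUNTS.items()
    for _ in range(n)
]


def thread_injection_outliers(events, k=2.0):
    """Return rows (SourceImage, count, avg, stdev, threshold) whose count
    exceeds avg + k*stdev, sorted by count descending, like the SPL query."""
    counts = Counter(e["SourceImage"] for e in events if e.get("EventCode") == 8)
    if len(counts) < 2:
        # Splunk's stdev() over a single row is null, so `where` drops everything.
        return []
    avg = mean(counts.values())
    sd = stdev(counts.values())  # sample stdev (n-1), matching Splunk stdev()
    threshold = avg + k * sd
    rows = [
        {"SourceImage": img, "count": c, "avg": avg, "stdev": sd, "threshold": threshold}
        for img, c in counts.items()
        if c > threshold
    ]
    return sorted(rows, key=lambda r: r["count"], reverse=True)


if __name__ == "__main__":
    for row in thread_injection_outliers(SAMPLE_EVENTS):
        print(f'{row["SourceImage"]}: count={row["count"]} threshold={row["threshold"]:.1f}')
```

With few SourceImage groups the outlier itself inflates the standard deviation and can fall below its own threshold, so a 2-sigma cut is only meaningful once a host has a reasonable number of distinct thread-creating processes.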
### Remote threads in a specific process
```
index=* EventCode=8 TargetImage="*rundll32.exe*"
| table _time, SourceImage, TargetImage, User
```
## LSASS Dumping (Event Code 10)
### Processes accessing lsass
```
index=* EventCode=10 TargetImage="*lsass.exe*"
| table _time, SourceImage, SourceUser, GrantedAccess
```
## Process Termination (Event Code 5)
### Short-lived processes
```
index=* EventCode=5 (Image="*notepad.exe*" OR Image="*rundll32.exe*" OR Image="*randomfile.exe*")
| table _time, Image, User
```
## Network Connections (Event Code 3)
### All destinations per process
```
index=* EventCode=3
| stats count by DestinationIp, Image
| sort -count
```
### Internal network connections
```
index=* EventCode=3 DestinationIp="10.0.0.*"
| stats count by DestinationIp, Image
| sort -count
```
### SharpHound
```
index=* EventCode=3 Image="*SharpHound.exe*"
| stats count
```
### C2 outbound
```
index=* EventCode=3 (Image="*demon.exe*" OR Image="*randomfile.exe*")
| stats count by DestinationIp
| sort -count
```
### C2 inbound
```
index=* EventCode=3 (SourceIp="10.0.0.186" OR SourceIp="10.0.0.91")
| stats count by SourceIp, DestinationIp, DestinationPort
| sort -count
```
## General
### Sourcetypes overview
```
index=* | stats count by sourcetype | sort -count
```
### Event codes in the Security log
```
index=* sourcetype="WinEventLog:Security"
| stats count by EventCode
| sort -count
```