Detecting Attacker Behavior With Splunk Based On Analytics

Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and use an analytics-driven SPL search against all data to find the source process images that are creating an unusually high number of threads in other processes. Enter as your answer the outlier process name whose number of injected threads is greater than two standard deviations above the average. Answer format: _.exe

Hint: Count :eyes: SourceImage

index=* (EventCode=8 OR "CreateRemoteThread" OR "thread creation")
| stats count as ThreadCount by SourceImage
| eventstats avg(ThreadCount) as avgThreads, stdev(ThreadCount) as stdevThreads
| where ThreadCount > (avgThreads + (2 * stdevThreads))
| table SourceImage, ThreadCount
Then check the SourceImage with the highest count.

index="main" sourcetype="WinEventLog:Sysmon" EventCode=8
| bin _time span=1h
| stats count as ThreadCount by _time, SourceImage
| streamstats avg(ThreadCount) as avg stdev(ThreadCount) as stdev by SourceImage
| eval threshold=avg + (2 * stdev)
| sort -ThreadCount
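The two searches above both reduce to the same analytic: count CreateRemoteThread events per SourceImage, compute the average and standard deviation of those counts, and flag any source whose count exceeds the average by more than two standard deviations. The script below is an added example, not part of the original posts or of the HTB module; it re-implements that logic in Python over a constructed set of Sysmon-style Event ID 8 records (the counts per image are invented for illustration) so the threshold arithmetic can be checked outside Splunk. Field names (EventCode, SourceImage, TargetImage) follow Sysmon; the sample standard deviation is used because that is what Splunk's stdev() computes.

```python
"""Two-sigma outlier detection over Sysmon Event ID 8 (CreateRemoteThread) records.

Added example; the telemetry below is constructed, not captured from a real host.
"""
import statistics
from collections import Counter

# Constructed sample: (SourceImage, number of CreateRemoteThread events it produced).
# Most processes create a handful of remote threads; one creates far more.
_CONSTRUCTED_COUNTS = [
    (r"C:\Windows\System32\svchost.exe", 3),
    (r"C:\Windows\explorer.exe", 2),
    (r"C:\Windows\System32\csrss.exe", 4),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", 2),
    (r"C:\Windows\System32\winlogon.exe", 1),
    (r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", 2),
    (r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe", 1),
    (r"C:\Windows\System32\SearchIndexer.exe", 3),
    (r"C:\Windows\System32\lsass.exe", 2),
    (r"C:\Windows\System32\rundll32.exe", 30),
]


def make_sample_events():
    """Expand the constructed counts into Sysmon-like event dicts.

    One unrelated Event ID 1 (process create) record is included so the
    EventCode filter in count_threads_by_source() is exercised.
    """
    events = [{"EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe"}]
    for image, n in _CONSTRUCTED_COUNTS:
        for i in range(n):
            events.append({
                "EventCode": 8,
                "SourceImage": image,
                # Alternate between two targets; the target is irrelevant to the count.
                "TargetImage": r"C:\Windows\System32\lsass.exe" if i % 2 else r"C:\Windows\explorer.exe",
            })
    return events


def count_threads_by_source(events, event_code=8):
    """Equivalent of `EventCode=8 | stats count as ThreadCount by SourceImage`."""
    counts = Counter()
    for event in events:
        if event.get("EventCode") != event_code or "SourceImage" not in event:
            continue
        counts[event["SourceImage"]] += 1
    return dict(counts)


def baseline(counts):
    """Average and sample standard deviation of the per-source counts,
    matching Splunk's avg() and stdev() in eventstats."""
    values = list(counts.values())
    if len(values) < 2:
        raise ValueError("need at least two source images to compute a baseline")
    return statistics.mean(values), statistics.stdev(values)


def find_outliers(counts, sigma=2.0):
    """Return (SourceImage, ThreadCount) pairs with ThreadCount > avg + sigma * stdev,
    highest count first; equivalent of the `where` and `sort` stages in the SPL."""
    avg, stdev = baseline(counts)
    threshold = avg + sigma * stdev
    flagged = [(image, c) for image, c in counts.items() if c > threshold]
    return sorted(flagged, key=lambda pair: pair[1], reverse=True)


def outlier_basenames(events, sigma=2.0):
    """File names only (the `_.exe` answer format) of the flagged source images."""
    counts = count_threads_by_source(events)
    return [image.rsplit("\\", 1)[-1] for image, _ in find_outliers(counts, sigma)]


if __name__ == "__main__":
    sample = make_sample_events()
    per_source = count_threads_by_source(sample)
    mean, sd = baseline(per_source)
    print(f"avg={mean:.2f} stdev={sd:.2f} threshold={mean + 2 * sd:.2f}")
    for image, c in find_outliers(per_source):
        print(f"{c:4d}  {image}")
```

With only a handful of distinct source images, a single extreme value inflates the standard deviation and can push its own z-score below 2, so a two-sigma rule is more reliable when the baseline spans many processes or a longer time window, as the hourly-bin version of the search above tries to do.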

Interestingly, the alert contains a MITRE ATT&CK technique ID. One can simply search for the technique ID that appears in the alert.
index="main" sourcetype="WinEventLog:Sysmon" EventCode=8 "technique_id=T1055"
| table _time, host, TaskCategory, SourceImage, TargetImage