Detecting Common User/Domain Recon - Splunk

Modify and employ the Splunk search provided at the end of this section on all ingested data (All time) to find all process names that made LDAP queries where the filter includes the string (samAccountType=805306368). Enter the missing process name from the following list as your answer. N/A, Rubeus, SharpHound, mmc, powershell, _

index=main earliest=1690195896 latest=1690285475 source="WinEventLog:SilkService-Log"
| spath input=Message 
| rename XmlEventData.* as * 
| table _time, ComputerName, ProcessName, ProcessId, DistinguishedName, SearchFilter
| sort 0 _time
| search SearchFilter="*(samAccountType=805306368)*"
| stats min(_time) as _time, max(_time) as maxTime, count, values(SearchFilter) as SearchFilter by ComputerName, ProcessName, ProcessId
| where count > 10
| convert ctime(maxTime)

I’ve tried to modify the search a few different ways but can only find about 7 process names, none of which work as the answer. I’ve switched the time frame to All time so I know that’s not the issue.
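To make the mechanics of the search concrete, here is an added Python example (not code from the thread or from the module) that mirrors the same pipeline over constructed SilkService-style records: parse the JSON in Message, lift the XmlEventData fields, keep rows whose SearchFilter contains (samAccountType=805306368), aggregate by host/process/PID, apply the count threshold, and convert maxTime to a ctime string. The nesting of fields under XmlEventData, the host names, PIDs and timings are assumptions made for the sample data. It deliberately applies no time bounds, and it exposes a threshold parameter so you can see why `where count > 10` hides processes that issued only a few enumeration-style queries.

```python
"""Added example (not from the thread): emulate the post's Splunk search in Python.

Pipeline mirrored: spath on Message -> rename XmlEventData.* -> keep rows whose
SearchFilter contains (samAccountType=805306368) -> stats by host/process/PID
-> where count > threshold -> convert maxTime to ctime.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# LDAP filter fragment from the page: samAccountType 805306368 selects
# normal user accounts, so bulk queries carrying it look like user enumeration.
USER_ENUM_MARKER = "(samAccountType=805306368)"


def _event(t, host, proc, pid, search_filter):
    """Build one constructed SilkService-style record: Splunk's _time plus a
    JSON Message. Nesting under "XmlEventData" is assumed from the SPL rename."""
    payload = {"XmlEventData": {
        "ComputerName": host, "ProcessName": proc, "ProcessId": pid,
        "DistinguishedName": "DC=corp,DC=local", "SearchFilter": search_filter}}
    return {"_time": t, "Message": json.dumps(payload)}


# Constructed sample data (hosts, PIDs and timings are made up for this example).
SAMPLE_EVENTS = (
    # 12 user-enumeration style queries from one process: clears `count > 10`
    [_event(1690200000 + 5 * i, "WS01", "powershell", 4242,
            "(&(samAccountType=805306368)(cn=*))") for i in range(12)]
    # 3 matching queries from another process: a hit, but below that threshold
    + [_event(1690200100 + 5 * i, "DC01", "mmc", 1337,
              "(samAccountType=805306368)") for i in range(3)]
    # 20 computer-object lookups: never match the filter string
    + [_event(1690200200 + i, "WS01", "svchost", 900,
              "(objectClass=computer)") for i in range(20)]
)


def parse_event(raw):
    """`spath input=Message | rename XmlEventData.* as *`."""
    fields = json.loads(raw["Message"])["XmlEventData"]
    return {"_time": raw["_time"], **fields}


def to_ctime(epoch):
    """`convert ctime(...)` in Splunk's default layout, rendered in UTC here."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def run_search(raw_events, threshold=10):
    """Return one row per (ComputerName, ProcessName, ProcessId) that issued
    more than `threshold` queries containing USER_ENUM_MARKER. No time bounds
    are applied, which is the change the replies suggest."""
    groups = defaultdict(lambda: {"_time": None, "maxTime": None, "count": 0, "filters": set()})
    for ev in map(parse_event, raw_events):
        if USER_ENUM_MARKER not in ev.get("SearchFilter", ""):
            continue  # `search SearchFilter="*(samAccountType=805306368)*"`
        g = groups[(ev["ComputerName"], ev["ProcessName"], ev["ProcessId"])]
        g["_time"] = ev["_time"] if g["_time"] is None else min(g["_time"], ev["_time"])
        g["maxTime"] = ev["_time"] if g["maxTime"] is None else max(g["maxTime"], ev["_time"])
        g["count"] += 1
        g["filters"].add(ev["SearchFilter"])
    rows = [{"ComputerName": h, "ProcessName": p, "ProcessId": pid,
             "_time": g["_time"], "maxTime": g["maxTime"], "count": g["count"],
             "SearchFilter": sorted(g["filters"])}
            for (h, p, pid), g in groups.items() if g["count"] > threshold]
    return sorted(rows, key=lambda r: r["_time"])  # `sort 0 _time`


def process_names(raw_events, threshold=0):
    """Distinct process names behind the hits; threshold 0 keeps every process
    that issued even one such query, which is what the question asks for."""
    return sorted({r["ProcessName"] for r in run_search(raw_events, threshold)})


if __name__ == "__main__":
    for row in run_search(SAMPLE_EVENTS):
        print(row["ComputerName"], row["ProcessName"], row["ProcessId"],
              row["count"], to_ctime(row["_time"]), to_ctime(row["maxTime"]))
    print("all process names:", process_names(SAMPLE_EVENTS))
```

With the page's threshold only the powershell group survives; calling `process_names` with the default threshold of 0 lists both processes that issued the filter, which is the difference between "who is hammering LDAP" and "who ever asked this question" that the exercise turns on.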

Try to remove the time range from the query and modify the Event Count. I hope it helps.

You can take out the time filter from your query, and you could return only results from ProcessName using stats.

It worked, but using the All time (real time) filter did not work for me. I played around with the other timings.

I got the answer.
But it is not clear to me what the learning/message was from the exercise.


Getting used to the more complex searches in Splunk, I suppose.