Hunter DFIR

Splunk

WEB

Find the IPs that have interacted with a website (most active first)

index="botsv1" imreallynotbatman.com sourcetype="stream:http"
| stats count as "Requests" by src_ip
| sort - "Requests"

List the URIs visited by an IP

index="botsv1" sourcetype="stream:http" status=200 src="40.80.148.42" dest="192.168.250.70" | stats count by uri | sort - count

Find Suricata alerts from an IP

index="botsv1" sourcetype="suricata" src="40.80.148.42" | search event_type=alert | stats count(alert.signature) as "Alert" by alert.signature | sort - "Alert"

Find scanning activity (POST requests per source IP)

index=botsv1 imreallynotbatman.com sourcetype="stream:http" http_method="POST"
| stats count by src_ip

Inspect request headers (signs of nmap: the Nmap Scripting Engine identifies itself in the User-Agent)

index=botsv1 imreallynotbatman.com sourcetype="stream:http" http_method="POST" c_ip="40.80.148.42" | stats count by src_headers| sort -count

Identify the CMS (the requested URLs reveal the application path)

index=botsv1 imreallynotbatman.com sourcetype="stream:http" http_method="POST" c_ip="40.80.148.42"
| stats count by url

Find the defacement (outbound connections from the web server to an external IP)

index=botsv1 sourcetype="suricata" src_ip="192.168.250.70" dest_ip="23.22.63.114"

Resolve the domain behind that IP (the Suricata HTTP records for the same connection also carry the requested hostname)

index=botsv1 sourcetype="suricata" src_ip="192.168.250.70" dest_ip="23.22.63.114"

Detect web brute-force attacks

sourcetype="stream:http" imreallynotbatman.com
| regex (passw)
| top limit=20 src_ip

Locate passwords sent in POST requests

index=botsv1 sourcetype="stream:http" http_method=POST *passwd*
| table form_data

index=botsv1 sourcetype="stream:http" http_method=POST form_data=*username*passwd*
| rex field=form_data "passwd=(?<password>[^&]+)"
| rex field=form_data "username=(?<user>[^&]+)"
| table _time, password, user
| sort _time

The captures stop at the next "&" rather than at the first non-word character, so passwords containing symbols are not truncated. The values are still URL-encoded as submitted.
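Added example, not part of the original page: the logic of the two searches above (count password submissions per source, then pull the credential timeline out of the form bodies) run in Python over a handful of constructed stream:http-style events. The event list, the IPs, the passwords and the brute-force threshold are all made up for the example; it also goes one step further than the SPL by flagging a password that reappears from a second address, which after a brute force is the usual sign of the guess that worked.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample events shaped like Splunk stream:http records (only the
# fields the queries above touch). They are made up for this example, not
# BOTSv1 data.
EVENTS = [
    {"_time": "2016-08-10T21:44:01", "src_ip": "23.22.63.114", "http_method": "POST",
     "uri": "/joomla/administrator/index.php",
     "form_data": "username=admin&passwd=password1&option=com_login&task=login"},
    {"_time": "2016-08-10T21:44:02", "src_ip": "23.22.63.114", "http_method": "POST",
     "uri": "/joomla/administrator/index.php",
     "form_data": "username=admin&passwd=letmein%21&option=com_login&task=login"},
    {"_time": "2016-08-10T21:44:03", "src_ip": "23.22.63.114", "http_method": "POST",
     "uri": "/joomla/administrator/index.php",
     "form_data": "username=admin&passwd=winter2016&option=com_login&task=login"},
    {"_time": "2016-08-10T21:44:04", "src_ip": "10.0.0.5", "http_method": "GET",
     "uri": "/joomla/administrator/index.php", "form_data": ""},
    {"_time": "2016-08-10T21:44:05", "src_ip": "10.0.0.5", "http_method": "POST",
     "uri": "/joomla/index.php", "form_data": "searchword=robin&option=com_search"},
    {"_time": "2016-08-10T21:45:10", "src_ip": "40.80.148.42", "http_method": "POST",
     "uri": "/joomla/administrator/index.php",
     "form_data": "username=admin&passwd=letmein%21&option=com_login&task=login"},
]

PASSW_RE = re.compile("passw", re.IGNORECASE)


def password_attempts(events):
    """Mirror of `regex (passw) | top src_ip`: count, per src_ip, the events
    whose form body mentions 'passw'. Returns a Counter keyed by src_ip."""
    return Counter(e["src_ip"] for e in events if PASSW_RE.search(e.get("form_data", "")))


def brute_force_sources(events, threshold=3):
    """src_ips with at least `threshold` password submissions. The threshold
    is an arbitrary cut-off chosen for this example."""
    return sorted(ip for ip, n in password_attempts(events).items() if n >= threshold)


def extract_credentials(form_data):
    """Pull username/passwd out of a URL-encoded body. parse_qs decodes
    percent-escapes and stops at '&', so a password such as 'letmein!' survives
    intact, which a \\w+ capture would truncate."""
    fields = parse_qs(form_data, keep_blank_values=True)
    if "username" not in fields or "passwd" not in fields:
        return None
    return fields["username"][0], fields["passwd"][0]


def credential_timeline(events):
    """Mirror of the rex/table/sort pipeline: (time, src_ip, user, password)
    for every POST carrying both fields, oldest first."""
    rows = []
    for e in events:
        if e.get("http_method") != "POST":
            continue
        creds = extract_credentials(e.get("form_data", ""))
        if creds:
            rows.append((e["_time"], e["src_ip"], creds[0], creds[1]))
    return sorted(rows)


def reused_passwords(events):
    """Passwords submitted from more than one src_ip. After a brute force, a
    password that later comes back from a different address is the candidate
    for the guess that actually worked."""
    seen = {}
    for _, ip, _, pw in credential_timeline(events):
        seen.setdefault(pw, set()).add(ip)
    return {pw: sorted(ips) for pw, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for ip, n in password_attempts(EVENTS).most_common(20):
        print(f"{ip:16} {n} password submissions")
    print("brute-force sources:", brute_force_sources(EVENTS))
    for row in credential_timeline(EVENTS):
        print(*row)
    print("reused passwords:", reused_passwords(EVENTS))
```

On real data, replace EVENTS with the results of the first search exported from Splunk (or any HTTP log with src_ip, method and form body); the threshold should be tuned to the normal login rate of the site.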

Locate uploaded files

index=botsv1 sourcetype=stream:http dest="192.168.250.70" "multipart/form-data" | stats count by part_filename{}

Locate a file's hash

index=botsv1 3791.exe
| stats count by sourcetype

index=botsv1 3791.exe sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| stats values(process_name) by MD5

index="botsv1" 3791.exe sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" CommandLine="*3791.exe*"
| stats values(process_name) by MD5

The first search only tells you which sourcetypes mention the file; the free-text term in the second one matches anywhere in the event (Image, ParentCommandLine, network events), so the third search narrows it to process creations whose CommandLine contains the file name. A parent such as cmd.exe launching the file will still show up under its own MD5, so check process_name before trusting the hash.
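Added example, not part of the original page: the `stats values(process_name) by MD5` grouping done in Python over constructed Sysmon events in the XML shape Splunk's XmlWinEventLog input stores. It shows the difference between the free-text match (counted per EventID here, since the sample has a single sourcetype) and the filter on CommandLine, including the case where a cmd.exe parent launches the file and appears under its own hash. The host name, paths, IP and the hash values are invented for the example.

```python
from collections import Counter
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Placeholder hashes, NOT the real hashes of any file.
MD5_3791 = "0123456789ABCDEF0123456789ABCDEF"
MD5_CMD = "FEDCBA9876543210FEDCBA9876543210"
SHA256_FAKE = "AB" * 32


def make_event(event_id, host, **data):
    """Build a minimal Sysmon event in Windows event XML (sample data only)."""
    fields = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID><Computer>{host}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed events: the file itself starting, cmd.exe launching it, a network
# connection (EventID 3) by the file, and an unrelated process start.
SAMPLE_XML = [
    make_event("1", "websrv01", Image=r"C:\inetpub\wwwroot\joomla\3791.exe",
               CommandLine="3791.exe", ParentImage=r"C:\Windows\System32\cmd.exe",
               Hashes=f"MD5={MD5_3791},SHA256={SHA256_FAKE}"),
    make_event("1", "websrv01", Image=r"C:\Windows\System32\cmd.exe",
               CommandLine="cmd.exe /c 3791.exe", ParentImage=r"C:\Windows\System32\w3wp.exe",
               Hashes=f"MD5={MD5_CMD},SHA256={SHA256_FAKE}"),
    make_event("3", "websrv01", Image=r"C:\inetpub\wwwroot\joomla\3791.exe",
               DestinationIp="198.51.100.7", DestinationPort="1337"),
    make_event("1", "websrv01", Image=r"C:\Windows\System32\notepad.exe",
               CommandLine="notepad.exe", Hashes=f"MD5={'11' * 16},SHA256={SHA256_FAKE}"),
]


def parse_sysmon_event(xml_text):
    """Flatten one event into a dict: EventID, host, every EventData field, and
    process_name derived from Image the way the Splunk Sysmon add-on does."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": root.findtext("e:System/e:EventID", namespaces=NS),
          "host": root.findtext("e:System/e:Computer", namespaces=NS)}
    for d in root.iterfind("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""
    if "Image" in ev:
        ev["process_name"] = ev["Image"].rsplit("\\", 1)[-1]
    return ev


def parse_hashes(hashes_field):
    """'MD5=...,SHA256=...' -> {'MD5': ..., 'SHA256': ...}."""
    return dict(item.split("=", 1) for item in hashes_field.split(",") if "=" in item)


def mentions_by_event_id(events, needle):
    """Free-text behaviour of `index=botsv1 3791.exe | stats count by ...`:
    the term is matched against every field, whatever the event type."""
    needle = needle.lower()
    return Counter(ev["EventID"] for ev in events
                   if any(isinstance(v, str) and needle in v.lower() for v in ev.values()))


def md5_by_process(events, needle, field="CommandLine"):
    """Mirror of `... CommandLine="*3791.exe*" | stats values(process_name) by MD5`,
    restricted to process-creation events (EventID 1), which are the ones that
    carry a Hashes field."""
    out = {}
    for ev in events:
        if ev["EventID"] != "1" or needle.lower() not in ev.get(field, "").lower():
            continue
        md5 = parse_hashes(ev.get("Hashes", "")).get("MD5")
        if md5:
            out.setdefault(md5, set()).add(ev["process_name"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    events = [parse_sysmon_event(x) for x in SAMPLE_XML]
    print("mentions by EventID:", dict(mentions_by_event_id(events, "3791.exe")))
    print("by CommandLine:", md5_by_process(events, "3791.exe"))
    print("by Image:", md5_by_process(events, "3791.exe", field="Image"))
```

Filtering on Image instead of CommandLine is the stricter choice when you want the hash of the file itself rather than of whatever launched it.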

Other

Processes

index="botsv1" earliest=0 Image="*\\cmd.exe" | stats values(CommandLine) by host