killvxk/analyzing-windows-event-logs-in-splunk

在 Splunk 中分析 Windows 事件日志

适用场景

以下情况使用本技能：

• SOC 分析师调查与 Windows 身份验证、进程执行或 AD 变更相关的告警
• 检测工程师构建用于 Windows 威胁检测的 SPL 查询
• 事件响应人员需要 Windows 终端或域控制器活动的取证时间线
• 定期威胁狩猎（Threat Hunting）针对 Windows 特定的 ATT&CK 技术

不适用于 Linux/macOS 终端分析或纯网络调查。

前置条件

• Splunk，已接入 Windows 事件日志数据（sourcetype WinEventLog:Security、WinEventLog:System、XmlWinEventLog:Microsoft-Windows-Sysmon/Operational）
• 在终端上部署 Sysmon（System Monitor），使用 SwiftOnSecurity 或 Olaf Hartong 配置
• 为 Endpoint 和 Authentication 数据模型启用 CIM 数据模型加速
• 了解 Windows Security Event ID 和 Sysmon 事件类型

工作流程

步骤 1：身份验证攻击检测

暴力破解检测（EventCode 4625 — 登录失败）：

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625
| stats count, dc(TargetUserName) AS unique_users, values(TargetUserName) AS targeted_users
  by src_ip, Logon_Type, Status
| where count > 20
| eval attack_type = case(
    Logon_Type=3, "Network Brute Force",
    Logon_Type=10, "RDP Brute Force",
    Logon_Type=2, "Interactive Brute Force",
    1=1, "Other"
  )
| eval status_meaning = case(
    Status="0xc000006d", "Bad Username or Password",
    Status="0xc000006a", "Incorrect Password (valid user)",
    Status="0xc0000234", "Account Locked Out",
    Status="0xc0000072", "Account Disabled",
    1=1, Status
  )
| sort - count
| table src_ip, attack_type, status_meaning, count, unique_users, targeted_users

密码喷洒（Password Spray）检测：

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 Logon_Type=3
| bin _time span=10m
| stats dc(TargetUserName) AS unique_users, count AS total_attempts,
  values(TargetUserName) AS users_targeted by src_ip, _time
| where unique_users > 10 AND total_attempts < unique_users * 3
| eval spray_confidence = if(unique_users > 25, "HIGH", "MEDIUM")

失败后成功登录（失陷指标（IOC）/Indicators of Compromise）：

index=wineventlog sourcetype="WinEventLog:Security"
(EventCode=4625 OR EventCode=4624) src_ip!="127.0.0.1"
| sort _time
| stats earliest(_time) AS first_seen, latest(_time) AS last_seen,
  sum(eval(if(EventCode=4625,1,0))) AS failures,
  sum(eval(if(EventCode=4624,1,0))) AS successes
  by src_ip, TargetUserName, ComputerName
| where failures > 10 AND successes > 0
| eval time_to_success = round((last_seen - first_seen)/60, 1)
| sort - failures

步骤 2：权限提升检测

新建管理员账户（T1136.001）：

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4720
| join TargetUserName type=left [
    search index=wineventlog EventCode=4732 TargetUserName="Administrators"
    | rename MemberName AS TargetUserName
  ]
| table _time, SubjectUserName, TargetUserName, ComputerName
| eval alert = "New account created and added to Administrators group"

分配特殊权限（EventCode 4672）：

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4672
SubjectUserName!="SYSTEM" SubjectUserName!="LOCAL SERVICE" SubjectUserName!="NETWORK SERVICE"
| stats count, values(PrivilegeList) AS privileges by SubjectUserName, ComputerName
| where count > 0
| search privileges IN ("SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege",
  "SeRestorePrivilege", "SeAssignPrimaryTokenPrivilege")

令牌操纵（Token Manipulation）检测（T1134）：

index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
 GrantedAccess IN ("0x1010", "0x1038", "0x1fffff", "0x40")
| stats count by SourceImage, SourceUser, Computer, GrantedAccess
| where NOT match(SourceImage, "(svchost|csrss|wininit|MsMpEng|CrowdStrike)")
| sort - count

步骤 3：持久化机制检测

计划任务创建（T1053.005）：

index=wineventlog (sourcetype="WinEventLog:Security" EventCode=4698)
  OR (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
      Image="*\\schtasks.exe")
| eval task_info = coalesce(TaskContent, CommandLine)
| search task_info="*powershell*" OR task_info="*cmd*" OR task_info="*http*" OR task_info="*\\Temp\\*"
| table _time, Computer, SubjectUserName, TaskName, task_info

注册表 Run 键修改（T1547.001）：

index=sysmon EventCode=13
TargetObject IN (
  "*\\CurrentVersion\\Run\\*",
  "*\\CurrentVersion\\RunOnce\\*",
  "*\\CurrentVersion\\RunServices\\*",
  "*\\Explorer\\Shell Folders\\*"
)
| stats count by Computer, Image, TargetObject, Details
| where NOT match(Image, "(explorer\.exe|msiexec\.exe|setup\.exe)")
| sort - count

WMI 事件订阅（T1546.003）：

index=sysmon EventCode=20 OR EventCode=21
| stats count by Computer, Operation, Consumer, EventNamespace
| where count > 0

步骤 4：横向移动检测

远程服务利用（T1021.002 — SMB/Windows 管理共享）：

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=3
| stats dc(ComputerName) AS unique_destinations, values(ComputerName) AS targets
  by src_ip, TargetUserName
| where unique_destinations > 3
| sort - unique_destinations
| table src_ip, TargetUserName, unique_destinations, targets

PsExec 检测（T1021.002）：

index=sysmon EventCode=1
(Image="*\\psexec.exe" OR Image="*\\psexesvc.exe"
 OR ParentImage="*\\psexesvc.exe"
 OR OriginalFileName="psexec.c")
| table _time, Computer, User, ParentImage, Image, CommandLine

RDP 横向移动（T1021.001）：

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=10
| stats count, dc(ComputerName) AS rdp_targets, values(ComputerName) AS destinations
  by src_ip, TargetUserName
| where rdp_targets > 2
| sort - rdp_targets

步骤 5：构建取证时间线

为被入侵主机创建全面时间线：

(index=wineventlog OR index=sysmon) Computer="WORKSTATION-042"
earliest="2024-03-14T00:00:00" latest="2024-03-16T00:00:00"
| eval event_description = case(
    EventCode=4624, "Logon: ".TargetUserName." (Type ".Logon_Type.")",
    EventCode=4625, "Failed Logon: ".TargetUserName,
    EventCode=4688 OR (sourcetype="XmlWinEventLog:*Sysmon*" AND EventCode=1),
      "Process: ".Image." CMD: ".CommandLine,
    EventCode=4698, "Scheduled Task: ".TaskName,
    EventCode=3, "Network: ".DestinationIp.":".DestinationPort,
    EventCode=11, "File Created: ".TargetFilename,
    EventCode=13, "Registry: ".TargetObject,
    1=1, "Event ".EventCode
  )
| sort _time
| table _time, EventCode, event_description, User, src_ip

步骤 6：创建富化查找表

构建 Windows Event ID 上下文参考查找表：

| inputlookup windows_eventcode_lookup.csv
| table EventCode, Description, ATT_CK_Technique, Severity

如果查找表不存在，创建它：

EventCode,Description,ATT_CK_Technique,Severity
4624,Successful Logon,T1078,Informational
4625,Failed Logon,T1110,Low
4648,Explicit Credential Logon,T1078,Medium
4672,Special Privileges Assigned,T1134,Medium
4688,New Process Created,T1059,Informational
4698,Scheduled Task Created,T1053.005,Medium
4720,User Account Created,T1136.001,High
4732,Member Added to Security Group,T1098,High
4768,Kerberos TGT Requested,T1558,Informational
4769,Kerberos Service Ticket,T1558.003,Low
4771,Kerberos Pre-Auth Failed,T1110,Low

核心概念

| 术语 | 定义 | |------|-----------| | EventCode 4624 | 登录成功事件 — Logon_Type 2（交互式）、3（网络）、10（RDP）、7（解锁） | | EventCode 4625 | 登录失败事件 — Status 代码指示失败原因（密码错误、账户锁定、账户禁用） | | Sysmon EventCode 1 | 进程创建，包含完整命令行、父进程及哈希信息 | | Sysmon EventCode 3 | 进程发起的网络连接 — 源/目的 IP、端口及进程上下文 | | Logon Type 3 | 网络登录（SMB、WMI、PowerShell Remoting）— 横向移动的关键指标 | | Logon Type 10 | 通过 RDP/Terminal Services 的远程交互式登录 |

工具与系统

• Splunk Enterprise：具有 SPL 查询引擎的 SIEM（安全信息和事件管理）平台，用于 Windows 事件日志分析和关联
• Sysmon（System Monitor）：Microsoft Sysinternals 工具，提供详细的进程、网络和文件活动日志
• Splunk CIM：通用信息模型（Common Information Model），将 Windows 事件映射到规范化字段以支持跨源查询
• Windows Event Forwarding（WEF）：内置 Windows 机制，将事件日志集中到收集服务器

常见场景

• Kerberoasting（T1558.003）：检测非标准服务账户中加密类型为 0x17（RC4）的 EventCode 4769
• DCSync（T1003.006）：检测来自非域控制器来源的携带 DS-Replication-Get-Changes 的 EventCode 4662
• 黄金票据（Golden Ticket，T1558.001）：检测具有异常票据属性（过长有效期、非标准加密）的 EventCode 4769
• 哈希传递（Pass-the-Hash，T1550.002）：检测来自意外来源、使用 NTLM 认证的 EventCode 4624 Logon_Type 3
• DLL 侧加载（DLL Side-Loading，T1574.002）：Sysmon EventCode 7 显示合法进程加载未签名 DLL

输出格式

WINDOWS EVENT LOG ANALYSIS — HOST: WORKSTATION-042
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Period:     2024-03-14 to 2024-03-15
Events:     12,847 total (Security: 9,231 | Sysmon: 3,616)

Authentication Summary:
  Successful Logons (4624):    487 (Type 3: 312, Type 10: 45, Type 2: 130)
  Failed Logons (4625):        847 (from 192.168.1.105 — BRUTE FORCE)
  Explicit Creds (4648):       12

Suspicious Findings:
  [HIGH]   847 failed logons followed by success at 14:35 from 192.168.1.105
  [HIGH]   New user "backdoor_admin" created (4720) at 14:38
  [HIGH]   User added to Administrators group (4732) at 14:38
  [MEDIUM] schtasks.exe creating persistence task at 14:42
  [MEDIUM] PowerShell encoded command execution at 14:45

ATT&CK Mapping:
  T1110.001 — Password Guessing (847 failed logons)
  T1136.001 — Local Account Creation (backdoor_admin)
  T1053.005 — Scheduled Task (persistence)
  T1059.001 — PowerShell (encoded execution)