1. Copyright © 2014 Splunk Inc.
Security Opera;ons Use
Cases: 'Cause Bears, Pandas,
and Sandworms
Live! Edi)on
Ryan Chapman
(& Lisa Tawfall)
Bechtel Corpora;on

2. 2
Disclaimer
During the course of this presenta;on, we may make forward looking statements regarding future
events or the expected performance of the company. We cau;on you that such statements reflect our
current expecta;ons and es;mates based on factors currently known to us and that actual events or
results could differ materially. For important factors that may cause actual results to differ from those
contained in our forward-looking statements, please review our filings with the SEC. The forward-
looking statements made in the this presenta;on are being made as of the ;me and date of its live
presenta;on. If reviewed aXer its live presenta;on, this presenta;on may not contain current or
accurate informa;on. We do not assume any obliga;on to update any forward looking statements we
may make.
In addi;on, any informa;on about our roadmap outlines our general product direc;on and is subject to
change at any ;me without no;ce. It is for informa;onal purposes only and shall not, be incorporated
into any contract or other commitment. Splunk undertakes no obliga;on either to develop the features
or func;onality described or to include any such feature or func;onality in a future release.

3. 3
Agenda
• Intro to Bechtel
• Who’s This Guy?
• Overview of Security @ Bechtel
• Why Splunk?
• Use Cases

4. 4
Bechtel Corpora;on
• Largest Construc;on & Civil Engineering Company in the U.S.
• 58,000 colleagues | 25,000 projects | 160 countries | 7 con;nents
• Target Rich Environment – Global Threats
• 2012 Goal: Develop World-Class SOC

5. 5
Ryan J. Chapman
• Network Security Monitoring Analyst
• Incident Handler
• CIRT / SOC Liaison
• “Did You Check Splunk?” Guy
ê No, Really. Did You Check Splunk?
@rj_chap

6. Security @ Bechtel

7. 7
Post Remedia;on Structure

8. 8
APT Events
Use Case BEFORE
SPLUNK
AFTER
SPLUNK
Event
EscalaAon
to CIRT
• 99% of Events • 2013-2014:
< 3%
• 2015:
< 1%
APT Events
Detected
• 1 APT Event • 2013: 269 APT Events
• 2014: 82 APT Events

9. 9
The Security Stack
External
Intense Monitoring
Full Packet Capture
DNS ProtecAon
Network Event Parsing
Firewall
ApplicaAon Firewall
Email Blocking
Behavior Analysis
APT DetecAon
Forensics
AV
Log Forwarding
Remediate
Detect
Respond
Deter

10. 10
Why Splunk?
• Berer than GREP?
• Parsing Individual Logs?
– 2.35TB/day License
• Primary Uses:
– Alert Genera;on
– Response!
ê The “5 W’s”
Because it’s Awesome!

11. 11
Why Splunk?
Bechtel is Target Rich!

12. 12
Obligatory Splunk Quote
“We wouldn’t be able to do our jobs
without Splunk.”

13. Use Case One

14. 14
• Saved Searches Are Awesome!
ê 25%+ of SOC Tickets
• Alert: PowerShell Using “ -enc”
ê Also Alerted: “ -exec bypass”
ê Not Caught by Security Stack Tools
• Used to Base64 Encode
ê Detec;on Avoidance Mechanism
Use Case 1
“Tripping Over The Needle”

15. 15
Saved Search
index=wls* EventID=4688 BaseFileName="powershell.exe"
CommandLine="* -enc*" NOT ([REDACTED])
| sort 0 _time
| table _time, Computer, SubjectDomainName,
SubjectUserName, BaseFileName, CommandLine,
CompanyName, CreatorProcessName, NewProcessName,
FileDescription, FileVersion, MD5
No Encoding For You!

16. 16
Saved Search Results
[Most Columns Removed]
_Ame Computer CommandLine
11/9/15
15:35
[REDACTED] powershell.exe -nop -w hidden -encodedcommand
JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkAT
wAuAE0AZQBtAG…AKQA7AA==
11/9/15
15:49
[REDACTED] powershell -nop -exec bypass -EncodedCommand
'SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMA
dAAgAG4AZQB0A…AKQA7AA=='

17. 17
Saved Search Results
Decoded Base64 – MOAR Base64 + Zipped!
$s=New-Object IO.MemoryStream(,
[Convert]::FromBase64String(“H4sIAAAAAAAAAL1We2/aSBD/
Gz7FqopkW+UZuJREi…DAAA"));
IEX (New-Object IO.StreamReader(New-Object
IO.Compression.GzipStream($s,
[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

18. 18
Saved Search Results
Decoding Con;nued
• Secondary PowerShell Script
ê $var_code == Shellcode
• Shellcode Creates Named Pipe
ê Inter-Process Communica;on
• Errrrrr…. No
ê ALL HANDS ON DECK

19. 19
Addi;onal Splunkage
index=wls* EventID=4688 Computer="[REDACTED]"
BaseFileName="cmd.exe" CommandLine="*"
| sort 0 _time
| table _time, Computer, SubjectDomainName,
SubjectUserName, BaseFileName, CommandLine,
CompanyName, CreatorProcessName, NewProcessName,
FileDescription, FileVersion, MD5
Event Code 4688 = Process Execu;on

20. 20
Addi;onal Splunkage
• c:windowssystem32windowspowershell
v1.0powershell.exe -ex bypass -noni -w hidden -nop Get-
GPPPassword
• net user 'Domain Admins' /domain
• reg query '[REDACTED]HKLMSoXwareMicrosoXWindows
NTCurrentVersion'
• net sessions
• wmic qfe list brief
Event Code 4688 – CommandLine Examples

21. 21
Addi;onal Splunkage
Event Code 4688 – CreatorProcessName Oddity
_Ame Computer CommandLine CreatorProcessName NewProcessName
11/9/15
17:06:6
[REDACTED] net user [REDACTED]
/domain
txt2adobe C:Windows
SysWOW64cmd.exe
11/9/15
18:00:01
[REDACTED] systeminfo txt2adobe C:Windows
SysWOW64cmd.exe
11/9/15
18:11:36
[REDACTED] dir 10.[REDACTED]
c$
txt2adobe C:Windows
SysWOW64cmd.exe

22. 22
Correla;ng Tool Results FTW!
• NSM (Splunk) + DFIR (Memory Analysis w/Vola;lity)
• PSTREE
ê hrpd.exe launched txt2adobe.exe
• NETSCAN
0x23d23ccf0 TCPv4 10.[REDACTED]:80
10.[REDACTED]:34752 CLOSED 1432 httpd.exe
0x23c6c2170 TCPv4 10.[REDACTED]:52382
10.[REDACTED]:443 ESTABLISHED 3644 txt2adobe.exe
No 4688 Events for “txt2adobe”

23. 23
Wait A Second…
• Addi;onal Pivo;ng:
ê IP/MAC Addresses, etc.
ê Found a Kali-based Host
…Iden;fied Aggressor…
• Red Team Pentest!
ê 0x0000FF > 0xFF0000
ê Thanks Splunk!
NOT IN OUR HOUSE!

24. Use Case Two

25. 25
Use Case 2
• Intel is Now Ubiquitous
ê Paid Feeds
ê Open Source (Blogs/Twirer)
ê That Girl You Worked with Two
Companies Ago
• Indicators of Compromise
ê IOCs Everywhere!
ê How Do We Process Them All?
Ve†ng Threat Intel

26. 26
You Get Intel… and YOU Get Intel!

27. 27
Automate All the Things

28. 28
IOC Triage (IOCSaw, WAM, TRAC)
INDICATOR # LAST FIRST COMMENT CATEGORY CREATED TRAC
bad.site.cc Ticket #54728
OSINT (India
Breach)
Targeted 2013-03-14T
01:37:15
#54728
palace.malware
.net
More dynamic
DNS blocks
Dynamic
DNS
2013-09-03T
20:19:09
#78508,
#53939
test-user123.
crime.com
Ticket #54728
OSINT (India
Breach)
Targeted 2013-03-14T
01:37:15
#54728
securelist.
com
223 07/14/2015
21:46:03
07/16/2014
22:53:45
32
Matched
Tickets
[Par;al Results]

29. 29
Hash Triage (NSRL* Lookup and TRAC)
HASH NSRL_FNAME NSRL_MFG NSRL_PROD TICKET
214AD74511D23EAA51AE82EDC3760AE2 RDS_250.iso NIST NSRL DVD #12345
E9A87BB87BB87BB6DC053238B0A87B33 #80000
EDCD313791506EDCD318A2A88B9E0HH1
72EDCD31A7AAD3102C5AA7758EEDBEEF #84507
AAA62D5F0E348F0E8AAAAAADDDDDDEAD #22222,
#33333
5A22E5AEE4DA2FE363B77F1A22E5AE93
21C46A95329F3F168888888880000000 #thisisfake
D41D8CD98F00B204E9800998ECF8427E J
*Na;onal SoXware Reference Library
[Par;al Results]

30. 30
Macros Rock Hard
• `hash_indices` Macro:
This is a S;ck-Up! Gimmie Those Hashes!
(index=wls* OR
index=bro_files OR
index=bro_http OR
index=bro_notice OR
index=bro_smtp_entities OR
index=fe OR
index=fireeye OR
sourcetype=sep12:risk OR
sourcetype=sep12:proactive OR
sourcetype=sep12:behavior) AND
file_hash!="-"

31. 31
Macros Rock Hard
• `hash_indices` Macro:
This is a S;ck-Up! Gimmie Those Hashes!
earliest=12/15/2015:00:00:00 latest=12/15/2015:17:30:41
`hash_indices`
(file_hash="B9A4DAC2192FD78CDA097BFA79F6E7B2" OR
file_hash="E7B2ED6FF40DAB2F235000B0299E7B23" OR
file_hash="E7B2B87136E2DC22F8D2740F3E6EE7B2”)

32. 32
Another Useful Macro
• `web_traffic` Macro: (index=isa* OR
index=bro_http OR
index=bro_conn OR
index=websense OR
sourcetype=pan_traffic OR
sourcetype=pan_threat)

33. 33
`web_traffic` wdmycloud.device2479816.wd2go.com
Another Useful Macro
• `web_traffic` Macro:
• Palo Alto
• ISA Proxy
• BRO

34. 34
Recap & Takeaways
• Saved Searches are Your Friend
• Catalogue Your Saved Searches
• Enable Command Line Audi;ng!
ê See Resources
• Macros are Your Friend
• CIM is Your Friend
• Troll Splunk>Answers, Splunk>Blogs and Splunkbase
‘Member These Things

35. 35
Resources
• Michael Gogh’s Splunk/Windows Logging Cheat Sheets
ê h`p://www.malwarearchaeology.com/cheat-sheets
ê Provide Key Event Codes
ê Explain How to Setup Logging
• Check out Cassava!
ê h`ps://github.com/BechtelCIRT/cassava
• “Forensic Inves;gator” by TekDefense
ê h`ps://splunkbase.splunk.com/app/2895/

36. Thank You
Security Opera;ons Use
Cases: 'Cause Bears, Pandas,
and Sandworms
Live! Edi)on
Ryan Chapman – @rj_chap
Bechtel
QUESTIONS?