TryHackMe: Complete Beginner (Supplements)
- author:: Nathan Acks
- date:: 2021-11-11
There are three different event source fields in Splunk:
- `src_ip` contains source IP addresses only (if known).
- `src_host` contains (generally fully qualified) source hostnames only (if known).
- `src` contains a mix of both hostnames and IP addresses, but only one of these at a time.
However, a single event can contain both a `src_ip` and a `src_host`; correlating these two fields is a good way to determine hostnames from IP addresses or IP addresses from hostnames.
For network connections, the `dest` fields follow similar logic.
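The correlation described above, as an added example that is not part of the original notes: learn IP/hostname pairs from events that carry both `src_ip` and `src_host`, then fill in the missing side for events that carry only one. The events are constructed sample data, and an IP that has been seen with more than one hostname (DHCP reuse, for instance) is reported as ambiguous rather than silently resolved.

```python
# Added example (not from the original notes): correlate Splunk-style events
# that carry both src_ip and src_host to resolve events that carry only one.
from collections import defaultdict

SAMPLE_EVENTS = [  # constructed sample events, not real Splunk output
    {"EventCode": 1, "src_ip": "10.0.0.5", "src_host": "ws01.corp.local"},
    {"EventCode": 1, "src_host": "ws01.corp.local"},        # hostname only
    {"EventCode": 3, "src_ip": "10.0.0.5"},                 # IP only
    {"EventCode": 1, "src_ip": "10.0.0.9", "src_host": "ws02.corp.local"},
    {"EventCode": 1, "src_ip": "10.0.0.9", "src_host": "ws07.corp.local"},  # IP reused
    {"EventCode": 3, "src_ip": "10.0.0.9"},                 # ambiguous IP only
]


def build_maps(events):
    """Learn IP<->hostname pairs from events that carry both fields.
    Values are sets: one IP may have been seen with several hostnames
    (and vice versa), and that conflict must not be collapsed silently."""
    ip_to_host = defaultdict(set)
    host_to_ip = defaultdict(set)
    for ev in events:
        ip, host = ev.get("src_ip"), ev.get("src_host")
        if ip and host:
            ip_to_host[ip].add(host)
            host_to_ip[host].add(ip)
    return ip_to_host, host_to_ip


def enrich(events):
    """Return copies of the events with the missing side filled in when the
    learned mapping is unambiguous; otherwise list the candidates under
    src_host_candidates / src_ip_candidates so the analyst sees the conflict."""
    ip_to_host, host_to_ip = build_maps(events)
    out = []
    for ev in events:
        ev = dict(ev)  # do not mutate the caller's event
        if "src_ip" in ev and "src_host" not in ev:
            hosts = ip_to_host.get(ev["src_ip"], set())
            if len(hosts) == 1:
                ev["src_host"] = next(iter(hosts))
            elif hosts:
                ev["src_host_candidates"] = sorted(hosts)
        elif "src_host" in ev and "src_ip" not in ev:
            ips = host_to_ip.get(ev["src_host"], set())
            if len(ips) == 1:
                ev["src_ip"] = next(iter(ips))
            elif ips:
                ev["src_ip_candidates"] = sorted(ips)
        out.append(ev)
    return out
```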
Most Windows logs use hostnames rather than IP addresses.
Apparently, USB storage and filesystem names are stored in the Windows registry, so registry event logs will contain this information. The “name” that is shown in the File Explorer is known as the `friendlyname` in the registry.
Network share information is stored/logged by the registry similarly. Network share registry keys are the share path, with `\` characters replaced by
Be aware that the user recorded in the registry logs can be an application rather than a human!
Unfortunately, it looks like Sysmon doesn’t record `friendlyname` values, but only drive paths. However, Sysmon does record both the `ParentCommandLine` attributes for all executed applications; this is much finer-grained data than most anti-virus solutions. I can see why Kevin Beaumont likes it so much!
`*` in Splunk matches one or more characters, so `field=*` is an effective way of removing unset fields from a search. The `*` wildcard can even be used to specify
Also recall that `EventCode=1` corresponds to process execution.
Obtaining Memory Samples
Tools for obtaining memory dumps from running systems:
- FTK Imager
- win32dd.exe / win64dd.exe
These generate uncompressed `.raw` dumps of system memory. Basically every memory analysis tool can work with these.
For powered off or hibernating Windows systems, grab `%SystemDrive%\hiberfil.sys`, which is a compressed copy of the system’s memory. Linux systems that are hibernating also contain hibernation files or write memory contents to their swap partitions (though it’s not clear how to deal with those).
For virtual machines:
- VMware - .vmem
- Hyper-V - .bin
- Parallels - .mem
- VirtualBox - .sav
In all cases except VirtualBox, these files are maintained during run-time, and thus can provide a memory image without shutting the VM off (though I presume that it’s desirable to suspend it temporarily when copying). VirtualBox .sav files are kind of useless though, as they’re only partial; treat these VMs as if they were running on bare metal (for the purpose of memory dumps).