soc operations

Analyzing Windows Event Logs in Splunk

Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege escalation, persistence mechanisms, and lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC analysts need to investigate Windows-based threats, build detection queries, or perform forensic timeline analysis of Windows endpoints and domain controllers.

active-directoryevent-logsmitre-attacksocsplunksysmonwindows-events
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

Use this skill when:

  • SOC analysts investigate alerts related to Windows authentication, process execution, or AD changes
  • Detection engineers build SPL queries for Windows-based threat detection
  • Incident responders need forensic timelines of Windows endpoint or domain controller activity
  • Periodic threat hunting targets Windows-specific ATT&CK techniques

Do not use for Linux/macOS endpoint analysis or network-only investigations.

Prerequisites

  • Splunk with Windows Event Log data ingested (sourcetype WinEventLog:Security, WinEventLog:System, XmlWinEventLog:Microsoft-Windows-Sysmon/Operational)
  • Sysmon deployed on endpoints with SwiftOnSecurity or Olaf Hartong configuration
  • CIM data model acceleration for Endpoint and Authentication data models
  • Knowledge of Windows Security Event IDs and Sysmon event types

Workflow

Step 1: Authentication Attack Detection

Brute Force Detection (EventCode 4625 — Failed Logon):

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625
| stats count, dc(TargetUserName) AS unique_users, values(TargetUserName) AS targeted_users
  by src_ip, Logon_Type, Status
| where count > 20
| eval attack_type = case(
    Logon_Type=3, "Network Brute Force",
    Logon_Type=10, "RDP Brute Force",
    Logon_Type=2, "Interactive Brute Force",
    1=1, "Other"
  )
| eval status_meaning = case(
    Status="0xc000006d", "Bad Username or Password",
    Status="0xc000006a", "Incorrect Password (valid user)",
    Status="0xc0000234", "Account Locked Out",
    Status="0xc0000072", "Account Disabled",
    1=1, Status
  )
| sort - count
| table src_ip, attack_type, status_meaning, count, unique_users, targeted_users

Password Spray Detection:

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 Logon_Type=3
| bin _time span=10m
| stats dc(TargetUserName) AS unique_users, count AS total_attempts,
  values(TargetUserName) AS users_targeted by src_ip, _time
| where unique_users > 10 AND total_attempts < unique_users * 3
| eval spray_confidence = if(unique_users > 25, "HIGH", "MEDIUM")

Successful Logon After Failures (Compromise Indicator):

index=wineventlog sourcetype="WinEventLog:Security"
(EventCode=4625 OR EventCode=4624) src_ip!="127.0.0.1"
| sort _time
| stats earliest(_time) AS first_seen, latest(_time) AS last_seen,
  sum(eval(if(EventCode=4625,1,0))) AS failures,
  sum(eval(if(EventCode=4624,1,0))) AS successes
  by src_ip, TargetUserName, ComputerName
| where failures > 10 AND successes > 0
| eval time_to_success = round((last_seen - first_seen)/60, 1)
| sort - failures

Step 2: Privilege Escalation Detection

New Admin Account Created (T1136.001):

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4720
| join TargetUserName type=left [
    search index=wineventlog EventCode=4732 TargetUserName="Administrators"
    | rename MemberName AS TargetUserName
  ]
| table _time, SubjectUserName, TargetUserName, ComputerName
| eval alert = "New account created and added to Administrators group"

Special Privileges Assigned (EventCode 4672):

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4672
SubjectUserName!="SYSTEM" SubjectUserName!="LOCAL SERVICE" SubjectUserName!="NETWORK SERVICE"
| stats count, values(PrivilegeList) AS privileges by SubjectUserName, ComputerName
| where count > 0
| search privileges IN ("SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege",
  "SeRestorePrivilege", "SeAssignPrimaryTokenPrivilege")

Token Manipulation Detection (T1134):

index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
GrantedAccess IN ("0x1010", "0x1038", "0x1fffff", "0x40")
| stats count by SourceImage, SourceUser, Computer, GrantedAccess
| where NOT match(SourceImage, "(svchost|csrss|wininit|MsMpEng|CrowdStrike)")
| sort - count

Step 3: Persistence Mechanism Detection

Scheduled Task Creation (T1053.005):

index=wineventlog (sourcetype="WinEventLog:Security" EventCode=4698)
  OR (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
      Image="*\\schtasks.exe")
| eval task_info = coalesce(TaskContent, CommandLine)
| search task_info="*powershell*" OR task_info="*cmd*" OR task_info="*http*" OR task_info="*\\Temp\\*"
| table _time, Computer, SubjectUserName, TaskName, task_info

Registry Run Key Modification (T1547.001):

index=sysmon EventCode=13
TargetObject IN (
  "*\\CurrentVersion\\Run\\*",
  "*\\CurrentVersion\\RunOnce\\*",
  "*\\CurrentVersion\\RunServices\\*",
  "*\\Explorer\\Shell Folders\\*"
)
| stats count by Computer, Image, TargetObject, Details
| where NOT match(Image, "(explorer\.exe|msiexec\.exe|setup\.exe)")
| sort - count

WMI Event Subscription (T1546.003):

index=sysmon EventCode=20 OR EventCode=21
| stats count by Computer, Operation, Consumer, EventNamespace
| where count > 0

Step 4: Lateral Movement Detection

Remote Service Exploitation (T1021.002 — SMB/Windows Admin Shares):

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=3
| stats dc(ComputerName) AS unique_destinations, values(ComputerName) AS targets
  by src_ip, TargetUserName
| where unique_destinations > 3
| sort - unique_destinations
| table src_ip, TargetUserName, unique_destinations, targets

PsExec Detection (T1021.002):

index=sysmon EventCode=1
(Image="*\\psexec.exe" OR Image="*\\psexesvc.exe"
 OR ParentImage="*\\psexesvc.exe"
 OR OriginalFileName="psexec.c")
| table _time, Computer, User, ParentImage, Image, CommandLine

RDP Lateral Movement (T1021.001):

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=10
| stats count, dc(ComputerName) AS rdp_targets, values(ComputerName) AS destinations
  by src_ip, TargetUserName
| where rdp_targets > 2
| sort - rdp_targets

Step 5: Build Forensic Timeline

Create comprehensive timeline for a compromised host:

(index=wineventlog OR index=sysmon) Computer="WORKSTATION-042"
earliest="2024-03-14T00:00:00" latest="2024-03-16T00:00:00"
| eval event_description = case(
    EventCode=4624, "Logon: ".TargetUserName." (Type ".Logon_Type.")",
    EventCode=4625, "Failed Logon: ".TargetUserName,
    EventCode=4688 OR (sourcetype="XmlWinEventLog:*Sysmon*" AND EventCode=1),
      "Process: ".Image." CMD: ".CommandLine,
    EventCode=4698, "Scheduled Task: ".TaskName,
    EventCode=3, "Network: ".DestinationIp.":".DestinationPort,
    EventCode=11, "File Created: ".TargetFilename,
    EventCode=13, "Registry: ".TargetObject,
    1=1, "Event ".EventCode
  )
| sort _time
| table _time, EventCode, event_description, User, src_ip

Step 6: Create Lookup Tables for Enrichment

Build reference lookups for Windows Event ID context:

| inputlookup windows_eventcode_lookup.csv
| table EventCode, Description, ATT_CK_Technique, Severity

If lookup doesn't exist, create it:

EventCode,Description,ATT_CK_Technique,Severity
4624,Successful Logon,T1078,Informational
4625,Failed Logon,T1110,Low
4648,Explicit Credential Logon,T1078,Medium
4672,Special Privileges Assigned,T1134,Medium
4688,New Process Created,T1059,Informational
4698,Scheduled Task Created,T1053.005,Medium
4720,User Account Created,T1136.001,High
4732,Member Added to Security Group,T1098,High
4768,Kerberos TGT Requested,T1558,Informational
4769,Kerberos Service Ticket,T1558.003,Low
4771,Kerberos Pre-Auth Failed,T1110,Low

Key Concepts

Term Definition
EventCode 4624 Successful logon event — Logon_Type 2 (interactive), 3 (network), 10 (RDP), 7 (unlock)
EventCode 4625 Failed logon event — Status code indicates failure reason (bad password, account locked, disabled)
Sysmon EventCode 1 Process creation with full command line, parent process, and hash information
Sysmon EventCode 3 Network connection initiated by a process — source/dest IP, port, and process context
Logon Type 3 Network logon (SMB, WMI, PowerShell Remoting) — key indicator of lateral movement
Logon Type 10 Remote interactive logon via RDP/Terminal Services

Tools & Systems

  • Splunk Enterprise: SIEM platform with SPL query engine for Windows event log analysis and correlation
  • Sysmon (System Monitor): Microsoft Sysinternals tool providing detailed process, network, and file activity logging
  • Splunk CIM: Common Information Model mapping Windows events to normalized fields for cross-source queries
  • Windows Event Forwarding (WEF): Built-in Windows mechanism for centralizing event logs to a collector server

Common Scenarios

  • Kerberoasting (T1558.003): Detect EventCode 4769 with encryption type 0x17 (RC4) for non-standard service accounts
  • DCSync (T1003.006): Detect EventCode 4662 with DS-Replication-Get-Changes from non-DC sources
  • Golden Ticket (T1558.001): Detect EventCode 4769 with abnormal ticket properties (long lifetime, non-standard encryption)
  • Pass-the-Hash (T1550.002): Detect EventCode 4624 Logon_Type 3 with NTLM authentication from unexpected sources
  • DLL Side-Loading (T1574.002): Sysmon EventCode 7 showing unsigned DLLs loaded by legitimate processes

Output Format

WINDOWS EVENT LOG ANALYSIS — HOST: WORKSTATION-042
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Period:     2024-03-14 to 2024-03-15
Events:     12,847 total (Security: 9,231 | Sysmon: 3,616)
 
Authentication Summary:
  Successful Logons (4624):    487 (Type 3: 312, Type 10: 45, Type 2: 130)
  Failed Logons (4625):        847 (from 192.168.1.105 — BRUTE FORCE)
  Explicit Creds (4648):       12
 
Suspicious Findings:
  [HIGH]   847 failed logons followed by success at 14:35 from 192.168.1.105
  [HIGH]   New user "backdoor_admin" created (4720) at 14:38
  [HIGH]   User added to Administrators group (4732) at 14:38
  [MEDIUM] schtasks.exe creating persistence task at 14:42
  [MEDIUM] PowerShell encoded command execution at 14:45
 
ATT&CK Mapping:
  T1110.001 — Password Guessing (847 failed logons)
  T1136.001 — Local Account Creation (backdoor_admin)
  T1053.005 — Scheduled Task (persistence)
  T1059.001 — PowerShell (encoded execution)
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md2.0 KB

API Reference: Analyzing Windows Event Logs in Splunk

splunk-sdk Connection

import splunklib.client as client
service = client.connect(host="splunk", port=8089, username="admin", password="pass")

Key Windows Security Event IDs

EventCode Description ATT&CK Technique
4624 Successful logon T1078
4625 Failed logon T1110
4648 Explicit credential logon T1078
4672 Special privileges assigned T1134
4688 New process created T1059
4698 Scheduled task created T1053.005
4720 User account created T1136.001
4732 Member added to security group T1098
4768 Kerberos TGT requested T1558
4769 Kerberos service ticket T1558.003

Key Sysmon Event IDs

EventCode Description
1 Process creation (full command line, hashes)
3 Network connection
7 Image loaded (DLL)
10 Process access (LSASS credential dumping)
11 File creation
13 Registry value set
22 DNS query

Logon Types

Type Description Context
2 Interactive Local console logon
3 Network SMB, WMI, PowerShell Remoting
7 Unlock Workstation unlock
9 NewCredentials runas /netonly
10 RemoteInteractive RDP logon

SPL Detection Patterns

# Brute force detection
index=wineventlog EventCode=4625 | stats count by src_ip | where count > 20
 
# Kerberoasting (T1558.003)
index=wineventlog EventCode=4769 Ticket_Encryption_Type=0x17
| where ServiceName != "krbtgt"
 
# DCSync detection (T1003.006)
index=wineventlog EventCode=4662
| where ObjectType="*domainDNS*"
| search Properties="*Replicating Directory Changes*"

References

Scripts 1

agent.py6.9 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Agent for analyzing Windows event logs in Splunk for SOC operations."""

import os
import json
import argparse
from datetime import datetime

import splunklib.client as client
import splunklib.results as results


def connect(host, port, username, password):
    """Connect to Splunk Enterprise."""
    return client.connect(
        host=host, port=port, username=username, password=password, autologin=True
    )


def search(service, query, earliest="-24h", latest="now"):
    """Run a blocking Splunk search and return results."""
    job = service.jobs.create(
        f"search {query}",
        **{"earliest_time": earliest, "latest_time": latest, "exec_mode": "blocking"}
    )
    reader = results.JSONResultsReader(job.results(output_mode="json"))
    rows = [r for r in reader if isinstance(r, dict)]
    job.cancel()
    return rows


def detect_brute_force(service, earliest="-24h", threshold=20):
    """Detect brute force via EventCode 4625 with logon type classification."""
    query = (
        'index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 '
        "| stats count, dc(TargetUserName) as unique_users, "
        "values(TargetUserName) as targeted_users by src_ip, Logon_Type, Status "
        f"| where count > {threshold} "
        '| eval attack_type=case(Logon_Type=3,"Network",Logon_Type=10,"RDP",'
        'Logon_Type=2,"Interactive",1=1,"Other") '
        "| sort -count"
    )
    return search(service, query, earliest)


def detect_password_spray(service, earliest="-24h"):
    """Detect password spray attacks targeting many accounts from one source."""
    query = (
        'index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 Logon_Type=3 '
        "| bin _time span=10m "
        "| stats dc(TargetUserName) as unique_users, count as total by src_ip, _time "
        "| where unique_users > 10 AND total < unique_users * 3 "
        '| eval confidence=if(unique_users > 25, "HIGH", "MEDIUM")'
    )
    return search(service, query, earliest)


def detect_new_admin_accounts(service, earliest="-7d"):
    """Detect new accounts added to the Administrators group (T1136.001)."""
    query = (
        'index=wineventlog sourcetype="WinEventLog:Security" EventCode=4720 '
        '| join TargetUserName type=left [search index=wineventlog EventCode=4732 '
        'TargetUserName="Administrators" | rename MemberName as TargetUserName] '
        "| table _time, SubjectUserName, TargetUserName, ComputerName"
    )
    return search(service, query, earliest)


def detect_lsass_access(service, earliest="-24h"):
    """Detect LSASS credential dumping via Sysmon Event 10 (T1003.001)."""
    query = (
        'index=sysmon EventCode=10 TargetImage="*\\\\lsass.exe" '
        'GrantedAccess IN ("0x1010","0x1038","0x1fffff","0x40") '
        "| stats count by SourceImage, SourceUser, Computer, GrantedAccess "
        '| where NOT match(SourceImage, "(svchost|csrss|wininit|MsMpEng)") '
        "| sort -count"
    )
    return search(service, query, earliest)


def detect_lateral_movement_smb(service, earliest="-24h"):
    """Detect SMB lateral movement via Type 3 logons to many hosts (T1021.002)."""
    query = (
        'index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=3 '
        "| stats dc(ComputerName) as targets, values(ComputerName) as dest_hosts "
        "by src_ip, TargetUserName "
        "| where targets > 3 | sort -targets"
    )
    return search(service, query, earliest)


def detect_psexec(service, earliest="-24h"):
    """Detect PsExec execution via Sysmon process creation (T1021.002)."""
    query = (
        "index=sysmon EventCode=1 "
        '(Image="*\\\\psexec.exe" OR Image="*\\\\psexesvc.exe" '
        'OR ParentImage="*\\\\psexesvc.exe") '
        "| table _time, Computer, User, ParentImage, Image, CommandLine"
    )
    return search(service, query, earliest)


def build_forensic_timeline(service, hostname, earliest, latest="now"):
    """Build a comprehensive forensic timeline for a host."""
    query = (
        f'(index=wineventlog OR index=sysmon) Computer="{hostname}" '
        "| eval desc=case("
        '    EventCode=4624, "Logon: ".TargetUserName." (Type ".Logon_Type.")",'
        '    EventCode=4625, "Failed Logon: ".TargetUserName,'
        '    EventCode=1, "Process: ".Image," CMD: ".CommandLine,'
        '    EventCode=3, "Network: ".DestinationIp.":".DestinationPort,'
        '    EventCode=11, "File Created: ".TargetFilename,'
        '    EventCode=13, "Registry: ".TargetObject,'
        '    1=1, "Event ".EventCode) '
        "| sort _time | table _time, EventCode, desc, User, src_ip"
    )
    return search(service, query, earliest, latest)


def main():
    parser = argparse.ArgumentParser(description="Windows Event Log Splunk Analysis Agent")
    parser.add_argument("--host", default=os.getenv("SPLUNK_HOST", "localhost"))
    parser.add_argument("--port", type=int, default=int(os.getenv("SPLUNK_PORT", "8089")))
    parser.add_argument("--username", default=os.getenv("SPLUNK_USERNAME", "admin"))
    parser.add_argument("--password", default=os.getenv("SPLUNK_PASSWORD", ""))
    parser.add_argument("--earliest", default="-24h")
    parser.add_argument("--hostname", help="Target hostname for timeline")
    parser.add_argument("--action", choices=[
        "brute_force", "password_spray", "new_admin", "lsass_access",
        "lateral_smb", "psexec", "timeline", "full_hunt"
    ], default="full_hunt")
    args = parser.parse_args()

    svc = connect(args.host, args.port, args.username, args.password)
    findings = {}

    if args.action in ("brute_force", "full_hunt"):
        findings["brute_force"] = detect_brute_force(svc, args.earliest)
        print(f"[+] Brute force sources: {len(findings['brute_force'])}")

    if args.action in ("password_spray", "full_hunt"):
        findings["password_spray"] = detect_password_spray(svc, args.earliest)
        print(f"[+] Password spray events: {len(findings['password_spray'])}")

    if args.action in ("new_admin", "full_hunt"):
        findings["new_admin"] = detect_new_admin_accounts(svc)
        print(f"[+] New admin accounts: {len(findings['new_admin'])}")

    if args.action in ("lsass_access", "full_hunt"):
        findings["lsass_access"] = detect_lsass_access(svc, args.earliest)
        print(f"[+] LSASS access events: {len(findings['lsass_access'])}")

    if args.action in ("lateral_smb", "full_hunt"):
        findings["lateral_smb"] = detect_lateral_movement_smb(svc, args.earliest)
        print(f"[+] Lateral movement paths: {len(findings['lateral_smb'])}")

    if args.action == "timeline" and args.hostname:
        findings["timeline"] = build_forensic_timeline(svc, args.hostname, args.earliest)
        print(f"[+] Timeline events: {len(findings['timeline'])}")

    print(json.dumps({"generated_at": datetime.utcnow().isoformat(), "findings": findings}, indent=2, default=str))


if __name__ == "__main__":
    main()
Keep exploring