Speaker 1 (2026-04-13 19-13-06)

0:05 In this video, we're going to take a look at some examples of common queries you can do in ELK using the KQL search language.

0:16 Now, a lot of these are going to be similar to what we did if you watched the video on the common Splunk queries. A lot of those are going to be similar. And KQL, with it being the more simplistic kind of query language, if you will, a lot of these are just going to be searching for keywords, or searching for specific event IDs or something like that, because KQL, again, is much more simplistic, and it is basically just searching through fields.

0:48 Now, we talked, again, if you've watched the Common Splunk Queries video as part of this course, we've talked about building good queries previously in that video, so we're not going to rehash, you know, the process for building a good query or the hypothesis part of it or anything like that. We've also already talked about some of the best practices for ELK searches using KQL in our ELK introduction video.

1:16 So in this one, we're just going to take a look at some of the common queries. So we're going to take a look at searching for suspicious account logins, different process launches, specifically suspicious ones (that was hard to say), any sort of unexpected or unknown outbound network connections. We'll look at some suspicious PowerShell activity like encoded commands and downloads. We'll look for evidence of various different types of persistence techniques, specifically the creation of new scheduled tasks and malicious services.

1:53 So with that, let's go ahead and jump over to our lab environment and we'll take a look at those queries in the ELK system.
S… Speaker 3 (2026-04-13 19-13-06)
All right,
2:03
S… Speaker 3 (2026-04-13 19-13-06)
here we are back in Elk,
2:05
S… Speaker 1 (2026-04-13 19-13-06)
and we do have the,
2:08
S… Speaker 1 (2026-04-13 19-13-06)
we're in the Discover section,
2:09
S… Speaker 1 (2026-04-13 19-13-06)
and we do have our time frame set for the last year.
2:13
S… Speaker 3 (2026-04-13 19-13-06)
So just,
2:14
S… Speaker 2 (2026-04-13 19-13-06)
this is going to be fairly quick,
2:16
S… Speaker 1 (2026-04-13 19-13-06)
because again, we're going to be primarily just kind of searching for event IDs
2:20
S… Speaker 1 (2026-04-13 19-13-06)
and keywords.
2:21
S… Speaker 1 (2026-04-13 19-13-06)
So if we're looking for suspicious account logins,
2:25
S… Speaker 1 (2026-04-13 19-13-06)
one way we can do that is by looking for event ID 4648.
2:32
S… Speaker 1 (2026-04-13 19-13-06)
That is different than just a regular successful login.
2:36
S… Speaker 1 (2026-04-13 19-13-06)
That's a login was attempted using explicit credentials,
2:40
S… Speaker 1 (2026-04-13 19-13-06)
which is not a common method for
2:45
S… Speaker 1 (2026-04-13 19-13-06)
user accounts normally logging in.
2:49
S… Speaker 1 (2026-04-13 19-13-06)
So we are going to search for event code.
2:51
S… Speaker 1 (2026-04-13 19-13-06)
So event .code colon 4648.
2:55
S… Speaker 1 (2026-04-13 19-13-06)
And that will show us any.
2:58
S… Speaker 1 (2026-04-13 19-13-06)
logins using explicit credentials,
3:01
S… Speaker 1 (2026-04-13 19-13-06)
which can be a sign of malicious activity.
3:04
S… Speaker 2 (2026-04-13 19-13-06)
Again, it's an indicator.
3:06
S… Speaker 1 (2026-04-13 19-13-06)
It doesn't guarantee suspicious activity.
3:09
S… Speaker 2 (2026-04-13 19-13-06)
But as you see here,
3:10
S… Speaker 1 (2026-04-13 19-13-06)
out of the 4 ,000 hits we had previously,
3:13
S… Speaker 1 (2026-04-13 19-13-06)
we only have four results for this event.
3:17
S… Speaker 1 (2026-04-13 19-13-06)
So this could be a sign of suspected malicious activity.
3:22
S… Speaker 1 (2026-04-13 19-13-06)
Another thing we can do is look to see process launches
3:27
S… Speaker 1 (2026-04-13 19-13-06)
to see if there is anything suspicious there.
3:29
S… Speaker 2 (2026-04-13 19-13-06)
And again,
3:30
S… Speaker 1 (2026-04-13 19-13-06)
that would be a simple event code search.
3:33
S… Speaker 1 (2026-04-13 19-13-06)
And this would be using Sysmon event code number one.
3:38
S… Speaker 3 (2026-04-13 19-13-06)
Get rid of that message.
3:39
S… Speaker 1 (2026-04-13 19-13-06)
And we see we have 10 different results here.
3:42
S… Speaker 1 (2026-04-13 19-13-06)
And again, just like we have seen previously,
3:45
S… Speaker 1 (2026-04-13 19-13-06)
you can expand these to be able to see.
3:47
S… Speaker 1 (2026-04-13 19-13-06)
So we are matching the process create rule here.
3:50
S… Speaker 1 (2026-04-13 19-13-06)
We can see the information about the process created.
3:53
S… Speaker 1 (2026-04-13 19-13-06)
In this case, this was a scheduled task being created.
3:56
S… Speaker 1 (2026-04-13 19-13-06)
And this does appear that it was the creation of a
4:00
S… Speaker 1 (2026-04-13 19-13-06)
suspicious scheduled task.
4:03
S… Speaker 1 (2026-04-13 19-13-06)
in a lab environment because we see it's named for a flag,
4:06
S… Speaker 1 (2026-04-13 19-13-06)
but we also see because it's launching an application in the administrator
4:11
S… Speaker 1 (2026-04-13 19-13-06)
app data roaming that doesn't
4:15
S… Speaker 1 (2026-04-13 19-13-06)
quite look like it should be there.
4:19
S… Speaker 1 (2026-04-13 19-13-06)
So that's definitely a suspicious indicator there.
4:23
S… Speaker 1 (2026-04-13 19-13-06)
We can also look for suspicious network connections.
4:26
S… Speaker 1 (2026-04-13 19-13-06)
Again, very simple search.
4:28
S… Speaker 1 (2026-04-13 19-13-06)
We're just searching for a different event code.
4:31
S… Speaker 1 (2026-04-13 19-13-06)
Unlike Splunk,
4:32
S… Speaker 1 (2026-04-13 19-13-06)
we can't really do any kind of formatting with tables or anything like
4:36
S… Speaker 2 (2026-04-13 19-13-06)
that here.
4:37
S… Speaker 1 (2026-04-13 19-13-06)
These are just simple raw searches.
4:39
S… Speaker 1 (2026-04-13 19-13-06)
But we can look around and we can still make use of the available fields
4:44
S… Speaker 1 (2026-04-13 19-13-06)
here on the side to see if we have any sort of
4:48
S… Speaker 1 (2026-04-13 19-13-06)
suspicious destination IPs.
4:51
S… Speaker 1 (2026-04-13 19-13-06)
And we can see the top five values here.
4:53
S… Speaker 1 (2026-04-13 19-13-06)
It looks like we have two IPs listed here.
4:55
S… Speaker 1 (2026-04-13 19-13-06)
Any suspicious ports.
4:57
S… Speaker 1 (2026-04-13 19-13-06)
We have port 9200,
4:59
S… Speaker 1 (2026-04-13 19-13-06)
which is...
5:00
S… Speaker 2 (2026-04-13 19-13-06)
actually just for the logging components here,
5:03
S… Speaker 2 (2026-04-13 19-13-06)
but we also have some connections going over port 80.
5:06
S… Speaker 2 (2026-04-13 19-13-06)
We can add that to the filter here just by hitting the plus,
5:09
S… Speaker 2 (2026-04-13 19-13-06)
and it narrows it down,
5:11
S… Speaker 2 (2026-04-13 19-13-06)
and we only have two connections here,
5:12
S… Speaker 2 (2026-04-13 19-13-06)
and we can see immediately that jumps out at us.
5:15
S… Speaker 2 (2026-04-13 19-13-06)
Image is PowerShell .exe,
5:18
S… Speaker 2 (2026-04-13 19-13-06)
so PowerShell initiating a network connection on port 80.
5:22
S… Speaker 2 (2026-04-13 19-13-06)
is immediately suspicious.
5:24
S… Speaker 2 (2026-04-13 19-13-06)
So an easy way there to see if we have any suspicious
5:28
S… Speaker 2 (2026-04-13 19-13-06)
network connections.
5:31
S… Speaker 2 (2026-04-13 19-13-06)
Now if we want to look for any sort of encoded
5:35
S… Speaker 2 (2026-04-13 19-13-06)
PowerShell,
5:36
S… Speaker 2 (2026-04-13 19-13-06)
there's a couple of different events we want to look at.
5:39
S… Speaker 2 (2026-04-13 19-13-06)
So we're going to actually contain two of those inside the parentheses
5:43
S… Speaker 2 (2026-04-13 19-13-06)
to group them.
5:44
S… Speaker 2 (2026-04-13 19-13-06)
So we're going to look at event code 4103.
5:48
S… Speaker 2 (2026-04-13 19-13-06)
or event code 4104 for PowerShell.
5:52
S… Speaker 2 (2026-04-13 19-13-06)
And then we'll make sure that parentheses closed.
5:55
S… Speaker 2 (2026-04-13 19-13-06)
And then we want to include that we're going to search just in the message
5:59
S… Speaker 1 (2026-04-13 19-13-06)
field.
6:00
S… Speaker 2 (2026-04-13 19-13-06)
And if you remember looking at Splunk,
6:04
S… Speaker 2 (2026-04-13 19-13-06)
we did this with the search command by searching in the message field.
6:07
S… Speaker 2 (2026-04-13 19-13-06)
In Elk,
6:08
S… Speaker 2 (2026-04-13 19-13-06)
we're just going to look in the message field using it like
6:12
S… Speaker 2 (2026-04-13 19-13-06)
a regular field.
6:14
S… Speaker 2 (2026-04-13 19-13-06)
But we are going to use wildcard here.
6:17
S… Speaker 1 (2026-04-13 19-13-06)
You see it auto -completed,
6:18
S… Speaker 2 (2026-04-13 19-13-06)
the quotation marks.
6:20
S… Speaker 2 (2026-04-13 19-13-06)
And we're going to search for encoded.
6:22
S… Speaker 2 (2026-04-13 19-13-06)
And the wildcard here.
6:26
S… Speaker 2 (2026-04-13 19-13-06)
Search, no results,
6:27
S… Speaker 2 (2026-04-13 19-13-06)
but again, perfectly fine to not find results in a threat hunt.
6:31
S… Speaker 2 (2026-04-13 19-13-06)
If you're sure that your query is correct and you find no results,
6:35
S… Speaker 2 (2026-04-13 19-13-06)
that's usually a good thing with a threat hunt.
6:40
S… Speaker 2 (2026-04-13 19-13-06)
So another command we can do to look for malicious PowerShell
6:45
S… Speaker 2 (2026-04-13 19-13-06)
downloads,
6:46
S… Speaker 2 (2026-04-13 19-13-06)
we can do,
6:48
S… Speaker 2 (2026-04-13 19-13-06)
let's see how we want to do this.
6:51
S… Speaker 2 (2026-04-13 19-13-06)
We could look for event ID one and look for the
6:55
S… Speaker 2 (2026-04-13 19-13-06)
PowerShell image that way,
6:57
S… Speaker 2 (2026-04-13 19-13-06)
or we could just look in the message field.
7:02
S… Speaker 2 (2026-04-13 19-13-06)
There's a couple of different things we want to look for.
7:05
S… Speaker 2 (2026-04-13 19-13-06)
Remember, these are done with invoke.
7:08
S… Speaker 2 (2026-04-13 19-13-06)
Web request is a common method that attackers will use
7:13
S… Speaker 2 (2026-04-13 19-13-06)
to download using PowerShell.
7:16
S… Speaker 2 (2026-04-13 19-13-06)
But this also can be done with the IWR
7:22
S… Speaker 2 (2026-04-13 19-13-06)
shorthand.
7:23
S… Speaker 2 (2026-04-13 19-13-06)
So that's an easy way to just search the message.
7:26
S… Speaker 2 (2026-04-13 19-13-06)
So we're not searching any event fields.
7:28
S… Speaker 2 (2026-04-13 19-13-06)
Now, granted,
7:29
S… Speaker 2 (2026-04-13 19-13-06)
The fact that our search is more broad,
7:32
S… Speaker 2 (2026-04-13 19-13-06)
if we have more events that we're searching for,
7:34
S… Speaker 1 (2026-04-13 19-13-06)
okay, we only have,
7:35
S… Speaker 2 (2026-04-13 19-13-06)
we don't have that many in this instance of elk here,
7:38
S… Speaker 2 (2026-04-13 19-13-06)
but if we're searching through millions of events,
7:41
S… Speaker 2 (2026-04-13 19-13-06)
this might be a little too broad of a search.
7:44
S… Speaker 1 (2026-04-13 19-13-06)
Again,
7:45
S… Speaker 2 (2026-04-13 19-13-06)
we do not have anything suspicious here.
7:48
S… Speaker 1 (2026-04-13 19-13-06)
Now,
7:49
S… Speaker 2 (2026-04-13 19-13-06)
I'm curious, what if we were to expand this?
7:52
S… Speaker 2 (2026-04-13 19-13-06)
Let's see.
7:55
S… Speaker 2 (2026-04-13 19-13-06)
Let me actually correct this because I am missing the field
7:59
S… Speaker 1 (2026-04-13 19-13-06)
name.
8:00
S… Speaker 2 (2026-04-13 19-13-06)
Shouldn't matter too much here because that just means it was searching
8:04
S… Speaker 2 (2026-04-13 19-13-06)
anything in the event,
8:06
S… Speaker 2 (2026-04-13 19-13-06)
not just in the message field.
8:09
S… Speaker 2 (2026-04-13 19-13-06)
But we want to make sure.
8:10
S… Speaker 2 (2026-04-13 19-13-06)
Now let's also search for IEX,
8:14
S… Speaker 2 (2026-04-13 19-13-06)
which is another way of invoke expression that
8:19
S… Speaker 2 (2026-04-13 19-13-06)
attackers will sometimes use.
8:20
S… Speaker 2 (2026-04-13 19-13-06)
No results there either.
8:23
S… Speaker 2 (2026-04-13 19-13-06)
So I'm not going to continue expanding on that.
8:25
S… Speaker 2 (2026-04-13 19-13-06)
You get the idea of just some ways you can look for suspicious
8:29
S… Speaker 2 (2026-04-13 19-13-06)
PowerShell usage.
8:33
S… Speaker 1 (2026-04-13 19-13-06)
Now,
8:34
S… Speaker 2 (2026-04-13 19-13-06)
what if we wanted to look for scheduled tasks?
8:36
S… Speaker 2 (2026-04-13 19-13-06)
Again, a simple event code.
8:39
S… Speaker 2 (2026-04-13 19-13-06)
We're searching for 4698.
8:42
S… Speaker 2 (2026-04-13 19-13-06)
We see no results there.
8:45
S… Speaker 1 (2026-04-13 19-13-06)
No big deal.
8:47
S… Speaker 2 (2026-04-13 19-13-06)
Schedule.
8:48
S… Speaker 2 (2026-04-13 19-13-06)
Let's see if we have any malicious services created.
8:52
S… Speaker 2 (2026-04-13 19-13-06)
Remember, this can be one of two event codes.
8:57
S… Speaker 2 (2026-04-13 19-13-06)
So let's look for the other one of 7045.
9:00
S… Speaker 2 (2026-04-13 19-13-06)
Actually,
9:02
S… Speaker 2 (2026-04-13 19-13-06)
I want to do this in the other ELK instance.
9:06
S… Speaker 2 (2026-04-13 19-13-06)
We'll switch over to this one because I'm pretty sure we do have a hit
9:10
S… Speaker 2 (2026-04-13 19-13-06)
in this one.
9:11
S… Speaker 1 (2026-04-13 19-13-06)
There we go.
9:11
S… Speaker 2 (2026-04-13 19-13-06)
We actually have several hits for one of those
9:16
S… Speaker 2 (2026-04-13 19-13-06)
event IDs.
9:18
S… Speaker 2 (2026-04-13 19-13-06)
Let's expand.
9:19
S… Speaker 2 (2026-04-13 19-13-06)
Let's see.
9:20
S… Speaker 1 (2026-04-13 19-13-06)
We've got...
9:21
S… Speaker 2 (2026-04-13 19-13-06)
Several services that were created.
9:24
S… Speaker 2 (2026-04-13 19-13-06)
Let's look through our fields to see what kind of options we have.
9:28
S… Speaker 2 (2026-04-13 19-13-06)
If we have any kind of service name or anything.
9:32
S… Speaker 2 (2026-04-13 19-13-06)
We do have the image.
9:34
S… Speaker 1 (2026-04-13 19-13-06)
Let's
9:39
S… Speaker 1 (2026-04-13 19-13-06)
see.
9:39
S… Speaker 2 (2026-04-13 19-13-06)
Process name.
9:41
S… Speaker 1 (2026-04-13 19-13-06)
Here we go.
9:42
S… Speaker 2 (2026-04-13 19-13-06)
Service names.
9:43
S… Speaker 2 (2026-04-13 19-13-06)
Let's just take a look through here.
9:45
S… Speaker 2 (2026-04-13 19-13-06)
We see the top five values we have here.
9:49
S… Speaker 2 (2026-04-13 19-13-06)
Nothing out of these top five looks that suspicious.
9:53
S… Speaker 1 (2026-04-13 19-13-06)
This
9:57
S… Speaker 2 (2026-04-13 19-13-06)
one could be because it does appear to be potentially random
10:02
S… Speaker 1 (2026-04-13 19-13-06)
characters.
10:03
S… Speaker 2 (2026-04-13 19-13-06)
Could be suspicious,
10:05
S… Speaker 2 (2026-04-13 19-13-06)
but it may be a system process really
10:09
S… Speaker 1 (2026-04-13 19-13-06)
hard to tell.
10:10
S… Speaker 1 (2026-04-13 19-13-06)
What we can do,
10:10
S… Speaker 2 (2026-04-13 19-13-06)
though, is add it to the filter and look at the event itself
10:15
S… Speaker 2 (2026-04-13 19-13-06)
to just to get some context about it to see how
10:19
S… Speaker 2 (2026-04-13 19-13-06)
this service was created.
10:22
S… Speaker 2 (2026-04-13 19-13-06)
Looks like service host created its clipboard service group.
10:26
S… Speaker 2 (2026-04-13 19-13-06)
May not actually be malicious in nature.
10:30
S… Speaker 2 (2026-04-13 19-13-06)
But you get the idea of ways you can search for these malicious service
10:35
S… Speaker 2 (2026-04-13 19-13-06)
creation, or at least suspicious service creation.
10:37
S… Speaker 2 (2026-04-13 19-13-06)
So again,
10:38
S… Speaker 2 (2026-04-13 19-13-06)
when we're talking about KQL,
10:39
S… Speaker 2 (2026-04-13 19-13-06)
these are going to be your more simplistic searches,
10:42
S… Speaker 2 (2026-04-13 19-13-06)
just searching for keywords or specific event
10:46
S… Speaker 2 (2026-04-13 19-13-06)
IDs, just because of the more simple way
10:51
S… Speaker 2 (2026-04-13 19-13-06)
that KQL syntax works and the capabilities of it.

This transcript was generated by AI (automatic speech recognition). Errors are possible; check against the original audio before relying on it.
