Claude
Skills
Sign in
Back

analyzing-windows-event-logs-in-splunk

Included with Lifetime
$97 forever

Analyzes Windows Security, System, and Sysmon event logs in Splunk to detect authentication attacks, privilege escalation, persistence mechanisms, and lateral movement using SPL queries mapped to MITRE ATT&CK techniques. Use when SOC analysts need to investigate Windows-based threats, build detection queries, or perform forensic timeline analysis of Windows endpoints and domain controllers.

Securitysocsplunkwindows-eventssysmonevent-logsmitre-attackactive-directoryscripts

What this skill does

# Analyzing Windows Event Logs in Splunk

## When to Use

Use this skill when:
- SOC analysts investigate alerts related to Windows authentication, process execution, or AD changes
- Detection engineers build SPL queries for Windows-based threat detection
- Incident responders need forensic timelines of Windows endpoint or domain controller activity
- Periodic threat hunting targets Windows-specific ATT&CK techniques

**Do not use** for Linux/macOS endpoint analysis or network-only investigations.

## Prerequisites

- Splunk with Windows Event Log data ingested (sourcetype `WinEventLog:Security`, `WinEventLog:System`, `XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`)
- Sysmon deployed on endpoints with SwiftOnSecurity or Olaf Hartong configuration
- CIM data model acceleration for Endpoint and Authentication data models
- Knowledge of Windows Security Event IDs and Sysmon event types

## Workflow

### Step 1: Authentication Attack Detection

**Brute Force Detection (EventCode 4625 — Failed Logon):**
```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625
| stats count, dc(TargetUserName) AS unique_users, values(TargetUserName) AS targeted_users
  by src_ip, Logon_Type, Status
| where count > 20
| eval attack_type = case(
    Logon_Type=3, "Network Brute Force",
    Logon_Type=10, "RDP Brute Force",
    Logon_Type=2, "Interactive Brute Force",
    1=1, "Other"
  )
| eval status_meaning = case(
    Status="0xc000006d", "Bad Username or Password",
    Status="0xc000006a", "Incorrect Password (valid user)",
    Status="0xc0000234", "Account Locked Out",
    Status="0xc0000072", "Account Disabled",
    1=1, Status
  )
| sort - count
| table src_ip, attack_type, status_meaning, count, unique_users, targeted_users
```

**Password Spray Detection:**
```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 Logon_Type=3
| bin _time span=10m
| stats dc(TargetUserName) AS unique_users, count AS total_attempts,
  values(TargetUserName) AS users_targeted by src_ip, _time
| where unique_users > 10 AND total_attempts < unique_users * 3
| eval spray_confidence = if(unique_users > 25, "HIGH", "MEDIUM")
```

**Successful Logon After Failures (Compromise Indicator):**
```spl
index=wineventlog sourcetype="WinEventLog:Security"
(EventCode=4625 OR EventCode=4624) src_ip!="127.0.0.1"
| sort _time
| stats earliest(_time) AS first_seen, latest(_time) AS last_seen,
  sum(eval(if(EventCode=4625,1,0))) AS failures,
  sum(eval(if(EventCode=4624,1,0))) AS successes
  by src_ip, TargetUserName, ComputerName
| where failures > 10 AND successes > 0
| eval time_to_success = round((last_seen - first_seen)/60, 1)
| sort - failures
```

### Step 2: Privilege Escalation Detection

**New Admin Account Created (T1136.001):**
```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4720
| join TargetUserName type=left [
    search index=wineventlog EventCode=4732 TargetUserName="Administrators"
    | rename MemberName AS TargetUserName
  ]
| table _time, SubjectUserName, TargetUserName, ComputerName
| eval alert = "New account created and added to Administrators group"
```

**Special Privileges Assigned (EventCode 4672):**
```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4672
SubjectUserName!="SYSTEM" SubjectUserName!="LOCAL SERVICE" SubjectUserName!="NETWORK SERVICE"
| stats count, values(PrivilegeList) AS privileges by SubjectUserName, ComputerName
| where count > 0
| search privileges IN ("SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege",
  "SeRestorePrivilege", "SeAssignPrimaryTokenPrivilege")
```

**Token Manipulation Detection (T1134):**
```spl
index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
GrantedAccess IN ("0x1010", "0x1038", "0x1fffff", "0x40")
| stats count by SourceImage, SourceUser, Computer, GrantedAccess
| where NOT match(SourceImage, "(svchost|csrss|wininit|MsMpEng|CrowdStrike)")
| sort - count
```

### Step 3: Persistence Mechanism Detection

**Scheduled Task Creation (T1053.005):**
```spl
index=wineventlog (sourcetype="WinEventLog:Security" EventCode=4698)
  OR (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
      Image="*\\schtasks.exe")
| eval task_info = coalesce(TaskContent, CommandLine)
| search task_info="*powershell*" OR task_info="*cmd*" OR task_info="*http*" OR task_info="*\\Temp\\*"
| table _time, Computer, SubjectUserName, TaskName, task_info
```

**Registry Run Key Modification (T1547.001):**
```spl
index=sysmon EventCode=13
TargetObject IN (
  "*\\CurrentVersion\\Run\\*",
  "*\\CurrentVersion\\RunOnce\\*",
  "*\\CurrentVersion\\RunServices\\*",
  "*\\Explorer\\Shell Folders\\*"
)
| stats count by Computer, Image, TargetObject, Details
| where NOT match(Image, "(explorer\.exe|msiexec\.exe|setup\.exe)")
| sort - count
```

**WMI Event Subscription (T1546.003):**
```spl
index=sysmon EventCode=20 OR EventCode=21
| stats count by Computer, Operation, Consumer, EventNamespace
| where count > 0
```

### Step 4: Lateral Movement Detection

**Remote Service Exploitation (T1021.002 — SMB/Windows Admin Shares):**
```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=3
| stats dc(ComputerName) AS unique_destinations, values(ComputerName) AS targets
  by src_ip, TargetUserName
| where unique_destinations > 3
| sort - unique_destinations
| table src_ip, TargetUserName, unique_destinations, targets
```

**PsExec Detection (T1021.002):**
```spl
index=sysmon EventCode=1
(Image="*\\psexec.exe" OR Image="*\\psexesvc.exe"
 OR ParentImage="*\\psexesvc.exe"
 OR OriginalFileName="psexec.c")
| table _time, Computer, User, ParentImage, Image, CommandLine
```

**RDP Lateral Movement (T1021.001):**
```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=10
| stats count, dc(ComputerName) AS rdp_targets, values(ComputerName) AS destinations
  by src_ip, TargetUserName
| where rdp_targets > 2
| sort - rdp_targets
```

### Step 5: Build Forensic Timeline

Create comprehensive timeline for a compromised host:

```spl
(index=wineventlog OR index=sysmon) Computer="WORKSTATION-042"
earliest="2024-03-14T00:00:00" latest="2024-03-16T00:00:00"
| eval event_description = case(
    EventCode=4624, "Logon: ".TargetUserName." (Type ".Logon_Type.")",
    EventCode=4625, "Failed Logon: ".TargetUserName,
    EventCode=4688 OR (sourcetype="XmlWinEventLog:*Sysmon*" AND EventCode=1),
      "Process: ".Image." CMD: ".CommandLine,
    EventCode=4698, "Scheduled Task: ".TaskName,
    EventCode=3, "Network: ".DestinationIp.":".DestinationPort,
    EventCode=11, "File Created: ".TargetFilename,
    EventCode=13, "Registry: ".TargetObject,
    1=1, "Event ".EventCode
  )
| sort _time
| table _time, EventCode, event_description, User, src_ip
```

### Step 6: Create Lookup Tables for Enrichment

Build reference lookups for Windows Event ID context:

```spl
| inputlookup windows_eventcode_lookup.csv
| table EventCode, Description, ATT_CK_Technique, Severity
```

If lookup doesn't exist, create it:

```csv
EventCode,Description,ATT_CK_Technique,Severity
4624,Successful Logon,T1078,Informational
4625,Failed Logon,T1110,Low
4648,Explicit Credential Logon,T1078,Medium
4672,Special Privileges Assigned,T1134,Medium
4688,New Process Created,T1059,Informational
4698,Scheduled Task Created,T1053.005,Medium
4720,User Account Created,T1136.001,High
4732,Member Added to Security Group,T1098,High
4768,Kerberos TGT Requested,T1558,Informational
4769,Kerberos Service Ticket,T1558.003,Low
4771,Kerberos Pre-Auth Failed,T1110,Low
```

## Key Concepts

| Term | Definition |
|------|-----------|
| **EventCode 4624** | Successful logon event — Logon_Type 2 (interactive), 3 (network), 10 (RDP), 7 (unlock) |
| **EventCode 4625** | Failed logon event — Status code indicates failure reason (bad password, account locked, disabled) |
| **Sysmon EventCode 1** | Process creation with full command line, parent process, and hash information |
| **Sysmon EventCode 3** | Net
Files: 4
Size: 30.9 KB
Complexity: 68/100
Category: Security
Source: https://github.com/mukul975/anthropic-cybersecurity-skills/tree/main/skills/analyzing-windows-event-logs-in-splunk

Related in Security

mac-ops

Included

Comprehensive macOS workstation operations — diagnose kernel panics, identify failing drives, audit launchd startup items, decode wake reasons, triage TCC permission denials, manage APFS snapshots, recover from no-boot. Use for: Mac is slow, slow bootup, won't boot, kernel panic, kernel_task hot, mds_stores CPU, photoanalysisd, cloudd, login loop, gray screen, sleep wake failure, drive failing, IO errors, APFS snapshots eating space, Time Machine local snapshots, Spotlight indexing, launchd, LaunchAgent, LaunchDaemon, login items, TCC permissions, Full Disk Access, Screen Recording denied, Gatekeeper, quarantine, com.apple.quarantine, app is damaged, helper tool, /Library/PrivilegedHelperTools, pmset, wake reasons, dark wake, sysdiagnose, panic.ips, DiagnosticReports, configuration profile, MDM profile, remote diagnostics over SSH.

Securityscripts

a11y-audit

Included

Run accessibility audits on web projects combining automated scanning (axe-core, Lighthouse) with WCAG 2.1 AA compliance mapping, manual check guidance, and structured reporting. Output is configurable: markdown report only, markdown plus machine-readable JSON, or markdown plus issue tracker integration. Use this skill whenever the user mentions "accessibility audit", "a11y audit", "WCAG audit", "accessibility check", "compliance scan", or asks to check a web project for accessibility issues. Also trigger when the user wants to verify WCAG conformance or map findings to a specific standard (CAN-ASC-6.2, EN 301 549, ADA/AODA).

Securityscripts

erpclaw

Included

AI-native ERP system with self-extending OS. Full accounting, invoicing, inventory, purchasing, tax, billing, HR, payroll, advanced accounting (ASC 606/842, intercompany, consolidation), and financial reporting. 413 actions across 14 domains, 43 expansion modules. Constitutional guardrails, adversarial audit, schema migration. Double-entry GL, immutable audit trail, US GAAP.

Securityscripts

assess

Included

Assesses and rates quality 0-10 across multiple dimensions (correctness, maintainability, security, performance, testability, simplicity) with pros/cons analysis. Compares against project conventions and prior decisions from memory. Produces structured evaluation reports with actionable improvement suggestions. Use when evaluating code, designs, architectures, or comparing alternative approaches.

Securityscripts

spring-boot-security-jwt

Included

Provides JWT authentication and authorization patterns for Spring Boot 3.5.x covering token generation with JJWT, Bearer/cookie authentication, database/OAuth2 integration, and RBAC/permission-based access control using Spring Security 6.x. Use when implementing authentication or authorization in Spring Boot applications.

Securityscripts

code-hardcode-audit

Included

Detect hardcoded values, magic numbers, and leaked secrets. TRIGGERS - hardcode audit, magic numbers, PLR2004, secret scanning.

Securityscripts
Sign up & unlock — $97