analyzing-windows-event-logs-in-splunk
在 Splunk 中分析 Windows Security、System 和 Sysmon 事件日志,使用映射到 MITRE ATT&CK 技术的 SPL 查询检测身份验证攻击、权限提升(Privilege Escalation)、持久化(Persistence)机制和横向移动 (Lateral Movement)。适用于 SOC 分析师调查基于 Windows 的威胁、构建检测查询,或对 Windows 终端和域控制器执行取证时间线分析。
Best use case
analyzing-windows-event-logs-in-splunk is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
在 Splunk 中分析 Windows Security、System 和 Sysmon 事件日志,使用映射到 MITRE ATT&CK 技术的 SPL 查询检测身份验证攻击、权限提升(Privilege Escalation)、持久化(Persistence)机制和横向移动 (Lateral Movement)。适用于 SOC 分析师调查基于 Windows 的威胁、构建检测查询,或对 Windows 终端和域控制器执行取证时间线分析。
Teams using analyzing-windows-event-logs-in-splunk should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/analyzing-windows-event-logs-in-splunk/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How analyzing-windows-event-logs-in-splunk Compares
| Feature / Agent | analyzing-windows-event-logs-in-splunk | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
在 Splunk 中分析 Windows Security、System 和 Sysmon 事件日志,使用映射到 MITRE ATT&CK 技术的 SPL 查询检测身份验证攻击、权限提升(Privilege Escalation)、持久化(Persistence)机制和横向移动 (Lateral Movement)。适用于 SOC 分析师调查基于 Windows 的威胁、构建检测查询,或对 Windows 终端和域控制器执行取证时间线分析。
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# 在 Splunk 中分析 Windows 事件日志
## 适用场景
以下情况使用本技能:
- SOC 分析师调查与 Windows 身份验证、进程执行或 AD 变更相关的告警
- 检测工程师构建用于 Windows 威胁检测的 SPL 查询
- 事件响应人员需要 Windows 终端或域控制器活动的取证时间线
- 定期威胁狩猎(Threat Hunting)针对 Windows 特定的 ATT&CK 技术
**不适用于** Linux/macOS 终端分析或纯网络调查。
## 前置条件
- Splunk,已接入 Windows 事件日志数据(sourcetype `WinEventLog:Security`、`WinEventLog:System`、`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`)
- 在终端上部署 Sysmon(System Monitor),使用 SwiftOnSecurity 或 Olaf Hartong 配置
- 为 Endpoint 和 Authentication 数据模型启用 CIM 数据模型加速
- 了解 Windows Security Event ID 和 Sysmon 事件类型
## 工作流程
### 步骤 1:身份验证攻击检测
**暴力破解检测(EventCode 4625 — 登录失败):**
```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625
| stats count, dc(TargetUserName) AS unique_users, values(TargetUserName) AS targeted_users
by src_ip, Logon_Type, Status
| where count > 20
| eval attack_type = case(
Logon_Type=3, "Network Brute Force",
Logon_Type=10, "RDP Brute Force",
Logon_Type=2, "Interactive Brute Force",
1=1, "Other"
)
| eval status_meaning = case(
Status="0xc000006d", "Bad Username or Password",
Status="0xc000006a", "Incorrect Password (valid user)",
Status="0xc0000234", "Account Locked Out",
Status="0xc0000072", "Account Disabled",
1=1, Status
)
| sort - count
| table src_ip, attack_type, status_meaning, count, unique_users, targeted_users
```
**密码喷洒(Password Spray)检测:**
```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 Logon_Type=3
| bin _time span=10m
| stats dc(TargetUserName) AS unique_users, count AS total_attempts,
values(TargetUserName) AS users_targeted by src_ip, _time
| where unique_users > 10 AND total_attempts < unique_users * 3
| eval spray_confidence = if(unique_users > 25, "HIGH", "MEDIUM")
```
**失败后成功登录(失陷指标(IOC)/Indicators of Compromise):**
```spl
index=wineventlog sourcetype="WinEventLog:Security"
(EventCode=4625 OR EventCode=4624) src_ip!="127.0.0.1"
| sort _time
| stats earliest(_time) AS first_seen, latest(_time) AS last_seen,
sum(eval(if(EventCode=4625,1,0))) AS failures,
sum(eval(if(EventCode=4624,1,0))) AS successes
by src_ip, TargetUserName, ComputerName
| where failures > 10 AND successes > 0
| eval time_to_success = round((last_seen - first_seen)/60, 1)
| sort - failures
```
### 步骤 2:权限提升检测
**新建管理员账户(T1136.001):**
```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4720
| join TargetUserName type=left [
search index=wineventlog EventCode=4732 TargetUserName="Administrators"
| rename MemberName AS TargetUserName
]
| table _time, SubjectUserName, TargetUserName, ComputerName
| eval alert = "New account created and added to Administrators group"
```
**分配特殊权限(EventCode 4672):**
```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4672
SubjectUserName!="SYSTEM" SubjectUserName!="LOCAL SERVICE" SubjectUserName!="NETWORK SERVICE"
| stats count, values(PrivilegeList) AS privileges by SubjectUserName, ComputerName
| where count > 0
| search privileges IN ("SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege",
"SeRestorePrivilege", "SeAssignPrimaryTokenPrivilege")
```
**令牌操纵(Token Manipulation)检测(T1134):**
```spl
index=sysmon EventCode=10 TargetImage="*\\lsass.exe"
GrantedAccess IN ("0x1010", "0x1038", "0x1fffff", "0x40")
| stats count by SourceImage, SourceUser, Computer, GrantedAccess
| where NOT match(SourceImage, "(svchost|csrss|wininit|MsMpEng|CrowdStrike)")
| sort - count
```
### 步骤 3:持久化机制检测
**计划任务创建(T1053.005):**
```spl
index=wineventlog (sourcetype="WinEventLog:Security" EventCode=4698)
OR (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
Image="*\\schtasks.exe")
| eval task_info = coalesce(TaskContent, CommandLine)
| search task_info="*powershell*" OR task_info="*cmd*" OR task_info="*http*" OR task_info="*\\Temp\\*"
| table _time, Computer, SubjectUserName, TaskName, task_info
```
**注册表 Run 键修改(T1547.001):**
```spl
index=sysmon EventCode=13
TargetObject IN (
"*\\CurrentVersion\\Run\\*",
"*\\CurrentVersion\\RunOnce\\*",
"*\\CurrentVersion\\RunServices\\*",
"*\\Explorer\\Shell Folders\\*"
)
| stats count by Computer, Image, TargetObject, Details
| where NOT match(Image, "(explorer\.exe|msiexec\.exe|setup\.exe)")
| sort - count
```
**WMI 事件订阅(T1546.003):**
```spl
index=sysmon EventCode=20 OR EventCode=21
| stats count by Computer, Operation, Consumer, EventNamespace
| where count > 0
```
### 步骤 4:横向移动检测
**远程服务利用(T1021.002 — SMB/Windows 管理共享):**
```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=3
| stats dc(ComputerName) AS unique_destinations, values(ComputerName) AS targets
by src_ip, TargetUserName
| where unique_destinations > 3
| sort - unique_destinations
| table src_ip, TargetUserName, unique_destinations, targets
```
**PsExec 检测(T1021.002):**
```spl
index=sysmon EventCode=1
(Image="*\\psexec.exe" OR Image="*\\psexesvc.exe"
OR ParentImage="*\\psexesvc.exe"
OR OriginalFileName="psexec.c")
| table _time, Computer, User, ParentImage, Image, CommandLine
```
**RDP 横向移动(T1021.001):**
```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 Logon_Type=10
| stats count, dc(ComputerName) AS rdp_targets, values(ComputerName) AS destinations
by src_ip, TargetUserName
| where rdp_targets > 2
| sort - rdp_targets
```
### 步骤 5:构建取证时间线
为被入侵主机创建全面时间线:
```spl
(index=wineventlog OR index=sysmon) Computer="WORKSTATION-042"
earliest="2024-03-14T00:00:00" latest="2024-03-16T00:00:00"
| eval event_description = case(
EventCode=4624, "Logon: ".TargetUserName." (Type ".Logon_Type.")",
EventCode=4625, "Failed Logon: ".TargetUserName,
EventCode=4688 OR (sourcetype="XmlWinEventLog:*Sysmon*" AND EventCode=1),
"Process: ".Image." CMD: ".CommandLine,
EventCode=4698, "Scheduled Task: ".TaskName,
EventCode=3, "Network: ".DestinationIp.":".DestinationPort,
EventCode=11, "File Created: ".TargetFilename,
EventCode=13, "Registry: ".TargetObject,
1=1, "Event ".EventCode
)
| sort _time
| table _time, EventCode, event_description, User, src_ip
```
### 步骤 6:创建富化查找表
构建 Windows Event ID 上下文参考查找表:
```spl
| inputlookup windows_eventcode_lookup.csv
| table EventCode, Description, ATT_CK_Technique, Severity
```
如果查找表不存在,创建它:
```csv
EventCode,Description,ATT_CK_Technique,Severity
4624,Successful Logon,T1078,Informational
4625,Failed Logon,T1110,Low
4648,Explicit Credential Logon,T1078,Medium
4672,Special Privileges Assigned,T1134,Medium
4688,New Process Created,T1059,Informational
4698,Scheduled Task Created,T1053.005,Medium
4720,User Account Created,T1136.001,High
4732,Member Added to Security Group,T1098,High
4768,Kerberos TGT Requested,T1558,Informational
4769,Kerberos Service Ticket,T1558.003,Low
4771,Kerberos Pre-Auth Failed,T1110,Low
```
## 核心概念
| 术语 | 定义 |
|------|-----------|
| **EventCode 4624** | 登录成功事件 — Logon_Type 2(交互式)、3(网络)、10(RDP)、7(解锁) |
| **EventCode 4625** | 登录失败事件 — Status 代码指示失败原因(密码错误、账户锁定、账户禁用) |
| **Sysmon EventCode 1** | 进程创建,包含完整命令行、父进程及哈希信息 |
| **Sysmon EventCode 3** | 进程发起的网络连接 — 源/目的 IP、端口及进程上下文 |
| **Logon Type 3** | 网络登录(SMB、WMI、PowerShell Remoting)— 横向移动的关键指标 |
| **Logon Type 10** | 通过 RDP/Terminal Services 的远程交互式登录 |
## 工具与系统
- **Splunk Enterprise**:具有 SPL 查询引擎的 SIEM(安全信息和事件管理)平台,用于 Windows 事件日志分析和关联
- **Sysmon(System Monitor)**:Microsoft Sysinternals 工具,提供详细的进程、网络和文件活动日志
- **Splunk CIM**:通用信息模型(Common Information Model),将 Windows 事件映射到规范化字段以支持跨源查询
- **Windows Event Forwarding(WEF)**:内置 Windows 机制,将事件日志集中到收集服务器
## 常见场景
- **Kerberoasting(T1558.003)**:检测非标准服务账户中加密类型为 0x17(RC4)的 EventCode 4769
- **DCSync(T1003.006)**:检测来自非域控制器来源的携带 DS-Replication-Get-Changes 的 EventCode 4662
- **黄金票据(Golden Ticket,T1558.001)**:检测具有异常票据属性(过长有效期、非标准加密)的 EventCode 4769
- **哈希传递(Pass-the-Hash,T1550.002)**:检测来自意外来源、使用 NTLM 认证的 EventCode 4624 Logon_Type 3
- **DLL 侧加载(DLL Side-Loading,T1574.002)**:Sysmon EventCode 7 显示合法进程加载未签名 DLL
## 输出格式
```
WINDOWS EVENT LOG ANALYSIS — HOST: WORKSTATION-042
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Period: 2024-03-14 to 2024-03-15
Events: 12,847 total (Security: 9,231 | Sysmon: 3,616)
Authentication Summary:
Successful Logons (4624): 487 (Type 3: 312, Type 10: 45, Type 2: 130)
Failed Logons (4625): 847 (from 192.168.1.105 — BRUTE FORCE)
Explicit Creds (4648): 12
Suspicious Findings:
[HIGH] 847 failed logons followed by success at 14:35 from 192.168.1.105
[HIGH] New user "backdoor_admin" created (4720) at 14:38
[HIGH] User added to Administrators group (4732) at 14:38
[MEDIUM] schtasks.exe creating persistence task at 14:42
[MEDIUM] PowerShell encoded command execution at 14:45
ATT&CK Mapping:
T1110.001 — Password Guessing (847 failed logons)
T1136.001 — Local Account Creation (backdoor_admin)
T1053.005 — Scheduled Task (persistence)
T1059.001 — PowerShell (encoded execution)
```Related Skills
triaging-security-alerts-in-splunk
在 Splunk Enterprise Security 中对安全告警进行分类,通过 SPL 查询和事件审查(Incident Review) 仪表板对重要事件进行严重性分类、调查、关联相关遥测并做出升级或关闭决策。 适用于 SOC 分析师需要处理关联搜索产生的告警队列、确定调查优先级, 或需要为交接给二/三级分析师记录分类决策时。
performing-windows-artifact-analysis-with-eric-zimmerman-tools
使用 Eric Zimmerman 的开源 EZ Tools 套件(包括 KAPE、MFTECmd、PECmd、LECmd、JLECmd 和 Timeline Explorer)执行全面的 Windows 取证制品分析,解析注册表 hive、预取文件、事件日志和文件系统元数据。
implementing-network-intrusion-prevention-with-suricata
使用自定义规则、Emerging Threats 规则集和内联流量检测部署和配置 Suricata 作为网络入侵防御系统,实现实时威胁阻断。
hunting-for-persistence-mechanisms-in-windows
系统性地狩猎 Windows 终端中的攻击者持久化机制,涵盖注册表、服务、启动文件夹和 WMI 事件订阅。
hunting-for-lolbins-execution-in-endpoint-logs
通过分析终端进程创建日志,识别合法 Windows 系统二进制文件(LOLBin)被用于恶意目的的可疑执行模式,狩猎攻击者的 LOLBin 滥用行为。
hardening-windows-endpoint-with-cis-benchmark
使用 CIS(互联网安全中心)Benchmark 建议对 Windows 端点进行加固, 以减少攻击面、执行安全基线并满足合规要求。适用于部署新 Windows 工作站或服务器、 修复审计发现或为组织建立全面安全基线的场景。适用于涉及 Windows 加固、 CIS Benchmark、GPO 安全基线或端点配置合规的请求。
extracting-windows-event-logs-artifacts
使用 Chainsaw、Hayabusa 和 EvtxECmd 提取、解析和分析 Windows 事件日志(EVTX),以检测横向移动、持久化和权限提升。
detecting-sql-injection-via-waf-logs
分析 WAF(Web 应用防火墙,ModSecurity/AWS WAF/Cloudflare)日志,检测 SQL 注入(SQL Injection)攻击活动。 解析 ModSecurity 审计日志和 JSON WAF 事件日志,识别 SQLi 模式(UNION SELECT、OR 1=1、SLEEP()、BENCHMARK()), 追踪攻击源,关联多阶段注入尝试,并生成带 OWASP 分类的事件报告。
detecting-lateral-movement-with-splunk
使用针对 Windows 身份验证日志、SMB 流量和远程服务滥用的 Splunk SPL 查询,检测跨网络的攻击者横向移动。
detecting-golden-ticket-attacks-in-kerberos-logs
通过分析 Kerberos TGT 异常(包括加密类型不匹配、不可能的票据生命周期、不存在的账户以及域控制器事件日志中的伪造 PAC 签名),检测 Active Directory 中的黄金票据攻击。
detecting-evasion-techniques-in-endpoint-logs
检测端点日志中对手使用的防御规避技术,包括日志篡改、时间戳伪造、进程注入和安全工具禁用。 适用于调查可疑端点行为、为规避战术构建检测规则,或针对隐蔽对手活动进行威胁狩猎的场景。
correlating-security-events-in-qradar
使用 AQL(Ariel Query Language)、自定义规则、构建块和告警管理, 在 IBM QRadar SIEM 中关联安全事件,检测跨网络、端点和应用日志源的多阶段攻击。 适用于 SOC 分析师需要调查 QRadar 告警、构建关联规则或调优检测逻辑以减少误报时。