Introduction
Mandiant's free forensics tool, Redline®, is well-known for its powerful ability to hunt for evil using IOCs, collect host-based artifacts, and even analyze that collected data. While this gratis capability is fantastic, it is limited to analyzing data from only one host at a time. But imagine the power and insight that can be gained when looking at a large set of host-based data, especially when the hosts are standardized using a base build or gold disk image. This would allow analysts to stack this data and use statistics to find outliers and anomalies within the network. These discovered anomalies could include:
· Unique services within an organization (names, paths, service owners)
· Unique processes within an organization (names, paths, process owners)
· Unique persistent binaries (names, paths, owners)
· Drive letters/mappings that don't meet corporate standards
· Infrequent user authentication (such as forgotten or service accounts)
Any of the above example issues could be misconfigurations or incidents, neither of which should be left unnoticed or unsolved.
Requirements and Prototyping
To solve the stacking problem, we had four major requirements. We needed a platform that could:
1) Monitor a directory for incoming data
2) Easily parse XML data (since both Redline and MIR output evidence to XML)
3) Handle large files and break them into individual events
4) Apply "big data" analytics to lots of hosts and lots of data
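The stacking idea from the introduction and requirements 2 and 3 above (parse the XML, break it into per-item events, then find the least frequent items across many hosts) can be shown outside Splunk. The following is an added example, not code from the Splunk Forensic Investigator App or from Redline; the element names in the sample XML are an assumed illustrative layout, not Redline's real schema, and the three hosts are constructed data.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample output from three hosts built off the same gold image.
# Element names are an assumption for illustration, not Redline's real schema.
HOST_XML = {
    "host-a": r"""<ServiceItems>
  <ServiceItem><name>Spooler</name><path>C:\Windows\System32\spoolsv.exe</path><owner>LocalSystem</owner></ServiceItem>
  <ServiceItem><name>wuauserv</name><path>C:\Windows\System32\svchost.exe</path><owner>LocalSystem</owner></ServiceItem>
  <ServiceItem><name>Updater</name><path>C:\Users\Public\updater.exe</path><owner>LocalSystem</owner></ServiceItem>
</ServiceItems>""",
    "host-b": r"""<ServiceItems>
  <ServiceItem><name>Spooler</name><path>C:\Windows\System32\spoolsv.exe</path><owner>LocalSystem</owner></ServiceItem>
  <ServiceItem><name>wuauserv</name><path>C:\Windows\System32\svchost.exe</path><owner>LocalSystem</owner></ServiceItem>
</ServiceItems>""",
    "host-c": r"""<ServiceItems>
  <ServiceItem><name>Spooler</name><path>C:\Temp\spoolsv.exe</path><owner>LocalSystem</owner></ServiceItem>
  <ServiceItem><name>wuauserv</name><path>C:\Windows\System32\svchost.exe</path><owner>LocalSystem</owner></ServiceItem>
</ServiceItems>""",
}

def split_events(xml_text, host):
    """Break one host's XML output into one event per ServiceItem."""
    root = ET.fromstring(xml_text)
    for item in root.iter("ServiceItem"):
        yield {
            "host": host,
            "name": (item.findtext("name") or "").strip(),
            "path": (item.findtext("path") or "").strip(),
            "owner": (item.findtext("owner") or "").strip(),
        }

def stack(host_xml):
    """Map each (name, path, owner) tuple to the set of hosts it appears on."""
    seen = defaultdict(set)
    for host, xml_text in host_xml.items():
        for ev in split_events(xml_text, host):
            seen[(ev["name"], ev["path"], ev["owner"])].add(ev["host"])
    return seen

def outliers(host_xml, max_hosts=1):
    """Services present on at most max_hosts hosts (the least frequent across
    the fleet). A well-known service name running from an unusual path still
    stands out because the stacking key includes the path and owner."""
    rare = [(key, sorted(hosts)) for key, hosts in stack(host_xml).items()
            if len(hosts) <= max_hosts]
    return sorted(rare, key=lambda kv: (len(kv[1]), kv[0]))

if __name__ == "__main__":
    for key, hosts in outliers(HOST_XML):
        print(f"{key[0]:<10} {key[1]:<40} {key[2]:<12} hosts={hosts}")
```

Run against the constructed data it flags the Spooler entry on host-c (same name as everywhere else, different path) and the Updater service that only host-a carries, while the services common to all three hosts drop out.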
After looking at the requirements and experimenting a bit, Splunk seemed like a good fit. We started our prototyping by parsing a few output files and creating dashboards within our freely available side project, the Splunk Forensic Investigator App. The architecture looks like the following:
Figure 1: Architecture required to process Redline and MIR files within Splunk
We gave this app the ability to process just a few Redline and MIR output files such as system, network, and drivers. Then we solicited feedback and were pleased with the response.
Results
Since the prototype gained interest, we continued the development efforts and the Splunk Forensic Investigator app now handles the following 15 output files:
· System
· Network
· Processes
· Services
· Ports
· Tasks
· Prefetch
· ShimCache
· DNS
· User Accounts
· URL History
· Driver Modules
· Persistence
· File Listings
· Event Logs
Figure 2: Main MIR Analytics dashboard
Additionally, every processed output type includes both visualization dashboards and analysis dashboards. Visualization dashboards are designed to flush out the anomalies using statistics such as counts, unique counts, most frequent, and least frequent events. An example can be seen in Figure 3.
Figure 3: Example visualization dashboard which shows least and most common attributes
The analysis dashboards parse the XML output from Redline and MIR to display it in a human readable and searchable format. An example can be seen below in Figure 4.
Figure 4: Example analysis dashboard which shows raw event data
Conclusion
Head nod to the "Add-on for OpenIOC by Megan" for ideas: https://splunkbase.splunk.com/app/1517/