Detecting system outbreaks with Sysmon and Splunk

This Splunk search identifies a potential network outbreak by finding hosts that make network connections to an unusually large number of unique destination hosts. A compromised host that is spreading a payload, being used as a beachhead for lateral movement, or probing internal hosts will typically connect to far more distinct peers than it does on a normal day, and that fan-out is what the search measures.

If you know that on any given day no host should connect to more than two other hosts on the internal network, you can look for machines that exceed that number. Keep in mind that the threshold has to be tuned to your environment: run as is, the search will produce many false positives, because domain controllers, file servers, vulnerability scanners and backup systems all legitimately talk to many hosts and should be allowlisted or given their own threshold.

Tip: The search relies on Sysmon as its data source, but any source that records a source host and a destination host will work. You can also turn the idea around and use it to identify AD accounts logging into multiple systems (group logon events by account rather than by computer). Have fun with it :)

The search below shows computers that connect to more than 4 unique hosts. It restricts itself to Sysmon Event ID 3 (network connection), since that is the only Sysmon event that carries DestinationHostname, and uses dc() for the distinct count so the threshold is explicit. To limit the search scope further, you can filter on port, hostname, image name, etc. This assumes that you have the Sysmon Splunk app installed.

sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3 | stats dc(DestinationHostname) as dest_count values(DestinationHostname) as DestinationHostname by Computer | where dest_count > 4
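To make the detection logic concrete outside Splunk, here is the same fan-out check implemented in Python over Sysmon-style XML event records. This is an added example, not code from the original post: it parses minimal Windows XML events, counts distinct destinations per computer for Event ID 3, applies the threshold, and shows the two tuning knobs the text calls for (a port filter and an allowlist of hosts that legitimately fan out). It also covers the tip above by running the same logic over constructed Security 4624 logon records grouped by account. All event records, hostnames and account names are constructed sample data.

```python
"""Fan-out detection over Windows XML event records, mirroring the Splunk
search in the post: count distinct destinations per source host from Sysmon
Event ID 3 and flag sources above a threshold. Added example, not the post's
own code; every record below is constructed sample data, not a real log."""
from collections import defaultdict
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def make_event(computer, event_id, **data):
    """Build a minimal Windows XML event record (constructed test data only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


def parse_event(xml_text):
    """Return a flat dict: Computer, EventID (int) and every EventData field."""
    root = ET.fromstring(xml_text)
    ev = {"Computer": root.findtext("e:System/e:Computer", namespaces=NS),
          "EventID": int(root.findtext("e:System/e:EventID", namespaces=NS))}
    for d in root.findall("e:EventData/e:Data", namespaces=NS):
        ev[d.get("Name")] = d.text
    return ev


def fan_out(events, event_id=3, key="Computer", value="DestinationHostname",
            port=None, ignore_keys=()):
    """Equivalent of `stats values(<value>) by <key>` restricted to one event ID.

    Defaults reproduce the post's search (Sysmon ID 3, destinations per host).
    `port` narrows to one DestinationPort; `ignore_keys` allowlists sources
    that legitimately talk to many hosts (DCs, scanners, backup servers)."""
    seen = defaultdict(set)
    for ev in events:
        if ev["EventID"] != event_id or ev.get(key) in ignore_keys:
            continue
        if port is not None and ev.get("DestinationPort") != str(port):
            continue
        target = ev.get(value)
        if target and target != ev.get(key):      # ignore self-connections
            seen[ev[key]].add(target)
    return seen


def find_outbreaks(events, threshold=4, **kwargs):
    """Equivalent of `where mvcount(...) > threshold`; returns {source: [targets]}."""
    return {src: sorted(t) for src, t in fan_out(events, **kwargs).items()
            if len(t) > threshold}


# --- constructed sample data -------------------------------------------------
SAMPLE = [parse_event(x) for x in (
    # WS01 reaches six internal hosts over SMB: the lateral-movement pattern.
    *(make_event("WS01.corp.local", 3, DestinationHostname=f"WS{n}.corp.local",
                 DestinationPort=445) for n in range(10, 16)),
    # Repeat connection to a host already seen: must not inflate the count.
    make_event("WS01.corp.local", 3, DestinationHostname="WS10.corp.local",
               DestinationPort=445),
    # WS02 talks to a file server and a printer: normal.
    make_event("WS02.corp.local", 3, DestinationHostname="FS01.corp.local",
               DestinationPort=445),
    make_event("WS02.corp.local", 3, DestinationHostname="PRN01.corp.local",
               DestinationPort=9100),
    # The domain controller legitimately reaches many hosts over RPC.
    *(make_event("DC01.corp.local", 3, DestinationHostname=f"WS{n}.corp.local",
                 DestinationPort=135) for n in range(20, 25)),
    # Process creation (ID 1) has no DestinationHostname and is skipped.
    make_event("WS03.corp.local", 1, Image="C:\\Windows\\System32\\cmd.exe"),
    # Security 4624 logons for the tip's variant: one account hitting 5 hosts.
    *(make_event(f"WS{n}.corp.local", 4624, TargetUserName="svc_backup",
                 LogonType=3) for n in range(30, 35)),
    make_event("WS40.corp.local", 4624, TargetUserName="alice", LogonType=2),
)]

if __name__ == "__main__":
    for src, targets in find_outbreaks(SAMPLE, ignore_keys={"DC01.corp.local"}).items():
        print(f"{src}: {len(targets)} unique destinations -> {', '.join(targets)}")
    for user, hosts in find_outbreaks(SAMPLE, event_id=4624, key="TargetUserName",
                                      value="Computer").items():
        print(f"{user}: logged on to {len(hosts)} systems -> {', '.join(hosts)}")
```

Without the allowlist the domain controller trips the same threshold as the compromised workstation, which is exactly the false-positive problem the text warns about; the port filter (for example `port=445` for SMB fan-out) is the other cheap way to cut noise before raising the threshold.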

Ryan St. Germain