This project demonstrates threat hunting activities using Splunk Enterprise and Sysmon telemetry.
The objective is to proactively identify suspicious behavior, investigate potential threats, and validate findings using real Windows event data.

| Component | Details |
|---|---|
| SIEM | Splunk Enterprise 10.4 |
| Endpoint Monitoring | Sysmon |
| Operating System | Windows 11 |
| Framework | MITRE ATT&CK |

Identify PowerShell execution that may indicate attacker activity.

```spl
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| search "powershell.exe"
```

PowerShell process execution events were successfully identified.
Identify command-line execution activity.

```spl
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| search "cmd.exe"
```

Command Prompt executions were detected and analyzed.
Identify account enumeration techniques commonly used by attackers.

```spl
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
("whoami.exe" OR "net.exe")
```

Account discovery activity was successfully identified.
Identify outbound network connections created by processes on the endpoint.

```spl
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| search "<EventID>3</EventID>"
```

Sysmon Network Connection events (Event ID 3) were detected and reviewed.
Identify file creation activity that could indicate payload delivery or malware staging.

```spl
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| search "<EventID>11</EventID>"
```

Sysmon File Creation events (Event ID 11) were successfully identified.


| Technique ID | Technique |
|---|---|
| T1059.001 | PowerShell |
| T1087 | Account Discovery |
| T1105 | Ingress Tool Transfer |
| T1049 | System Network Connections Discovery |
| T1059.003 | Windows Command Shell |

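The five hunts above and this technique mapping, replayed outside Splunk as an added example that is not part of the original project. It builds a handful of constructed Sysmon events in the XmlWinEventLog XML layout (hypothetical host WIN11-LAB, user alice, and file paths), parses them with the standard library, applies one rule per hunt, and tallies hits per ATT&CK technique ID. Unlike the raw keyword searches in the SPL, which match `"powershell.exe"` anywhere in the event (including ParentImage or a command line), the rules here match on the basename of the Image field, so a non-matching process such as explorer.exe produces no finding.

```python
"""Replay of the README's Sysmon hunts over constructed XmlWinEventLog records.
Added example; not the project's code. Events, host, user and paths are made up."""
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import PureWindowsPath

# Namespace used by Windows event XML as forwarded to Splunk.
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"


def _event(event_id, data):
    """Build one constructed Sysmon event in the XmlWinEventLog shape."""
    fields = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return (f"<Event xmlns='{NS[1:-1]}'><System><EventID>{event_id}</EventID>"
            f"<Computer>WIN11-LAB</Computer></System>"
            f"<EventData>{fields}</EventData></Event>")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry (hypothetical host, user and paths).
SAMPLE_EVENTS = [
    _event(1, {"Image": PS, "CommandLine": "powershell.exe -nop -w hidden -enc QQBCAEMA",
               "User": r"WIN11-LAB\alice"}),
    _event(1, {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir",
               "User": r"WIN11-LAB\alice"}),
    _event(1, {"Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami",
               "User": r"WIN11-LAB\alice"}),
    _event(1, {"Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user",
               "User": r"WIN11-LAB\alice"}),
    _event(1, {"Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe",
               "User": r"WIN11-LAB\alice"}),  # benign: should not match any hunt
    _event(3, {"Image": PS, "DestinationIp": "203.0.113.10", "DestinationPort": "443"}),
    _event(11, {"Image": PS, "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\update.exe"}),
]

# Hunt rules mirroring the README: (hunt name, Sysmon EventID, image basenames, technique).
# An image set of None means any process qualifies (Event ID 3 and 11 hunts).
HUNTS = [
    ("PowerShell execution", 1, {"powershell.exe"}, "T1059.001"),
    ("Command shell execution", 1, {"cmd.exe"}, "T1059.003"),
    ("Account discovery", 1, {"whoami.exe", "net.exe"}, "T1087"),
    ("Outbound network connection", 3, None, "T1049"),
    ("File creation", 11, None, "T1105"),
]


def parse_event(xml_text):
    """Return EventID plus every EventData <Data Name=...> field as a dict."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.find(f"{NS}System/{NS}EventID").text)}
    for d in root.iter(f"{NS}Data"):
        ev[d.get("Name")] = d.text or ""
    return ev


def hunt(xml_events):
    """Apply each hunt rule; return one finding per (event, rule) match."""
    findings = []
    for raw in xml_events:
        ev = parse_event(raw)
        image = PureWindowsPath(ev.get("Image", "")).name.lower()
        for name, event_id, images, technique in HUNTS:
            if ev["EventID"] == event_id and (images is None or image in images):
                findings.append({
                    "hunt": name, "technique": technique, "image": image,
                    "detail": ev.get("CommandLine") or ev.get("DestinationIp")
                    or ev.get("TargetFilename", ""),
                })
    return findings


def technique_summary(findings):
    """Count findings per ATT&CK technique ID."""
    return Counter(f["technique"] for f in findings)


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['technique']:10} {f['hunt']:28} {f['image']:16} {f['detail']}")
    print(dict(technique_summary(results)))
```

Running the script lists six findings (the explorer.exe event is ignored) and a summary with two T1087 hits, since both whoami.exe and net.exe fall under the account discovery hunt.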
- Threat Hunting
- Splunk SPL
- Sysmon Analysis
- Windows Event Analysis
- Detection Engineering
- MITRE ATT&CK Mapping
- Security Monitoring
- Incident Investigation

Agata Gabara
Cybersecurity | SOC Analyst | Threat Hunter
GitHub: https://github.com/ag48665