New Release SPLK-5001 Splunk Questions

Thefile_aclfield, which contains access controls associated with files affected by an event, is part of theEndpointdata model in Splunk. The Endpoint data model is designed to include information related to file access, process activity, and user activity on endpoints. Fields likefile_aclare critical for understanding permissions and potential security risks associated with file access and manipulation, which are key aspects of endpoint security monitoring.

The Lockheed Martin Cyber Kill Chain® is a widely recognized framework that breaks down the stages of a cyber attack. The stages are: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control (C2), and Actions on Objectives. The scenario described—modifying the registry on a compromised Windows system to ensure malware runs at boot time—fits into theInstallationphase. This phase involves placing a persistent backdoor or other malicious software on the victim's system, ensuring it can be executed again, even after a system reboot. By modifying the registry, the attacker is achieving persistence, a classic example of the Installation phase.

Thestatscommand is used to generate statistics, such as counts, over specific fields. In this case, the commandindex=security_logs eventtype=failed_login | stats count as failed_attempts by src_ip | sort -failed_attemptscreates a temporary table that counts the number of failed login attempts (failed_attempts) for each source IP (src_ip). Thesort -failed_attemptsensures the results are ordered by the number of failed attempts in descending order, making it easier for an analyst to identify problematic IPs.

Pyramid of Pain Overview:The Pyramid of Pain categorizes indicators based on how difficult they are for attackers to alter:

Hash Values (Low Impact):Attackers can easily change a file's hash by altering even a single byte, rendering this indicator obsolete.

IP Addresses, Domain Names (Moderate Impact):Slightly harder to change than hash values but still relatively easy for attackers to adapt.

TTPs (High Impact):Tactics, Techniques, and Procedures are the most difficult for attackers to alter because they involve the fundamental ways attackers operate. Detecting and responding to TTPs can significantly disrupt an attacker’s strategy.

Why Hash Values Are Least Effective:

Ease of Evasion:Attackers can quickly generate new hash values by modifying files, making it a weak indicator for continuous monitoring.

Short Lifespan:Once detected and blocked, a hash value is of limited use because attackers can simply recompile or pack the malware to create a new hash.