Splunk is still the most widely deployed SIEM in enterprise environments and the SPL query language is one of the most powerful tools available to a SOC analyst who knows how to use it properly. These queries come from production deployments at major financial institutions. Every one has been tuned against real alert volume and real false positive patterns.

Environment Notes

All queries use index=win_* and sourcetype="WinEventLog:Security" or source="XmlWinEventLog:Security". Default time range earliest=-30d latest=now. EventCode 4688 requires command line auditing enabled via Group Policy. Tune exclusion lists before enabling alerts.

Query 1: Suspicious Process Creation — LOLBin Abuse

Detects Living-off-the-Land Binary execution from unexpected parent processes. One of the most reliable indicators of post-exploitation activity because attackers use signed Windows binaries to avoid detection. The parent process context is the strongest signal.

index=win_* (sourcetype="WinEventLog:Security" OR source="XmlWinEventLog:Security")
EventCode=4688 earliest=-30d latest=now
| eval image=lower(coalesce(New_Process_Name, Process_Name))
| eval parent=lower(coalesce(Creator_Process_Name, Parent_Process_Name))
| eval cmdline=coalesce(Process_Command_Line, CommandLine)
| where match(image, "(certutil|mshta|wscript|cscript|regsvr32|rundll32|msiexec)\.exe$")
| where NOT match(parent, "(explorer|services|svchost|msiexec|taniumclient|ccmexec|devenv)\.exe$")
| where isnotnull(cmdline) AND cmdline!=""
| eval suspicious=case(
    match(cmdline, "(?i)(http|https)"), "network_call",
    match(cmdline, "(?i)-urlcache"), "certutil_download",
    match(cmdline, "(?i)(AppData|Temp|Downloads)"), "user_writable_path",
    true(), "review"
  )
| table _time host user parent image cmdline suspicious
| sort 0 -_time

What to flag immediately

Query 2: Encoded PowerShell Execution

Detects PowerShell commands using Base64 encoding to obfuscate payloads. Attackers use encoding to bypass command line logging and string-based detections. The combination of encoded commands with download cradles is a near-certain indicator of malicious execution.

index=win_* (sourcetype="WinEventLog:Security" OR source="XmlWinEventLog:Security")
EventCode=4688 earliest=-30d latest=now
| eval image=lower(coalesce(New_Process_Name, Process_Name))
| eval cmdline=coalesce(Process_Command_Line, CommandLine)
| where match(image, "powershell\.exe$")
| where match(cmdline, "(?i)(-enc|-encodedcommand|-e\s+[A-Za-z0-9+/=]{20,})")
| eval risk=case(
    match(cmdline, "(?i)(IEX|Invoke-Expression|DownloadString|WebClient)"), "critical",
    match(cmdline, "(?i)(bypass|hidden|noprofile|noninteractive)"), "high",
    true(), "review"
  )
| eval parent=lower(coalesce(Creator_Process_Name, Parent_Process_Name))
| table _time host user parent cmdline risk
| sort 0 -_time

Query 3: New Local Administrator Account Creation Off Hours

Attackers create local administrator accounts as a persistence mechanism almost always during off-hours when SOC staffing is at minimum. This query filters account creation to outside business hours and specifically targets privileged group additions.

index=win_* (sourcetype="WinEventLog:Security" OR source="XmlWinEventLog:Security")
(EventCode=4720 OR EventCode=4732) earliest=-30d latest=now
| eval hour=strftime(_time, "%H")
| where hour < "07" OR hour > "19"
| eval activity=case(
    EventCode==4720, "Account Created",
    EventCode==4732, "Added to Privileged Group",
    true(), "Unknown"
  )
| eval target_user=coalesce(TargetUserName, Target_Account_Name)
| eval subject_user=coalesce(SubjectUserName, Subject_Account_Name)
| where NOT match(target_user, "\$$")
| table _time host subject_user target_user activity EventCode
| sort 0 -_time

Query 4: Credential Dumping via Task Manager or ProcDump

Detects common credential dumping tools targeting the LSASS process. Attackers dump LSASS memory to extract password hashes and Kerberos tickets for lateral movement. This query catches both tool-based and manual dumping attempts.

index=win_* (sourcetype="WinEventLog:Security" OR source="XmlWinEventLog:Security")
EventCode=4688 earliest=-30d latest=now
| eval image=lower(coalesce(New_Process_Name, Process_Name))
| eval cmdline=coalesce(Process_Command_Line, CommandLine)
| where (
    match(image, "(procdump|mimikatz|wce|pwdump)") OR
    match(cmdline, "(?i)(lsass|MiniDump|sekurlsa|logonpasswords|dcsync)") OR
    (match(image, "taskmgr\.exe") AND match(cmdline, "(?i)lsass"))
  )
| table _time host user image cmdline
| sort 0 -_time

Query 5: Scheduled Task Creation for Persistence

Scheduled tasks are one of the most common persistence mechanisms because they survive reboots and are often overlooked during IR. This query focuses on tasks created off-hours that execute scripts or binaries from user-writable locations.

index=win_* (sourcetype="WinEventLog:Security" OR source="XmlWinEventLog:Security")
EventCode=4698 earliest=-30d latest=now
| eval hour=strftime(_time, "%H")
| where hour < "07" OR hour > "19"
| eval task_content=coalesce(TaskContent, Message)
| where match(task_content, "(?i)(powershell|cmd|wscript|cscript|mshta|AppData|Temp|Downloads)")
| eval subject_user=coalesce(SubjectUserName, Subject_Account_Name)
| table _time host subject_user task_content
| sort 0 -_time

Query 6: Lateral Movement via Pass the Hash

Pass-the-hash attacks use stolen NTLM hashes for authentication without knowing plaintext passwords. The distinctive pattern is network logons using NTLM from unexpected source systems, particularly accounts authenticating to multiple new hosts in a short window.

index=win_* (sourcetype="WinEventLog:Security" OR source="XmlWinEventLog:Security")
EventCode=4624 earliest=-30d latest=now
| eval logon_type=coalesce(Logon_Type, LogonType)
| eval auth_package=coalesce(Authentication_Package_Name, AuthenticationPackageName)
| where logon_type="3" AND auth_package="NTLM"
| eval account=coalesce(Account_Name, TargetUserName)
| eval workstation=coalesce(Workstation_Name, WorkstationName)
| where NOT match(account, "\$$")
| stats
    count as ntlm_logins,
    dc(host) as unique_targets,
    values(host) as target_list
    by account, workstation
| where ntlm_logins > 10 OR unique_targets > 3
| sort -ntlm_logins
Baselining Before Alerting

Run every query against 30 days of historical data before enabling alerts. Document what fires. Anything that fires repeatedly from the same legitimate source gets added to an exclusion list. A week of baselining gives you rules with almost zero false positive noise in production.

Query 7: Reconnaissance via Net Commands

Attackers use built-in Windows net commands to enumerate users, groups, and shares immediately after gaining access. Clustering multiple net commands from the same host in a short window is a strong post-exploitation indicator.

index=win_* (sourcetype="WinEventLog:Security" OR source="XmlWinEventLog:Security")
EventCode=4688 earliest=-30d latest=now
| eval image=lower(coalesce(New_Process_Name, Process_Name))
| eval cmdline=coalesce(Process_Command_Line, CommandLine)
| where match(image, "\\bnet\.exe$|\\bnet1\.exe$")
| where match(cmdline, "(?i)(user|group|localgroup|share|view|use|accounts|session)")
| bin _time span=5m
| stats
    count as cmd_count,
    values(cmdline) as commands
    by _time host user
| where cmd_count > 3
| sort 0 -_time
Intelligence Pack
Get a new production query every Tuesday

The SOCAuthority Weekly Intelligence Pack delivers one production-ready Splunk, CrowdStrike, or Sentinel query every Tuesday with full context, false positive notes, and MITRE mapping. Plus monthly Office Hours, private Discord, and a growing detection archive.

Join Intelligence Pack — $14.99/month Free Triage Checklist

Cancel anytime. 30-day money back guarantee.