Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Looking for processes executions in temp directories with random file names

fdevera
Path Finder
‎10-07-2020 05:10 PM

I'm trying to get results which show randomized filenames but it's giving me randomization in the path directory location. I just want to see randomized filenames. Here's what I have so far:

 

 

eventtype=winevent EventCode=4688 (New_Process_Name="C:\\Windows\\TEMP\\*" OR New_Process_Name="C:\\users\\*\\appdata\\local\\temp\\*") NOT New_Process_Name="C:\\Users\\asiaynrf\\AppData\\Local\\Temp\\QIKCache\\*"
| lookup ut_shannon_lookup word as New_Process_Name 
| where ut_shannon > 4.5 
| stats  values(ut_shannon)  as "Shannon Entropy Score" by New_Process_Name,host 
| rename  New_Process_Name as Process,host as Endpoint | sort  -"Shannon Entropy Score"

 

 

 How do I limit randomization to filename and not the whole path?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-08-2020 07:14 AM

To check the randomization of the filename rather than the whole path, extract the name from the New_Process_Name field.

eventtype=winevent EventCode=4688 (New_Process_Name="C:\\Windows\\TEMP\\*" OR New_Process_Name="C:\\users\\*\\appdata\\local\\temp\\*") NOT New_Process_Name="C:\\Users\\asiaynrf\\AppData\\Local\\Temp\\QIKCache\\*"
| rex field=New_Process_Name "\\\(?<filename>[^\\\]+)$"
| lookup ut_shannon_lookup word as filename
| where ut_shannon > 4.5 
| stats  values(ut_shannon)  as "Shannon Entropy Score" by New_Process_Name,host 
| rename  New_Process_Name as Process,host as Endpoint | sort  -"Shannon Entropy Score"
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎10-08-2020 07:14 AM

To check the randomization of the filename rather than the whole path, extract the name from the New_Process_Name field.

eventtype=winevent EventCode=4688 (New_Process_Name="C:\\Windows\\TEMP\\*" OR New_Process_Name="C:\\users\\*\\appdata\\local\\temp\\*") NOT New_Process_Name="C:\\Users\\asiaynrf\\AppData\\Local\\Temp\\QIKCache\\*"
| rex field=New_Process_Name "\\\(?<filename>[^\\\]+)$"
| lookup ut_shannon_lookup word as filename
| where ut_shannon > 4.5 
| stats  values(ut_shannon)  as "Shannon Entropy Score" by New_Process_Name,host 
| rename  New_Process_Name as Process,host as Endpoint | sort  -"Shannon Entropy Score"
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...