Process creation events
A Windows PC has been infected with malware, and you need to find any processes that were created by the malware.
Data required
These sample searches use Windows security event logs and Microsoft Sysmon data. You can replace these sources with any other system log data used in your organization.
Procedure
Option 1
Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventDescription=ProcessCreate CommandLine=3791.exe host=<server name>
Search explanation
Here is an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | Search only Microsoft Sysmon data. |
| EventDescription=ProcessCreate | Search for process creation events (Sysmon Event ID 1). |
| CommandLine=3791.exe | Search for the 3791.exe process. Because CommandLine holds the full command line, this exact match only hits when the process was launched with no path and no arguments; use CommandLine="*3791.exe*", or match on the Image field, to catch other launches. |
| host=<server name> | Search a specific host. |
Next steps
This search returns the ID of the parent process (ParentProcessId) that started the process you searched for. It also returns the parent command line (ParentCommandLine), so you can see the command that launched it.
Option 2
Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="wineventlog:security" EventCode=4688 | stats count, values(Creator_Process_Name) AS Creator_Process_Name BY New_Process_Name | table New_Process_Name count Creator_Process_Name | sort count
Search explanation
Here is an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| sourcetype="wineventlog:security" | Search only Windows security event log data. |
| EventCode=4688 | Search for event code 4688, which indicates a new process has been created. By default, 4688 events do not include the process command line; enable the Audit Process Creation subcategory and the Group Policy setting "Include command line in process creation events" (Computer Configuration > Administrative Templates > System > Audit Process Creation) to capture it, which is what makes PowerShell invocations visible in 4688 events. For more information, see this blog post. |
| \| stats count, values(Creator_Process_Name) AS Creator_Process_Name BY New_Process_Name | Provide a count and the distinct parent process names, grouped by the new process name. |
| \| table New_Process_Name count Creator_Process_Name | Display the output in a table with three columns, ordered as shown in the search syntax. |
| \| sort count | Return the results with the smallest count first, so rarely seen processes appear at the top. |
Next steps
This search returns the full path of each process created, as well as the name of its parent process where the event records it. Because New_Process_Name is a full path, processes launched from outside common locations such as C:\Windows\System32 or C:\Program Files stand out. After you have identified a suspicious parent, a possible next step is to pivot on its process ID (Creator_Process_ID in 4688 events, ParentProcessId in Sysmon events) to find related processes.
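The two searches above and the parent-ID pivot from the next steps, re-implemented as an added Python example over constructed Sysmon ProcessCreate records. This is not code from the original page or from Splunk; the hostname, PIDs, paths and command lines in the sample are invented for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Constructed sample (not real telemetry): Word opens a macro document that
# drops and runs 3791.exe from a user-writable path, which spawns cmd.exe and
# whoami.exe. A second, benign cmd.exe launched from Explorer is included so
# the per-image summary has a count greater than one.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID>
 <Computer>ws01</Computer></System><EventData><Data Name="ProcessId">4120</Data>
 <Data Name="Image">C:\Program Files\Microsoft Office\WINWORD.EXE</Data>
 <Data Name="CommandLine">"C:\Program Files\Microsoft Office\WINWORD.EXE" /n invoice.docm</Data>
 <Data Name="ParentProcessId">3388</Data><Data Name="ParentImage">C:\Windows\explorer.exe</Data>
 <Data Name="ParentCommandLine">C:\Windows\explorer.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID>
 <Computer>ws01</Computer></System><EventData><Data Name="ProcessId">5604</Data>
 <Data Name="Image">C:\Users\alice\AppData\Local\Temp\3791.exe</Data>
 <Data Name="CommandLine">"C:\Users\alice\AppData\Local\Temp\3791.exe" -s</Data>
 <Data Name="ParentProcessId">4120</Data><Data Name="ParentImage">C:\Program Files\Microsoft Office\WINWORD.EXE</Data>
 <Data Name="ParentCommandLine">"C:\Program Files\Microsoft Office\WINWORD.EXE" /n invoice.docm</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID>
 <Computer>ws01</Computer></System><EventData><Data Name="ProcessId">5620</Data>
 <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
 <Data Name="CommandLine">cmd.exe /c whoami</Data>
 <Data Name="ParentProcessId">5604</Data><Data Name="ParentImage">C:\Users\alice\AppData\Local\Temp\3791.exe</Data>
 <Data Name="ParentCommandLine">"C:\Users\alice\AppData\Local\Temp\3791.exe" -s</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID>
 <Computer>ws01</Computer></System><EventData><Data Name="ProcessId">5632</Data>
 <Data Name="Image">C:\Windows\System32\whoami.exe</Data>
 <Data Name="CommandLine">whoami</Data>
 <Data Name="ParentProcessId">5620</Data><Data Name="ParentImage">C:\Windows\System32\cmd.exe</Data>
 <Data Name="ParentCommandLine">cmd.exe /c whoami</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>1</EventID>
 <Computer>ws01</Computer></System><EventData><Data Name="ProcessId">5700</Data>
 <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
 <Data Name="CommandLine">"C:\Windows\System32\cmd.exe"</Data>
 <Data Name="ParentProcessId">3388</Data><Data Name="ParentImage">C:\Windows\explorer.exe</Data>
 <Data Name="ParentCommandLine">C:\Windows\explorer.exe</Data></EventData></Event>
</Events>"""

# Locations the page treats as "common"; anything else is worth a second look.
COMMON_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_process_create(xml_text):
    """Return one dict per Sysmon Event ID 1 record: host plus every EventData field."""
    events = []
    for ev in ET.fromstring(xml_text).iter(f"{{{NS}}}Event"):
        if ev.findtext(f"{{{NS}}}System/{{{NS}}}EventID") != "1":
            continue
        rec = {"host": ev.findtext(f"{{{NS}}}System/{{{NS}}}Computer")}
        for data in ev.iter(f"{{{NS}}}Data"):
            rec[data.get("Name")] = data.text
        events.append(rec)
    return events


def find_process(events, name, host=None, exact_command_line=False):
    """Option 1. Matching on Image (the executable path) is robust; an exact match
    on CommandLine, as written in the search above, only hits when the process
    was launched with no path and no arguments."""
    def hit(e):
        if host is not None and e["host"] != host:
            return False
        if exact_command_line:
            return e["CommandLine"].lower() == name.lower()
        return e["Image"].lower().endswith("\\" + name.lower())
    return [e for e in events if hit(e)]


def descendants(events, pid):
    """Next step: follow ParentProcessId to collect everything a process spawned.
    PIDs are reused on a live system, so in real data constrain by host and time
    window, or pivot on Sysmon's ParentProcessGuid instead of the integer PID."""
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e["ParentProcessId"]].append(e)
    found, stack = [], [pid]
    while stack:
        for child in by_parent.get(stack.pop(), []):
            found.append(child)
            stack.append(child["ProcessId"])
    return found


def summarize(events):
    """Option 2: launches per image with the distinct parent images, smallest
    count first, flagging images that live outside COMMON_DIRS."""
    count = Counter(e["Image"] for e in events)
    parents = defaultdict(set)
    for e in events:
        parents[e["Image"]].add(e["ParentImage"])
    rows = [{"new_process": img, "count": n, "creators": sorted(parents[img]),
             "unusual_location": not img.lower().startswith(COMMON_DIRS)}
            for img, n in count.items()]
    return sorted(rows, key=lambda r: r["count"])


if __name__ == "__main__":
    evs = parse_process_create(SAMPLE_XML)
    for e in find_process(evs, "3791.exe", host="ws01"):
        print("parent pid", e["ParentProcessId"], "cmdline", e["ParentCommandLine"])
        for child in descendants(evs, e["ProcessId"]):
            print("  spawned", child["ProcessId"], child["CommandLine"])
    for row in summarize(evs):
        print(row)
```

Running the module prints the parent of 3791.exe (WINWORD.EXE opening a .docm) and the cmd.exe and whoami.exe it spawned, then the per-image summary, in which the only row flagged as an unusual location is the Temp-directory dropper. Calling find_process with exact_command_line=True returns nothing, which is the point of the caveat in the Option 1 table.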
Finally, you might be interested in other processes associated with the Recognizing improper use of system administration tools use case.