Splunk Lantern

Process creation events

A Windows PC has been infected with malware, and you need to find any processes that were created by the malware.

Data required 

System log data

These sample searches use Windows Security event logs and Microsoft Sysmon data. You can replace this source with any other system log data used in your organization.

Procedure

Option 1

Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventDescription=ProcessCreate CommandLine=3791.exe host=<server name>

Search explanation

Here is an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk search and explanation

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational 

Search only Microsoft Sysmon operational log data. This log also holds network, file and registry events; the EventDescription filter on the next line narrows it to process creation (Sysmon Event ID 1).

EventDescription=ProcessCreate 

Search for a process creation event.

CommandLine=3791.exe 

Search for the 3791.exe process. CommandLine holds the full command line, so an exact value only matches when the process was launched with no path and no arguments; use CommandLine="*3791.exe*", or match on the executable path with Image="*3791.exe", to catch a process started with a full path or switches.

host=<server name>

Search a specific host.

Next steps

This search returns the ID of the parent process that called or started the process you searched for (ParentProcessId), together with ParentProcessGuid, ParentImage and ParentCommandLine, so you can see the command that called the process. Pivot on ParentProcessGuid rather than ParentProcessId where you can: Windows reuses process IDs, so a PID alone can point at an unrelated process that ran later on the same host.

Option 2

Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype="wineventlog:security" EventCode=4688
| stats count, values(Creator_Process_Name) AS Creator_Process_Name BY New_Process_Name
| table New_Process_Name count Creator_Process_Name
| sort count

Search explanation

Here is an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk search and explanation

sourcetype="wineventlog:security" 

Search only Windows event log security data. 

EventCode=4688 

Search for event code 4688, which indicates a new process has been created.

By default, Event ID 4688 records the process name but not its command line, so PowerShell one-liners and other command-line arguments are missing from the event. To capture them, enable the "Audit Process Creation" subcategory (success) and the policy Computer Configuration > Administrative Templates > System > Audit Process Creation > "Include command line in process creation events" (registry value ProcessCreationIncludeCmdLine_Enabled=1 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit). For more information, see this blog post.

| stats count, values(Creator_Process_Name) AS Creator_Process_Name BY New_Process_Name

Provide a count and the distinct values of parent process names organized by the new process name. 

| table New_Process_Name count Creator_Process_Name

Display the output in a table with three columns, ordered as shown in the search syntax.

| sort count

Return the results with the smallest count first, so process names seen only once or twice on the host, which are the most likely to be malware, appear at the top. The sort command keeps only the first 10,000 results by default; use sort 0 count if the host generates more distinct process names than that.

Next steps

This search returns the name of the process created, as well as the name of the parent process when applicable. Because New_Process_Name holds the full path, it also lets you spot processes that were not started from common locations, such as C:\Windows\System32 or C:\Program Files, for example an executable running from C:\Users\Public or a temp directory. The raw 4688 event also carries the Creator Process ID and New Process ID fields; after you have identified the parent process ID, a possible next step is to use it to find the other processes that parent created in the same time window.
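The two "Next steps" above (Option 1: pivot from the parent ID to the processes it spawned; Option 2: rank parent/child pairs by rarity and flag unusual install locations) are the same analysis run over exported events. The Python below is an added example, not Splunk Lantern's own code: it parses a constructed sample of Sysmon Event ID 1 (ProcessCreate) XML records, builds a process tree keyed on ProcessGuid/ParentProcessGuid (real Sysmon data names; the GUID values and paths in the sample are made up), and answers the same three questions offline. Matching is done on the Image basename rather than on an exact CommandLine value, for the reason given under Option 1.

```python
"""Process-tree reconstruction from Sysmon ProcessCreate (Event ID 1) XML events.

Added example; not Splunk Lantern code. SAMPLE_EVENTS is constructed test data.
Sysmon data names used (ProcessGuid, ParentProcessGuid, Image, CommandLine,
ParentImage) are the real Event ID 1 field names; the values are invented.
"""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"


def _sysmon_event(guid, parent_guid, image, cmdline, parent_image):
    """Build one minimal Sysmon Event ID 1 record (constructed sample data)."""
    return (
        f'<Event xmlns="{EVT_NS[1:-1]}">'
        "<System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>1</EventID></System>"
        "<EventData>"
        f"<Data Name='ProcessGuid'>{guid}</Data>"
        f"<Data Name='Image'>{image}</Data>"
        f"<Data Name='CommandLine'>{cmdline}</Data>"
        f"<Data Name='ParentProcessGuid'>{parent_guid}</Data>"
        f"<Data Name='ParentImage'>{parent_image}</Data>"
        "</EventData></Event>"
    )


# Constructed sample: a normal desktop session plus 3791.exe launched from
# C:\Users\Public, which then spawns cmd.exe and a hidden PowerShell.
SAMPLE_EVENTS = [
    _sysmon_event("{G-EXPLORER}", "{G-USERINIT}", "C:\\Windows\\explorer.exe",
                  "explorer.exe", "C:\\Windows\\System32\\userinit.exe"),
    _sysmon_event("{G-CHROME1}", "{G-EXPLORER}", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                  "chrome.exe", "C:\\Windows\\explorer.exe"),
    _sysmon_event("{G-CHROME2}", "{G-EXPLORER}", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                  "chrome.exe --type=renderer", "C:\\Windows\\explorer.exe"),
    _sysmon_event("{G-CHROME3}", "{G-EXPLORER}", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                  "chrome.exe --type=gpu-process", "C:\\Windows\\explorer.exe"),
    _sysmon_event("{G-MAL}", "{G-EXPLORER}", "C:\\Users\\Public\\3791.exe",
                  "\"C:\\Users\\Public\\3791.exe\" /silent", "C:\\Windows\\explorer.exe"),
    _sysmon_event("{G-CMD}", "{G-MAL}", "C:\\Windows\\System32\\cmd.exe",
                  "cmd.exe /c whoami", "C:\\Users\\Public\\3791.exe"),
    _sysmon_event("{G-PS}", "{G-CMD}", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                  "powershell -nop -w hidden -enc AAAA", "C:\\Windows\\System32\\cmd.exe"),
    _sysmon_event("{G-SVC1}", "{G-SERVICES}", "C:\\Windows\\System32\\svchost.exe",
                  "svchost.exe -k netsvcs", "C:\\Windows\\System32\\services.exe"),
    _sysmon_event("{G-SVC2}", "{G-SERVICES}", "C:\\Windows\\System32\\svchost.exe",
                  "svchost.exe -k RPCSS", "C:\\Windows\\System32\\services.exe"),
]


def parse_process_create(xml_text):
    """Return the EventData of a Sysmon ProcessCreate event as a dict; None for other event IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext(f"{EVT_NS}System/{EVT_NS}EventID") != "1":
        return None
    return {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT_NS}Data")}


def build_tree(xml_events):
    """Index events by ProcessGuid and map each parent GUID to its children.
    GUIDs are used instead of PIDs because Windows reuses process IDs."""
    by_guid, children = {}, defaultdict(list)
    for ev in (parse_process_create(x) for x in xml_events):
        if ev is not None:
            by_guid[ev["ProcessGuid"]] = ev
            children[ev["ParentProcessGuid"]].append(ev["ProcessGuid"])
    return by_guid, children


def descendants(guid, children):
    """Breadth-first list of every process spawned, directly or indirectly, by guid."""
    out, queue = [], list(children.get(guid, []))
    while queue:
        g = queue.pop(0)
        out.append(g)
        queue.extend(children.get(g, []))
    return out


def find_by_image_name(by_guid, name):
    """Match on the executable basename (the Image="*3791.exe" idea), not the full command line."""
    return [g for g, ev in by_guid.items()
            if PureWindowsPath(ev["Image"]).name.lower() == name.lower()]


def malware_process_tree(xml_events, image_name):
    """Option 1 next step: parent of the named process plus everything it went on to spawn."""
    by_guid, children = build_tree(xml_events)
    return {
        g: {
            "parent_guid": by_guid[g]["ParentProcessGuid"],
            "parent_image": by_guid[g]["ParentImage"],
            "command_line": by_guid[g]["CommandLine"],
            "descendants": [by_guid[d]["Image"] for d in descendants(g, children)],
        }
        for g in find_by_image_name(by_guid, image_name)
    }


def parent_child_counts(xml_events):
    """Option 2 offline: count (ParentImage, Image) pairs, rarest first (like '| sort count')."""
    counts = Counter()
    for ev in (parse_process_create(x) for x in xml_events):
        if ev is not None:
            counts[(ev["ParentImage"], ev["Image"])] += 1
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def unusual_locations(xml_events, trusted=("C:\\Windows\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\")):
    """Flag processes whose Image is outside the expected install locations."""
    prefixes = tuple(t.lower() for t in trusted)
    return [ev["Image"] for ev in (parse_process_create(x) for x in xml_events)
            if ev is not None and not ev["Image"].lower().startswith(prefixes)]


if __name__ == "__main__":
    for guid, info in malware_process_tree(SAMPLE_EVENTS, "3791.exe").items():
        print(guid, info)
    for (parent, child), n in parent_child_counts(SAMPLE_EVENTS):
        print(n, parent, "->", child)
    print("outside trusted locations:", unusual_locations(SAMPLE_EVENTS))
```

To use it on real data, export the ProcessCreate events for the host from Splunk (the _raw field of the XmlWinEventLog events) and pass the list of XML strings in place of SAMPLE_EVENTS. The same walk works for Security 4688 events if you key on New Process ID / Creator Process ID, but because those PIDs are reused you must also bound the lookup by the parent's creation time.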

Finally, you might be interested in the other searches associated with the Recognizing improper use of system administration tools use case.