Process hash matching
You are concerned that adversaries are using masquerading techniques on your systems to hide tools used for credential dumping and other harmful activities. You want to search for indications that processes are being renamed in an effort to avoid detection.
Data required
- Microsoft Sysmon
- Endpoint data that captures context about running processes and services
Procedure
1. Ensure that your deployment is ingesting Microsoft Sysmon data by configuring the Splunk Add-on for Sysmon.
2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
index=<endpoint index name> EventCode=1
| eval knowngood=1
| stats values(process_name) AS process_name values(Company) AS vendor values(Description) AS description values(FileVersion) AS version values(knowngood) AS known_good by SHA256,MD5
| outputlookup UFKnownGood.csv
This lookup becomes the baseline for your server. Next, leverage it again in a subsequent search to identify changes.
3. Run the following search. You can optimize it by specifying an index and adjusting the time range.
index=<endpoint index name> EventCode=1
| lookup UFKnownGood.csv SHA256 OUTPUT known_good
| eval known_good = case(known_good == 1, "1", 1=1, "0")
| search known_good=0
| stats values(process_name) AS process_name values(Company) AS vendor values(Description) AS description values(FileVersion) AS version values(known_good) AS known_good by SHA256,MD5
Search explanation
The tables explain what each part of these searches achieves. You can adjust the queries based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
index=<endpoint index name> | Search only in your endpoint index. |
EventCode=1 | Search for process creation events. |
| eval knowngood=1 | Create a knowngood field with a value of 1 for each result. |
| stats values(process_name) AS process_name values(Company) AS vendor values(Description) AS description values(FileVersion) AS version values(knowngood) AS known_good by SHA256,MD5 | Return the distinct values of the fields shown, grouped by SHA256 and MD5 hash. |
| outputlookup UFKnownGood.csv | Send the results to a lookup called UFKnownGood.csv. |
The above search builds the lookup table that represents the baseline of hashes of known good processes; the search below uses it to identify unknown processes by hash. Any running process whose hash is not in the lookup is an unknown process and warrants investigation, because it could be a masquerading binary renamed to run undetected. The following search outputs these processes.
Splunk Search | Explanation |
---|---|
index=<endpoint index name> | Search only in your endpoint index. |
EventCode=1 | Search for process creation events. |
| lookup UFKnownGood.csv SHA256 OUTPUT known_good | Output the known_good value from the lookup table and add it to the current event |
| eval known_good = case(known_good == 1, "1", 1=1, "0") | Set known_good from the value returned by the OUTPUT of the lookup command above. If that value is 1, set known_good to "1". Otherwise the always-true 1=1 relation makes the case statement fall through to the next term, which sets known_good to "0". |
| search known_good=0 | Return only events with known_good = 0, that is, processes whose hash was not found in the baseline. |
| stats values(process_name) AS process_name values(Company) AS vendor values(Description) AS description values(FileVersion) AS version values(known_good) AS known_good by SHA256,MD5 | Output the values of the fields and the current value of known_good, grouped by the hashes. |
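As an added illustration of the two-stage logic in the procedure and tables above, outside Splunk, here is a Python script (not from the page or from Splunk) that builds the same hash-keyed baseline from Sysmon process-creation records and then flags events whose SHA256 is absent from it, grouped by hash the way the stats command groups them. The records, hash values and vendor names are constructed placeholders. It goes one step beyond the page's search by also flagging an unknown hash that arrives under a process name the baseline already contains, which is the rename pattern the page is hunting for.

```python
# Constructed Sysmon Event ID 1 (process creation) records, shaped like the
# fields the Splunk Add-on for Sysmon extracts. Hash values are placeholders,
# not real file hashes.
BASELINE_EVENTS = [
    {"process_name": "lsass.exe", "Company": "Microsoft Corporation",
     "Description": "Local Security Authority Process", "FileVersion": "10.0.19041.1",
     "Hashes": "SHA256=AAAA1111,MD5=1111AAAA"},
    {"process_name": "svchost.exe", "Company": "Microsoft Corporation",
     "Description": "Host Process for Windows Services", "FileVersion": "10.0.19041.1",
     "Hashes": "SHA256=BBBB2222,MD5=2222BBBB"},
]

NEW_EVENTS = [
    # Same binary as the baseline: hash matches, so it is known good.
    {"process_name": "svchost.exe", "Company": "Microsoft Corporation",
     "Description": "Host Process for Windows Services", "FileVersion": "10.0.19041.1",
     "Hashes": "SHA256=BBBB2222,MD5=2222BBBB"},
    # A different binary carrying a baselined name: unknown hash, familiar name.
    {"process_name": "lsass.exe", "Company": "", "Description": "", "FileVersion": "",
     "Hashes": "SHA256=CCCC3333,MD5=3333CCCC"},
    # A binary never seen before under any name.
    {"process_name": "tool.exe", "Company": "Example Vendor",
     "Description": "Example Tool", "FileVersion": "1.0.0.0",
     "Hashes": "SHA256=DDDD4444,MD5=4444DDDD"},
]

# Sysmon field -> output column, matching the AS clauses in the searches.
FIELD_MAP = {"process_name": "process_name", "Company": "vendor",
             "Description": "description", "FileVersion": "version"}


def parse_hashes(hashes_field):
    """Split Sysmon's 'ALG=value,ALG=value' Hashes field into {ALG: value}."""
    out = {}
    for part in hashes_field.split(","):
        if "=" in part:
            alg, val = part.split("=", 1)
            out[alg.strip().upper()] = val.strip().lower()
    return out


def _new_row(known_good):
    row = {name: set() for name in FIELD_MAP.values()}
    row["known_good"] = known_good
    return row


def _collect(row, event):
    """Equivalent of stats values(...) AS ...: accumulate distinct field values."""
    for src, dst in FIELD_MAP.items():
        if event.get(src):
            row[dst].add(event[src])


def build_baseline(events):
    """Mirror the first search: group by (SHA256, MD5), collect values, known_good=1."""
    baseline = {}
    for ev in events:
        h = parse_hashes(ev["Hashes"])
        key = (h.get("SHA256"), h.get("MD5"))
        row = baseline.setdefault(key, _new_row(1))
        _collect(row, ev)
    return baseline


def find_unknown(events, baseline):
    """Mirror the second search: look up each event's SHA256 in the baseline, keep
    only those with no match (known_good=0), and group them by (SHA256, MD5).
    name_collision is an extra signal not in the page's search: the unknown hash
    arrived under a process name that the baseline already has."""
    known_sha = {sha for sha, _md5 in baseline}
    known_names = {n.lower() for row in baseline.values() for n in row["process_name"]}
    unknown = {}
    for ev in events:
        h = parse_hashes(ev["Hashes"])
        if h.get("SHA256") in known_sha:
            continue  # lookup hit -> known_good=1 -> dropped by `search known_good=0`
        key = (h.get("SHA256"), h.get("MD5"))
        row = unknown.setdefault(key, _new_row(0))
        row.setdefault("name_collision", False)
        _collect(row, ev)
        if ev["process_name"].lower() in known_names:
            row["name_collision"] = True
    return unknown


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for key, row in find_unknown(NEW_EVENTS, base).items():
        flag = " (name matches a baselined process)" if row["name_collision"] else ""
        print(key[0], sorted(row["process_name"]), sorted(row["vendor"]), flag)
```

Run as-is and the svchost.exe event is dropped, while the renamed lsass.exe lookalike and tool.exe are reported with empty or unfamiliar vendor values, which is exactly the triage cue the Next steps section relies on. The lookup matches on SHA256 only, as in the page's lookup command; the MD5 is carried along purely for grouping and reporting.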
Next steps
The results are all processes that are not part of the baseline and are considered suspicious. Examine them for binaries that are not in your approved lookup list. The vendor and description values can help you verify the legitimacy of any unknown binaries.
You can see the result of these searches in the previously published Splunk blog under the Process Monitoring heading. There you will see this example and also how to use data models and tstats to do the same thing which is appropriate when you have large volumes of data to search against.
Splunk Enterprise Security also provides guidance on how to incorporate the lookups of IOCs using the threat intelligence framework.
Finally, you might be interested in other processes associated with the Detecting masquerading use case.