Executable payload added through the command line
Your company uses Kaseya IT management software and your systems have been compromised by REvil ransomware. You want to search for command-line process launches that indicate the payload used in REvil ransomware infections has been added to your Kaseya working folder.
Required data
Procedure
Option 1 - Search using Sysmon
Run the following search. You can optimize it by specifying an index and adjusting the time range.
source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 cmdline="c:\\kworking\\agent.exe*" | table _time, host, cmdline
Search explanation
The table provides an explanation of what each part of this search achieves.
Splunk Search | Explanation |
---|---|
source="WinEventLog:Microsoft-Windows-Sysmon/Operational" | Search only Sysmon operational logs. |
EventCode=1 | Search for process creation events in Sysmon data. |
cmdline="c:\\kworking\\agent.exe*" | Search for executables added to your Kaseya working folder. You can change the directory to search for other malicious executables if you do not use Kaseya software. |
\| table _time, host, cmdline | Display the results in a table with columns in the order shown. |
Result
If any results indicate the infection has been detected, then the host or computer where the vulnerability is detected needs to be further investigated and remediated according to your response plan. This involves a final step of re-imaging the system with a known good system build after investigation.
Option 2 - Search using Windows Events
Run the following search. You can optimize it by specifying an index and adjusting the time range.
source="WinEventLog:Security" EventCode=4688 Process_Command_Line="c:\\kworking\\agent.exe*" | table _time, host, Process_Command_Line
Search explanation
Here is an explanation of what each part of this search achieves.
Splunk Search | Explanation |
---|---|
source="WinEventLog:Security" | Search only Windows Event Security logs. |
EventCode=4688 | Search for process creation events. |
Process_Command_Line="c:\\kworking\\agent.exe*" | Search for executables added to your Kaseya working folder. You can change the directory to search for other malicious executables if you do not use Kaseya software. |
\| table _time, host, Process_Command_Line | Display the results in a table with columns in the order shown. |
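The following is an added example, not part of the original page or of Splunk's own code. It re-creates the logic of both searches above (Option 1 on Sysmon EventCode 1 and Option 2 on Security EventCode 4688) in Python over constructed sample events, so the filtering can be tried offline. The sample event text, the `Label: value` parser, and the `CommandLine` to `cmdline` alias (an assumption approximating how the Sysmon add-on names that field) are all constructed for this example. The matching reproduces two properties of the Splunk search worth knowing about: the wildcard match on a string field is case-insensitive, and the prefix pattern `c:\kworking\agent.exe*` does not match a command line whose first character is a double quote, which the optional `strip_quotes` flag handles.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed sample events (not real telemetry). Each block imitates the multi-line
# "Label: value" layout of a Windows event as forwarded to Splunk; the first line of a
# block is a header carrying _time, host, source and EventCode.
SAMPLE_EVENTS = r"""
_time=2021-07-02T14:05:11Z host=WS-0142 source=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1
Image: C:\kworking\agent.exe
CommandLine: C:\kworking\agent.exe

_time=2021-07-02T14:05:11Z host=WS-0142 source=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1
Image: C:\Windows\System32\svchost.exe
CommandLine: C:\Windows\System32\svchost.exe -k netsvcs

_time=2021-07-02T14:05:12Z host=WS-0142 source=WinEventLog:Security EventCode=4688
New Process Name: C:\kworking\agent.exe
Process Command Line: c:\kworking\agent.exe

_time=2021-07-02T14:06:40Z host=SRV-09 source=WinEventLog:Security EventCode=4688
New Process Name: C:\kworking\agent.exe
Process Command Line: "c:\kworking\agent.exe"

_time=2021-07-02T14:07:00Z host=SRV-09 source=WinEventLog:Security EventCode=4689
Process Name: C:\kworking\agent.exe
"""

# Assumption: approximates the add-on alias that exposes Sysmon's CommandLine as "cmdline".
FIELD_ALIASES = {"CommandLine": "cmdline"}

# The wildcard pattern used by both searches on the page.
PATTERN = r"c:\kworking\agent.exe*"


def parse_events(text: str) -> List[Dict[str, str]]:
    """Turn the constructed event text into field dictionaries, naming fields the way
    Splunk does for Windows events: label spaces become underscores
    ("Process Command Line" -> "Process_Command_Line")."""
    events: List[Dict[str, str]] = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        event: Dict[str, str] = {}
        for pair in lines[0].split():  # header: key=value pairs
            key, _, value = pair.partition("=")
            event[key] = value
        for line in lines[1:]:  # body: "Label: value"
            label, _, value = line.partition(":")
            field = label.strip().replace(" ", "_")
            event[FIELD_ALIASES.get(field, field)] = value.strip()
        events.append(event)
    return events


def run_search(events: List[Dict[str, str]], source: str, event_code: str, field: str,
               pattern: str = PATTERN, strip_quotes: bool = False) -> List[Tuple[str, str, str]]:
    """Emulate: source=<source> EventCode=<event_code> <field>="<pattern>"
    | table _time, host, <field>.  The Splunk field match is case-insensitive, so both
    sides are lowercased; fnmatch treats backslashes literally, as Splunk does here."""
    rows = []
    for ev in events:
        if ev.get("source") != source or ev.get("EventCode") != event_code:
            continue
        value = ev.get(field)
        if value is None:
            continue
        candidate = value.lstrip('"') if strip_quotes else value
        if fnmatch.fnmatchcase(candidate.lower(), pattern.lower()):
            rows.append((ev["_time"], ev["host"], value))
    return rows


def sysmon_search(events, **kw):
    """Option 1: Sysmon process creation events."""
    return run_search(events, "WinEventLog:Microsoft-Windows-Sysmon/Operational", "1", "cmdline", **kw)


def security_search(events, **kw):
    """Option 2: Windows Security 4688 process creation events."""
    return run_search(events, "WinEventLog:Security", "4688", "Process_Command_Line", **kw)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for name, rows in (("Option 1 (Sysmon)", sysmon_search(evs)),
                       ("Option 2 (Security, strip_quotes=True)", security_search(evs, strip_quotes=True))):
        print(name)
        print("_time                 host     command line")
        for t, h, c in rows:
            print(f"{t}  {h:<8} {c}")
```

Run as-is to see the two result tables. The fourth sample event, whose command line is wrapped in quotes, only appears in Option 2's output when `strip_quotes=True`; in the real search the equivalent adjustment is to widen the wildcard pattern, at the cost of more rows to review.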
Result
If any results indicate the infection has been detected, then the host or computer where the vulnerability is detected needs to be further investigated and remediated according to your response plan. This involves a final step of re-imaging the system with a known good system build after investigation.
Next steps
Finally, you might be interested in other processes associated with the Detecting REvil ransomware infections use case.