Splunk Lantern

Executable payload added through the command line

Your company uses Kaseya IT management software and your systems have been compromised by REvil ransomware. You want to search for processes run on the command line that indicate the payload used by REvil ransomware infections has been added to your Kaseya working folders.

Procedure

Option 1 - Search using Sysmon

Run the following search. You can optimize it by specifying an index and adjusting the time range.

source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 cmdline="c:\\kworking\\agent.exe*"
| table _time, host, cmdline

Search explanation 

The table provides an explanation of what each part of this search achieves.

Splunk Search / Explanation

source="WinEventLog:Microsoft-Windows-Sysmon/Operational"
    Search only Sysmon operational logs.

EventCode=1
    Search for process creation events in Sysmon data.

cmdline="c:\\kworking\\agent.exe*"
    Search for executables added to your Kaseya working folder. You can change the directory to search for other malicious executables if you do not use Kaseya software.

| table _time, host, cmdline
    Display the results in a table with columns in the order shown.

Result 

If any results indicate the infection has been detected, then the host or computer where the infection is detected needs to be further investigated and remediated according to your response plan. This involves a final step of re-imaging the system with a known good system build after investigation.

Option 2 - Search using Windows Events

Run the following search. You can optimize it by specifying an index and adjusting the time range.

source="WinEventLog:Security" EventCode=4688 Process_Command_Line="c:\\kworking\\agent.exe*"
| table _time, host, Process_Command_Line

Search explanation

Here is an explanation of what each part of this search achieves.

Splunk Search / Explanation

source="WinEventLog:Security"
    Search only Windows Security event logs.

EventCode=4688
    Search for process creation events.

Process_Command_Line="c:\\kworking\\agent.exe*"
    Search for executables added to your Kaseya working folder. You can change the directory to search for other malicious executables if you do not use Kaseya software.

| table _time, host, Process_Command_Line
    Display the results in a table with columns in the order shown.
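Both searches reduce to the same three filters: the log source, the process-creation event code for that source, and a case-insensitive wildcard match on the command line. As an added example that is not part of the original Lantern article, this Python script applies those filters to constructed Sysmon and Security event lines and returns the same three columns the searches table; the hostnames, timestamps and key=value event layout are assumptions.

```python
import re

# Pattern from the searches on this page: in Splunk, '*' is a wildcard and
# field-value comparisons are case-insensitive.
PATTERN = r"c:\kworking\agent.exe*"

# (EventCode, command-line field) used by each search option.
RULES = {
    "WinEventLog:Microsoft-Windows-Sysmon/Operational": ("1", "cmdline"),
    "WinEventLog:Security": ("4688", "Process_Command_Line"),
}

def matches(cmdline, pattern=PATTERN):
    """Splunk-style match: '*' is the only metacharacter, case is ignored."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, cmdline, re.IGNORECASE) is not None

def parse_event(line):
    """Turn a key=value event line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def detect(lines):
    """Apply the source, EventCode and command-line filters; return table rows."""
    rows = []
    for ev in map(parse_event, lines):
        rule = RULES.get(ev.get("source"))
        if rule is None or ev.get("EventCode") != rule[0]:
            continue  # wrong log source, or not a process-creation event
        cmd = ev.get(rule[1], "")
        if matches(cmd):
            rows.append((ev.get("_time"), ev.get("host"), cmd))
    return rows

# Constructed sample events (hypothetical hosts and timestamps, not real telemetry).
SAMPLE = [
    r'source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 host=WS01 _time=2021-07-02T20:11:03Z cmdline="C:\kworking\agent.exe"',
    r'source="WinEventLog:Security" EventCode=4688 host=WS02 _time=2021-07-02T20:12:45Z Process_Command_Line="c:\kworking\agent.exe -s"',
    r'source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 host=WS03 _time=2021-07-02T20:13:10Z cmdline="C:\Windows\System32\svchost.exe -k netsvcs"',
    r'source="WinEventLog:Security" EventCode=4688 host=WS04 _time=2021-07-02T20:14:00Z Process_Command_Line="c:\kworking2\agent.exe"',
    r'source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=5 host=WS01 _time=2021-07-02T20:15:30Z cmdline="C:\kworking\agent.exe"',  # constructed: wrong EventCode
]

if __name__ == "__main__":
    for row in detect(SAMPLE):
        print(*row, sep="\t")
```

Only the first two sample events survive the filters: the third is a different executable, the fourth is a different folder (the wildcard is only at the end of the pattern), and the fifth is not a process-creation event.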

Result

If any results indicate the infection has been detected, then the host or computer where the infection is detected needs to be further investigated and remediated according to your response plan. This involves a final step of re-imaging the system with a known good system build after investigation.

Next steps

Finally, you might be interested in other processes associated with the Detecting REvil ransomware infections use case.