Skip to main content
Splunk Lantern

High process termination frequency

This search looks for a high frequency of process termination on a machine, which is a common behavior of ransomware malware before encrypting files. This technique is designed to avoid an exception error while accessing files in the infected machine for encryption.

 

Data required 

System log data

Procedure

  1. Ensure your deployment is ingesting logs with the image (process full path) of terminated process from your endpoints. 
  2. If you are using Sysmon, ensure you have at least version 6.0.4.
  3. Run the following search. You can optimize it by specifying an index and adjusting the time range.
| search (EventCode=5 (source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational)) 
| bin _time span=3s 
| stats values(Image) AS proc_terminated min(_time) AS firstTime max(_time) AS lastTime count BY Computer EventCode ProcessID 
| where (count >= 15) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
| search (EventCode=5 (source=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational))  Search Sysmon Operational logs for event code 5, process termination events.
| bin _time span=3s  Sort matching events into discrete sets, or bins, with time spans of 3 seconds.
| stats values(Image) AS proc_terminated min(_time) AS firstTime max(_time) AS lastTime count BY Computer EventCode ProcessID  Return the values for the fields shown, sorting first by Computer and then by the rest of the fields shown.
| where (count >= 15)  Return instances where at least 15 processes are terminated at once.
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) 
| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
Convert these times into readable strings.

Next steps

False positives from this search may occur as legitimate users may terminate multiple processes at once. You will need to create a baseline appropriate to your environment to ascertain what needs further investigation, and perform further searches to establish whether the behaviour is legitimate or anomalous.

If you receive clear positive results from this search, start your incident response process for dealing with a ransomware infection. You should check for recent backups for the systems affected by the infection.

Finally, you might be interested in other processes associated with the Detecting a ransomware attack or Detecting Clop ransomware use cases.