Splunk Lantern

Previously seen command line argument

New command line processes indicate new programs that might or might not be legitimate. You want to create a lookup file of known processes that you can use to check against new ones found in command line arguments to decide if further investigation is necessary. 

Data required 

Endpoint data

Procedure

  1. To complete this process, your deployment needs to ingest process activity from your hosts using logs that contain both the process name and the full command line from your endpoints. You should also ensure you are ingesting normalized endpoint data that populates the Processes node of the Endpoint data model in the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
|tstats summariesonly=true allow_old_summaries=true min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name=cmd.exe AND Processes.process="* /c *" BY Processes.process 
|rename "Processes.*" as "*"

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk search:

|tstats summariesonly=true allow_old_summaries=true min(_time) AS firstTime max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE Processes.process_name=cmd.exe AND Processes.process="* /c *" BY Processes.process

Explanation:

Query the Endpoint.Processes data model object for the process name "cmd.exe" and a command line containing the /c switch, which tells cmd.exe to run the command that follows. Return the first and last time that each matching command line was seen.

Splunk search:

|rename "Processes.*" as "*"

Explanation:

Rename the data model object fields for better readability.

Next steps

After you create this baseline, you can look for new command line arguments that might indicate a threat.
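As an added example, not part of the original Splunk Lantern page, the two searches below turn the baseline into a lookup-based check: the first merges the current results into a lookup and writes it back, the second compares recent cmd.exe activity against it and keeps only command lines the lookup has never seen. The lookup name previously_seen_cmd_line_arguments, the 24-hour comparison window, and the assumption that a lookup definition with that name already exists (create it once under Settings > Lookups or in transforms.conf) are all assumptions made for this example.

```spl
| tstats summariesonly=true allow_old_summaries=true min(_time) AS firstTime max(_time) AS lastTime
    FROM datamodel=Endpoint.Processes
    WHERE Processes.process_name=cmd.exe AND Processes.process="* /c *"
    BY Processes.process
| rename "Processes.*" AS "*"
| inputlookup append=true previously_seen_cmd_line_arguments
| stats min(firstTime) AS firstTime max(lastTime) AS lastTime BY process
| outputlookup previously_seen_cmd_line_arguments

| tstats summariesonly=true allow_old_summaries=true count min(_time) AS firstTime max(_time) AS lastTime
    FROM datamodel=Endpoint.Processes
    WHERE Processes.process_name=cmd.exe AND Processes.process="* /c *" earliest=-24h@h latest=now
    BY Processes.process Processes.dest
| rename "Processes.*" AS "*"
| lookup previously_seen_cmd_line_arguments process OUTPUT firstTime AS baseline_firstTime
| where isnull(baseline_firstTime)
| convert ctime(firstTime) ctime(lastTime)
| table firstTime lastTime dest process count
```

Schedule the first search to run regularly so the baseline keeps absorbing newly approved command lines, and alert on the second; because the stats step keeps the earliest firstTime and latest lastTime per process value, re-running the baseline search never loses history.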

For additional information about this search, such as its applicability to common frameworks and standards, see this project on GitHub.

You might also be interested in other processes associated with the Detecting techniques in the Orangeworm attack group and Monitoring command line interface actions use cases.