Splunk Lantern

Processes launched from randomized file paths

Information entropy allows you to determine how much randomness is present in a string, and randomness is often an indicator of malicious activity. You hypothesize that an attacker has infiltrated your network and is using randomized file paths to launch processes. You want to see what unusually random file paths exist on a local operating system.

Required data

System log data. This sample search uses Windows Security event data. You can replace this source with any other system log data used in your organization that records process creation and the full path of the new process.

Procedure

Run the following search. You can optimize it by specifying an index and adjusting the time range.

sourcetype=win*security EventCode=4688 New_Process_Name=*\Users\*
| `ut_shannon(New_Process_Name)`
| stats values(ut_shannon) AS "Shannon Entropy Score" BY New_Process_Name, host
| rename New_Process_Name AS Process, host AS Endpoint

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype=win*security 

Search only Windows Security data.

EventCode=4688 

Search for event code 4688, which indicates a new process has been created.

New_Process_Name=*\Users\*

Search for new processes whose path contains a \Users\ directory, that is, processes launched from a user profile rather than a system location.

| `ut_shannon(New_Process_Name)`

Calculate the Shannon entropy score of each new process path and store it in the ut_shannon field.

The punctuation surrounding a Splunk macro is always a back tick (`), not a single quote (').

| stats values(ut_shannon) AS "Shannon Entropy Score" BY New_Process_Name, host

Show the entropy score for each process in a field called Shannon Entropy Score. Group the results by the New_Process_Name field and then by host.

| rename New_Process_Name AS Process, host AS Endpoint

Rename the New_Process_Name column to Process and the host column to Endpoint.

Next steps

Investigate the file paths this search reveals to find indicators of an attack. Remember that the longer the string, the less useful the Shannon entropy score is: a long path made of ordinary directory and file names still uses many distinct characters and so approaches the maximum score, just as a short random name does. You might want to update the search to limit the string length of the process name or to limit results to a minimum entropy score.
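The following added example (not Splunk's or the URL Toolbox's own code) reproduces what the search above does outside Splunk, so you can see the scoring and the length caveat on constructed data: it applies the standard Shannon formula, which is assumed here to be what the ut_shannon macro computes, filters to \Users\ paths, collapses to one row per process and host like the stats command, and exposes the two tuning knobs (maximum path length and minimum score) suggested in the next steps. The event records, hosts and paths are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample records shaped like the fields the search uses
# (EventCode 4688 New_Process_Name and host); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "New_Process_Name": r"C:\Users\alice\AppData\Local\Temp\x7kq2mzp9v.exe"},
    {"host": "WS01", "New_Process_Name": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe"},
    {"host": "WS02", "New_Process_Name": r"C:\Users\bob\Downloads\setup.exe"},
    {"host": "WS02", "New_Process_Name": r"C:\Users\bob\Downloads\setup.exe"},  # duplicate launch
    {"host": "WS02", "New_Process_Name": r"C:\Users\bob\AppData\Local\Temp\x7kq2mzp9v.exe"},
    {"host": "WS03", "New_Process_Name": r"C:\Windows\System32\svchost.exe"},  # no \Users\, filtered out
]


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character: -sum(p * log2(p))
    over the character frequencies. The upper bound is log2(number of distinct
    characters), which is why long paths drift toward the maximum whether or
    not they are random (the caveat in "Next steps")."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def score_user_processes(events, max_len=None, min_score=0.0):
    """Mirror the SPL pipeline: keep only paths containing \\Users\\, score each,
    and collapse to one row per (process, host) like `stats ... BY New_Process_Name, host`.
    max_len and min_score are the two tuning knobs suggested in "Next steps"."""
    rows = {}
    for ev in events:
        path = ev["New_Process_Name"]
        if "\\Users\\" not in path:
            continue
        if max_len is not None and len(path) > max_len:
            continue
        score = shannon_entropy(path)
        if score < min_score:
            continue
        rows[(path, ev["host"])] = round(score, 3)
    return rows


if __name__ == "__main__":
    ranked = sorted(score_user_processes(SAMPLE_EVENTS).items(), key=lambda kv: -kv[1])
    for (process, endpoint), score in ranked:
        print(f"{score:5.3f}  {endpoint:5}  {process}")
```

Running it prints the user-profile processes ranked by score; compare the long Teams path with the short randomized Temp name to see why a length limit or a score floor is needed before treating a high score as suspicious.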

Finally, you might be interested in other processes associated with these use cases: