Splunk Lantern

Suspicious script in the command line

You might need to identify scripts run on the command line when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

You believe a script run on the command line caused a user’s machine to become infected with malware. You want to see the entire script to be able to analyze it further.

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Sysmon data. You can replace this source with any other system log data used in your organization.

  1. Run the following search:
host=<hostname> sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational *.exe CommandLine=* EventCode=1
|table CommandLine length
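The same filter applied outside Splunk, as an added example that is not part of the original Lantern article: it parses Sysmon Event ID 1 records in the XmlWinEventLog shape, keeps only events from the named host that carry a command line and the free-text term ".exe", and returns the CommandLine value with its length, mirroring the search above. The sample events and the host name ws01.example.local are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed Sysmon events (not real telemetry). Real Sysmon XML carries the
# Microsoft events namespace, so the parser matches tags in any namespace.
SAMPLE_EVENTS = [
    """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>1</EventID><Computer>ws01.example.local</Computer></System>
  <EventData>
    <Data Name='Image'>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Data>
    <Data Name='CommandLine'>powershell.exe -NoProfile -File C:\\Temp\\update.ps1</Data>
  </EventData>
</Event>""",
    # Event ID 3 (network connection) on the same host: not a process creation.
    """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>3</EventID><Computer>ws01.example.local</Computer></System>
  <EventData><Data Name='Image'>C:\\Windows\\System32\\svchost.exe</Data></EventData>
</Event>""",
    # Event ID 1 on a different host: excluded by the host filter.
    """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>1</EventID><Computer>ws02.example.local</Computer></System>
  <EventData>
    <Data Name='Image'>C:\\Windows\\System32\\notepad.exe</Data>
    <Data Name='CommandLine'>notepad.exe C:\\Temp\\notes.txt</Data>
  </EventData>
</Event>""",
]


def sysmon_fields(xml_text):
    """Flatten one Sysmon XML event into the field names Splunk extracts."""
    root = ET.fromstring(xml_text)
    fields = {
        "EventCode": root.findtext("{*}System/{*}EventID"),
        "host": root.findtext("{*}System/{*}Computer"),
    }
    for data in root.iterfind("{*}EventData/{*}Data"):
        fields[data.get("Name")] = data.text or ""
    return fields


def table_command_lines(events, host):
    """Equivalent of: host=<host> *.exe CommandLine=* EventCode=1 | table CommandLine length."""
    rows = []
    for xml_text in events:
        f = sysmon_fields(xml_text)
        # *.exe is a free-text term in SPL, so it is checked against the raw event.
        if f["EventCode"] != "1" or f["host"] != host or ".exe" not in xml_text.lower():
            continue
        cmd = f.get("CommandLine", "")
        if cmd:  # CommandLine=* requires a non-empty value
            rows.append((cmd, len(cmd)))
    return rows
```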

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search | Explanation

host=<hostname> 

Restrict your search to the known infected host.

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Search only Windows Sysmon operational logs.

Sysmon can create many types of logs. As your organization scales, you'll want to be selective about which kinds of events Sysmon captures. SwiftOnSecurity offers a popular XML configuration file.

*.exe

Search for process execution.

CommandLine=*

Search only for events that contain a non-empty CommandLine field.

EventCode=1

Search for process creation events in Sysmon data.

|table CommandLine

Display the CommandLine field results of the search in a table.

Result

The CommandLine results provide the context of the process execution. After you identify a suspicious script, review it for content that you can build alerts on to prevent or detect similar attacks in the future.
