Splunk Lantern

Visualizing processes and their parent/child relationships

Applicability

This article covers how to hunt for processes using Windows data; a different procedure is needed for other operating systems.

Problem

You are a security analyst, combing through your data looking for signs of malicious activity. You spot a process which looks interesting to you, and you want to trace the activity or relationships of that process. At first, you try to brute force this by copying/pasting parent and child process IDs over and over again, but this turns out to be a time-consuming and frustrating task. You're concerned that the next time you need to do this in the middle of an ongoing security incident, you may miss one item that could have led you to something interesting. Splunk does a great job of ingesting process data, allowing you to search and correlate, but it's challenging to visualize parent/child relationships for this data, especially spanning multiple generations.

Solution

First, you'll need to ensure you have completed some prerequisites:

  1. Configure the Splunk Add-on for Microsoft Sysmon and Splunk Add-on for Microsoft Windows, together with the Windows Universal Forwarder, to capture process data.
  2. Configure the Windows endpoints to capture the process-related events. Two types of data you can use for capturing new process creation events are:
    1. Sysmon with Event Code 1 enabled (SwiftOnSecurity's or Olaf Hartong's Sysmon configs are both good places to start). If you want to use the "Process tracking using an add-on" solution described in Step 2, this data type is the better choice, because that search relies on the Sysmon Image, ParentImage, ProcessId and ParentProcessId fields.
    2. Windows Security Event Logs with Event ID 4688, including command line in process creation events.

Step 1 - Process tracking using search

In this example, let’s assume you have a known malicious spreadsheet in your environment, and you want to understand if it’s been opened. If it has, you'd also like to know what has transpired.

To optimize the searches shown below, you should specify an index and a time range.

  1. Look to see if the spreadsheet filename, salaries.xls, has been observed in any EventCode 1 events in Sysmon.
  2. Run the following search:
source="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=1
| search CommandLine="*Salaries.xls*"
| table _time host user ProcessId CommandLine

Search explanation 

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search | Explanation

source="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=1
    Search Sysmon data for process creation events. This part of the search uses a source (not sourcetype) for Sysmon data.

| search CommandLine="*Salaries.xls*"
    Search for the spreadsheet filename salaries.xls.

| table _time host user ProcessId CommandLine
    Display the results showing the time these events occurred, on which host, the user they are associated with, their associated process ID, and the full command line that triggered the process.

Results

Process creation events referencing Salaries.xls are returned from this search. The search will also let you know the command line that triggered the process - for example, showing that Excel.exe is opening the spreadsheet.

Using the previous search, you can use the table command again to display more fields such as the parent process name, the parent process ID, parent process path, process path, and more. These fields can help you explore further and confirm that processes are running from expected locations.

| table parent_process_name parent_process_id parent_process_path process_path

Process path information is very valuable when looking for processes launching from places they shouldn't be (temp directories, startup folders, etc.). You can use the process ID returned from this search to begin hunting down the entire process tree, using each resulting process ID as the parent process ID in a new search, although repeating this for every generation is time-consuming.

Step 2 - Process tracking using an add-on

With this step of the process, you can use the PSTree for Splunk app to pass in parent and child fields and then create a table of the resulting process family structure.

To optimize the searches shown below, you should specify an index and a time range.

  1. Install the PSTree for Splunk app, along with the Splunk Python SDK.
  2. Run the following search:
source="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=1 user=[username]
| rex field=ParentImage "\x5c(?<ParentName>[^\x5c]+)$"
| rex field=Image "\x5c(?<ProcessName>[^\x5c]+)$"
| eval parent = ParentName." (".ParentProcessId.")"
| eval child = ProcessName." (".ProcessId.")"
| eval detail=strftime(_time,"%Y-%m-%d %H:%M:%S")." ".CommandLine
| pstree child=child parent=parent detail=detail spaces=50
| search tree=*Salaries.xls*
| table tree

Search explanation 

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search | Explanation

source="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=1 user=[username]
    Search Sysmon data for process creation events from a specified user.

| rex field=ParentImage "\x5c(?<ParentName>[^\x5c]+)$"
| rex field=Image "\x5c(?<ProcessName>[^\x5c]+)$"
    Create new fields (ParentName and ProcessName) from data within the existing ParentImage and Image fields. The regular expression captures everything after the last backslash (\x5c), so a full path such as C:\Windows\System32\cmd.exe becomes the bare file name cmd.exe.

| eval parent = ParentName." (".ParentProcessId.")"
| eval child = ProcessName." (".ProcessId.")"
| eval detail=strftime(_time,"%Y-%m-%d %H:%M:%S")." ".CommandLine
    Combine the extracted ParentName and ProcessName fields with the pre-existing ParentProcessId and ProcessId fields, producing labels of the form "name (pid)". Another field called detail is also created, which combines the _time field information with the CommandLine field information.

| pstree child=child parent=parent detail=detail spaces=50
    All three new fields, parent, child, and detail, can now be used in the pstree custom command added by the PSTree app. The spaces=50 definition helps you format the resulting table so that the first column doesn't contain lots of wasted space.

| search tree=*Salaries.xls*
    As we're trying to trace processes based on our original salaries.xls spreadsheet, we must pass this in as a search parameter after the pstree command has completed its operations.

| table tree
    Create a table from the tree data.

Results

This search will return a table listing process traces several layers deep, with timestamps and command-line data included to assist you in your investigation.
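To make the two approaches concrete, the following Python script is an added example written for this article; it is not code from the PSTree for Splunk app or from Splunk. It works over a handful of constructed Sysmon Event ID 1 records (invented hosts, users, PIDs and paths) and reproduces, outside Splunk, what the Step 2 search does: the same "everything after the last backslash" extraction as the rex commands, the "name (pid)" labels built by the eval commands, one indented tree per root process, and the tree=*Salaries.xls* filter that keeps only the family containing the spreadsheet. It also implements the manual Step 1 walk (following ParentProcessId upward from a PID) as a loop, so you can compare the two. The indentation width and the UTC timestamps are choices made here, not pstree's exact output format.

```python
import re
import time
from collections import defaultdict

# Constructed sample Sysmon Event ID 1 (process creation) records for this
# example; field names mirror the page's search, every value is invented.
EVENTS = [
    {"_time": 1699999990, "host": "ws01", "user": "SYSTEM", "ProcessId": 1200,
     "Image": r"C:\Windows\System32\svchost.exe", "ParentProcessId": 700,
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"_time": 1700000000, "host": "ws01", "user": "CORP\\alice", "ProcessId": 4100,
     "Image": r"C:\Windows\explorer.exe", "ParentProcessId": 900,
     "ParentImage": r"C:\Windows\System32\userinit.exe",
     "CommandLine": r"C:\Windows\explorer.exe"},
    {"_time": 1700000120, "host": "ws01", "user": "CORP\\alice", "ProcessId": 5212,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentProcessId": 4100, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"EXCEL.EXE" "C:\Users\alice\Downloads\Salaries.xls"'},
    {"_time": 1700000155, "host": "ws01", "user": "CORP\\alice", "ProcessId": 6004,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentProcessId": 5212,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\run.bat"},
    {"_time": 1700000160, "host": "ws01", "user": "CORP\\alice", "ProcessId": 6010,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentProcessId": 6004, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\Users\alice\AppData\Local\Temp\run.ps1"},
    {"_time": 1700000300, "host": "ws01", "user": "CORP\\alice", "ProcessId": 7000,
     "Image": r"C:\Windows\System32\notepad.exe", "ParentProcessId": 4100,
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\System32\notepad.exe"},
]

# Same extraction as the page's rex "\x5c(?<Name>[^\x5c]+)$": capture the text
# after the last backslash. If there is no backslash the Splunk rex would leave
# the field unset; here the raw value is returned so the label is still usable.
NAME_RE = re.compile(r"\\([^\\]+)$")


def image_name(image):
    match = NAME_RE.search(image)
    return match.group(1) if match else image


def label(name, pid):
    # Mirrors the eval commands: 'ProcessName (ProcessId)'.
    return f"{name} ({pid})"


def detail(event):
    # Mirrors the detail eval; UTC is used here, Splunk's strftime uses the
    # search-time zone.
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(event["_time"]))
    return f"{stamp} {event['CommandLine']}"


def build_tree(events):
    """Return (children, roots). children maps a parent label to the creation
    events of its children (in time order); roots are parents that never
    appear as a child, i.e. processes that started before the data begins."""
    children = defaultdict(list)
    child_labels = set()
    for ev in sorted(events, key=lambda e: e["_time"]):
        parent = label(image_name(ev["ParentImage"]), ev["ParentProcessId"])
        children[parent].append(ev)
        child_labels.add(label(image_name(ev["Image"]), ev["ProcessId"]))
    roots = [p for p in children if p not in child_labels]
    return children, roots


def render(children, node, depth=0, indent=4):
    """Depth-first rendering of one process family, one line per process."""
    lines = []
    for ev in children.get(node, []):
        child = label(image_name(ev["Image"]), ev["ProcessId"])
        lines.append(f"{' ' * indent * depth}{child}  {detail(ev)}")
        lines.extend(render(children, child, depth + 1, indent))
    return lines


def process_trees(events):
    """One multi-line string per root, the shape of pstree's tree field."""
    children, roots = build_tree(events)
    return ["\n".join([root] + render(children, root, 1)) for root in roots]


def trees_matching(events, needle):
    """Equivalent of '| search tree=*needle*': keep whole trees containing the
    string. Splunk's search is case-insensitive, so this one is too."""
    return [t for t in process_trees(events) if needle.lower() in t.lower()]


def ancestry(events, pid):
    """The manual Step 1 walk as a loop: follow ParentProcessId upward from a
    PID until the parent is not in the data. The seen-set guards against a
    loop caused by PID reuse, since Windows recycles PIDs after a process exits."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(label(image_name(ev["Image"]), pid))
        pid = ev["ParentProcessId"]
    return chain


if __name__ == "__main__":
    for tree in trees_matching(EVENTS, "Salaries.xls"):
        print(tree)
    print(" <- ".join(ancestry(EVENTS, 6010)))
```

Two practical caveats carry over to the Splunk search. Labels are built from name and PID only, so on a long time range a recycled PID that lands on the same image name merges two unrelated processes into one node; add host (and, if needed, the process GUID Sysmon provides) to the parent and child labels when searching across many hosts or days. Also, the root of each tree is simply whichever parent never appears as a child within the time range, so widening the range can attach a tree to an earlier ancestor rather than changing its contents.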

Additional resources

The content in this guide comes from a previously published blog, one of the thousands of Splunk resources available to help users succeed. In addition, these Splunk resources might help you understand and implement this use case:
