Splunk Lantern

Executable payload added through the command line

You might need to check for executables added to a system through the command line when doing the following:

Prerequisites

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Your company uses Kaseya IT management software and your systems have been compromised by REvil ransomware. You want to search for processes run on the command line that indicate the payload used by REvil ransomware infections has been added to your Kaseya working folders.

To optimize the searches shown below, you should specify an index and a time range.

Option 1 - Search using Sysmon

  1. Run the following search:
source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 cmdline="c:\\kworking\\agent.exe*"
| table _time, host, cmdline

Search explanation

The following list provides an explanation of what each part of this search achieves (search part, then its explanation).

source="WinEventLog:Microsoft-Windows-Sysmon/Operational"
    Search only Sysmon operational logs.

EventCode=1
    Search for process creation events in Sysmon data.

cmdline="c:\\kworking\\agent.exe*"
    Search for executables added to your Kaseya working folder. You can change the directory to search for other malicious executables if you do not use Kaseya software.

| table _time, host, cmdline
    Display the results in a table with columns in the order shown.

Result

If any results indicate the infection has been detected, the host or computer where the infection was detected needs to be further investigated and remediated according to your response plan. The final step is re-imaging the system with a known good system build after the investigation.

Option 2 - Search using Windows Events

  1. Run the following search:
source="WinEventLog:Security" EventCode=4688 Process_Command_Line="c:\\kworking\\agent.exe*"
| table _time, host, Process_Command_Line

Search explanation

Here is an explanation of what each part of this search achieves (search part, then its explanation).

source="WinEventLog:Security"
    Search only Windows Event Security logs.

EventCode=4688
    Search for process creation events.

Process_Command_Line="c:\\kworking\\agent.exe*"
    Search for executables added to your Kaseya working folder. You can change the directory to search for other malicious executables if you do not use Kaseya software.

| table _time, host, Process_Command_Line
    Display the results in a table with columns in the order shown.

Result

If any results indicate the infection has been detected, the host or computer where the infection was detected needs to be further investigated and remediated according to your response plan. The final step is re-imaging the system with a known good system build after the investigation.
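The following Python script is an added example, not part of the Splunk Lantern article and not Splunk code. It emulates both searches above (Option 1 on Sysmon EventCode 1, Option 2 on Security EventCode 4688) over a handful of constructed, already-extracted events, so you can see exactly which rows the `| table` clause would return and why the other rows are excluded. The function names (`find_payload_hits`, `hosts_to_investigate`, `count_4688_without_cmdline`), the `PROCESS_CREATION_RULES` mapping and every hostname, timestamp and path in `SAMPLE_EVENTS` are assumptions made up for this example. Note that the SPL value `"c:\\kworking\\agent.exe*"` uses escaped backslashes; the literal field value it matches is the single-backslash path used as `PAYLOAD_PATTERN` below. The last helper covers a caveat specific to Option 2: Windows only populates the Process Command Line field of 4688 when the "Include command line in process creation events" audit policy is enabled, so empty command lines mean that search cannot see the payload and Option 1 should be relied on instead.

```python
import fnmatch
from dataclasses import dataclass

# Wildcard used by both searches on the page. SPL writes it as
# "c:\\kworking\\agent.exe*" (escaped backslashes); this is the literal value.
PAYLOAD_PATTERN = r"c:\kworking\agent.exe*"

# source -> (EventCode meaning "process created", field holding the command line).
# Mirrors Option 1 (Sysmon) and Option 2 (Security 4688) from the article.
PROCESS_CREATION_RULES = {
    "WinEventLog:Microsoft-Windows-Sysmon/Operational": ("1", "cmdline"),
    "WinEventLog:Security": ("4688", "Process_Command_Line"),
}


@dataclass(frozen=True)
class Hit:
    time: str
    host: str
    source: str
    cmdline: str


def matches_payload(cmdline, pattern=PAYLOAD_PATTERN):
    """Emulate a Splunk wildcard field match: case-insensitive, '*' matches any run."""
    if not cmdline:
        return False
    return fnmatch.fnmatchcase(cmdline.lower(), pattern.lower())


def find_payload_hits(events, pattern=PAYLOAD_PATTERN):
    """Apply the two searches to extracted events and return the rows that
    '| table _time, host, <command line field>' would display."""
    hits = []
    for ev in events:
        rule = PROCESS_CREATION_RULES.get(ev.get("source"))
        if rule is None:
            continue  # a source neither search covers
        event_code, cmdline_field = rule
        if ev.get("EventCode") != event_code:
            continue  # not a process-creation event
        cmdline = ev.get(cmdline_field, "")
        if matches_payload(cmdline, pattern):
            hits.append(Hit(ev["_time"], ev["host"], ev["source"], cmdline))
    return hits


def hosts_to_investigate(hits):
    """Distinct hosts with a hit: the machines the Result section says to
    investigate, remediate and finally re-image."""
    return sorted({h.host for h in hits})


def count_4688_without_cmdline(events):
    """Security 4688 events with an empty Process Command Line. Windows only fills
    that field when the 'Include command line in process creation events' audit
    policy is on; a high count means Option 2 is blind and Option 1 must be used."""
    return sum(
        1 for ev in events
        if ev.get("source") == "WinEventLog:Security"
        and ev.get("EventCode") == "4688"
        and not ev.get("Process_Command_Line")
    )


# Constructed sample events; hostnames, times and paths are made up for this example.
SAMPLE_EVENTS = [
    {"_time": "2021-07-02T14:03:11Z", "host": "WS-017",
     "source": "WinEventLog:Microsoft-Windows-Sysmon/Operational", "EventCode": "1",
     "cmdline": r"C:\KWorking\agent.exe"},                      # mixed case, still a hit
    {"_time": "2021-07-02T14:03:11Z", "host": "WS-017",
     "source": "WinEventLog:Security", "EventCode": "4688",
     "Process_Command_Line": r"c:\kworking\agent.exe"},          # same launch seen by 4688
    {"_time": "2021-07-02T14:05:40Z", "host": "WS-022",
     "source": "WinEventLog:Security", "EventCode": "4688",
     "Process_Command_Line": r"c:\kworking\update.exe /quiet"},  # same folder, other binary: no hit
    {"_time": "2021-07-02T14:06:01Z", "host": "WS-031",
     "source": "WinEventLog:Security", "EventCode": "4688",
     "Process_Command_Line": ""},                                 # command-line auditing not enabled
]

if __name__ == "__main__":
    hits = find_payload_hits(SAMPLE_EVENTS)
    for hit in hits:
        print(hit.time, hit.host, hit.cmdline)
    print("hosts to investigate:", hosts_to_investigate(hits))
    print("4688 events with no command line:", count_4688_without_cmdline(SAMPLE_EVENTS))
```

Running the script flags only WS-017 (once via Sysmon, once via 4688) and reports one 4688 event with no command line; in a real environment that second number is worth checking before trusting a quiet Option 2 result.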