Splunk Lantern

Processes launched from randomized file paths

Information entropy measures how much randomness is present in a string, and a highly random file path is often an indicator of malicious activity. You might want to see what unusually random file paths exist on a local operating system when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

You hypothesize that an attacker has infiltrated your network and is using randomized file paths to launch processes.

To optimize the search shown below, you should specify an index and a time range.  In addition, this sample search uses Windows data. You can replace this source with any other system log data used in your organization.

  1. Run the following search: 
sourcetype=win*security EventCode=4688 New_Process_Name=*\Users\*
| `ut_shannon(New_Process_Name)`
| stats values(ut_shannon) AS "Shannon Entropy Score" BY New_Process_Name, host
| rename New_Process_Name AS Process, host AS Endpoint

Search Explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype=win*security 

Search only Windows Security data.

EventCode=4688 

Search for event code 4688, which indicates a new process has been created.

New_Process_Name=*\Users\*

Search only for new processes whose path includes a \Users\ directory, that is, processes launched from a user profile rather than a system location.

| `ut_shannon(New_Process_Name)`

Calculate the entropy score for each new process.

The punctuation surrounding a Splunk macro is always a back tick (`), not a single quote (').

| stats values(ut_shannon) AS "Shannon Entropy Score" BY New_Process_Name, host

Show the entropy score for each process in a field called Shannon Entropy Score. Group the results by the New_Process_Name field and then by host.

| rename New_Process_Name AS Process, host AS Endpoint

Rename the New_Process_Name column and host column as shown. 

Result

Investigate the file paths this search reveals to find indicators of an attack. Remember that the longer the string length, the less useful the Shannon Entropy score is. You might want to update the search to limit the string length of the process name or limit the entropy score.
