Splunk Lantern

Command line string length

You might need to calculate the length of command line strings when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

You have a hypothesis that long command line strings are concerning because they can harbor malicious commands. You want to create a table of all logs in a certain time period that have command line strings of a certain length.

To optimize the search shown below, you should specify an index and a time range.

  1. Run the following search:
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" CommandLine=* 
| table _time host CommandLine
| eval cl_length=len(CommandLine)

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search / Explanation

sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" 

Search Sysmon operational data.

CommandLine=* 

Filter for logs with a value in the command line field.

| table _time host CommandLine 

Display the results in a table with columns in the order shown.

| eval cl_length=len(CommandLine)

Create a new field called cl_length that shows the length of each command line string the search returns.

Result

If your result set is not large, you might decide to read through the contents of the strings to see if anything looks suspicious. However, if the search returns a large number of events, you might decide to apply statistical methods to the data. You can calculate average, standard deviation, maximum, minimum, and more on these numeric values so that you can better determine which ones are outliers that you might want to investigate. The sort and where commands can also be used to filter out data below your defined threshold and bring the longest (or shortest) strings to the top. 
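The following search is an added example, not part of the original article, showing one way to apply the statistics described above: it computes each command line's length, derives the population average and standard deviation with eventstats, and keeps only events that are either longer than a fixed threshold or more than three standard deviations above the mean, with the longest strings sorted to the top. The EventCode=1 filter (Sysmon process creation), the 1000-character threshold, the 3-sigma cutoff and the extra Sysmon fields user, ParentImage and Image are assumptions added for illustration and should be tuned to your environment.

```spl
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 CommandLine=*
| eval cl_length=len(CommandLine)
| eventstats avg(cl_length) AS avg_len, stdev(cl_length) AS sd_len
| eval z_score=if(sd_len > 0, round((cl_length - avg_len) / sd_len, 2), null())
| where cl_length > 1000 OR z_score > 3
| sort - cl_length
| table _time host user ParentImage Image cl_length avg_len sd_len z_score CommandLine
```

The if() guard avoids a division by zero when every command line in the time range has the same length; in that case only the fixed threshold applies. Run it over a baseline period first to see what avg_len and sd_len look like for your hosts before choosing the cutoffs.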
