Splunk Lantern

Process hash matching

You might want to compare hashes of known, legitimate processes from your environment to processes running with unknown hashes when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

You are concerned that adversaries are using masquerading techniques on your systems to hide tools used for credential dumping and other harmful activities. You want to search for indications that processes are being renamed in an effort to avoid detection.

To optimize the search shown below, you should specify an index and a time range. 

  1. Ensure that your deployment is ingesting Microsoft Sysmon data.
  2. Run the following search:
    index=<endpoint index name> EventCode=1 
    | eval knowngood=1
    | stats values(process_name) AS process_name values(Company) AS vendor values(Description) AS description values(FileVersion) AS version values(knowngood) AS known_good by SHA256,MD5
    | outputlookup UFKnownGood.csv
  3. This lookup becomes the baseline for your server. Next, leverage it again in a subsequent search to identify changes.
  4. Run the following search:
    index=<endpoint index name> EventCode=1  
    | lookup UFKnownGood.csv SHA256 OUTPUT known_good 
    | eval known_good = case(known_good == 1, "1", 1=1, "0") 
    | search known_good=0 
    | stats values(process_name) AS process_name values(Company) AS vendor values(Description) AS description values(FileVersion) AS version values(known_good) AS known_good by SHA256,MD5
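The two searches above are a baseline-and-compare pattern: record every (SHA256, MD5) pair seen during a trusted window, then report anything later that is not in that set. The following Python is an added example, not part of the Splunk Lantern page or of any Splunk product, that applies the same logic to constructed Sysmon EventCode 1 records so the behaviour can be checked offline. It mirrors the SPL in two respects worth noticing: the baseline only considers process-creation events (a constructed EventCode 3 record is ignored), and the comparison matches on SHA256 alone, exactly as `lookup UFKnownGood.csv SHA256` does. It also goes one step beyond the page's searches with `find_renamed_known`, which flags a baselined hash running under a process name the baseline never recorded for it; a pure hash comparison accepts such an event because the binary itself is known good. All event data and hash values are placeholders constructed for the example.

```python
# Added example (not from the Splunk Lantern page): the baseline-and-compare logic of the
# two SPL searches above, applied in Python to constructed Sysmon EventCode 1 records.
from collections import defaultdict

# Sysmon field -> name used in the SPL output (values(Company) AS vendor, and so on)
FIELDS = {"process_name": "process_name", "Company": "vendor",
          "Description": "description", "FileVersion": "version"}


def parse_hashes(hashes_field):
    """Split Sysmon's Hashes field ("SHA256=...,MD5=...") into {algorithm: lowercase hex}."""
    out = {}
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo and value:
            out[algo.strip().upper()] = value.strip().lower()
    return out


def build_baseline(events):
    """Search 1: one row per (SHA256, MD5) holding the distinct values of the descriptive fields."""
    baseline = {}
    for ev in events:
        if ev.get("EventCode") != 1:  # process creation only; other Sysmon events are skipped
            continue
        h = parse_hashes(ev["Hashes"])
        key = (h.get("SHA256"), h.get("MD5"))
        row = baseline.setdefault(key, {**{v: set() for v in FIELDS.values()}, "known_good": 1})
        for src, dst in FIELDS.items():
            row[dst].add(ev[src])
    return baseline


def find_unknown(events, baseline):
    """Search 2: EventCode 1 rows whose SHA256 is absent from the baseline, grouped by (SHA256, MD5)."""
    known_sha256 = {sha for sha, _ in baseline}  # the lookup matches on SHA256 only
    unknown = {}
    for ev in events:
        if ev.get("EventCode") != 1:
            continue
        h = parse_hashes(ev["Hashes"])
        if h.get("SHA256") in known_sha256:  # known_good=1, dropped by "| search known_good=0"
            continue
        row = unknown.setdefault((h.get("SHA256"), h.get("MD5")), {v: set() for v in FIELDS.values()})
        for src, dst in FIELDS.items():
            row[dst].add(ev[src])
    return unknown


def find_renamed_known(events, baseline):
    """Extension beyond the SPL: a baselined hash running under a name the baseline never saw
    for that hash. The hash-only comparison accepts these because the binary is known good."""
    names_by_sha256 = defaultdict(set)
    for (sha, _), row in baseline.items():
        names_by_sha256[sha] |= row["process_name"]
    hits = []
    for ev in events:
        if ev.get("EventCode") != 1:
            continue
        sha = parse_hashes(ev["Hashes"]).get("SHA256")
        if sha in names_by_sha256 and ev["process_name"] not in names_by_sha256[sha]:
            hits.append((ev["process_name"], sha, sorted(names_by_sha256[sha])))
    return hits


# Constructed sample records. The hashes are placeholders, not real file hashes.
SHA_SVCHOST, MD5_SVCHOST = "11" * 32, "11" * 16
SHA_PROCDUMP, MD5_PROCDUMP = "22" * 32, "22" * 16
SHA_DUMPER, MD5_DUMPER = "33" * 32, "33" * 16
SHA_NEWAPP, MD5_NEWAPP = "44" * 32, "44" * 16


def ev(name, sha, md5, company, desc, ver, code=1):
    return {"EventCode": code, "process_name": name, "Hashes": f"SHA256={sha},MD5={md5}",
            "Company": company, "Description": desc, "FileVersion": ver}


BASELINE_EVENTS = [
    ev("svchost.exe", SHA_SVCHOST, MD5_SVCHOST, "Microsoft Corporation", "Host Process for Windows Services", "10.0.19041.1"),
    ev("procdump.exe", SHA_PROCDUMP, MD5_PROCDUMP, "Sysinternals", "Sysinternals process dump utility", "10.11"),
    ev("svchost.exe", SHA_SVCHOST, MD5_SVCHOST, "Microsoft Corporation", "Host Process for Windows Services", "10.0.19041.1", code=3),
]

LATER_EVENTS = [
    ev("svchost.exe", SHA_SVCHOST, MD5_SVCHOST, "Microsoft Corporation", "Host Process for Windows Services", "10.0.19041.1"),
    ev("svchost.exe", SHA_DUMPER, MD5_DUMPER, "-", "-", "-"),                 # unknown binary under a trusted name
    ev("update.exe", SHA_PROCDUMP, MD5_PROCDUMP, "Sysinternals", "Sysinternals process dump utility", "10.11"),  # baselined tool, renamed
    ev("newapp.exe", SHA_NEWAPP, MD5_NEWAPP, "Contoso", "Contoso Agent", "1.0"),  # unknown, vendor/description aid triage
]

if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for key, row in find_unknown(LATER_EVENTS, base).items():
        print("unknown hash", key[0][:16], sorted(row["process_name"]), sorted(row["vendor"]))
    for name, sha, known_names in find_renamed_known(LATER_EVENTS, base):
        print("known hash under new name", name, sha[:16], known_names)
```

Running the block reports two unknown hashes (the masquerading `svchost.exe` and `newapp.exe`) and one known hash under a new name (`update.exe`, baselined as `procdump.exe`). The second finding is the caveat a practitioner should keep in mind when relying on the SPL alone: a legitimate, baselined dual-use tool that an adversary simply renames will pass a hash-only check, so pairing the hash comparison with a name-consistency check, or with a separate watch list of such tools, closes that gap.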

Search explanation

The tables explain what each part of these searches achieves. You can adjust the queries based on the specifics of your environment.

Splunk Search Explanation
index=<endpoint index name> Search only in your endpoint index.
EventCode=1 Search for process creation events.
| eval knowngood=1 Create a knowngood field with a value of 1 for each result.
| stats values(process_name) AS process_name values(Company) AS vendor values(Description) AS description values(FileVersion) AS version values(knowngood) AS known_good by SHA256,MD5 Return the distinct values of the fields shown, grouped by the SHA256 and MD5 hash pair, so that each row of the result describes one unique binary.
| outputlookup UFKnownGood.csv Write the results to a lookup file called UFKnownGood.csv.

The above search builds the lookup table that represents the baseline of hashes of known good processes; the search below uses it to identify unknown processes by hash. Build the baseline over a time range you trust to be clean, because any binary that ran during that window, including an adversary's tool, is recorded as known good. Any process whose hash is not in the lookup is an unknown process and warrants investigation, since it could be a renamed tool masquerading as something legitimate in order to run undetected. The following search outputs these processes.

Splunk Search Explanation
index=<endpoint index name> Search only in your endpoint index.
EventCode=1 Search for process creation events.
| lookup UFKnownGood.csv SHA256 OUTPUT known_good Match the SHA256 of each event against the lookup table and add the known_good value from the matching row to the event. The match is on SHA256 only; events whose SHA256 is not in the lookup receive no known_good value.
| eval known_good = case(known_good == 1, "1", 1=1, "0") Normalize the field. If the lookup returned 1, set known_good to "1". Otherwise the always-true 1=1 branch sets it to "0", so events the lookup did not match are explicitly marked unknown rather than left with a null field.
| search known_good=0 Keep only events whose hash is not in the baseline.
| stats values(process_name) AS process_name values(Company) AS vendor values(Description) AS description values(FileVersion) AS version values(known_good) AS known_good by SHA256,MD5 Output the distinct values of the fields and the current value of known_good, grouped by the hash pair, so that each row is one unknown binary.
 

Result

The results are all processes whose hashes are not part of the baseline and are therefore considered suspicious. The vendor, description, and version values carried along from the Sysmon events help you verify the legitimacy of each unknown binary, for example a new software version from a known vendor versus a binary with no vendor or description that is named like a system process.

You can see the result of these searches in the previously published Splunk blog under the Process Monitoring heading. There you will see this example and also how to use data models and tstats to do the same thing which is appropriate when you have large volumes of data to search against. 

Splunk Enterprise Security also provides guidance on how to incorporate the lookups of IOCs using the threat intelligence framework. 
