Splunk Lantern

Process name matching

You might want to compare the original names of files and processes with the names under which they are actually running when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

You are concerned that adversaries are using masquerading techniques on your systems to hide tools used for credential dumping and other harmful activities. You want to search for indications that processes are being renamed in an effort to avoid detection.

To optimize the search shown below, you should specify an index and a time range. 

  1. Ensure that your deployment is ingesting Microsoft Sysmon data.
  2. Run the following search:
    EventCode=1 OriginalFileName=* process_name=*
    | eval OriginalFileName=upper(OriginalFileName) 
    | eval process_name=upper(process_name)
    | eval match=if(OriginalFileName=process_name,"Match","No Match")
    | search match="No Match"
    | table _time host OriginalFileName process_name match 

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search / Explanation

EventCode=1
    Search for process creation events.

OriginalFileName=*
    Search for any original file name. If you know the original name of the file, you can swap out the wildcard * to create a more focused search.

process_name=*
    Search for any process name.

| eval OriginalFileName=upper(OriginalFileName)
| eval process_name=upper(process_name)
    Convert the file and process names to all uppercase so they can be compared without regard to case.

| eval match=if(OriginalFileName=process_name,"Match","No Match")
    Compare the original file name and the process name, and create a new column that labels each event Match or No Match according to the result.

| search match="No Match"
    Return only the events whose names don't match.

| table _time host OriginalFileName process_name match
    Display the results in a table with columns in the order shown.

Result

The result is a list of all non-matching OriginalFileName and process_name pairs, which can reliably surface masquerading processes. Note that this maps to MITRE ATT&CK technique T1036 (Masquerading). An example of the output of the search is shown in this previously published Splunk blog under the Process Monitoring heading.

Note that this is a noisy search with many false positives. You can reduce the noise by filtering out all events that do not also match known indicators of compromise (IOCs). In Splunk this is done with lookup tables. The IOCs associated with the Supernova attack are available here, courtesy of the Cybersecurity and Infrastructure Security Agency (CISA). A basic example of how to set up and use a lookup is covered in the Splunk blog Lookup Before You Go-Go...Hunting.
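The following Python script is an added example (not Splunk's or Lantern's own code) that applies the same logic as the search above to a handful of constructed Sysmon process-creation events and then applies the IOC-lookup noise reduction just described; it goes slightly beyond the SPL by stripping any directory component from process_name and skipping the "?" value Sysmon writes when a binary carries no OriginalFilename version string, both of which would otherwise show up as false "No Match" rows. The event dictionaries, host names, timestamps and the IOC list are all constructed for illustration.

```python
from ntpath import basename  # handles Windows backslash paths on any OS

# Constructed Sysmon EventCode=1 events, shaped like Splunk's extracted fields.
SAMPLE_EVENTS = [
    {"EventCode": 1, "_time": "2021-01-05T10:00:01", "host": "ws01",
     "OriginalFileName": "Cmd.Exe", "process_name": "cmd.exe"},
    {"EventCode": 1, "_time": "2021-01-05T10:00:07", "host": "ws01",
     "OriginalFileName": "mimikatz.exe", "process_name": "svchost.exe"},
    {"EventCode": 1, "_time": "2021-01-05T10:01:00", "host": "ws02",
     "OriginalFileName": "?", "process_name": "tool.exe"},   # no version info
    {"EventCode": 1, "_time": "2021-01-05T10:01:30", "host": "ws02",
     "OriginalFileName": "PowerShell.EXE",
     "process_name": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventCode": 3, "_time": "2021-01-05T10:01:31", "host": "ws02",
     "OriginalFileName": "x.exe", "process_name": "y.exe"},  # not a process creation
]


def normalise(name):
    """Uppercase (like the eval upper() calls) and drop any directory part."""
    return basename(name).upper()


def find_masquerading(events):
    """Return (_time, host, OriginalFileName, process_name) rows where the
    name compiled into the binary differs from the name it was launched under."""
    rows = []
    for ev in events:
        if ev.get("EventCode") != 1:          # EventCode=1: process creation only
            continue
        orig, proc = ev.get("OriginalFileName"), ev.get("process_name")
        if not orig or not proc or orig == "?":  # OriginalFileName=* process_name=*
            continue
        if normalise(orig) != normalise(proc):   # match="No Match"
            rows.append((ev["_time"], ev["host"], orig, proc))
    return rows


def filter_by_ioc(rows, ioc_names):
    """Noise reduction in the spirit of a lookup table: keep only rows whose
    original file name is on a (constructed) IOC list."""
    wanted = {n.upper() for n in ioc_names}
    return [r for r in rows if r[2].upper() in wanted]


if __name__ == "__main__":
    hits = find_masquerading(SAMPLE_EVENTS)
    for row in hits:
        print(*row)
    print("after IOC filter:", filter_by_ioc(hits, ["mimikatz.exe"]))
```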

Another technique for identifying masquerading is to use file hashes, which is covered in the process hash matching article; that article goes into more detail on the use of IOCs and lookups.
