Splunk Lantern

Process creation events

You might want to identify process creation events to view the dates and times that help determine when a malicious process started. This information is useful when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

A Windows PC has been infected with malware, and you need to find any processes that were created by the malware.

To optimize the searches shown below, you should specify an index and a time range. In addition, this sample search uses Windows security event logs and Microsoft Sysmon data. You can replace this source with any other system log data used in your organization.

Option 1

  1. Enter the following search command into the search bar:
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventDescription=ProcessCreate CommandLine=3791.exe host=<server name>

Search explanation

Here is an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search

Explanation

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Search only Sysmon process data.

EventDescription=ProcessCreate

Search for a process creation event.

CommandLine=3791.exe

Search for the 3791.exe process.

host=<server name>

Search a specific host.

Result

This search returns the ID of the parent process that called or started the process you searched for. It also returns the parent command line so you can see the command that called the process.

Option 2

  1. Enter the following search command into the search bar:
sourcetype="wineventlog:security" EventCode=4688
| stats count, values(Creator_Process_Name) AS Creator_Process_Name BY New_Process_Name
| table New_Process_Name count Creator_Process_Name
| sort count

Search explanation

Here is an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search

Explanation

sourcetype="wineventlog:security"

Search only Windows event log security data.

EventCode=4688

Search for event code 4688, which indicates a new process has been created.

Some configuration is required to fully enable logging PowerShell commands under EventID 4688. For more information, see this blog post.

| stats count, values(Creator_Process_Name) AS Creator_Process_Name BY New_Process_Name

Provide a count and the distinct values of parent process names organized by the new process name.

| table New_Process_Name count Creator_Process_Name

Display the output in a table with three columns, ordered as shown in the search syntax.

| sort count

Return the results with the smallest count first.

Result

This search returns the name of the process created, as well as the name of the parent process when applicable. It also shows when processes were created outside common locations, such as C:\windows\system32 or C:\Program Files. After you have identified the parent process ID, a possible next step is to use the parent ID to find related processes.
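The following Python script is an added example, not part of this article or of any Splunk product; it reproduces the logic of both Option 1 and Option 2 offline over a handful of constructed process creation records, so you can see what each search is actually computing before running it against real data. The record fields (host, New_Process_Name, CommandLine, Creator_Process_Id, Creator_Process_Name, ParentCommandLine) are assumed for the example and mix the Windows 4688 names used in Option 2 with Sysmon-style command line fields; no value comes from real telemetry. One deliberate difference from Option 1 as written: the command line is matched on the executable name rather than on an exact value, because CommandLine normally holds the full path plus arguments, so an exact match would miss most events.

```python
"""Offline counterpart of the two Splunk searches on this page (example code,
not from Splunk Lantern), run over constructed process creation records."""
from collections import defaultdict
import ntpath

# Constructed sample events; the field names are an assumption for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "New_Process_Name": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "Creator_Process_Id": "0x2c8",
     "Creator_Process_Name": r"C:\Windows\System32\services.exe",
     "ParentCommandLine": r"C:\Windows\System32\services.exe"},
    {"host": "ws01", "New_Process_Name": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k LocalService",
     "Creator_Process_Id": "0x2c8",
     "Creator_Process_Name": r"C:\Windows\System32\services.exe",
     "ParentCommandLine": r"C:\Windows\System32\services.exe"},
    {"host": "ws01", "New_Process_Name": r"C:\Program Files\Vendor\app.exe",
     "CommandLine": r"C:\Program Files\Vendor\app.exe",
     "Creator_Process_Id": "0x1f0",
     "Creator_Process_Name": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
    {"host": "ws01", "New_Process_Name": r"C:\Users\jdoe\AppData\Local\Temp\3791.exe",
     "CommandLine": r"C:\Users\jdoe\AppData\Local\Temp\3791.exe /silent",
     "Creator_Process_Id": "0x9d4",
     "Creator_Process_Name": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r'cmd.exe /c "C:\Users\jdoe\AppData\Local\Temp\3791.exe /silent"'},
    {"host": "ws02", "New_Process_Name": r"C:\Users\jdoe\AppData\Local\Temp\3791.exe",
     "CommandLine": r"C:\Users\jdoe\AppData\Local\Temp\3791.exe /silent",
     "Creator_Process_Id": "0x7b0",
     "Creator_Process_Name": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd.exe"},
]

# The "common locations" named in the Result section, compared case-insensitively.
COMMON_LOCATIONS = (r"c:\windows\system32", r"c:\program files")


def find_process_creation(events, process_name, host=None):
    """Option 1: creation events whose command line names process_name,
    optionally restricted to one host. Each hit carries the parent process id
    and the parent command line, which is what the Sysmon search returns."""
    wanted = process_name.lower()
    hits = []
    for ev in events:
        if host is not None and ev["host"] != host:
            continue
        # Substring match: CommandLine normally holds a full path and arguments.
        if wanted not in ev["CommandLine"].lower():
            continue
        hits.append({
            "host": ev["host"],
            "CommandLine": ev["CommandLine"],
            "ParentProcessId": ev["Creator_Process_Id"],
            "ParentCommandLine": ev["ParentCommandLine"],
        })
    return hits


def summarize_by_new_process(events):
    """Option 2: count and distinct creator names per New_Process_Name,
    smallest count first, mirroring `stats count, values(...) BY ...` and `sort count`."""
    counts = defaultdict(int)
    parents = defaultdict(set)
    for ev in events:
        name = ev["New_Process_Name"]
        counts[name] += 1
        parents[name].add(ev["Creator_Process_Name"])
    rows = [{"New_Process_Name": name, "count": counts[name],
             "Creator_Process_Name": sorted(parents[name])} for name in counts]
    return sorted(rows, key=lambda r: (r["count"], r["New_Process_Name"]))


def in_uncommon_location(path):
    """True when the executable's directory is not one of the common locations
    (exact directory or a subdirectory; a sibling such as System32evil does not match)."""
    directory = ntpath.dirname(path).lower()
    return not any(directory == loc or directory.startswith(loc + "\\")
                   for loc in COMMON_LOCATIONS)


def uncommon_rows(rows):
    """Reduce the Option 2 summary to processes created outside common locations."""
    return [r for r in rows if in_uncommon_location(r["New_Process_Name"])]


if __name__ == "__main__":
    for hit in find_process_creation(SAMPLE_EVENTS, "3791.exe", host="ws01"):
        print(hit)
    for row in uncommon_rows(summarize_by_new_process(SAMPLE_EVENTS)):
        print(row)
```

Rare process names sort to the top of the Option 2 summary, and filtering that summary by location is the manual step the Result section describes; in the constructed data only the process in the user's Temp directory survives that filter, while its parent command line from Option 1 shows how it was launched.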
