Information entropy allows you to determine how much randomness is present in a string, and randomness is often an indicator of malicious activity. You hypothesize that an attacker has infiltrated your network and is using randomized file paths to launch processes. You want to see what unusually random file paths exist on a local operating system.
Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=win*security EventCode=4688 New_Process_Name=*\Users\* | `ut_shannon(New_Process_Name)` | stats values(ut_shannon) AS "Shannon Entropy Score" BY New_Process_Name, host | rename New_Process_Name AS Process, host AS Endpoint
The table below explains what each part of this search achieves. You can adjust this query based on the specifics of your environment.

sourcetype=win*security
    Search only Windows Security data.

EventCode=4688
    Search for event code 4688, which indicates a new process has been created.

New_Process_Name=*\Users\*
    Search for new processes whose path contains a user profile directory.

| `ut_shannon(New_Process_Name)`
    Calculate the Shannon entropy score for each new process name. The punctuation surrounding a Splunk macro is always a back tick (`), not a single quote (').

| stats values(ut_shannon) AS "Shannon Entropy Score" BY New_Process_Name, host
    Show the entropy score for each process in a field called Shannon Entropy Score. Group the results by the New_Process_Name field and then by host.

| rename New_Process_Name AS Process, host AS Endpoint
    Rename the New_Process_Name column and host column as shown.
Investigate the file paths this search reveals to find indicators of an attack. Remember that the longer the string length, the less useful the Shannon Entropy score is. You might want to update the search to limit the string length of the process name or limit the entropy score.
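The following is an added example, not part of the original article or the URL Toolbox app, that shows what the search's entropy score actually measures and why the string-length caveat matters. It reimplements the Shannon entropy calculation over a handful of constructed EventCode 4688 records (the hosts and paths are hypothetical) and compares two scoring choices: scoring the whole New_Process_Name string, as the search above does, and scoring each path component separately and keeping the highest. The second mode is an assumption-free generalisation of the article's advice to limit string length, and it also surfaces a randomized directory name, not only a randomized file name.

```python
import math
from collections import Counter

# Constructed sample EventCode 4688 records (hypothetical hosts and paths, not real data).
SAMPLE_EVENTS = [
    {"host": "WS01", "New_Process_Name": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"host": "WS01", "New_Process_Name": r"C:\Users\alice\AppData\Local\Temp\q8Zk3xPv9mLwR2Td.exe"},
    {"host": "WS02", "New_Process_Name": r"C:\Users\bob\Downloads\setup.exe"},
    {"host": "WS02", "New_Process_Name": r"C:\Users\bob\AppData\Roaming\Xy7Gh2KqLm0NpW4Tz\svchost.exe"},
]


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character, the quantity the
    ut_shannon macro reports: H = -sum(p(c) * log2(p(c))) over the distinct
    characters c, where p(c) is the character's frequency in the string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def path_components(path: str) -> list:
    """Split a Windows path into its non-empty directory and file name components."""
    return [p for p in path.split("\\") if p]


def max_component_entropy(path: str) -> float:
    """Entropy of the single most random component of the path.
    Scoring components separately keeps scores comparable across paths of
    different depth, so a long but ordinary path does not outscore a short
    random file name simply because it contains more distinct characters."""
    return max(shannon_entropy(p) for p in path_components(path))


def score_events(events, mode="full", max_len=None):
    """Score each event's New_Process_Name and return rows sorted highest first.

    mode="full"       entropy of the whole path (what the article's search does)
    mode="component"  entropy of the most random path component
    max_len           optional cap on path length, mirroring the article's advice
                      to limit string length before trusting the full-path score
    """
    rows = []
    for ev in events:
        name = ev["New_Process_Name"]
        if max_len is not None and len(name) > max_len:
            continue
        score = shannon_entropy(name) if mode == "full" else max_component_entropy(name)
        rows.append({"Process": name, "Endpoint": ev["host"],
                     "Shannon Entropy Score": round(score, 3)})
    return sorted(rows, key=lambda r: r["Shannon Entropy Score"], reverse=True)


if __name__ == "__main__":
    for mode in ("full", "component"):
        print(f"--- mode={mode} ---")
        for row in score_events(SAMPLE_EVENTS, mode=mode):
            print(f'{row["Shannon Entropy Score"]:5.3f}  {row["Endpoint"]}  {row["Process"]}')
```

Run it and compare the two rankings: in full-path mode the ordinary OneDrive path, at 60 characters with around two dozen distinct characters, scores higher than the 20-character random file name q8Zk3xPv9mLwR2Td.exe on its own, which is the length effect the article warns about. In component mode the two randomized entries rise to the top and the well-known paths fall away. In the Splunk search this corresponds to running the macro over a shortened field, for example one produced with `rex` or `split` before `ut_shannon`, or adding a `where` clause on string length and score.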
Finally, you might be interested in other processes associated with these use cases: