System information gathering using the Dxdiag application
This search detects suspicious command-line execution of dxdiag.exe. Dxdiag collects system information about the host on which it runs, and its /t switch writes that report to a file. This technique has been seen used by Remcos RAT, various threat actors, and other malware to collect host information as part of the reconnaissance or collection phase of an attack.
Data required
Procedure
- Content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Endpoint data model. For information on installing and using the CIM, see the Common Information Model documentation.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process_name"=dxdiag.exe OR "Processes.original_file_name"=dxdiag.exe) "Processes.process"="* /t *") BY "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id" | rename "Processes.*" AS "*" | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| `\| tstats summariesonly=false allow_old_summaries=true count, min(_time) AS firstTime, max(_time) AS lastTime FROM datamodel=Endpoint.Processes WHERE (("Processes.process_name"=dxdiag.exe OR "Processes.original_file_name"=dxdiag.exe) "Processes.process"="* /t *") BY "Processes.dest", "Processes.user", "Processes.parent_process_name", "Processes.parent_process", "Processes.process_name", "Processes.process", "Processes.process_id", "Processes.parent_process_id"` | Query the Endpoint.Processes data model object for dxdiag.exe executions whose command line contains the /t switch, counting them with first and last seen times, split first by destination, then by the rest of the fields shown. |
| `\| rename "Processes.*" AS "*"` | Rename data model fields for better readability. |
| `\| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(firstTime) \| convert timeformat="%Y-%m-%dT%H:%M:%S" ctime(lastTime)` | Convert these times into readable strings. |
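The following is an added example, not code from the Splunk Security Research team or from this page: a Python re-implementation of the search's matching and grouping logic, run over constructed endpoint process events so you can see which records the WHERE clause keeps (a renamed binary caught via original_file_name, a GUI launch without /t dropped) and how the BY clause collapses them into rows. It also includes a small helper for the triage step described under Next steps, which extracts the path passed to /t so you know which output file to follow. The event records, host names, users and paths are made up; the field names follow the Endpoint.Processes fields the search uses. Matching is done case-insensitively on the process name, and timestamps are rendered in UTC, whereas Splunk's convert ctime uses the search's time zone; both are assumptions of this example.

```python
"""Added example (not Splunk's own code): replay the dxdiag.exe detection
over constructed process events and extract the /t output path for triage."""
from collections import defaultdict
from datetime import datetime, timezone
import re

# Fields in the tstats BY clause, after the "Processes." prefix is renamed away.
GROUP_BY = ("dest", "user", "parent_process_name", "parent_process",
            "process_name", "process", "process_id", "parent_process_id")

# Constructed sample events (not real telemetry); _time is a Unix epoch in seconds.
_ws01 = {"_time": 1700000000, "dest": "ws01", "user": "alice",
         "parent_process_name": "cmd.exe", "parent_process": "cmd.exe",
         "process_name": "dxdiag.exe", "original_file_name": "dxdiag.exe",
         "process": r"dxdiag.exe /t C:\Users\alice\AppData\Local\Temp\d.txt",
         "process_id": 4120, "parent_process_id": 3980}

SAMPLE_EVENTS = [
    # Two records of the same launch (e.g. two sensors feeding the data model):
    # same process_id, so they collapse into one row with count=2.
    _ws01,
    {**_ws01, "_time": 1700000300},
    # Interactive GUI launch with no /t switch: not matched.
    {"_time": 1700000100, "dest": "ws02", "user": "bob",
     "parent_process_name": "explorer.exe", "parent_process": "explorer.exe",
     "process_name": "dxdiag.exe", "original_file_name": "dxdiag.exe",
     "process": "dxdiag.exe", "process_id": 5510, "parent_process_id": 1200},
    # Renamed copy of the binary: still caught through original_file_name.
    {"_time": 1700000200, "dest": "ws03", "user": "carol",
     "parent_process_name": "powershell.exe", "parent_process": "powershell.exe -w hidden",
     "process_name": "svc.exe", "original_file_name": "dxdiag.exe",
     "process": r'svc.exe /t "C:\ProgramData\host info.txt"',
     "process_id": 6001, "parent_process_id": 5900},
    # Unrelated binary that also takes /t: not matched.
    {"_time": 1700000400, "dest": "ws04", "user": "dave",
     "parent_process_name": "cmd.exe", "parent_process": "cmd.exe",
     "process_name": "notepad.exe", "original_file_name": "notepad.exe",
     "process": r"notepad.exe /t C:\x.txt", "process_id": 7001, "parent_process_id": 6900},
]


def matches(event):
    """The WHERE clause: name or original file name is dxdiag.exe, and the
    command line matches "* /t *" (a space-delimited /t switch)."""
    name_hit = (event.get("process_name", "").lower() == "dxdiag.exe"
                or event.get("original_file_name", "").lower() == "dxdiag.exe")
    return name_hit and " /t " in event.get("process", "")


def to_ctime(epoch):
    """convert ctime(...) with timeformat %Y-%m-%dT%H:%M:%S, rendered in UTC here."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def run_detection(events):
    """Apply the WHERE filter, then count / min(_time) / max(_time) per BY group."""
    groups = defaultdict(list)
    for ev in events:
        if matches(ev):
            groups[tuple(ev.get(f) for f in GROUP_BY)].append(ev["_time"])
    rows = []
    for key, times in groups.items():
        row = dict(zip(GROUP_BY, key))
        row["count"] = len(times)
        row["firstTime"] = to_ctime(min(times))
        row["lastTime"] = to_ctime(max(times))
        rows.append(row)
    return sorted(rows, key=lambda r: r["dest"])


def output_file(cmdline):
    """Triage helper: return the path given to /t (quoted or bare), or None.
    That file is what a follow-on process would read or exfiltrate."""
    m = re.search(r'(?i)\s/t\s+("[^"]+"|\S+)', cmdline)
    return m.group(1).strip('"') if m else None


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(f'{row["dest"]:5} {row["user"]:6} count={row["count"]} '
              f'{row["firstTime"]} .. {row["lastTime"]} '
              f'parent={row["parent_process_name"]} out={output_file(row["process"])}')
```

Run as a script it prints one row per (host, user, process ...) group; in a real investigation the `out=` path is where to start looking for the reads, archives or network sends the Next steps section asks about.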
Next steps
This behavior should rarely be seen in a corporate network, but a network administrator could use this command line to audit host machine specifications, so the results of this search may contain false positives. To triage further, identify the file that dxdiag /t wrote and analyze which commands or processes then read, packaged or transmitted it.
During triage, isolate the endpoint and review it to identify the source of the compromise.
If your results indicate an attack has occurred, the host or computer where the activity was detected needs to be further investigated and remediated according to your response plan. This involves a final step of re-imaging the system with a known good system build after the investigation.
You might also be interested in the other searches associated with the Detecting indicators of Remcos RAT malware use case.