You might need to calculate the length of command line strings when doing the following:
Prerequisites
In order to execute this procedure in your environment, the following data, services, or apps are required:
Example
You have a hypothesis that unusually long command line strings are worth investigating, because they are a common side effect of obfuscated or encoded payloads (for example, a long Base64 blob passed to an interpreter). You want to build a table of every event in a chosen time period that carries a command line string of a given length, so that you can examine the longest ones.
NOTE: To optimize the search shown below, you should specify an index and a time range.
- Run the following search:
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" CommandLine=*
| table _time host CommandLine
| eval cl_length=len(CommandLine)
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
| --- | --- |
| sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" | Search Sysmon operational data. |
| CommandLine=* | Filter for events that have a value in the CommandLine field. |
| \| table _time host CommandLine | Display the results in a table with columns in the order shown. |
| \| eval cl_length=len(CommandLine) | Create a new field called cl_length that holds the character length of each command line string the search returns. |
Result
If your result set is small, you might simply read through the command line strings to see whether anything looks suspicious. If the search returns a large number of events, you can instead apply statistical methods to the numeric cl_length values: calculate the average, standard deviation, maximum, minimum, and so on (with stats or eventstats) so that you can identify which events are outliers worth investigating. The where and sort commands let you drop events below a threshold you define and bring the longest (or shortest) strings to the top.
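The following search is an added example of the statistical approach described above; it is not part of the original article. It extends the base search so that cl_length is computed before the table (which lets it be a displayed, sortable column), uses eventstats to attach the population mean and standard deviation to every event, flags events whose length is either above a fixed floor or more than three standard deviations above the mean, and sorts the longest to the top. The EventCode=1 filter (Sysmon process creation), the User and Image field names, and the thresholds of 1000 characters and a z-score of 3 are assumptions for illustration; adjust them to match your field extractions and your environment's baseline.

```spl
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 CommandLine=*
| eval cl_length=len(CommandLine)
| eventstats avg(cl_length) AS cl_avg, stdev(cl_length) AS cl_stdev
| eval cl_z=round((cl_length - cl_avg) / cl_stdev, 2)
| where cl_length > 1000 OR cl_z > 3
| sort - cl_length
| table _time host User Image cl_length cl_z CommandLine
```

eventstats, unlike stats, keeps every event and appends the aggregate fields to each one, which is what makes the per-event comparison in the where clause possible. If all command lines in the time range have the same length, cl_stdev is 0 and the division yields a null cl_z; the fixed cl_length floor still applies in that case, so the search does not silently return nothing. Because the mean and standard deviation are computed over whatever the time range and index contain, a noisy host or a scheduled job with a very long command line will inflate both and can hide other outliers; splitting the baseline by host (eventstats ... BY host) is a common refinement.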