Command line string length

You might need to calculate the length of command line strings when doing the following:

• Monitoring command line interface actions

Prerequisites 

In order to execute this procedure in your environment, you may need to first on-board the data, services, or apps shown in the following table.

Example

The purpose of this example is to show how this procedure works in a general environment. In your environment, you can optimize the search by specifying an index, a time range, or a different data source. 

You have a hypothesis that long command line strings are concerning because they can harbor malicious commands. You want to create a table of all logs in a certain time period that have command line strings of a certain length.

1. Run the following search:

sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" CommandLine=* 
| table _time host CommandLine
| eval cl_length=len(CommandLine)

Search Explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Result

If your result set is not large, you might decide to read through the contents of the strings to see if anything looks suspicious. However, if the search returns a large number of events, you might decide to apply statistical methods to the data. You can calculate average, standard deviation, maximum, minimum, and more on these numeric values so that you can better determine which ones are outliers that you might want to investigate. The sort and where commands can also be used to filter out data below your defined threshold and bring the longest (or shortest) strings to the top.