• hunter

SPLUNK PILL 101-#AA02-Process change


source="WinEventLog:Microsoft-Windows-Sysmon/Operational"

OriginalFileName IN ("*cmstp.exe", "*certutil.exe", "*cscript.exe", "*cmd.exe" , "*net.exe", "*powershell.exe" , "*powershell_ise.exe" , "*psexec.exe" , "*msiexec.exe", "*mshta.exe" , "*rundll32.exe", "*regsvr32.exe" , "*wmic.exe" , "*wscript.exe")

NOT Image IN ("*cmstp.exe", "*certutil.exe", "*cscript.exe", "*cmd.exe" , "*net.exe", "*powershell.exe" , "*powershell_ise.exe" , "*psexec.exe" , "*msiexec.exe", "*mshta.exe" , "*rundll32.exe", "*regsvr32.exe" , "*wmic.exe" , "*wscript.exe")


Short prescription


Based on sysmon Event ID 1 ( process creation ) and 7 (image loaded)

If there is an information in PE header ( for most if not all Microsoft binaries) then OriginalFileName will show true binary executable name and can be compared to Image field

Not bulletproof, PE header can be changed by any hex editor but this will change hash

Having golden workstation or gold hashes repository is always good thing

All hashes can be stored in lookuptable or KV store

23 views0 comments

Recent Posts

See All