
Splunk search not working

jwalzerpitt
Influencer

I am trying to test the following search that looks for processes that run from a different directory other than Windows\System32 or Windows\SysWOW64. As a test, I copied defrag.exe and ran it and then ran the search thinking defrag.exe running from the desktop would show up as an event, but I got zero hits.

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=*Windows\\System32* Image!=*Windows\\SysWOW64* | rex field=process .*\\\(?<filename>\S+)\s?$ | lookup isWindowsSystemFile_lookup filename | search systemFile=true

The lookup contains defrag.exe*:

filename          systemFile
defrag.exe*       TRUE 

Would appreciate any help as to why it's not being flagged as an event based on the search


David
Splunk Employee

Can you make sure that you have the filename field defined correctly if you do this?
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=*Windows\\System32* Image!=*Windows\\SysWOW64* | rex field=process .*\\\(?<filename>\S+)\s?$ | table filename

Assuming so, make sure that the isWindowsSystemFile_lookup is in the Ransomware app, or at least that you have WILDCARD(filename) in the transforms.conf that defines that lookup.


sbbadri
Motivator

Try this,

your search | lookup isWindowsSystemFile_lookup filename OUTPUT systemFile | search systemFile=True


jwalzerpitt
Influencer

Plugged in the following but still no hit - thx

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=*Windows\\System32* Image!=*Windows\\SysWOW64* | rex field=process .*\\\(?<filename>\S+)\s?$ | lookup isWindowsSystemFile_lookup filename OUTPUT systemFile | search systemFile=True | table _time dest host user Image

sbbadri
Motivator

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=*Windows\\System32* Image!=*Windows\\SysWOW64* | rex field=process .*\\\(?<filename>\S+)\s?$ | rename filename as event_filename | lookup isWindowsSystemFile_lookup filename as event_filename OUTPUTNEW systemFile | search systemFile=True | table _time dest host user Image


jwalzerpitt
Influencer

Still no events are returned


sbbadri
Motivator

I'm getting results:

| rex field=Image_File_Name ".*\\(?P<Image_File_Name>\S+)" | lookup isWindowsSystemFile_lookup filename as Image_File_Name OUTPUTNEW systemFile | search systemFile=true

transforms.conf

[isWindowsSystemFile_lookup]
filename = isWindowsSystemFile_lookup.csv

isWindowsSystemFile_lookup.csv

filename systemFile
defrag.exe TRUE

I got output.

jwalzerpitt
Influencer

The lookup is set as follows as it's from the Splunk Security Essentials for Ransomware app:

lookup table file - system32_executables.csv
lookup definition - isWindowsSystemFile_lookup

Permissions are set for All apps for both

Thx


sbbadri
Motivator

You got the result.


jwalzerpitt
Influencer

Still no results

I even tested copying and then executing calc.exe from my desktop and a generic search returns those events, but the full search doesn't return any events


sbbadri
Motivator

Try not using defrag.exe* TRUE; instead use defrag.exe TRUE in the lookup file, i.e. the CSV file.


jwalzerpitt
Influencer

Modified the CSV to defrag.exe and added calc.exe, then re-ran the search, but still no results.

Thx


sbbadri
Motivator

Post one sample event. I'm guessing your regex is wrong.


jwalzerpitt
Influencer

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=*Windows\\System32* Image!=*Windows\\SysWOW64* defrag.exe | rex field=process .*\\\(?<filename>\S+)\s?$

I get two events and with the regex above, Defrag.exe is listed as the process. Here's one event:

(Event as posted, with the XML tags stripped; field names follow Sysmon's EventData order.)

System: EventID 1, Version 5, Level 4, Task 1, Opcode 0, Keywords 0x8000000000000000, EventRecordID 12056657, Channel Microsoft-Windows-Sysmon/Operational, Computer xxxx
UtcTime: 2017-07-11 15:07:14.980
ProcessGuid: {534C8769-E9A2-5964-0000-00108D9AED10}
ProcessId: 12444
Image: C:\Users\xxx\Desktop\Defrag.exe
CommandLine: Defrag.exe
CurrentDirectory: C:\Users\xxx\Desktop\
User: PITT\XXX
LogonGuid: {XXX}
LogonId: xxx
TerminalSessionId: 3
IntegrityLevel: Medium
Hashes: SHA256=E12F5A5804519A4C8F4EDA5B27B3477D89AA4B80E5D9BFA359C1D6794D947965,IMPHASH=C815E8E72E2B3316E4709BA7A4494AF9
ParentProcessGuid: {534C8769-E99A-5964-0000-00106C7CED10}
ParentProcessId: 16244
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"


sbbadri
Motivator

Ah, the issue is case sensitivity. Use Defrag.exe instead of defrag.exe in the lookup file. When searching, text can be either lower or upper case, but if you are using a lookup, case matters.

jwalzerpitt
Influencer

Changed defrag.exe* to Defrag.exe* and re-ran search with no results. Modified Defrag.exe* to Defrag.exe and still no results.


vasanthmss
Motivator

Your extraction has double quotes (") so you have to use double quotes in your lookup or correct the field extraction. Check the extraction with | rex .*\\\(?<filename>\S+)\s?\"$ and then use defrag.exe in your lookup.

V

jwalzerpitt
Influencer

I modified the lookup file header from filename to process and modified the search as below, but still didn't get any results. Thx

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=*Windows\\System32* Image!=*Windows\\SysWOW64* | lookup isWindowsSystemFile_lookup process | search systemFile=true | table _time dest host user process

jwalzerpitt
Influencer

Finally got it. I had to modify the lookup file from defrag.exe* to Defrag.exe.

I set the field process to lowercase as follows and then set the lookup file back to defrag.exe*, ran the search and got no results.

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=*Windows\\System32* Image!=*Windows\\SysWOW64* | eval process=lower(process) | lookup isWindowsSystemFile_lookup process | search systemFile=true | table _time dest host user process

I modified defrag.exe* to defrag.exe, ran the search, and I get the two events. How can I keep the * for the process names?

Thx


sheamus69
Communicator

Try breaking it down to its crudest search to test results:

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational defrag.exe

Does the crude search actually produce any results? I know it's basic, but I find it helps to start simple and step forward...


jwalzerpitt
Influencer

Thx - I did do that earlier and two events are returned

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=*Windows\\System32* Image!=*Windows\\SysWOW64* defrag.exe
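The lookup behaviour this thread converges on, as an added example (not code from any of the posts or from Splunk): a Python re-creation of the search pipeline run over constructed Sysmon process-create events. It shows why a plain `| lookup` never matches `Defrag.exe` against a CSV row of `defrag.exe*` (the match is exact and case-sensitive, so the `*` is a literal character), and what changes once the lookup definition gets the `WILDCARD(filename)` setting David mentioned together with `case_sensitive_match = false` in the same transforms.conf stanza. The event XML, hostname, user and GUIDs are constructed placeholders; the lookup rows are the ones the original poster described; `basename()`, `in_system_dir()`, `lookup()` and `detect()` are names chosen here, not Splunk functions.

```python
"""Re-creation of the thread's Sysmon EventCode=1 search outside Splunk.

SPL being mirrored:
  EventCode=1 Image!=*Windows\\System32* Image!=*Windows\\SysWOW64*   -> in_system_dir()
  | rex field=Image "(?<filename>[^\\\\]+)$"                            -> basename()
  | lookup isWindowsSystemFile_lookup filename                          -> lookup()
  | search systemFile=true                                              -> detect()
"""
import fnmatch
import xml.etree.ElementTree as ET

# Namespace every Windows event XML document uses (fixed by the OS).
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"


def _sysmon_event(image, cmdline, parent):
    """Constructed Sysmon process-create event in XmlWinEventLog shape.
    Only the EventData fields the search needs are present; host and user
    are placeholders, not values from the original post."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>1</EventID>"
        "<Channel>Microsoft-Windows-Sysmon/Operational</Channel>"
        "<Computer>host01</Computer></System>"
        "<EventData>"
        f'<Data Name="Image">{image}</Data>'
        f'<Data Name="CommandLine">{cmdline}</Data>'
        '<Data Name="User">PITT\\user</Data>'
        f'<Data Name="ParentImage">{parent}</Data>'
        "</EventData></Event>"
    )


# Constructed test set: two system binaries copied to the desktop (should be
# flagged), the same binaries in their real locations (excluded by path) and
# an unrelated desktop binary (not in the lookup).
SAMPLE_EVENTS = [
    _sysmon_event(r"C:\Users\xxx\Desktop\Defrag.exe", "Defrag.exe", r"C:\Windows\System32\cmd.exe"),
    _sysmon_event(r"C:\Users\xxx\Desktop\calc.exe", "calc.exe", r"C:\Windows\explorer.exe"),
    _sysmon_event(r"C:\Windows\System32\defrag.exe", "defrag.exe /C", r"C:\Windows\System32\svchost.exe"),
    _sysmon_event(r"C:\Windows\SysWOW64\calc.exe", "calc.exe", r"C:\Windows\explorer.exe"),
    _sysmon_event(r"C:\Users\xxx\Desktop\notes.exe", "notes.exe", r"C:\Windows\explorer.exe"),
]

# The CSV behind isWindowsSystemFile_lookup as the OP had it: a glob on defrag.
LOOKUP_CSV = [
    {"filename": "defrag.exe*", "systemFile": "TRUE"},
    {"filename": "calc.exe", "systemFile": "TRUE"},
]


def parse_event(xml_text):
    """Flatten one event: EventCode from <System>, plus every <Data Name=...>."""
    root = ET.fromstring(xml_text)
    fields = {"EventCode": root.findtext(f"{NS}System/{NS}EventID")}
    for data in root.iter(f"{NS}Data"):
        fields[data.get("Name")] = data.text or ""
    return fields


def basename(image):
    """Equivalent of the rex: everything after the last backslash."""
    return image.rsplit("\\", 1)[-1]


def in_system_dir(image):
    """Image!=*Windows\\System32* Image!=*Windows\\SysWOW64*. Splunk's wildcard
    match on a field value ignores case, so the path is compared lower-cased."""
    low = image.lower()
    return "\\windows\\system32\\" in low or "\\windows\\syswow64\\" in low


def lookup(filename, table, wildcard, case_sensitive):
    """Emulate `| lookup`. Default Splunk behaviour is an exact, case-sensitive
    comparison, so a '*' in the CSV is just a literal character. WILDCARD(filename)
    turns the CSV value into a glob; case_sensitive_match=false ignores case."""
    for row in table:
        pattern, value = row["filename"], filename
        if not case_sensitive:
            pattern, value = pattern.lower(), value.lower()
        matched = fnmatch.fnmatchcase(value, pattern) if wildcard else value == pattern
        if matched:
            return row["systemFile"]
    return None


def detect(events, table, wildcard=False, case_sensitive=True):
    """Return the Image paths the search emits under the given lookup settings.
    `search systemFile=true` is itself case-insensitive, hence the .lower()."""
    hits = []
    for ev in map(parse_event, events):
        if ev["EventCode"] != "1" or in_system_dir(ev["Image"]):
            continue
        verdict = lookup(basename(ev["Image"]), table, wildcard, case_sensitive) or ""
        if verdict.lower() == "true":
            hits.append(ev["Image"])
    return hits


if __name__ == "__main__":
    print("plain lookup           :", detect(SAMPLE_EVENTS, LOOKUP_CSV))
    print("WILDCARD + insensitive :", detect(SAMPLE_EVENTS, LOOKUP_CSV, wildcard=True, case_sensitive=False))
```

With Splunk's defaults only the desktop `calc.exe` comes back: `Defrag.exe` fails both on case and on the literal `*`. The Splunk-side equivalent of the second call is `match_type = WILDCARD(filename)` plus `case_sensitive_match = false` in the `[isWindowsSystemFile_lookup]` stanza of transforms.conf, which keeps the `*` entries usable without lower-casing the field at search time as the OP's `eval process=lower(process)` does (that approach also requires every CSV value to be lower-case). One caveat: `fnmatch` also treats `?` and `[` as special, so it is slightly broader than Splunk's asterisk-only wildcard matching.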