I am trying to test the following search, which looks for processes that run from a directory other than Windows\System32 or Windows\SysWOW64. As a test, I copied defrag.exe to my desktop and ran it, then ran the search, expecting defrag.exe running from the desktop to show up as an event, but I got zero hits.
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=*Windows\\System32* Image!=*Windows\\SysWOW64* | rex field=process ".*\\\(?<filename>\S+)\s?$" | lookup isWindowsSystemFile_lookup filename | search systemFile=true
The lookup contains defrag.exe*:
filename,systemFile
defrag.exe*,TRUE
I would appreciate any help as to why it's not being flagged as an event by the search.
Can you make sure that you have the filename field defined correctly if you do this?
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=*Windows\\System32* Image!=*Windows\\SysWOW64* | rex field=process ".*\\\(?<filename>\S+)\s?$" | table filename
Assuming so, make sure that the isWindowsSystemFile_lookup is in the Ransomware app, or at least that you have WILDCARD(filename) in the transforms.conf that defines that lookup.
Try this,
your search | lookup isWindowsSystemFile_lookup filename OUTPUT systemFile | search systemFile=True
I plugged in the following but still get no hit - thx
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=*Windows\\System32* Image!=*Windows\\SysWOW64* | rex field=process ".*\\\(?<filename>\S+)\s?$" | lookup isWindowsSystemFile_lookup filename OUTPUT systemFile | search systemFile=True | table _time dest host user Image
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=Windows\System32 Image!=Windows\SysWOW64 | rex field=process ".*\\\(?<filename>\S+)\s?$" | rename filename as event_filename | lookup isWindowsSystemFile_lookup filename as event_filename OUTPUTNEW systemFile | search systemFile=True | table _time dest host user Image
Still no events are returned
I'm getting results with this:
| rex field=Image_File_Name ".*\\\(?P<Image_File_Name>\S+)" | lookup isWindowsSystemFile_lookup filename as Image_File_Name OUTPUTNEW systemFile | search systemFile=true
transforms.conf
[isWindowsSystemFile_lookup]
filename = isWindowsSystemFile_lookup.csv
isWindowsSystemFile_lookup.csv
filename,systemFile
defrag.exe,TRUE
I got output.
The lookup is set as follows as it's from the Splunk Security Essentials for Ransomware app:
lookup table file - system32_executables.csv
lookup definition - isWindowsSystemFile_lookup
Permissions are set for All apps for both
Thx
You got the result.
Still no results
I even tested copying and then executing calc.exe from my desktop and a generic search returns those events, but the full search doesn't return any events
Try not using defrag.exe* TRUE; instead use defrag.exe TRUE in the lookup file, i.e. the CSV file.
I modified the CSV to defrag.exe and added calc.exe, then re-ran the search, but still no results.
Thx
Post one sample event. I'm guessing your regex is wrong.
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=Windows\\System32 Image!=Windows\\SysWOW64 defrag.exe | rex field=process ".*\\\(?<filename>\S+)\s?$"
I get two events, and with the regex above Defrag.exe is listed as the process. Here's one event (XML tags stripped, Sysmon EventID 1 fields in schema order):
EventID=1, Version=5, Level=4, Task=1, Opcode=0, Keywords=0x8000000000000000, EventRecordID=12056657, Channel=Microsoft-Windows-Sysmon/Operational, Computer=xxxx
UtcTime: 2017-07-11 15:07:14.980
ProcessGuid: {534C8769-E9A2-5964-0000-00108D9AED10}
ProcessId: 12444
Image: C:\Users\xxx\Desktop\Defrag.exe
CommandLine: Defrag.exe
CurrentDirectory: C:\Users\xxx\Desktop\PITT\
User: XXX
LogonGuid: {XXX}
LogonId: xxx
TerminalSessionId: 3
IntegrityLevel: Medium
Hashes: SHA256=E12F5A5804519A4C8F4EDA5B27B3477D89AA4B80E5D9BFA359C1D6794D947965,IMPHASH=C815E8E72E2B3316E4709BA7A4494AF9
ParentProcessGuid: {534C8769-E99A-5964-0000-00106C7CED10}
ParentProcessId: 16244
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\Windows\system32\cmd.exe"
Ah, the issue is case sensitivity. Use Defrag.exe instead of defrag.exe in the lookup file. When searching, text can be either lower or upper case, but when you are using a lookup, case is important.
I changed defrag.exe* to Defrag.exe* and re-ran the search with no results. I then modified Defrag.exe* to Defrag.exe and still got no results.
Your extraction has a double quote (") in it, so you either have to use the double quote in your lookup or correct the field extraction. Check the extraction with | rex field=process ".*\\\(?<filename>\S+)\s?\"$"
then use defrag.exe in your lookup.
I modified the lookup file header from filename to process and modified the search as below, but still didn't get any results - thx
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=Windows\\System32 Image!=Windows\\SysWOW64 | lookup isWindowsSystemFile_lookup process | search systemFile=true | table _time dest host user process
Finally got it - I had to modify the lookup file from defrag.exe* to Defrag.exe.
I then set the field process to lowercase as follows and set the lookup file back to defrag.exe*, ran the search and got no results.
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=Windows\\System32 Image!=Windows\\SysWOW64 | eval process=lower(process) | lookup isWindowsSystemFile_lookup process | search systemFile=true | table _time dest host user process
I modified defrag.exe* to defrag.exe, ran the search and I get the two events. How can I keep the * for the process names?
Thx
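The following is an added example, not code from the thread or from the Splunk Security Essentials app. It models the three stages of the posted search in plain Python (the Image!= exclusions, the rex filename extraction, and the CSV lookup) so the behaviour behind the replies above can be checked offline: a lookup key of defrag.exe* only matches when the lookup is defined with match_type = WILDCARD(filename) in transforms.conf, and Defrag.exe from the sample event only matches defrag.exe when case_sensitive_match = false is set as well; the Image!=Windows\\System32 form without stars excludes nothing; and the posted rex keeps a trailing quote when the field it reads from is a quoted command line. The events and lookup rows are constructed for illustration.

```python
"""Model of the thread's SPL pipeline: exclusions, rex extraction, CSV lookup.

Added example, not part of the original thread or of Splunk Security Essentials.
Emulates two transforms.conf lookup settings: match_type = WILDCARD(filename)
and case_sensitive_match = false. All events and lookup rows are constructed.
"""
import re

# Constructed Sysmon EventCode=1 Image values; the first mirrors the posted sample event.
EVENTS = [
    r"C:\Users\xxx\Desktop\Defrag.exe",
    r"C:\Windows\System32\defrag.exe",
    r"C:\Windows\SysWOW64\calc.exe",
    r"C:\Users\xxx\Desktop\calc.exe",
    r"C:\Users\xxx\AppData\Local\Temp\svchost.exe",
]

# Constructed rows in the shape of the thread's CSV: filename, systemFile.
LOOKUP = [("defrag.exe*", "TRUE"), ("calc.exe", "TRUE"), ("svchost.exe", "TRUE")]

# The posted rex as Splunk's regex engine sees it after string unescaping.
FILENAME_RE = re.compile(r".*\\(?P<filename>\S+)\s?$")


def extract_filename(path):
    """Same capture as the posted rex: everything after the last backslash."""
    m = FILENAME_RE.match(path)
    return m.group("filename") if m else None


def extract_filename_fixed(path):
    """Variant that stops at a quote, so a quoted command line yields cmd.exe rather than cmd.exe" ."""
    m = re.match(r'.*\\(?P<filename>[^\\\s"]+)"?\s*$', path)
    return m.group("filename") if m else None


def outside_system_dirs(image, with_stars=True):
    """Image!=*Windows\\System32* Image!=*Windows\\SysWOW64*; search-time compares are case-insensitive."""
    if with_stars:
        return re.search(r"Windows\\(System32|SysWOW64)\\", image, re.IGNORECASE) is None
    # Without the stars the field is compared with the literal string, which a full
    # path never equals, so both clauses are true for every event and exclude nothing.
    return image.lower() not in (r"windows\system32", r"windows\syswow64")


def wildcard_to_regex(key):
    """Splunk WILDCARD match: only * is special, everything else is literal."""
    return "^" + ".*".join(re.escape(part) for part in key.split("*")) + "$"


def lookup_system_file(filename, wildcard, case_sensitive):
    """Return systemFile for the first lookup row that matches, else None."""
    flags = 0 if case_sensitive else re.IGNORECASE
    for key, system_file in LOOKUP:
        if wildcard:
            hit = re.fullmatch(wildcard_to_regex(key), filename, flags) is not None
        else:
            hit = key == filename if case_sensitive else key.lower() == filename.lower()
        if hit:
            return system_file
    return None


def run_search(wildcard=False, case_sensitive=True, with_stars=True):
    """Whole pipeline; returns the Image values that would reach the final table."""
    hits = []
    for image in EVENTS:
        if not outside_system_dirs(image, with_stars):
            continue
        name = extract_filename(image)
        if lookup_system_file(name, wildcard, case_sensitive) == "TRUE":
            hits.append(image)
    return hits


if __name__ == "__main__":
    print("default lookup (exact, case-sensitive):", run_search())
    print("WILDCARD only:", run_search(wildcard=True))
    print("WILDCARD + case-insensitive:", run_search(wildcard=True, case_sensitive=False))
    print("same, but Image!= without stars:", run_search(True, False, with_stars=False))
```

Running it shows that Defrag.exe from the desktop only appears in the third run, where both the wildcard and the case-insensitive match are on; the fourth run pulls the System32 and SysWOW64 copies back in, which is what the star-less exclusion does. The two settings being emulated are transforms.conf options on the lookup definition, so the fix for the thread's question belongs in the lookup stanza rather than in the CSV.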
Try breaking it down to its crudest search to test results:
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational defrag.exe
Does the crude search actually produce any results? I know it's basic, but I find it helps to start simple and step forward...
Thx - I did do that earlier and two events are returned:
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=*Windows\\System32* Image!=*Windows\\SysWOW64* defrag.exe