
Splunk search not working

Motivator

I am trying to test the following search that looks for processes that run from a different directory other than Windows\System32 or Windows\SysWOW64. As a test, I copied defrag.exe and ran it and then ran the search thinking defrag.exe running from the desktop would show up as an event, but I got zero hits.

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=*Windows\\System32* Image!=*Windows\\SysWOW64* | rex field=process .*\\\(?<filename>\S+)\s?$ | lookup isWindowsSystemFile_lookup filename | search systemFile=true

The lookup contains defrag.exe*:

filename          systemFile
defrag.exe*       TRUE 

Would appreciate any help as to why it's not being flagged as an event based on the search

0 Karma

Splunk Employee

Can you make sure that you have the filename field defined correctly if you do this?
sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=*Windows\\System32* Image!=*Windows\\SysWOW64* | rex field=process .*\\\(?<filename>\S+)\s?$ | table filename

Assuming so, make sure that the isWindowsSystemFile_lookup is in the Ransomware app, or at least that you have WILDCARD(filename) in the transforms.conf that defines that lookup.

0 Karma

Motivator

Try this,

your search | lookup isWindowsSystemFile_lookup filename OUTPUT systemFile | search systemFile=True

0 Karma

Motivator

Plugged in the following but still no hit - thx

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=*Windows\\System32* Image!=*Windows\\SysWOW64* | rex field=process .*\\\(?<filename>\S+)\s?$ | lookup isWindowsSystemFile_lookup filename OUTPUT systemFile | search systemFile=True | table _time dest host user Image

0 Karma

Motivator

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=Windows\\System32 Image!=Windows\\SysWOW64 | rex field=process .*\\\(?<filename>\S+)\s?$ | rename filename as event_filename | lookup isWindowsSystemFile_lookup filename as event_filename OUTPUTNEW systemFile | search systemFile=True | table _time dest host user Image

0 Karma

Motivator

Still no events are returned

0 Karma

Motivator

I'm getting results

| rex field=ImageFileName ".*\\\(?P<ImageFileName>\S+)" | lookup isWindowsSystemFile_lookup filename as ImageFileName OUTPUTNEW systemFile | search systemFile=true

transforms.conf

[isWindowsSystemFile_lookup]
filename = isWindowsSystemFile_lookup.csv

isWindowsSystemFile_lookup.csv

filename systemFile
defrag.exe TRUE

I got output.

Motivator

The lookup is set as follows as it's from the Splunk Security Essentials for Ransomware app:

lookup table file - system32executables.csv
lookup definition - isWindowsSystemFile_lookup

Permissions are set for All apps for both

Thx

0 Karma

Motivator

You got the result?

0 Karma

Motivator

Still no results

I even tested copying and then executing calc.exe from my desktop and a generic search returns those events, but the full search doesn't return any events

0 Karma

Motivator

Try not using defrag.exe* TRUE; instead use defrag.exe TRUE in the lookup file, i.e. the CSV file.

0 Karma

Motivator

Modified the CSV to defrag.exe and added calc.exe, and re-ran the search, but still no results.

Thx

0 Karma

Motivator

Post one sample event. I'm guessing your regex is wrong.

0 Karma

Motivator

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=Windows\\System32 Image!=Windows\\SysWOW64 defrag.exe | rex field=process .*\\\(?<filename>\S+)\s?$

I get two events and with the regex above, Defrag.exe is listed as the process. Here's one event:

154100x800000000000000012056657Microsoft-Windows-Sysmon/Operationalxxxx2017-07-11 15:07:14.980{534C8769-E9A2-5964-0000-00108D9AED10}12444C:\Users\xxx\Desktop\Defrag.exeDefrag.exeC:\Users\xxx\Desktop\PITT\XXX{XXX}xxx3MediumSHA256=E12F5A5804519A4C8F4EDA5B27B3477D89AA4B80E5D9BFA359C1D6794D947965,IMPHASH=C815E8E72E2B3316E4709BA7A4494AF9{534C8769-E99A-5964-0000-00106C7CED10}16244C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe"

0 Karma

Motivator

Ah, the issue is case sensitivity. Use Defrag.exe instead of defrag.exe in the lookup file. When searching, text can be either lower or upper case, but if you are using a lookup, case is important.

Motivator

Changed defrag.exe* to Defrag.exe* and re-ran search with no results. Modified Defrag.exe* to Defrag.exe and still no results.

0 Karma

Motivator

Your extraction has double quotes (") so you have to use double quotes in your lookup or correct the field extraction. Check the extraction | rex .*\\\(?<filename>\S+)\s?\"$ and then use defrag.exe in your lookup.

0 Karma

Motivator

I modified the lookup file header from filename to process and modified the search as below, but still didn't get any results - thx

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=Windows\\System32 Image!=Windows\\SysWOW64 | lookup isWindowsSystemFile_lookup process | search systemFile=true | table _time dest host user process

0 Karma

Motivator

Finally got it - had to modify the lookup file from defrag.exe* to Defrag.exe

I set the field process to lowercase as follows and then set the lookup file back to defrag.exe*, ran the search and got no results.

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=Windows\\System32 Image!=Windows\\SysWOW64 | eval process=lower(process) | lookup isWindowsSystemFile_lookup process | search systemFile=true | table _time dest host user process

I modified the defrag.exe* to defrag.exe and ran the search and I get the two events. How can I keep the * for the process names?

Thx

0 Karma
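The three things this thread runs into (a literal `*` in the CSV key when the lookup definition has no WILDCARD match type, case-sensitive key comparison, and the trailing quote the rex keeps from a quoted command line) can be reproduced outside Splunk. The following Python is an added example, not code from the thread or from the Splunk Security Essentials for Ransomware app; the events and lookup rows are constructed, and the `wildcard` and `case_sensitive` flags stand in for the transforms.conf settings `match_type = WILDCARD(filename)` and `case_sensitive_match = false`.

```python
import re

# Stand-in for the thread's `rex field=process ".*\\\(?<filename>\S+)\s?$"`:
# everything after the last backslash, so a quoted CommandLine keeps its closing quote.
FILENAME_RE = re.compile(r".*\\(?P<filename>\S+)\s?$")

def extract_filename(path_or_cmdline):
    m = FILENAME_RE.match(path_or_cmdline)
    return m.group("filename") if m else None

def lookup_key_matches(value, key, wildcard=False, case_sensitive=True):
    """Emulate how a Splunk CSV lookup compares an input field to a CSV key.
    Defaults mirror Splunk: exact, case-sensitive. wildcard=True stands for
    transforms.conf `match_type = WILDCARD(<field>)`, case_sensitive=False for
    `case_sensitive_match = false`; without WILDCARD the '*' is a literal."""
    if not case_sensitive:
        value, key = value.lower(), key.lower()
    if wildcard:
        # Only '*' is a wildcard; escape the rest so '.' in 'defrag.exe' stays literal.
        pattern = "^" + ".*".join(re.escape(p) for p in key.split("*")) + "$"
        return re.match(pattern, value) is not None
    return value == key

def in_system_dir(image):
    """Approximates the Image!=*Windows\\System32* Image!=*Windows\\SysWOW64* exclusion."""
    low = image.lower()
    return "\\windows\\system32\\" in low or "\\windows\\syswow64\\" in low

def find_relocated_system_files(events, lookup_rows, wildcard=False, case_sensitive=True):
    """Image paths of EventCode=1 events whose filename the lookup flags as a system
    file but which did not run from System32/SysWOW64 (the thread's detection)."""
    hits = []
    for ev in events:
        if ev["EventCode"] != 1 or in_system_dir(ev["Image"]):
            continue
        name = extract_filename(ev["Image"])
        if name and any(row["systemFile"].upper() == "TRUE"
                        and lookup_key_matches(name, row["filename"], wildcard, case_sensitive)
                        for row in lookup_rows):
            hits.append(ev["Image"])
    return hits

# Constructed sample data modelled on the thread: the first lookup row keeps the
# poster's 'defrag.exe*' key; the events are Sysmon process-creation Image values.
LOOKUP_ROWS = [{"filename": "defrag.exe*", "systemFile": "TRUE"},
               {"filename": "calc.exe", "systemFile": "TRUE"}]
EVENTS = [{"EventCode": 1, "Image": r"C:\Users\xxx\Desktop\Defrag.exe"},
          {"EventCode": 1, "Image": r"C:\Users\xxx\Desktop\calc.exe"},
          {"EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe"}]
```

With the defaults only calc.exe is flagged; Defrag.exe is flagged only when both the wildcard match type and case-insensitive matching are on, which is why the poster's CSV key needed either a plain `defrag.exe` or a WILDCARD lookup definition.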

Communicator

Try breaking it down to its crudest search to test results:

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational defrag.exe

Does the crude search actually produce any results? I know it's basic, but I find it helps to start simple and step forward...

0 Karma

Motivator

Thx - I did do that earlier and two events are returned

sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 Image!=*Windows\\System32* Image!=*Windows\\SysWOW64* defrag.exe

0 Karma