Hi
going through sysmon logs I noticed, that the splunkforwarder (version 6.6.3) starts AcroRd32.exe on Windows clients.
Does any one know why? We are not indexing/monitoring the pdfs or the paths where the pdfs are located. Can this be turned off?
This is a sample event:
01/17/2018 03:17:38 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=1
EventType=4
Type=Information
ComputerName=server.domain.org
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
TaskCategory=Process Create (rule: ProcessCreate)
OpCode=Info
RecordNumber=4300197
Keywords=None
Message=Process Create:
UtcTime: 2018-01-17 14:17:34.391
ProcessGuid: {F0E459B7-5AFE-5A5F-0000-00109C69EE2E}
ProcessId: 12428
Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
CommandLine: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\9A5H81Q9\Untitled (28).pdf"
CurrentDirectory: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\
User: DOMAIN\user
LogonGuid: {F0E459B7-F487-5A5E-0000-0020274C0F00}
LogonId: 0xf4c27
TerminalSessionId: 1
IntegrityLevel: Low
Hashes: MD5=F7C513664BD4A9DB4ABBEB2B5E4E01D2,IMPHASH=1439821F22F484CB770EECF65574FF20
ParentProcessGuid: {F0E459B7-4701-5A5F-0000-00102595771B}
ParentProcessId: 11408
ParentImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
ParentCommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2
Regards
Chris
Splunk Support here, feedback from chris in the case:
" there seems to be an issue with
sysmon, not reporting the parent
process correctly sometimes. "
Something to keep in mind I guess when looking at reports from sysmon, if other avenues of research (like checking for malware) don't pan out.
They don't - Suggest you check for malware urgently.
Thx, I have also opened a case with splunk