Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Why do Splunkforwarder Processes Start Acrobat Reader?

chris
Motivator
‎01-24-2018 06:54 AM

Hi

going through sysmon logs I noticed, that the splunkforwarder (version 6.6.3) starts AcroRd32.exe on Windows clients.

Does any one know why? We are not indexing/monitoring the pdfs or the paths where the pdfs are located. Can this be turned off?

This is a sample event:
01/17/2018 03:17:38 PM
LogName=Microsoft-Windows-Sysmon/Operational
SourceName=Microsoft-Windows-Sysmon
EventCode=1
EventType=4
Type=Information
ComputerName=server.domain.org
User=NOT_TRANSLATED
Sid=S-1-5-18
SidType=0
TaskCategory=Process Create (rule: ProcessCreate)
OpCode=Info
RecordNumber=4300197
Keywords=None
Message=Process Create:
UtcTime: 2018-01-17 14:17:34.391
ProcessGuid: {F0E459B7-5AFE-5A5F-0000-00109C69EE2E}
ProcessId: 12428
Image: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
CommandLine: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer "C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\9A5H81Q9\Untitled (28).pdf"
CurrentDirectory: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\
User: DOMAIN\user
LogonGuid: {F0E459B7-F487-5A5E-0000-0020274C0F00}
LogonId: 0xf4c27
TerminalSessionId: 1
IntegrityLevel: Low
Hashes: MD5=F7C513664BD4A9DB4ABBEB2B5E4E01D2,IMPHASH=1439821F22F484CB770EECF65574FF20
ParentProcessGuid: {F0E459B7-4701-5A5F-0000-00102595771B}
ParentProcessId: 11408
ParentImage: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
ParentCommandLine: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2

Regards
Chris

Tags (2)
0 Karma
Reply

mhoogcarspel_sp
Splunk Employee
Splunk Employee
‎01-29-2018 02:08 AM

Splunk Support here, feedback from chris in the case:

" there seems to be an issue with
sysmon, not reporting the parent
process correctly sometimes. "

Something to keep in mind I guess when looking at reports from sysmon, if other avenues of research (like checking for malware) don't pan out.

Reply

nickhills
Ultra Champion
‎01-24-2018 07:49 AM

They don't - Suggest you check for malware urgently.

If my comment helps, please give it a thumbs up!
Reply

chris
Motivator
‎01-24-2018 02:22 PM

Thx, I have also opened a case with splunk

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...