Splunk Enterprise Security

Sysmon query for unauthorized process

frank3nstien
New Member

How can i detect unauthorized sysmon process of Event ID 4 and 255 using splunk query?

0 Karma

larchinal75
Explorer

Good afternoon frank3nstien,

The two events that you are looking at are very rare and only happen under certain circumstances.

Event ID 4: This triggers when the service state has changed. This will fire if you restart the service, shut it down, or any other actions that could be taken upon the service. If you want to find logs regarding this Event ID follow these steps.

While Sysmon is running, go to powershell and type in "services.msc". This will open the list of services currently running on your machine. Find Sysmon and select it. Then click restart. If you want more than one log, repeat the restart action multiple times. Now wait some time then check Splunk for Event ID 4.

Event ID 255: Error: I honestly do not know how to produce this event but again it is a rare event.

I hope this helps! Have a wonderful day!

Resources:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx?i=j

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...