Processes with High Entropy Names

Description

Some malware will launch processes with randomized filenames.


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Security Impact

To avoid detection, malware will often launch malicious code under random filenames and/or paths. In this example, we use Shannon Entropy, provided by the URL Toolbox app, to identify these probable random names and report on them. Files whose names show character patterns a human is unlikely to have chosen are returned.

Alert Volume

Medium

SPL Difficulty

Hard

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Obfuscated Files or Information

MITRE Threat Groups

APT18
APT19
APT28
APT29
APT3
APT32
APT33
APT37
BlackOasis
Cobalt Group
Dark Caracal
Darkhotel
Dust Storm
Elderwood
FIN7
FIN8
Gallmaker
Group5
Honeybee
Lazarus Group
Leafminer
Leviathan
Machete
Magic Hound
MuddyWater
Night Dragon
OilRig
Patchwork
Putter Panda
Silence
Soft Cell
TA505
Threat Group-3390
Tropic Trooper
Turla
menuPass

Kill Chain Phases

Installation

Data Sources

Windows Security
Endpoint Detection and Response

How to Implement

Implementing this search is similar to any of the other searches that require EDR data. In order to use it, we need process launch events. For the demo and live version of this search we use Windows Security Event ID 4688, as it tends to be the most common, but you could apply it to any other data source that shows you launched processes -- just adjust the file path field (NewProcessName) to match, as it is not a CIM field.

Known False Positives

This search looks for potentially randomized filenames using Shannon Entropy. Entropy is a basic measure of randomness, but it tends to become less accurate with longer strings. You should not review these alerts directly (except for access to extremely sensitive systems), but instead use them for context, or to aggregate risk (as mentioned under How To Respond).

How To Respond

When this search returns values, initiate your incident response process and identify the file, path, user and system associated with this alert. Contact the user and system owner to determine whether the activity is authorized, and document whether it is authorized and by whom. If not, the user's credentials may have been used by another party and additional investigation is warranted, as randomized file names on a system may serve as a way to mask malware.

Help

Processes with High Entropy Names Help

This example leverages the Simple Search assistant. Our dataset is a collection of process launch logs (either Sysmon EventCode 1 or Windows Event ID 4688 -- either works). The search then leverages the URL Toolbox app from apps.splunk.com to calculate the entropy of the filename or file path. It takes the filenames with the highest entropy and surfaces them.

SPL for Processes with High Entropy Names

Demo Data

First we pull in our demo dataset. We are filtering here to just process launches in the Users directory, so that we are focusing on what unprivileged users can run (and not getting noise from things like software updates).
Next we use the Shannon Entropy algorithm provided by the free URL Toolbox app to calculate a very basic randomness score for the filename string.
Shannon Entropy gives a numeric score; you will usually want to filter on values above 3.5 or 4.
Finally we use stats to put everything in a convenient table.
And of course we use rename to provide field names that will make sense to analysts.

Live Data

First we pull in our basic dataset, which consists of process launch logs (in this case coming from Windows Security Event ID 4688, but they could come from any source). We are filtering here to just process launches in the Users directory, so that we are focusing on what unprivileged users can run (and not getting noise from things like software updates).
Next we use the Shannon Entropy algorithm provided by the free URL Toolbox app to calculate a very basic randomness score for the filename string.
Shannon Entropy gives a numeric score; you will usually want to filter on values above 4 or 4.5.
Finally we use stats to put everything in a convenient table.
And of course we use rename to provide field names that will make sense to analysts.
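The Demo Data and Live Data steps above describe one pipeline: restrict launches to the Users directory, score the filename with Shannon entropy, keep the launches above a threshold, and tabulate them. As an added example that is not part of this page or of URL Toolbox, here is that pipeline in Python over constructed 4688-style records; the host/user field names, sample paths and the 3.5 default threshold are assumptions chosen to mirror the page, and the docstring spells out why short names can never score high.

```python
import math
import re
from collections import Counter

# Constructed process-launch records shaped like Windows Event ID 4688
# (NewProcessName = full path of the launched image). Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\xk7q2vz9pbt4.exe"},
    {"host": "ws01", "user": "alice", "NewProcessName": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe"},
    {"host": "ws02", "user": "bob", "NewProcessName": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws02", "user": "bob", "NewProcessName": r"C:\Users\bob\Downloads\Qm3ZxR8vL1wPdK0tYbN6.exe"},
    {"host": "ws03", "user": "carol", "NewProcessName": r"C:\Users\carol\Desktop\notes.exe"},
]

USERS_DIR = re.compile(r"^[A-Za-z]:\\Users\\", re.IGNORECASE)

def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character: -sum(p * log2 p) over character
    frequencies. Bounded by log2(len(s)): a short random name cannot score
    high, so the page's 3.5-4.5 thresholds assume names of a dozen+ chars."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())

def filename_of(path: str) -> str:
    """Last path component, accepting either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def high_entropy_launches(events, threshold=3.5):
    """Mirror the page's search: keep launches from a Users directory, score the
    filename stem (extension dropped; '.exe' is common to benign and malicious
    names alike) and return the launches above the threshold."""
    hits = []
    for ev in events:
        path = ev["NewProcessName"]
        if not USERS_DIR.match(path):
            continue  # system and program directories are out of scope here
        name = filename_of(path)
        score = shannon_entropy(name.rsplit(".", 1)[0])
        if score > threshold:
            hits.append({"host": ev["host"], "user": ev["user"], "file": name,
                         "path": path, "entropy": round(score, 3)})
    return hits

if __name__ == "__main__":
    for h in high_entropy_launches(SAMPLE_EVENTS):
        print(f"{h['entropy']:.3f}  {h['host']}  {h['user']}  {h['path']}")
```

Raising the threshold to 4.0, as the Live Data steps suggest, drops the 12-character random name and keeps only the 20-character one, which is the trade-off between volume and miss rate that the Known False Positives section warns about.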