Processes with High Entropy Names

Description

Some malware will launch processes with randomized filenames.

Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Security Impact

To avoid detection, malware will often launch its code under random filenames and/or paths. This example uses Shannon entropy, provided by the URL Toolbox app, to identify names that are probably random and report on them: files whose names show character patterns a human would not have chosen are returned.

Alert Volume

Medium

SPL Difficulty

Hard

Data Availability

Bad

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Obfuscated Files or Information

MITRE Threat Groups

APT29
Chimera
APT32
Gamaredon Group
Dust Storm
Elderwood
Gallmaker
Whitefly
Patchwork
TA505
Cobalt Group
Soft Cell
Group5
Night Dragon
Leafminer
Lazarus Group
APT3
Darkhotel
Molerats
APT19
Turla
Tropic Trooper
Inception
Leviathan
Frankenstein
Wizard Spider
OilRig
APT41
APT-C-36
Rocke
Silence
FIN6
FIN7
BlackOasis
Threat Group-3390
APT18
MuddyWater
Mofang
Machete
menuPass
Honeybee
APT28
APT33
Sandworm Team
Putter Panda
FIN8
Dark Caracal
APT37
Magic Hound
Blue Mockingbird

Kill Chain Phases

Installation

Data Sources

Windows Security
Endpoint Detection and Response

How to Implement

Implementing this search is like implementing any other search that needs EDR data: it requires process launch events. The demo and live versions use Windows Security Event ID 4688 because it is the most commonly available source, but any source that records launched processes works -- just change the file path field (NewProcessName for 4688, Image for Sysmon EventCode 1) to match, since the search does not use a CIM field. Note that 4688 is only generated when Audit Process Creation (Advanced Audit Policy, Detailed Tracking) is enabled; it is not on by default, so check that the events actually exist before relying on this search.

Known False Positives

This search flags potentially randomized filenames using Shannon entropy. Entropy is a crude measure of randomness that tends to become less accurate with longer strings, and legitimate installers and updaters also drop executables with GUID- or hash-style names under AppData\Local\Temp, so expect benign hits. You should not review these alerts one by one (except for extremely sensitive systems); instead use them as context for other findings, or to aggregate risk, as described under How To Respond.

How To Respond

When this search returns results, initiate your incident response process and identify the file, path, user and system associated with the alert. Contact the user and the system owner to determine whether the launch was authorized, and document whether it was and by whom. If it was not, the user's credentials may have been used by another party and further investigation is warranted, since randomized file names on a system are a common way to mask malware.

Help

Processes with High Entropy Names Help

This example uses the Simple Search assistant. The dataset is a collection of process launch logs (Sysmon EventCode 1 or Windows Event ID 4688; either works). The search then uses the URL Toolbox app from apps.splunk.com to compute the entropy of the filename or file path, and surfaces the filenames with the highest entropy.

SPL for Processes with High Entropy Names

Demo Data

First we pull in our demo dataset. We filter to process launches from under the Users directory, so that we focus on what unprivileged users can run (and avoid noise from things like software updates).
Next we use the Shannon entropy algorithm provided by the free URL Toolbox app to calculate a very basic randomness score for the filename.
Shannon entropy gives a numeric score; you will usually want to filter on values above 3.5 or 4.
Finally we use stats to put everything in a convenient table.
And of course we use rename to provide field names that will make sense to analysts.

Live Data

First we pull in our basic dataset, which consists of process launch logs (in this case from Windows Security Event ID 4688, but any source will do). We filter to process launches from under the Users directory, so that we focus on what unprivileged users can run (and avoid noise from things like software updates).
Next we use the Shannon entropy algorithm provided by the free URL Toolbox app to calculate a very basic randomness score for the filename.
Shannon entropy gives a numeric score; you will usually want to filter on values above 4 or 4.5.
Finally we use stats to put everything in a convenient table.
And of course we use rename to provide field names that will make sense to analysts.
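The steps described for the demo and live searches above, replayed in Python as an added example (this is not the page's SPL and not the URL Toolbox app's code): keep 4688 launches from under \Users\, score the file name with Shannon entropy, drop anything under the threshold, and group the survivors the way the stats step does. It assumes the URL Toolbox ut_shannon macro computes standard Shannon entropy in bits per character (log base 2) over the string it is handed; the events, hosts, users and paths below are constructed for the example, not captured data.

```python
"""Added example, not the page's SPL and not URL Toolbox code.

Replays the search described on this page: take Windows Security Event ID
4688 process launches, keep only those under \\Users\\, score the file name
with Shannon entropy, drop anything under a threshold, and group the rest
the way the page's `stats` step does.

Assumption: the URL Toolbox `ut_shannon` macro computes standard Shannon
entropy in bits per character (log base 2) of the string it is given.
The events below are constructed for this example, not real captures.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed 4688-style launches as (host, Account_Name, NewProcessName).
SAMPLE_EVENTS = [
    ("WS01", "alice", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("WS01", "alice", r"C:\Users\alice\Downloads\invoice.exe"),
    ("WS02", "bob",   r"C:\Users\bob\AppData\Local\Temp\x9q2kz7vwm4tlbrd.exe"),
    ("WS02", "bob",   r"C:\Users\bob\AppData\Local\Temp\x9q2kz7vwm4tlbrd.exe"),
    ("WS03", "carol", r"C:\Users\carol\AppData\Roaming\kf83hs72dmv1ypqa.exe"),
    ("WS04", "dave",  r"C:\Windows\System32\svchost.exe"),                      # not under \Users\
    ("WS05", "erin",  r"C:\Program Files\Google\Chrome\Application\chrome.exe"),  # not under \Users\
]

# Mirrors the page's first step: only launches from a user profile directory.
USERS_DIR = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)


def shannon_entropy(s: str) -> float:
    """H(s) = -sum(p_c * log2(p_c)) over the characters of s, in bits per
    character. 0 for an empty or single-symbol string; the maximum is
    log2(number of distinct characters), so short names cannot score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def file_name(path: str) -> str:
    """Last path component, e.g. 'x9q2kz7vwm4tlbrd.exe'. Scoring the file
    name rather than the whole path keeps long but benign directory names
    from inflating the score."""
    return path.rsplit("\\", 1)[-1]


def high_entropy_processes(events, threshold=3.5):
    """Return one row per file name whose entropy is >= threshold, sorted by
    entropy descending: the 'stats count, values(user), values(host) by file'
    table the page describes, with the score attached."""
    groups = defaultdict(lambda: {"count": 0, "users": set(), "hosts": set()})
    for host, user, path in events:
        if not USERS_DIR.match(path):
            continue
        name = file_name(path)
        score = shannon_entropy(name)
        if score < threshold:
            continue
        g = groups[name]
        g["count"] += 1
        g["users"].add(user)
        g["hosts"].add(host)
        g["entropy"] = round(score, 3)
    rows = [
        {"file": name, "entropy": g["entropy"], "count": g["count"],
         "users": sorted(g["users"]), "hosts": sorted(g["hosts"])}
        for name, g in groups.items()
    ]
    return sorted(rows, key=lambda r: (-r["entropy"], r["file"]))


if __name__ == "__main__":
    # Demo-data threshold from the page; raise it to 4 or 4.5 on live data.
    for row in high_entropy_processes(SAMPLE_EVENTS, threshold=3.5):
        print(row)
```

With the demo threshold of 3.5 the two random-looking names (scores just over 4.1 and 4.2 bits per character) are returned and OneDrive.exe and invoice.exe (under 3 bits) are not; at the live threshold of 4.5 nothing in this sample is returned, which is the trade-off the two threshold ranges on the page describe.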