Fake Windows Processes

Description

This example finds processes whose image name normally runs from Windows\System32 or Windows\SysWOW64, but which are running from some other location. This can indicate a malicious process trying to hide as a legitimate one.


Use Case

Advanced Threat Detection

Category

Endpoint Compromise

Alert Volume

Low

SPL Difficulty

Medium

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Masquerading

MITRE Threat Groups

APT1
APT32
APT41
BRONZE BUTLER
Carbanak
Dragonfly 2.0
FIN6
FIN7
Ke3chang
MuddyWater
PLATINUM
Patchwork
Poseidon Group
Scarlet Mimic
Soft Cell
Sowbug
TEMP.Veles
admin@338
menuPass

Kill Chain Phases

Installation

Data Sources

Windows Security
Endpoint Detection and Response

How to Implement

This use case requires one of two data sources. Option one is to have Sysmon installed on the endpoints you wish to monitor and the Sysmon add-on installed on both the Splunk forwarders and the search heads. Option two is to have your AD administrator enable Process Tracking (Audit Process Creation, Event ID 4688) in your Windows audit policy, so that the Windows Security log records process launches.

Known False Positives

None at the moment

How To Respond

When this search fires, start your incident response process and investigate the process: confirm where the binary on disk came from, check its hash and signature, and review the parent process and any child processes or network connections it produced.

Help

Fake Windows Processes Help

This use case looks for system processes that normally run out of Windows\System32 or Windows\SysWOW64, but are running from some other location. This can indicate a malicious process that is trying to hide as a legitimate process. Ransomware often spawns processes that use a legitimate process name as a disguise.

SPL for Fake Windows Processes

Demo Data

First we load our basic demo data.
Next we look for any process launches (Sysmon EventCode 1) that are not being launched from the standard Windows x86 or x64 system directories.
To see whether those filenames are typically associated with Windows processes, we need the filename alone. The rex command lets us extract it with a relatively simple regex (Splunk has other mechanisms as well).
Now that we have our filenames, we look them up. Splunk can look up data in a CSV file through the lookup command: it takes the filename we just extracted, looks it up in the CSV file, and adds any new fields to the event.
The field returned by the lookup is "systemFile", so we can now search for events where systemFile is true.
Finally we pull out all the filenames and put them into a usable format via the table command.

Live Data

First we load our Windows process launch logs (Event ID 4688), or any Sysmon process launch logs (EventCode 1). We look for any process launches that are not being launched from the standard Windows x86 or x64 system directories.
Because we have two different data sources, each with its own field name for the process path, we use eval to combine them into one field. (Splunk's Common Information Model makes this much easier and more automatic.)
To see whether those filenames are typically associated with Windows processes, we need the filename alone. The rex command lets us extract it with a relatively simple regex (Splunk has other mechanisms as well).
Now that we have our filenames, we look them up. Splunk can look up data in a CSV file through the lookup command: it takes the filename we just extracted, looks it up in the CSV file, and adds any new fields to the event.
The field returned by the lookup is "systemFile", so we can now search for events where systemFile is true.
Finally we pull out all the filenames and put them into a usable format via the table command.
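The pipeline described in both the demo-data and live-data steps above, carried out in Python over a handful of constructed events so the logic can be run and checked offline. This is an added example, not the page's own SPL and not Splunk Security Essentials code: the field names New_Process_Name (4688) and Image (Sysmon), the sample paths, and the inline CSV standing in for the lookup file are assumptions made for the example. Each step is commented with the Splunk command it mirrors.

```python
import csv
import io
import re

# Constructed sample events, shaped like the field/value pairs Splunk would
# extract from a Windows Security 4688 event and a Sysmon EventCode 1 event.
# Hosts, paths and binaries are made up for this example.
SAMPLE_EVENTS = [
    {"EventCode": "4688", "New_Process_Name": r"C:\Windows\System32\svchost.exe"},
    {"EventCode": "4688", "New_Process_Name": r"C:\Users\Public\svchost.exe"},
    {"EventCode": "1", "Image": r"C:\Windows\SysWOW64\cmd.exe"},
    {"EventCode": "1", "Image": r"C:\ProgramData\update\lsass.exe"},
    {"EventCode": "1", "Image": r"C:\Program Files\Vendor\vendorapp.exe"},
    {"EventCode": "4624", "New_Process_Name": r"C:\Users\Public\lsass.exe"},  # not a launch
]

# Constructed stand-in for the lookup CSV (filename -> systemFile flag).
SYSTEM_FILES_CSV = """filename,systemFile
svchost.exe,true
lsass.exe,true
cmd.exe,true
explorer.exe,true
"""

# "not launched from the standard system directories" (the search filter)
SYSTEM_DIR_RE = re.compile(r"\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)
# rex: keep everything after the last backslash as the bare filename
FILENAME_RE = re.compile(r"(?P<filename>[^\\]+)$")


def load_lookup(csv_text):
    """Build the filename -> systemFile map that the lookup command consults.

    Filenames are lower-cased here; in Splunk the equivalent is a lookup
    definition with case_sensitive_match=false (or lower() on both sides).
    """
    return {
        row["filename"].lower(): row["systemFile"].strip().lower() == "true"
        for row in csv.DictReader(io.StringIO(csv_text))
    }


def find_fake_system_processes(events, lookup):
    """Return launches whose filename is a system file but whose path is not a system dir."""
    hits = []
    for ev in events:
        # Step 1: only process-launch events (4688 or Sysmon EventCode 1).
        if ev.get("EventCode") not in ("4688", "1"):
            continue
        # Step 2: eval coalesce of the two schemas' process-path fields.
        path = ev.get("New_Process_Name") or ev.get("Image")
        if not path:
            continue
        # Step 3: drop launches from Windows\System32 or Windows\SysWOW64.
        if SYSTEM_DIR_RE.search(path):
            continue
        # Step 4: rex, extract the bare filename.
        filename = FILENAME_RE.search(path).group("filename").lower()
        # Step 5: lookup, then search systemFile=true.
        if lookup.get(filename):
            # Step 6: table, keep only the fields an analyst needs.
            hits.append({"filename": filename, "path": path})
    return hits


if __name__ == "__main__":
    for hit in find_fake_system_processes(SAMPLE_EVENTS, load_lookup(SYSTEM_FILES_CSV)):
        print(f"{hit['filename']:<12} {hit['path']}")
```

Note that the match is on the filename alone, so a vendor product that ships its own copy of a system binary under Program Files would fire just like the masquerading cases; the path returned by the table step is what lets an analyst tell the two apart.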