Calculating process duration using Carbon Black and Splunk
Update: See "An easier method of finding duration of processes" to simplify this.
I came across this interesting tweet from @subTee that got me interested in not just this TTP but looking at process durations in general. That could be a good method to have in the toolbox.
It makes sense that userinit.exe should not run for long, so I looked to see how I could calculate the duration using Carbon Black process logs. One method of calculating values where you need timestamps from two different events is to use the Splunk streamstats command, but I try to avoid it because it can be slow. Luckily Carbon Black emits an event for both process start and process stop, each carrying its own timestamp, so I just needed to get the two together in one result row.
field name "type" contains process start or process stop
field name process_guid contains the unique id for the process
Calculate the duration of the process
Breakdown:
The values(type) collects the start and stop event types into a multi-value field so that I get both, and I verify that both are present with mvcount(types).
The values(_time) collects the timestamp of both events into a multi-value field.
The first two eval statements pull out the start and end times using the mvindex command.
The final eval calculates the duration of the process in seconds.
It turned out great and runs fast since it uses stats.
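The same start/stop pairing logic, written out in Python over a constructed sample of Carbon Black-style process events (this is an added illustration, not the original Splunk search; the literal "type" strings, guids and names are made up, and the long-running threshold is an assumed parameter):

```python
from collections import defaultdict

# Constructed sample in the shape of Carbon Black process events as seen in
# Splunk: a "type" field (start or stop), a process_guid and a Unix _time.
# The literal type strings, guids and process names are made up for this example.
SAMPLE_EVENTS = [
    {"type": "process start", "process_guid": "guid-0001", "process_name": "userinit.exe", "_time": 1700000000},
    {"type": "process stop", "process_guid": "guid-0001", "process_name": "userinit.exe", "_time": 1700000003},
    {"type": "process start", "process_guid": "guid-0002", "process_name": "userinit.exe", "_time": 1700000100},
    {"type": "process stop", "process_guid": "guid-0002", "process_name": "userinit.exe", "_time": 1700007300},
    # A process that is still running: only a start event has arrived so far.
    {"type": "process start", "process_guid": "guid-0003", "process_name": "powershell.exe", "_time": 1700000200},
]


def process_durations(events, start_type="process start", stop_type="process stop"):
    """Group events by process_guid (the stats ... by process_guid step),
    keep only guids that carry both a start and a stop (the mvcount check),
    and return {guid: {"process_name": ..., "duration": seconds}}."""
    grouped = defaultdict(lambda: {"types": set(), "times": {}, "process_name": None})
    for ev in events:
        g = grouped[ev["process_guid"]]
        g["types"].add(ev["type"])
        g["times"][ev["type"]] = ev["_time"]
        g["process_name"] = ev.get("process_name", g["process_name"])

    durations = {}
    for guid, g in grouped.items():
        # Equivalent of mvcount(types) == 2: a lone start means the process is
        # still running (or its stop event has not been indexed yet), so no
        # duration can be computed for it and it is skipped.
        if not {start_type, stop_type} <= g["types"]:
            continue
        durations[guid] = {
            "process_name": g["process_name"],
            "duration": g["times"][stop_type] - g["times"][start_type],
        }
    return durations


def long_running(durations, process_name, threshold_seconds):
    """Return guids of `process_name` instances that ran longer than
    `threshold_seconds` (an assumed hunting threshold), longest first."""
    hits = [(guid, d["duration"]) for guid, d in durations.items()
            if d["process_name"].lower() == process_name.lower()
            and d["duration"] > threshold_seconds]
    return [guid for guid, _ in sorted(hits, key=lambda h: -h[1])]
```

Unlike the mvindex approach, this pairs timestamps by event type rather than by position in the multi-value field, which also holds up if a stop event happens to be indexed before its start.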
The next pivot was to think about what a long-running userinit might be doing. If it was doing C2 then I could easily look for netconn events from that process. That is a simple signature so I won't add it here, but I can tell you that userinit is very quiet network-wise, so if it is used for that I will see it.
Now that I have the search down I can watch durations for powershell, wscript, cscript and others.
-Good hunting