Ad slot: top
GoSplunk SPL + dashboard repository
Log in Register

SPL

Sysmon - Find Processes with Renamed Executables

Uncategorized

Description

Submitted by jwalzer

0 0 
index=* sourcetype="xmlwineventlog:microsoft-windows-sysmon/operational" EventCode=1 | rex field=Image "[\\\/](?<filename>[^\\\/]*)$" | eval filename=lower(filename)| stats dc(filename) as NumFilenames values(filename) as Filenames values(Image) as Images by Hashes | where NumFilenames>1

Comments

0 total

Be the first to comment on this SPL.

Leave a comment

You must log in to post a comment.

Ad slot: bottom