The goal of this script is to make the same checks as the malprocfind plugin, but on logs generated by Sysmon.
The input is a CSV file with the columns time, ProcessId, ParentCommandLine, ParentImage, process, CurrentDirectory, CommandLine, SecurityID, TerminalSessionId.
The input file can be generated by Splunk:
- Ingest the Sysmon logs into Splunk with a good parser
- Search in Splunk: index=sysmon-test | table _time, Computer, ProcessId, ParentCommandLine, ParentImage, process, CurrentDirectory, CommandLine, SecurityID, TerminalSessionId
- Export the result as a CSV file
- Run: python2 mainLoic.py test.csv
It first searches for the usual Windows executables (as in the SANS "Find Evil" poster) and checks that they run from their expected path and under their expected parent. Then it searches for typosquatting, to find look-alike names such as scvhost.exe or ssms.exe.
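The following is an added Python 3 example of the two checks described above, written for this page; it is not the project's mainLoic.py. It reads a CSV with the column header the Splunk search produces, compares known core Windows processes against an assumed table of expected image path and parent image (an illustrative subset in the spirit of the Find Evil poster, not a complete rule set), and flags names that are within two edits of a known name as possible typosquats. The CSV rows are constructed for the example.

```python
import csv
import io
import ntpath

# Illustrative subset of core Windows processes with the image path and parent
# image they are expected to have (assumed here, modelled on the SANS "Find
# Evil" poster; a real rule set would be longer and per Windows version).
# A parent of None means the parent is usually gone or is not a real image
# (e.g. the System process), so the parent check is skipped for that entry.
KNOWN_PROCESSES = {
    "smss.exe":     (r"c:\windows\system32\smss.exe",     "system"),
    "csrss.exe":    (r"c:\windows\system32\csrss.exe",    None),
    "wininit.exe":  (r"c:\windows\system32\wininit.exe",  None),
    "winlogon.exe": (r"c:\windows\system32\winlogon.exe", None),
    "services.exe": (r"c:\windows\system32\services.exe", "wininit.exe"),
    "lsass.exe":    (r"c:\windows\system32\lsass.exe",    "wininit.exe"),
    "svchost.exe":  (r"c:\windows\system32\svchost.exe",  "services.exe"),
    "explorer.exe": (r"c:\windows\explorer.exe",          None),
}

# Edit distance at or below which an unknown name counts as a look-alike.
# 2 catches transpositions (scvhost) and one-letter drops (ssms vs smss);
# raising it trades more catches for more false positives.
TYPO_MAX_DISTANCE = 2


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path):
    """Lower-cased file name of a Windows path ('' if the field is empty)."""
    return ntpath.basename(path.replace("/", "\\")).strip().lower()


def check_row(row):
    """Return the list of findings for one Sysmon ProcessCreate row."""
    findings = []
    image = row.get("process", "")
    name = basename(image)
    parent = basename(row.get("ParentImage", ""))
    if name in KNOWN_PROCESSES:
        expected_path, expected_parent = KNOWN_PROCESSES[name]
        if image.replace("/", "\\").strip().lower() != expected_path:
            findings.append("unexpected path for %s: %s" % (name, image))
        if expected_parent is not None and parent != expected_parent:
            findings.append("unexpected parent for %s: %s" % (name, parent or "<none>"))
    elif name:
        # Not a known core name: is it within a couple of edits of one?
        for known in KNOWN_PROCESSES:
            if 0 < levenshtein(name, known) <= TYPO_MAX_DISTANCE:
                findings.append("possible typosquat of %s: %s" % (known, name))
    return findings


def scan(csv_text):
    """Map ProcessId -> findings for every row of the CSV export that has any."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = check_row(row)
        if findings:
            results[row["ProcessId"]] = findings
    return results


# Constructed sample export with the header the Splunk search in this README
# produces: one clean svchost, one svchost from a user temp folder under
# explorer, a scvhost look-alike, an lsass spawned by cmd, and a plain notepad.
SAMPLE_CSV = r"""
_time,Computer,ProcessId,ParentCommandLine,ParentImage,process,CurrentDirectory,CommandLine,SecurityID,TerminalSessionId
2020-01-01T10:00:01,WS01,812,C:\Windows\system32\services.exe,C:\Windows\System32\services.exe,C:\Windows\System32\svchost.exe,C:\Windows\system32\,svchost.exe -k netsvcs,S-1-5-18,0
2020-01-01T10:05:12,WS01,4120,C:\Windows\explorer.exe,C:\Windows\explorer.exe,C:\Users\bob\AppData\Local\Temp\svchost.exe,C:\Users\bob\,svchost.exe,S-1-5-21-1000,1
2020-01-01T10:05:40,WS01,4130,C:\Windows\system32\services.exe,C:\Windows\System32\services.exe,C:\Windows\System32\scvhost.exe,C:\Windows\system32\,scvhost.exe -k netsvcs,S-1-5-18,0
2020-01-01T10:06:03,WS01,612,cmd.exe,C:\Windows\System32\cmd.exe,C:\Windows\System32\lsass.exe,C:\Windows\system32\,lsass.exe,S-1-5-18,0
2020-01-01T10:07:30,WS01,5000,C:\Windows\explorer.exe,C:\Windows\explorer.exe,C:\Windows\System32\notepad.exe,C:\Users\bob\,notepad.exe,S-1-5-21-1000,1
""".strip()


if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_CSV).items():
        for finding in findings:
            print("PID %s: %s" % (pid, finding))
```

Run against the sample, the script reports the svchost.exe in the user's Temp folder twice (wrong path and wrong parent), scvhost.exe as a look-alike of svchost.exe, and lsass.exe as having cmd.exe rather than wininit.exe as its parent; the clean svchost.exe and notepad.exe produce nothing. To use it on a real export, pass the file contents to scan() instead of SAMPLE_CSV and extend KNOWN_PROCESSES for the Windows versions in your environment.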