| ID | Technique | Tactic |
|---|---|---|
| T1204 | User Execution | Execution |
Detection: Detect Rare Executables
Description
The following analytic detects the execution of rare processes that appear only once across the network within a specified timeframe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This activity is significant for a SOC as it helps identify potentially malicious activities or unauthorized software, which could indicate a security breach or ongoing attack. If confirmed malicious, such rare processes could lead to data theft, privilege escalation, or complete system compromise, making early detection crucial for minimizing impact. The search currently identifies processes executed on fewer than 10 hosts, but this threshold can be adjusted based on the organization's environment and risk tolerance. The search groups results by process name which can lead to blind spots if a malicious process uses a common name. To mitigate this, consider enhancing the detection logic to group by additional attributes such as process hash.
Search
1
2| tstats `security_content_summariesonly`
3 dc(Processes.dest) as dc_dest
4 values(Processes.dest) as dest
5 values(Processes.user) as user
6 min(_time) as firstTime
7 max(_time) as lastTime
8 latest(Processes.action) as action
9 values(Processes.original_file_name) as original_file_name
10 values(Processes.parent_process) as parent_process
11 values(Processes.parent_process_exec) as parent_process_exec
12 latest(Processes.parent_process_guid) as parent_process_guid
13 latest(Processes.parent_process_id) as parent_process_id
14 values(Processes.parent_process_name) as parent_process_name
15 values(Processes.parent_process_path) as parent_process_path
16 values(Processes.process) as process
17 values(Processes.process_exec) as process_exec
18 latest(Processes.process_guid) as process_guid
19 values(Processes.process_hash) as process_hash
20 values(Processes.process_path) as process_path
21 latest(Processes.process_id) as process_id
22 latest(Processes.process_integrity_level) as process_integrity_level
23 latest(Processes.user_id) as user_id
24 latest(Processes.vendor_product) as vendor_product
25from datamodel=Endpoint.Processes
26by Processes.process_name
27
28| `drop_dm_object_name(Processes)`
29
30| search dc_dest < 10
31
32| `security_content_ctime(firstTime)`
33
34| `security_content_ctime(lastTime)`
35
36| `detect_rare_executables_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | Other | 'crowdstrike:events:sensor' |
'crowdstrike' |
| Sysmon EventID 1 |  Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
| Windows Event Log Security 4688 | Windows |
'XmlWinEventLog' |
'XmlWinEventLog:Security' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| detect_rare_executables_filter | search * |
detect_rare_executables_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Installation
DE.AE
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Processes node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
Known False Positives
Some legitimate processes may be only rarely executed in your environment. Apply additional filters as needed.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
A rare process - [$process_name$] has been detected on less than 10 hosts on $dest$.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 25 | process_name |
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 11