ID | Technique | Tactic |
---|---|---|
T1204.002 | Malicious File | Execution |
T1036.008 | Masquerade File Type | Defense Evasion |
Detection: Suspicious Process Executed From Container File
Description
The following analytic identifies a suspicious process executed from within common container/archive file types such as ZIP, ISO, IMG, and others. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line executions. This activity is significant as it is a common technique used by adversaries to execute scripts or evade defenses. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or persist within the environment, posing a significant security risk.
Search
```spl
| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process IN ("*.ZIP\\*","*.ISO\\*","*.IMG\\*","*.CAB\\*","*.TAR\\*","*.GZ\\*","*.RAR\\*","*.7Z\\*") AND Processes.action="allowed" by Processes.dest Processes.parent_process Processes.process Processes.user
| `drop_dm_object_name(Processes)`
| regex process="(?i).*(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z)\\\\.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX|HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH)\"?$"
| rex field=process "(?i).+\\\\(?<file_name>[^\\\]+\.(ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z))\\\\((.+\\\\)+)?(?<process_name>.+\.(BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX|HTM|HTML|ISU|JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH))\"?$"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `suspicious_process_executed_from_container_file_filter`
```
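As an added illustration (not code from the page or from the Splunk security content project), the three filtering stages of the search above are re-implemented in plain Python so the two regexes can be exercised against constructed command lines; it also shows why the tstats prefilter matters, since the regex gate on its own would accept a benign path such as `...\7-Zip\7z.exe`. It assumes the tstats wildcard match is case-insensitive and that Python's `re` engine agrees with Splunk's PCRE on these patterns.

```python
import re

CONTAINER_EXT = r"ZIP|ISO|IMG|CAB|TAR|GZ|RAR|7Z"
EXEC_EXT = (r"BAT|BIN|CAB|CMD|COM|CPL|EX_|EXE|GADGET|INF1|INS|INX|HTM|HTML|ISU|"
            r"JAR|JOB|JS|JSE|LNK|MSC|MSI|MSP|MST|PAF|PIF|PS1|REG|RGS|SCR|SCT|"
            r"SHB|SHS|U3P|VB|VBE|VBS|VBSCRIPT|WS|WSF|WSH")


def prefilter(process: str) -> bool:
    """Stage 1: tstats ... where Processes.process IN ("*.ZIP\\*", ...).
    A wildcard substring match; assumed case-insensitive, as Splunk wildcards are."""
    low = process.lower()
    return any(f".{ext.lower()}\\" in low for ext in CONTAINER_EXT.split("|"))


# Stage 2: the `regex process=` gate. A container name, a backslash, then a file
# with an executable-style extension, optionally followed by a closing quote.
GATE_RE = re.compile(rf"(?i).*({CONTAINER_EXT})\\.+\.({EXEC_EXT})\"?$")

# Stage 3: the `rex` that names the container (file_name) and the launched file
# (process_name); [^\\]+ limits file_name to a single path component.
EXTRACT_RE = re.compile(
    rf"(?i).+\\(?P<file_name>[^\\]+\.({CONTAINER_EXT}))\\"
    rf"((.+\\)+)?(?P<process_name>.+\.({EXEC_EXT}))\"?$"
)


def gate_only(process: str) -> bool:
    """Stage 2 on its own, to show what the prefilter rules out."""
    return GATE_RE.search(process) is not None


def evaluate(process: str):
    """Return (file_name, process_name) if the command line would survive all
    three stages of the search, otherwise None."""
    if not prefilter(process) or not gate_only(process):
        return None
    m = EXTRACT_RE.search(process)
    return (m["file_name"], m["process_name"]) if m else None


# Constructed sample command lines; none comes from a real incident.
SAMPLES = [
    r'"C:\Users\bob\AppData\Local\Temp\Temp1_invoice.zip\invoice.pdf.exe"',
    r"C:\Users\bob\Downloads\tools.iso\bin\setup.exe",
    r"C:\Program Files\7-Zip\7z.exe",  # passes the regex gate alone: "Zip\" but no ".ZIP\"
    r"C:\Windows\System32\cmd.exe",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:75} gate_only={gate_only(s)} result={evaluate(s)}")
```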
Data Source
Name | Platform | Sourcetype | Source | Supported App |
---|---|---|---|---|
CrowdStrike ProcessRollup2 | N/A | 'crowdstrike:events:sensor' | 'crowdstrike' | N/A |
Macros Used
Name | Value |
---|---|
security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
suspicious_process_executed_from_container_file_filter | search * |
suspicious_process_executed_from_container_file_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Notable | Yes |
Rule Title | %name% |
Rule Description | %description% |
Notable Event Fields | user, dest |
Creates Risk Event | True |
Implementation
The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the Processes node of the Endpoint data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
Known False Positives
Various business process or userland applications and behavior.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message | Risk Score | Impact | Confidence |
---|---|---|---|
A suspicious process $process_name$ was launched from $file_name$ on $dest$. | 16 | 80 | 20 |
References
- https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations
- https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | xmlwineventlog |
Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational | xmlwineventlog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively, you can replay a dataset into a Splunk Attack Range.
Source: GitHub | Version: 2