This search looks for process names that consist only of a single letter.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint- Datasource: Splunk Add-on for Sysmon
- Last Updated: 2020-12-08
- Author: David Dorsey, Splunk
- ID: a4214f0b-e01c-41bc-8cc4-d2b71e3056b4
Kill Chain Phase
- Actions on Objectives
- CIS 2
1 2 3 4 5 6 7 8 9 | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes by Processes.dest, Processes.user, Processes.process, Processes.process_name | `drop_dm_object_name(Processes)` | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | eval process_name_length = len(process_name), endExe = if(substr(process_name, -4) == ".exe", 1, 0) | search process_name_length=5 AND endExe=1 | table count, firstTime, lastTime, dest, user, process, process_name | `single_letter_process_on_endpoint_filter`
The SPL above uses the following Macros:
Note that single_letter_process_on_endpoint_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
How To Implement
You must be ingesting data that records process activity from your hosts to populate the Endpoint data model in the Processes node. You must also be ingesting logs with both the process name and command line from your endpoints. The command-line arguments are mapped to the “process” field in the Endpoint data model.
Known False Positives
Single-letter executables are not always malicious. Investigate this activity with your normal incident-response process.
Associated Analytic story
|63.0||70||90||A suspicious process $process_name$ with single letter in host $dest$|
source | version: 3