This search looks for command lines whose length is unusual for the host that ran them: it computes the average and standard deviation of command-line length per host and flags any process whose command line exceeds the host's average by more than three standard deviations. Command lines that are extremely long may be indicative of malicious activity on your hosts.
- Type: Anomaly
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2020-12-08
- Author: David Dorsey, Splunk
- ID: c77162d3-f93c-45cc-80c8-22f6a4264e7f
```
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name Processes.process
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| eval processlen=len(process)
| eventstats stdev(processlen) as stdev, avg(processlen) as avg by dest
| stats max(processlen) as maxlen, values(stdev) as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process
| `unusually_long_command_line_filter`
| eval threshold = 3
| where maxlen > ((threshold*stdevperhost) + avgperhost)
```
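The following is an added example, not part of the Splunk detection or its repository, that re-implements the search's per-host test in Python over a constructed set of process events so the threshold behaviour can be inspected offline. The hostnames, users and command lines are made up; the only assumption about Splunk is that its `stdev()` is the sample standard deviation, which `statistics.stdev` also computes. Besides reproducing the `where` clause, it shows a consequence of using mean plus three sample standard deviations: a host with fewer than 11 processes in the search window can never produce a hit, because the largest z-score any single value can reach in a sample of n is (n-1)/sqrt(n).

```python
"""Per-host mean + 3*stdev command-line-length test, mirroring the SPL search above.
Added example with constructed data; not the detection's own code."""
import math
import statistics
from collections import defaultdict

THRESHOLD = 3  # same value as `eval threshold = 3` in the search

# Constructed sample command lines (hypothetical hosts and users), shaped like the
# Endpoint.Processes fields the search groups on: dest, user, process_name, process.
BASELINE_CMDS = [
    "explorer.exe",
    "cmd.exe /c whoami",
    "svchost.exe -k netsvcs -p",
    "chrome.exe --type=renderer",
    r"notepad.exe C:\Users\alice\notes.txt",
    "taskhostw.exe",
    "conhost.exe 0x4",
    "ipconfig.exe /all",
    "net.exe user",
    "tasklist.exe /v",
    "whoami.exe /groups",
    "msedge.exe --type=utility",
]
# Stand-in for an encoded PowerShell payload (600 filler characters, not real base64).
ENCODED_PS = "powershell.exe -nop -w hidden -enc " + "A" * 600


def _events(dest, user, cmds):
    return [{"dest": dest, "user": user, "process_name": c.split()[0], "process": c}
            for c in cmds]


EVENTS = (
    # 13 processes on ws01: enough events for the outlier to cross the threshold
    _events("ws01", "alice", BASELINE_CMDS + [ENCODED_PS])
    # 4 processes on ws02: the same outlier, but too few events for it to ever fire
    + _events("ws02", "bob", BASELINE_CMDS[:3] + [ENCODED_PS])
)


def host_baselines(events):
    """`eventstats stdev(processlen) as stdev, avg(processlen) as avg by dest`.
    A host with a single event has no stdev (null in SPL), so its where clause is false."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["dest"]].append(len(e["process"]))
    return {
        dest: (statistics.mean(lens), statistics.stdev(lens) if len(lens) > 1 else None)
        for dest, lens in by_host.items()
    }


def detect(events, threshold=THRESHOLD):
    """Return the (dest, user, process_name, process) groups that satisfy the final
    `where maxlen > threshold*stdevperhost + avgperhost`. Because the search groups by
    the full command line, max(processlen) within a group is simply len(process)."""
    baselines = host_baselines(events)
    hits, seen = [], set()
    for e in events:
        key = (e["dest"], e["user"], e["process_name"], e["process"])
        if key in seen:
            continue
        seen.add(key)
        avg, stdev = baselines[e["dest"]]
        if stdev is not None and len(e["process"]) > threshold * stdev + avg:
            hits.append(key)
    return hits


def min_events_for_threshold(threshold=THRESHOLD):
    """Smallest number of processes a host needs before any one command line can be
    flagged: with the sample standard deviation, one point out of n can reach at most
    a z-score of (n-1)/sqrt(n), so hosts with fewer events are blind spots."""
    n = 2
    while (n - 1) / math.sqrt(n) <= threshold:
        n += 1
    return n


if __name__ == "__main__":
    for dest, user, name, cmd in detect(EVENTS):
        print(f"Unusually long command line {name} on {dest} (user {user}, {len(cmd)} chars)")
    print("a host needs at least", min_events_for_threshold(), "processes before anything can fire")
```

Running it flags only the encoded PowerShell on ws01; the identical command line on ws02 is not flagged, since four events cannot produce a z-score above 1.5 regardless of how long one of them is. When deploying the search, lengthen the time window or exclude sparsely populated hosts rather than lowering the threshold.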
Associated Analytic Story
- Suspicious Command-Line Executions
- Unusual Processes
- Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
How To Implement
You must be ingesting endpoint data that tracks process activity, including parent-child relationships, from your endpoints to populate the Processes node of the Endpoint data model. The command-line arguments are mapped to the process field in the Endpoint data model. The average and standard deviation are computed per host (dest) over the search window, so the threshold adapts to each host's own baseline; hosts that contribute only a handful of process events in the window will have an unstable standard deviation and are unlikely to produce results.
Kill Chain Phase
- Actions on Objectives
Known False Positives
Some legitimate applications start with long command lines, for example installers, Java-based services and browser child processes. Add exclusions for known-good process names or hosts to the `unusually_long_command_line_filter` macro rather than lowering the threshold.
| Risk Score | Impact | Confidence | Message |
| --- | --- | --- | --- |
| 42.0 | 70 | 60 | Unusually long command line $process_name$ on $dest$ |
- Version: 5