Suspicious Command-Line Executions
Description
Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques–one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2020-02-03
- Author: Bhavin Patel, Splunk
- ID: f4368ddf-d59f-4192-84f6-778ac5a3ffc7
Narrative
The ability to execute arbitrary commands via the Windows CLI is a primary goal for the adversary. With access to the shell, an attacker can easily run scripts and interact with the target system. Often, attackers may only have limited access to the shell or may obtain access in unusual ways. In addition, malware may execute and interact with the CLI in ways that would be considered unusual and inconsistent with typical user activity. This provides defenders with opportunities to identify suspicious use and investigate, as appropriate. This Analytic Story contains various searches to help identify this suspicious activity, as well as others to aid you in deeper investigation.
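One way to express the triage logic this story describes, as an added example that is not one of the story's own Splunk searches: a small Python rule set run over constructed Endpoint.Processes-style events. It flags cmd.exe launched by an Office application (the macro-malware case referenced below), an unusually long command line, and an encoded PowerShell payload; the field names, parent list and length threshold are assumptions to tune per environment.

```python
import re

# Constructed sample process events using Endpoint datamodel-style fields.
# These are made up for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "alice", "process_name": "cmd.exe",
     "parent_process_name": "explorer.exe",
     "process": "cmd.exe /c dir C:\\Users\\alice"},
    {"host": "ws02", "user": "bob", "process_name": "cmd.exe",
     "parent_process_name": "winword.exe",
     "process": "cmd.exe /c powershell -w hidden -enc " + "Q" * 120},
    {"host": "ws03", "user": "svc", "process_name": "cmd.exe",
     "parent_process_name": "services.exe",
     "process": "cmd.exe /c " + " & ".join(["whoami"] * 30)},
]

# Productivity parents that should not normally spawn a shell (assumed list).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MAX_CMDLINE = 200  # assumed threshold; baseline it against your own data

# Encoded PowerShell: -e / -enc / -encodedcommand followed by a base64 run.
ENCODED_RE = re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}", re.I)

def suspicious_reasons(event):
    """Return the list of rule names that fire for one cmd.exe event."""
    reasons = []
    if event["process_name"].lower() != "cmd.exe":
        return reasons
    if event["parent_process_name"].lower() in OFFICE_PARENTS:
        reasons.append("office_parent")
    if len(event["process"]) > MAX_CMDLINE:
        reasons.append("long_cmdline")
    if ENCODED_RE.search(event["process"]):
        reasons.append("encoded_payload")
    return reasons

def flag_suspicious_cli(events):
    """Return only the events that fired at least one rule, with the reasons attached."""
    hits = []
    for ev in events:
        reasons = suspicious_reasons(ev)
        if reasons:
            hits.append({**ev, "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in flag_suspicious_cli(SAMPLE_EVENTS):
        print(hit["host"], hit["user"], hit["parent_process_name"], hit["reasons"])
```

The same rules map directly onto a tstats search over Endpoint.Processes (parent_process_name, process, and len(process)) when you want to run them in Splunk rather than offline.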
Detections
Reference
- https://attack.mitre.org/wiki/Technique/T1059
- https://www.microsoft.com/en-us/wdsi/threats/macro-malware
- https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
- Version: 2