Analytics Story: Unusual Processes

Description

Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.

Why it matters

Being able to profile a host's processes within your environment can help you more quickly identify processes that seem out of place when compared to the rest of the population of hosts or asset types. This Analytic Story lets you identify processes that either a) are not typically seen running or b) carry suspicious command-line arguments. It also helps you identify the user running these processes and the associated process activity on the host. When an unusual process is identified, it is imperative to understand how that process was able to execute on the host, when it first executed, and whether other hosts are affected. This extra information may provide clues that help the analyst further investigate any suspicious activity.
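The three patterns the story describes (system binaries running from an unexpected directory, conspicuously long command lines, and executables seen on very few hosts) can be checked against process-creation telemetry directly. The following is an added example, not code from the Splunk security content project: it scores constructed Sysmon EventID 1-style records with hypothetical hosts, paths and thresholds, and the per-host rarity baseline and command-line length cut-off are assumptions you would tune to your own environment.

```python
# Added example (not from the Splunk content project): scoring constructed
# Sysmon EventID 1-style process records for the patterns this story describes.
from pathlib import PureWindowsPath

# Constructed sample records (hypothetical hosts and paths, not real telemetry).
EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"host": "ws02", "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"host": "ws03", "image": r"C:\Users\Public\svchost.exe", "cmd": "svchost.exe"},
    {"host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c powershell -enc " + "A" * 1200},
    {"host": "ws02", "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c whoami"},
    {"host": "ws02", "image": r"C:\Temp\updater.exe", "cmd": "updater.exe --silent"},
]

# System binaries and the directories they are expected to run from (assumed list).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
LONG_CMDLINE = 1000  # characters; assumed threshold, tune to your baseline
RARE_HOSTS = 2       # a process name seen on fewer hosts than this is "rare"

def analyze(events, long_cmdline=LONG_CMDLINE, rare_hosts=RARE_HOSTS):
    """Return (host, image, reason) findings for the story's three patterns."""
    # Baseline: on how many distinct hosts has each process name been observed?
    hosts_per_name = {}
    for ev in events:
        name = PureWindowsPath(ev["image"]).name.lower()
        hosts_per_name.setdefault(name, set()).add(ev["host"])

    findings = []
    for ev in events:
        path = PureWindowsPath(ev["image"])
        name, parent = path.name.lower(), str(path.parent).lower()
        if name in EXPECTED_DIRS and parent not in EXPECTED_DIRS[name]:
            findings.append((ev["host"], ev["image"], "system process from unexpected location"))
        if len(ev["cmd"]) > long_cmdline:
            findings.append((ev["host"], ev["image"], "unusually long command line"))
        if len(hosts_per_name[name]) < rare_hosts:
            findings.append((ev["host"], ev["image"], "rare executable"))
    return findings

if __name__ == "__main__":
    for host, image, reason in analyze(EVENTS):
        print(f"{host}: {image} -> {reason}")
```

Each finding names the host, so the analyst can pivot to the user and parent process on that host and check whether the same image appears elsewhere in the fleet.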

Detections

| Name | Technique | Type |
|---|---|---|
| Uncommon Processes On Endpoint | Malicious File | Hunting |
| Attacker Tools On Endpoint | Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning | TTP |
| Detect processes used for System Network Configuration Discovery | System Network Configuration Discovery | TTP |
| Detect Rare Executables | User Execution | Anomaly |
| Rundll32 Shimcache Flush | Modify Registry | TTP |
| RunDLL Loading DLL By Ordinal | System Binary Proxy Execution, Rundll32 | TTP |
| Suspicious Copy on System32 | Rename System Utilities, Masquerading | TTP |
| Suspicious Process Executed From Container File | Malicious File, Masquerade File Type | TTP |
| System Processes Run From Unexpected Locations | Masquerading, Rename System Utilities | Anomaly |
| Unusually Long Command Line | None | Anomaly |
| Unusually Long Command Line - MLTK | None | Anomaly |
| Verclsid CLSID Execution | Verclsid, System Binary Proxy Execution | Hunting |
| Windows DotNet Binary in Non Standard Path | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | TTP |
| Windows InstallUtil in Non Standard Path | Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil | TTP |
| Windows NirSoft AdvancedRun | Tool | TTP |
| Windows Registry Payload Injection | Obfuscated Files or Information, Fileless Storage | TTP |
| Windows Remote Assistance Spawning Process | Process Injection | TTP |
| WinRM Spawning a Process | Exploit Public-Facing Application | TTP |
| Wscript Or Cscript Suspicious Child Process | Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security |

Source: GitHub | Version: 2