Try in Splunk Security Cloud
Description
Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Endpoint_Processes
- Last Updated: 2020-02-04
- Author: Bhavin Patel, Splunk
- ID: f4368e3f-d59f-4192-84f6-748ac5a3ddb6
Narrative
Being able to profile a host’s processes within your environment can help you more quickly identify processes that seem out of place when compared to the rest of the population of hosts or asset types.
This Analytic Story lets you identify processes that are either a) not typically seen running or b) have some sort of suspicious command-line arguments associated with them. This Analytic Story will also help you identify the user running these processes and the associated process activity on the host.
In the event an unusual process is identified, it is imperative to better understand how that process was able to execute on the host, when it first executed, and whether other hosts are affected. This extra information may provide clues that can help the analyst further investigate any suspicious activity.
Detections
| Name |
Technique |
Type |
| Attacker Tools On Endpoint |
Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning |
TTP |
| Credential ExtractionFGDump and CacheDump |
OS Credential Dumping, Security Account Manager |
TTP |
| Detect Rare Executables |
|
Anomaly |
| Detect processes used for System Network Configuration Discovery |
System Network Configuration Discovery |
TTP |
| First time seen command line argument |
Command and Scripting Interpreter, Indirect Command Execution |
Anomaly |
| Rare Parent-Child Process Relationship |
Exploitation for Client Execution, Command and Scripting Interpreter, Scheduled Task/Job, Software Deployment Tools |
Anomaly |
| RunDLL Loading DLL By Ordinal |
System Binary Proxy Execution, Rundll32 |
TTP |
| Rundll32 Shimcache Flush |
Modify Registry |
TTP |
| Suspicious Copy on System32 |
Rename System Utilities, Masquerading |
TTP |
| System Processes Run From Unexpected Locations |
Masquerading, Rename System Utilities |
Anomaly |
| Uncommon Processes On Endpoint |
Malicious File |
Hunting |
| Unusual LOLBAS in short period of time |
Command and Scripting Interpreter, Scheduled Task/Job |
Anomaly |
| Unusually Long Command Line |
|
Anomaly |
| Unusually Long Command Line |
|
Anomaly |
| Unusually Long Command Line - MLTK |
|
Anomaly |
| Verclsid CLSID Execution |
Verclsid, System Binary Proxy Execution |
Hunting |
| WinRM Spawning a Process |
Exploit Public-Facing Application |
TTP |
| Windows DotNet Binary in Non Standard Path |
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil |
Anomaly |
| Windows DotNet Binary in Non Standard Path |
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil |
TTP |
| Windows InstallUtil in Non Standard Path |
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil |
TTP |
| Windows LOLBin Binary in Non Standard Path |
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil |
Anomaly |
| Windows NirSoft AdvancedRun |
Tool |
TTP |
| Windows Remote Assistance Spawning Process |
Process Injection |
TTP |
| Windows Rename System Utilities Acccheckconsole exe LOLBAS in Non Standard Path |
Masquerading, Rename System Utilities |
Anomaly |
| Windows Rename System Utilities Adplus exe LOLBAS in Non Standard Path |
Masquerading, Rename System Utilities |
Anomaly |
| Windows Rename System Utilities Advpack dll LOLBAS in Non Standard Path |
Masquerading, Rename System Utilities |
Anomaly |
| Windows Rename System Utilities Agentexecutor exe LOLBAS in Non Standard Path |
Masquerading, Rename System Utilities |
Anomaly |
| Windows Rename System Utilities Appinstaller exe LOLBAS in Non Standard Path |
Masquerading, Rename System Utilities |
Anomaly |
| Windows Rename System Utilities Appvlp exe LOLBAS in Non Standard Path |
Masquerading, Rename System Utilities |
Anomaly |
| Windows Rename System Utilities Aspnet compiler exe LOLBAS in Non Standard Path |
Masquerading, Rename System Utilities |
Anomaly |
| Windows Rename System Utilities At exe LOLBAS in Non Standard Path |
Masquerading, Rename System Utilities |
Anomaly |
| Windows Rename System Utilities Atbroker exe LOLBAS in Non Standard Path |
Masquerading, Rename System Utilities |
Anomaly |
| Wscript Or Cscript Suspicious Child Process |
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation |
TTP |
Reference
source | version: 2