Analytics Story: Unusual Processes

Date: 2020-02-04 ID: f4368e3f-d59f-4192-84f6-748ac5a3ddb6 Author: Bhavin Patel, Splunk Product: Splunk Enterprise Security

Description

Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.

Why it matters

Being able to profile a host's processes within your environment can help you more quickly identify processes that seem out of place when compared to the rest of the population of hosts or asset types. This Analytic Story lets you identify processes that are either a) not typically seen running or b) have some sort of suspicious command-line arguments associated with them. This Analytic Story will also help you identify the user running these processes and the associated process activity on the host. In the event an unusual process is identified, it is imperative to better understand how that process was able to execute on the host, when it first executed, and whether other hosts are affected. This extra information may provide clues that can help the analyst further investigate any suspicious activity.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Attacker Tools On Endpoint	OS Credential Dumping, Match Legitimate Resource Name or Location, Active Scanning	TTP
Detect Rare Executables	User Execution	Anomaly
Potential System Network Configuration Discovery Activity	System Network Configuration Discovery	Anomaly
Rundll32 Shimcache Flush	Modify Registry	TTP
RunDLL Loading DLL By Ordinal	Rundll32	TTP
Suspicious Copy on System32	Rename Legitimate Utilities	Anomaly
Suspicious Process Executed From Container File	Malicious File, Masquerade File Type	TTP
System Processes Run From Unexpected Locations	Rename Legitimate Utilities	Anomaly
Unusually Long Command Line	None	Anomaly
Unusually Long Command Line - MLTK	None	Anomaly
Verclsid CLSID Execution	Verclsid	Hunting
Windows DotNet Binary in Non Standard Path	Rename Legitimate Utilities, InstallUtil	TTP
Windows InstallUtil in Non Standard Path	Rename Legitimate Utilities, InstallUtil	TTP
Windows NirSoft AdvancedRun	Tool	TTP
Windows Registry Payload Injection	Fileless Storage	TTP
Windows Remote Assistance Spawning Process	Process Injection	TTP
WinRM Spawning a Process	Exploit Public-Facing Application	TTP
Wscript Or Cscript Suspicious Child Process	Process Injection, Parent PID Spoofing, Create or Modify System Process	TTP

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
Cisco Network Visibility Module Flow Data	Network	`cisco:nvm:flowdata`	`not_applicable`
CrowdStrike ProcessRollup2	N/A	`crowdstrike:events:sensor`	`crowdstrike`
Sysmon EventID 1	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 13	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4688	Windows	`xmlwineventlog`	`XmlWinEventLog:Security`

References

Source: GitHub | Version: 2