Description

Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-02-04
  • Author: Bhavin Patel, Splunk
  • ID: f4368e3f-d59f-4192-84f6-748ac5a3ddb6

Narrative

Being able to profile a host’s processes within your environment can help you more quickly identify processes that seem out of place when compared to the rest of the population of hosts or asset types.
This Analytic Story lets you identify processes that either a) are not typically seen running or b) have some sort of suspicious command-line arguments associated with them. It will also help you identify the user running these processes and the associated process activity on the host.
In the event an unusual process is identified, it is imperative to better understand how that process was able to execute on the host, when it first executed, and whether other hosts are affected. This extra information may provide clues that can help the analyst further investigate any suspicious activity.
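The profiling approach the narrative describes, as an added example that is not part of this page or of Splunk's own detection content: three of the story's heuristics (executables rare across the host population, statistically long command lines, and well-known system binary names running outside the directories they ship in) implemented in Python over a handful of constructed Endpoint-style events. The field names, the sample events, the expected-directory map and the thresholds are all assumptions chosen for illustration, not values taken from the Splunk detections.

```python
"""Baseline-style checks for unusual process activity over endpoint events.

Added example, not Splunk's detection code. Field names (host, user,
process_name, process_path, process) mirror the Endpoint datamodel layout,
which is an assumption about the input.
"""
import json
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events. The last command line is padded to mimic the
# conspicuously long command lines the story calls out.
EVENTS = [
    {"host": "ws01", "user": "alice", "process_name": "explorer.exe",
     "process_path": r"C:\Windows\explorer.exe", "process": "explorer.exe"},
    {"host": "ws02", "user": "bob", "process_name": "explorer.exe",
     "process_path": r"C:\Windows\explorer.exe", "process": "explorer.exe"},
    {"host": "ws03", "user": "carol", "process_name": "explorer.exe",
     "process_path": r"C:\Windows\explorer.exe", "process": "explorer.exe"},
    {"host": "ws01", "user": "alice", "process_name": "svchost.exe",
     "process_path": r"C:\Windows\System32\svchost.exe", "process": "svchost.exe -k netsvcs"},
    {"host": "ws02", "user": "bob", "process_name": "svchost.exe",
     "process_path": r"C:\Windows\System32\svchost.exe", "process": "svchost.exe -k netsvcs"},
    # A system binary name running from a user-writable directory.
    {"host": "ws03", "user": "carol", "process_name": "svchost.exe",
     "process_path": r"C:\Users\carol\AppData\Local\Temp\svchost.exe", "process": "svchost.exe"},
    # An executable seen on only one host in the population.
    {"host": "ws03", "user": "carol", "process_name": "upd4te.exe",
     "process_path": r"C:\Users\carol\Downloads\upd4te.exe", "process": "upd4te.exe /silent"},
    {"host": "ws02", "user": "bob", "process_name": "powershell.exe",
     "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "process": "powershell.exe -EncodedCommand " + "A" * 600},
]

# Expected parent directories for a few Windows binaries. This map is an
# assumption for the example, not a Splunk-maintained list.
SYSTEM_BINARY_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "powershell.exe": {r"c:\windows\system32\windowspowershell\v1.0",
                       r"c:\windows\syswow64\windowspowershell\v1.0"},
}


def rare_executables(events, max_hosts=1):
    """Process names that ran on at most `max_hosts` distinct hosts.

    Rarity is measured across the host population rather than by raw event
    count, so a process that is noisy on a single machine still stands out.
    """
    hosts_by_proc = defaultdict(set)
    for e in events:
        hosts_by_proc[e["process_name"].lower()].add(e["host"])
    return sorted(p for p, hosts in hosts_by_proc.items() if len(hosts) <= max_hosts)


def unusually_long_command_lines(events, sigmas=2.0, min_length=200):
    """Events whose command line is an outlier for this population.

    The cutoff is mean + sigmas * stdev, but never below `min_length`, so a
    small, uniform dataset does not flag its slightly-longest entry.
    """
    lengths = [len(e["process"]) for e in events]
    cutoff = max(min_length, mean(lengths) + sigmas * pstdev(lengths))
    return [e for e in events if len(e["process"]) > cutoff]


def system_processes_from_unexpected_locations(events):
    """Events where a well-known system binary name runs from a directory
    other than the ones listed for it in SYSTEM_BINARY_DIRS."""
    hits = []
    for e in events:
        expected = SYSTEM_BINARY_DIRS.get(e["process_name"].lower())
        if expected is None:
            continue
        directory = e["process_path"].lower().rsplit("\\", 1)[0]
        if directory not in expected:
            hits.append(e)
    return hits


def triage(events):
    """Roll the three checks up into one report with the hosts and users
    involved, which is the scope question the narrative says to answer first."""
    def scope(hits):
        return {"hosts": sorted({h["host"] for h in hits}),
                "users": sorted({h["user"] for h in hits})}
    rare = set(rare_executables(events))
    rare_hits = [e for e in events if e["process_name"].lower() in rare]
    return {
        "rare_executables": {"processes": sorted(rare), **scope(rare_hits)},
        "long_command_lines": scope(unusually_long_command_lines(events)),
        "unexpected_locations": scope(system_processes_from_unexpected_locations(events)),
    }


if __name__ == "__main__":
    print(json.dumps(triage(EVENTS), indent=2))
```

On a population this small the rarity check also flags powershell.exe, because it was only seen on one host; in production the host-count threshold and the lookback window have to be tuned against the real fleet, and the absolute floor on command-line length matters because a standard-deviation cutoff alone cannot produce a large z-score from a handful of samples.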

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Attacker Tools On Endpoint | Match Legitimate Name or Location, Active Scanning, OS Credential Dumping | TTP |
| Credential Extraction indicative of FGDump and CacheDump with s option | OS Credential Dumping | TTP |
| Credential Extraction indicative of FGDump and CacheDump with v option | OS Credential Dumping | TTP |
| Credential Extraction indicative of use of Mimikatz modules | OS Credential Dumping | TTP |
| Credential Extraction native Microsoft debuggers peek into the kernel | OS Credential Dumping | TTP |
| Credential Extraction native Microsoft debuggers via z command line option | OS Credential Dumping | TTP |
| Detect Rare Executables | | Anomaly |
| Detect processes used for System Network Configuration Discovery | System Network Configuration Discovery | TTP |
| First time seen command line argument | Command and Scripting Interpreter, Regsvr32, Indirect Command Execution | Anomaly |
| More than usual number of LOLBAS applications in short time period | Command and Scripting Interpreter, Scheduled Task/Job | Anomaly |
| Rare Parent-Child Process Relationship | Exploitation for Client Execution, Command and Scripting Interpreter, Scheduled Task/Job, Software Deployment Tools | Anomaly |
| RunDLL Loading DLL By Ordinal | Rundll32 | TTP |
| System Processes Run From Unexpected Locations | Rename System Utilities | TTP |
| Unusually Long Command Line | | Anomaly |
| Unusually Long Command Line - MLTK | | Anomaly |
| WinRM Spawning a Process | Exploit Public-Facing Application | TTP |

Reference

source | version: 2