Unusual Processes

Try in Splunk Security Cloud

Description

Quickly identify systems running new or unusual processes in your environment that could be indicators of suspicious activity. Processes run from unusual locations, those with conspicuously long command lines, and rare executables are all examples of activities that may warrant deeper investigation.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint, Endpoint_Processes
• Last Updated: 2020-02-04
• Author: Bhavin Patel, Splunk
• ID: f4368e3f-d59f-4192-84f6-748ac5a3ddb6

Narrative

Being able to profile a host’s processes within your environment can help you more quickly identify processes that seem out of place when compared to the rest of the population of hosts or asset types.
This Analytic Story lets you identify processes that are either a) not typically seen running or b) have some sort of suspicious command-line arguments associated with them. This Analytic Story will also help you identify the user running these processes and the associated process activity on the host.
In the event an unusual process is identified, it is imperative to better understand how that process was able to execute on the host, when it first executed, and whether other hosts are affected. This extra information may provide clues that can help the analyst further investigate any suspicious activity.

Detections

Name	Technique	Type
Attacker Tools On Endpoint	Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning	TTP
Credential ExtractionFGDump and CacheDump	OS Credential Dumping, Security Account Manager	TTP
Detect Rare Executables		Anomaly
Detect processes used for System Network Configuration Discovery	System Network Configuration Discovery	TTP
First time seen command line argument	Command and Scripting Interpreter, Indirect Command Execution	Anomaly
Rare Parent-Child Process Relationship	Exploitation for Client Execution, Command and Scripting Interpreter, Scheduled Task/Job, Software Deployment Tools	Anomaly
RunDLL Loading DLL By Ordinal	System Binary Proxy Execution, Rundll32	TTP
Rundll32 Shimcache Flush	Modify Registry	TTP
Suspicious Copy on System32	Rename System Utilities, Masquerading	TTP
System Processes Run From Unexpected Locations	Masquerading, Rename System Utilities	TTP
Uncommon Processes On Endpoint	Malicious File	Hunting
Unusual LOLBAS in short period of time	Command and Scripting Interpreter, Scheduled Task/Job	Anomaly
Unusually Long Command Line		Anomaly
Unusually Long Command Line		Anomaly
Unusually Long Command Line - MLTK		Anomaly
Verclsid CLSID Execution	Verclsid, System Binary Proxy Execution	Hunting
WinRM Spawning a Process	Exploit Public-Facing Application	TTP
Windows DotNet Binary in Non Standard Path	Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil	Anomaly
Windows DotNet Binary in Non Standard Path	Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil	TTP
Windows InstallUtil in Non Standard Path	Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil	TTP
Windows LOLBin Binary in Non Standard Path	Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil	Anomaly
Windows NirSoft AdvancedRun	Tool	TTP
Windows Remote Assistance Spawning Process	Process Injection	TTP
Wscript Or Cscript Suspicious Child Process	Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation	TTP

Reference

• https://web.archive.org/web/20210921093439/https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-two.html
• https://www.splunk.com/pdfs/technical-briefs/advanced-threat-detection-and-response-tech-brief.pdf
• https://www.sans.org/reading-room/whitepapers/logging/detecting-security-incidents-windows-workstation-event-logs-34262

source | version: 2