:no_entry: THIS IS A DEPRECATED DETECTION

This detection has been marked deprecated by the Splunk Threat Research team. This means that it will no longer be maintained or supported.


Description

Command lines that are extremely long may be indicative of malicious activity on your hosts. This search leverages the Splunk Streaming ML DSP plugin to help identify command lines with lengths that are unusual for a given user. This detection is inspired by Unusually Long Command Line, authored by Rico Valdez.

  • Type: Anomaly
  • Product: Splunk Behavioral Analytics
  • Datamodel: Endpoint_Processes
  • Last Updated: 2020-10-06
  • Author: Ignacio Bermudez Corrales, Splunk
  • ID: 58f43aba-1775-445e-b19c-be2b87d83ae3

Annotations

ATT&CK
Kill Chain Phase
  • Actions on Objectives
NIST
  • PR.PT
  • DE.CM
CIS20
  • CIS 8
CVE
```
| from read_ssa_enriched_events()
| eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null))
| eval cmd_line=ucast(map_get(input_event, "process"), "string", null), dest_user_id=ucast(map_get(input_event, "dest_user_id"), "string", null), dest_device_id=ucast(map_get(input_event, "dest_device_id"), "string", null), process_name=ucast(map_get(input_event, "process_name"), "string", null), event_id=ucast(map_get(input_event, "event_id"), "string", null)
| where cmd_line!=null and dest_user_id!=null
| eval cmd_line_norm=replace(cast(cmd_line, "string"), /\s(--?\w+)|(\/\w+)/, " ARG"), cmd_line_norm=replace(cmd_line_norm, /\w:\\[^\s]+/, "PATH"), cmd_line_norm=replace(cmd_line_norm, /\d+/, "N"), input=parse_double(len(coalesce(cmd_line_norm, "")))
| select timestamp, process_name, dest_device_id, dest_user_id, cmd_line, input
| adaptive_threshold algorithm="quantile" entity="process_name" window=60480000
| where label AND quantile>0.99
| first_time_event input_columns=["dest_device_id", "cmd_line"]
| where first_time_dest_device_id_cmd_line
| eval start_time = timestamp, end_time = timestamp, entities = mvappend(dest_device_id, dest_user_id), body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name", process_name])
| into write_ssa_detected_events();
```
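As an added illustration (not part of the Splunk detection or the SSA pipeline), the Python below re-implements the pipeline's logic on constructed events: the same three normalizations, a per-process quantile baseline standing in for adaptive_threshold (the nearest-rank quantile and the min_samples guard are assumptions), and first-time suppression on the (dest_device_id, cmd_line) pair.

```python
import re
from collections import defaultdict

# Normalization mirrors the SPL replace() calls: switches -> " ARG", drive paths -> "PATH", digits -> "N"
ARG_RE = re.compile(r"\s(--?\w+)|(/\w+)")
PATH_RE = re.compile(r"\w:\\[^\s]+")
NUM_RE = re.compile(r"\d+")

def normalize(cmd_line):
    norm = ARG_RE.sub(" ARG", cmd_line)
    norm = PATH_RE.sub("PATH", norm)
    return NUM_RE.sub("N", norm)

def quantile(values, q):
    # Nearest-rank empirical quantile; a stand-in for SSA's adaptive_threshold "quantile" (assumption)
    s = sorted(values)
    return s[min(len(s) - 1, int(q * len(s)))]

def detect(events, q=0.99, min_samples=5):
    """Stream events in time order. Emit an event when its normalized command-line length
    exceeds the q-quantile of lengths seen so far for the same process_name, and the
    (dest_device_id, cmd_line) pair has not been emitted before (first_time_event)."""
    baseline = defaultdict(list)   # process_name -> lengths seen so far (the training window)
    seen = set()                   # (dest_device_id, cmd_line) pairs already emitted
    detected = []
    for ev in events:
        if ev.get("process") is None or ev.get("dest_user_id") is None:
            continue               # where cmd_line!=null and dest_user_id!=null
        length = len(normalize(ev["process"]))
        hist = baseline[ev["process_name"]]
        anomalous = len(hist) >= min_samples and length > quantile(hist, q)
        hist.append(length)        # every observation feeds the next threshold
        key = (ev["dest_device_id"], ev["process"])
        if anomalous and key not in seen:
            seen.add(key)
            detected.append({**ev, "input": length})
    return detected

# Constructed sample events (not real telemetry): 100 routine PowerShell runs, one long
# encoded-command line repeated twice, then a cmd.exe run for which no baseline exists yet.
BLOB = "QQ" * 200
def _ev(name, host, user, cmd):
    return {"process_name": name, "dest_device_id": host, "dest_user_id": user, "process": cmd}
EVENTS = [_ev("powershell.exe", "host-1", "u1", f"powershell.exe -NoProfile -File C:\\Scripts\\run{i}.ps1")
          for i in range(100)]
EVENTS += [_ev("powershell.exe", "host-1", "u1", "powershell.exe -NoP -W Hidden -EncodedCommand " + BLOB)] * 2
EVENTS.append(_ev("cmd.exe", "host-2", "u2", "cmd.exe /c dir C:\\Users\\u2 /s"))
if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit["process_name"], hit["dest_device_id"], hit["input"])   # one hit, input 434
```

The repeated encoded command is still above the threshold on its second occurrence but is suppressed as a known (host, cmd_line) pair; the cmd.exe run is never scored because its process has too few samples, which is the insufficient-evidence case noted under Known False Positives.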

Macros

The SPL above uses the following Macros:

:information_source: unusually_long_command_line_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • process_name
  • _time
  • dest_device_id
  • dest_user_id
  • process

How To Implement

You must be ingesting sysmon endpoint data that monitors command lines.

Known False Positives

This detection may flag suspiciously long command lines when there is not sufficient evidence (samples) for a given process that this detection is tracking, or when there is high variability in the length of the command line for the tracked process. Also, some legitimate applications use long command lines; such is the case with Ansible, which encodes PowerShell scripts as long base64 strings. Attackers may use this technique to obfuscate their payloads.

Associated Analytic Story

RBA

  • Risk Score: 12.0
  • Impact: 30
  • Confidence: 40
  • Message: A process $process_name$ with a long commandline $cmd_line$ executed in host $dest_device_id$

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 1