THIS IS A DEPRECATED DETECTION
This detection has been marked deprecated by the Splunk Threat Research team. This means that it will no longer be maintained or supported.
Command lines that are extremely long may be indicative of malicious activity on your hosts. This search leverages the Splunk Streaming ML DSP plugin to identify command lines whose length is unusual for a given user. This detection is inspired by Unusually Long Command Line, authored by Rico Valdez.
- Type: Anomaly
- Product: Splunk Behavioral Analytics
- Datamodel: Endpoint_Processes
- Last Updated: 2020-10-06
- Author: Ignacio Bermudez Corrales, Splunk
- ID: 58f43aba-1775-445e-b19c-be2b87d83ae3
Kill Chain Phase
- Actions on Objectives
- CIS 8
```spl
| from read_ssa_enriched_events()
| eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null))
| eval cmd_line=ucast(map_get(input_event, "process"), "string", null),
       dest_user_id=ucast(map_get(input_event, "dest_user_id"), "string", null),
       dest_device_id=ucast(map_get(input_event, "dest_device_id"), "string", null),
       process_name=ucast(map_get(input_event, "process_name"), "string", null),
       event_id=ucast(map_get(input_event, "event_id"), "string", null)
| where cmd_line!=null and dest_user_id!=null
| eval cmd_line_norm=replace(cast(cmd_line, "string"), /\s(--?\w+) |(\/\w+)/, " ARG"),
       cmd_line_norm=replace(cmd_line_norm, /\w:\\[^\s]+/, "PATH"),
       cmd_line_norm=replace(cmd_line_norm, /\d+/, "N"),
       input=parse_double(len(coalesce(cmd_line_norm, "")))
| select timestamp, process_name, dest_device_id, dest_user_id, cmd_line, input
| adaptive_threshold algorithm="quantile" entity="process_name" window=60480000
| where label AND quantile>0.99
| first_time_event input_columns=["dest_device_id", "cmd_line"]
| where first_time_dest_device_id_cmd_line
| eval start_time = timestamp, end_time = timestamp,
       entities = mvappend(dest_device_id, dest_user_id),
       body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name", process_name])
| into write_ssa_detected_events();
```
The SPL above uses the following Macros:
unusually_long_command_line_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
List of fields required to use this analytic.
How To Implement
You must be ingesting Sysmon endpoint data that monitors command lines.
Known False Positives
This detection may flag suspiciously long command lines when there is not sufficient evidence (samples) for a given process that this detection is tracking, or when there is high variability in the length of the command line for the tracked process. Also, some legitimate applications use long command lines. Such is the case with Ansible, which encodes PowerShell scripts as long base64 strings. Attackers may use this technique to obfuscate their payloads.
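As an added example that is not part of the Splunk detection or its SPL, the following Python port reproduces the pipeline's stages (null filtering, the three `replace()` normalisations, a per-process quantile threshold over a sliding window, and first-seen suppression on the device and command line pair) and runs them over constructed sample events. Assumptions: SPL2 `replace()` substitutes every match, as `re.sub` does; `adaptive_threshold algorithm="quantile"` is approximated with a nearest-rank empirical quantile over the prior samples in the window; the `min_samples` guard and the choice not to feed outliers back into the baseline are this example's own additions, made to address the insufficient-samples false positive described above. The event dicts, device names, and the `QQ...` payload are constructed placeholders.

```python
import math
import re
from collections import defaultdict, deque

# Normalisation regexes ported from the three replace() calls in the SPL above.
# Assumption: SPL2 replace() substitutes every match, as Python's re.sub does.
ARG_RE = re.compile(r"\s(--?\w+) |(/\w+)")   # " -flag " / " --flag " / "/flag" -> ARG
PATH_RE = re.compile(r"\w:\\[^\s]+")         # Windows drive-letter paths       -> PATH
NUM_RE = re.compile(r"\d+")                  # any run of digits                -> N

# Impact and Confidence as given in the detection's risk table.
RISK_IMPACT = 30
RISK_CONFIDENCE = 40


def normalize_cmd_line(cmd_line):
    """Collapse flags, paths and numbers so the length reflects structure, not values."""
    norm = ARG_RE.sub(" ARG", cmd_line)
    norm = PATH_RE.sub("PATH", norm)
    return NUM_RE.sub("N", norm)


def nearest_rank_quantile(values, q):
    """Empirical (nearest-rank) quantile; stands in for adaptive_threshold 'quantile'."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(q * len(ordered)) - 1)]


def risk_score(impact, confidence):
    """Risk Score = Impact * Confidence / 100, as the page states."""
    return impact * confidence / 100


class LongCommandLineDetector:
    """Per-process quantile threshold over a sliding window, then first-seen
    suppression keyed on (dest_device_id, cmd_line), mirroring the SPL stages."""

    def __init__(self, quantile=0.99, window_ms=60480000, min_samples=20):
        self.quantile = quantile
        self.window_ms = window_ms          # same window value as the SPL (milliseconds)
        self.min_samples = min_samples      # added guard against the "too few samples" false positive
        self.history = defaultdict(deque)   # process_name -> deque of (timestamp_ms, length)
        self.seen = set()                   # (dest_device_id, cmd_line) already alerted on

    def process(self, event):
        """Feed one event; return an alert dict if it is a new outlier, else None."""
        cmd_line, user = event.get("process"), event.get("dest_user_id")
        if cmd_line is None or user is None:     # where cmd_line!=null and dest_user_id!=null
            return None
        proc, ts = event.get("process_name"), event["_time"]
        length = len(normalize_cmd_line(cmd_line))

        hist = self.history[proc]
        while hist and ts - hist[0][0] > self.window_ms:
            hist.popleft()                       # expire samples that left the window

        alert, is_outlier = None, False
        if len(hist) >= self.min_samples:
            threshold = nearest_rank_quantile([n for _, n in hist], self.quantile)
            is_outlier = length > threshold
            key = (event.get("dest_device_id"), cmd_line)
            if is_outlier and key not in self.seen:   # first_time_event on (device, cmd_line)
                self.seen.add(key)
                alert = {"event_id": event.get("event_id"), "process_name": proc,
                         "dest_device_id": event.get("dest_device_id"), "dest_user_id": user,
                         "cmd_line": cmd_line, "normalized_len": length, "threshold": threshold,
                         "risk_score": risk_score(RISK_IMPACT, RISK_CONFIDENCE)}
        # Design choice of this example: outliers are not fed back into the baseline,
        # so one long command line cannot raise the threshold for the next one.
        if not is_outlier:
            hist.append((ts, length))
        return alert


def build_sample_events():
    """Constructed sample telemetry (not real data), shaped like the SSA input events."""
    baseline = [
        "powershell.exe -NoProfile -Command Get-Process",
        "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
        "powershell.exe -Command Get-Service | Where-Object Status -eq Running",
        "powershell.exe -NoLogo -Command Get-ChildItem C:\\Users\\alice\\Documents",
    ]
    events, ts = [], 1_601_942_400_000          # epoch milliseconds, constructed

    def add(proc, cmd, device):
        nonlocal ts
        ts += 60_000
        events.append({"_time": ts, "event_id": f"ev{len(events)}", "process_name": proc,
                       "process": cmd, "dest_user_id": "alice", "dest_device_id": device})

    for i in range(24):                         # 24 ordinary PowerShell launches
        add("powershell.exe", baseline[i % 4], "WS01")
    long_cmd = "powershell.exe -NoProfile -EncodedCommand " + "QQ" * 200   # placeholder blob
    add("powershell.exe", long_cmd, "WS01")     # outlier, new on WS01 -> alert
    add("powershell.exe", long_cmd, "WS01")     # same (device, cmd_line) -> suppressed
    add("powershell.exe", long_cmd, "WS02")     # first time on WS02 -> alert
    add("cmd.exe", "cmd.exe /c dir", "WS01")    # cmd.exe has almost no baseline yet ...
    add("cmd.exe", "cmd.exe /c " + "QQ" * 200, "WS01")  # ... so this one is NOT flagged
    return events


def run_demo():
    """Run the constructed events through the detector and return the alerts."""
    detector = LongCommandLineDetector()
    return [a for a in (detector.process(e) for e in build_sample_events()) if a]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert["dest_device_id"], alert["process_name"], alert["normalized_len"], alert["risk_score"])
```

One caveat worth knowing when tuning the normalisation: the first pattern, `\s(--?\w+) `, consumes the space after a flag, so of two adjacent flags only the first is rewritten (`-NoProfile -Command` becomes `ARG-Command`). The normalised length therefore still depends on how many flags a launch carries, which is one reason processes with highly variable invocations produce the false positives described above.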
Associated Analytic Story
| Risk Score | Impact | Confidence | Message |
| --- | --- | --- | --- |
| 12.0 | 30 | 40 | A process $process_name$ with a long commandline $cmd_line$ executed in host $dest_device_id$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.
source | version: 1