
Description

Leveraging the Windows command-line interface (CLI) is one of the most common attack techniques, and one that is also detailed in the MITRE ATT&CK framework. Use this Analytic Story to help you identify unusual or suspicious use of the CLI on Windows systems.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2020-02-03
  • Author: Bhavin Patel, Splunk
  • ID: f4368ddf-d59f-4192-84f6-778ac5a3ffc7

Narrative

The ability to execute arbitrary commands via the Windows CLI is a primary goal for the adversary. With access to the shell, an attacker can easily run scripts and interact with the target system. Often, attackers may only have limited access to the shell or may obtain access in unusual ways. In addition, malware may execute and interact with the CLI in ways that would be considered unusual and inconsistent with typical user activity. This provides defenders with opportunities to identify suspicious use and investigate, as appropriate. This Analytic Story contains various searches to help identify this suspicious activity, as well as others to aid you in deeper investigation.

Detections

| Name | Technique | Type |
|---|---|---|
| Detect Prohibited Applications Spawning cmd.exe | Windows Command Shell | Hunting |
| Detect Prohibited Applications Spawning cmd.exe | Command and Scripting Interpreter | TTP |
| Detect Use of cmd.exe to Launch Script Interpreters | Windows Command Shell | TTP |
| System Processes Run From Unexpected Locations | Rename System Utilities | TTP |
| Unusually Long Command Line | | Anomaly |
| Unusually Long Command Line - MLTK | | Anomaly |
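To show what the four detection ideas in this story check for, here is an added Python example that runs equivalent logic over a few constructed Endpoint-style process events. It is not the Splunk searches themselves, and the prohibited-parent list, the interpreter list, the system-utility list, the expected system directories and the 500-character threshold are all assumptions chosen for illustration rather than values taken from the story.

```python
"""Reference implementations of the four detection ideas in this story,
run over constructed process events shaped like the Endpoint datamodel's
Processes node (parent_process_name, process_name, process_path, process).
These are illustrative checks, not the Splunk searches themselves."""
from statistics import mean, pstdev
from typing import Dict, Iterable, List, Optional

Event = Dict[str, str]

# Assumed tuning lists: adjust to what is normal in your own environment.
PROHIBITED_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_INTERPRETERS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SYSTEM_UTILITIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe"}
EXPECTED_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DEFAULT_LENGTH_THRESHOLD = 500  # assumed cut-off for "unusually long"


def _lower(event: Event, key: str) -> str:
    """Case-insensitive field access; Windows process names vary in case."""
    return (event.get(key) or "").lower()


def prohibited_apps_spawning_cmd(events: Iterable[Event],
                                 prohibited=PROHIBITED_PARENTS) -> List[Event]:
    """cmd.exe whose parent is an application that should never open a shell."""
    return [e for e in events
            if _lower(e, "process_name") == "cmd.exe"
            and _lower(e, "parent_process_name") in prohibited]


def cmd_launching_script_interpreters(events: Iterable[Event],
                                      interpreters=SCRIPT_INTERPRETERS) -> List[Event]:
    """A script interpreter started directly by cmd.exe."""
    return [e for e in events
            if _lower(e, "parent_process_name") == "cmd.exe"
            and _lower(e, "process_name") in interpreters]


def system_processes_from_unexpected_locations(events: Iterable[Event],
                                               utilities=SYSTEM_UTILITIES,
                                               expected=EXPECTED_SYSTEM_DIRS) -> List[Event]:
    """A system utility name running from outside the expected system directories."""
    return [e for e in events
            if _lower(e, "process_name") in utilities
            and not _lower(e, "process_path").startswith(expected)]


def threshold_from_baseline(baseline_lengths: List[int], sigma: float = 3.0) -> float:
    """Statistical cut-off (mean + sigma * stdev) learned from historical command-line
    lengths; this is the idea behind the MLTK variant, computed here without MLTK."""
    return mean(baseline_lengths) + sigma * pstdev(baseline_lengths)


def unusually_long_command_line(events: Iterable[Event],
                                threshold: Optional[float] = None,
                                baseline_lengths: Optional[List[int]] = None) -> List[Event]:
    """Command lines longer than a fixed threshold, or than a baseline-derived one."""
    if threshold is None:
        threshold = (threshold_from_baseline(baseline_lengths)
                     if baseline_lengths else DEFAULT_LENGTH_THRESHOLD)
    return [e for e in events if len(e.get("process", "")) > threshold]


def run_all(events: List[Event]) -> Dict[str, List[Event]]:
    """Run every check and return findings keyed by detection name."""
    return {
        "prohibited_apps_spawning_cmd": prohibited_apps_spawning_cmd(events),
        "cmd_launching_script_interpreters": cmd_launching_script_interpreters(events),
        "system_processes_from_unexpected_locations": system_processes_from_unexpected_locations(events),
        "unusually_long_command_line": unusually_long_command_line(events),
    }


# Constructed sample events: one benign shell, one shell spawned by Word, one
# long PowerShell command line under cmd.exe, one normal svchost and one svchost
# running from a user's Temp directory.
SAMPLE_EVENTS: List[Event] = [
    {"parent_process_name": "explorer.exe", "process_name": "cmd.exe",
     "process_path": "C:\\Windows\\System32\\cmd.exe", "process": "cmd.exe /c dir"},
    {"parent_process_name": "WINWORD.EXE", "process_name": "cmd.exe",
     "process_path": "C:\\Windows\\System32\\cmd.exe", "process": "cmd.exe /c echo test"},
    {"parent_process_name": "cmd.exe", "process_name": "powershell.exe",
     "process_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "process": "powershell.exe -Command " + "Write-Output x; " * 50},
    {"parent_process_name": "services.exe", "process_name": "svchost.exe",
     "process_path": "C:\\Windows\\System32\\svchost.exe", "process": "svchost.exe -k netsvcs"},
    {"parent_process_name": "explorer.exe", "process_name": "svchost.exe",
     "process_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe", "process": "svchost.exe"},
]

if __name__ == "__main__":
    for name, hits in run_all(SAMPLE_EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit["parent_process_name"], "->", hit["process_path"])
```

Each check is deliberately a simple parent/child or path predicate so that it maps one-to-one onto a search over the Endpoint datamodel; the baseline-derived threshold shows why the MLTK variant exists, since a fixed cut-off has to be retuned per environment while a learned one tracks what is normal for that fleet.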

Reference

source | version: 2