suspicious_reg_exe_process.yml
name: Suspicious Reg exe Process
id: a6b3ab4e-dd77-4213-95fa-fc94701995e0
version: 4
date: '2020-07-22'
author: David Dorsey, Splunk
type: batch
datamodel: []
description: This search looks for reg.exe being launched from a command prompt not
  started by the user. When a user launches cmd.exe, the parent process is usually
  explorer.exe. This search filters out those instances.
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
  as lastTime FROM datamodel=Endpoint.Processes where Processes.parent_process_name
  != explorer.exe Processes.process_name =cmd.exe by Processes.user Processes.process_name
  Processes.parent_process_name Processes.dest Processes.process_id Processes.parent_process_id
  | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
  | search [| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
  where Processes.parent_process_name=cmd.exe Processes.process_name= reg.exe by Processes.parent_process_id
  Processes.dest Processes.process_name | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` | rename parent_process_id as process_id |dedup
  process_id| table process_id dest] | `suspicious_reg_exe_process_filter` '
how_to_implement: You must be ingesting data that records process activity from your
  hosts to populate the Endpoint data model in the Processes node. You must also be
  ingesting logs with both the process name and command line from your endpoints.
  The command-line arguments are mapped to the "process" field in the Endpoint data
  model.
known_false_positives: It's possible for system administrators to write scripts that
  exhibit this behavior. If this is the case, the search will need to be modified
  to filter them out.
references:
- https://car.mitre.org/wiki/CAR-2013-03-001
tags:
  analytic_story:
  - Windows Defense Evasion Tactics
  - Disabling Security Tools
  - DHS Report TA18-074A
  asset_type: Endpoint
  automated_detection_testing: passed
  cis20:
  - CIS 8
  dataset:
  - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1112/atomic_red_team/windows-sysmon.log
  kill_chain_phases:
  - Actions on Objectives
  mitre_attack_id:
  - T1112
  nist:
  - DE.CM
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - Processes.parent_process_name
  - Processes.process_name
  - Processes.user
  - Processes.parent_process_name
  - Processes.dest
  - Processes.process_id
  - Processes.parent_process_id
  security_domain: endpoint
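As an added illustration (not code from the splunk/security_content repository), the Python below replays the search's two stages over constructed process-creation events: the subsearch collects (dest, parent_process_id) pairs for reg.exe spawned by cmd.exe, and the outer pass keeps cmd.exe instances whose parent is not explorer.exe and whose (dest, process_id) appears in that set, aggregating count, firstTime and lastTime per group key. Hosts, users, pids and timestamps are constructed; dest is kept in the join key because process ids repeat across hosts.

```python
from dataclasses import dataclass

# Added example, not part of the security_content project: the detection's logic in Python.

@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record using the Endpoint.Processes field names the search uses."""
    time: int            # epoch seconds, stands in for _time
    dest: str
    user: str
    process_id: int
    process_name: str
    parent_process_id: int
    parent_process_name: str

def reg_exe_parents(events):
    """Subsearch: (dest, parent_process_id) for every reg.exe whose parent is cmd.exe.
    dest is part of the key because process ids are only unique per host."""
    return {(e.dest, e.parent_process_id) for e in events
            if e.process_name.lower() == "reg.exe"
            and e.parent_process_name.lower() == "cmd.exe"}

def find_suspicious_reg_exe(events):
    """Outer search: cmd.exe not launched by explorer.exe, kept only when the subsearch
    shows it went on to run reg.exe. Returns {group_key: (count, firstTime, lastTime)}."""
    parents = reg_exe_parents(events)
    stats = {}
    for e in events:
        if e.process_name.lower() != "cmd.exe":
            continue
        if e.parent_process_name.lower() == "explorer.exe":   # user-launched shell: filtered out
            continue
        if (e.dest, e.process_id) not in parents:            # no reg.exe child on this host
            continue
        key = (e.user, e.process_name, e.parent_process_name, e.dest, e.process_id, e.parent_process_id)
        count, first, last = stats.get(key, (0, e.time, e.time))
        stats[key] = (count + 1, min(first, e.time), max(last, e.time))
    return stats

# Constructed sample data: process trees across two hosts.
SAMPLE_EVENTS = [
    ProcessEvent(1000, "host1", "alice", 200, "cmd.exe", 100, "explorer.exe"),    # user-opened shell
    ProcessEvent(1001, "host1", "alice", 300, "reg.exe", 200, "cmd.exe"),         # benign: chain via explorer
    ProcessEvent(2000, "host1", "alice", 500, "cmd.exe", 400, "WINWORD.EXE"),     # shell spawned by Office
    ProcessEvent(2001, "host1", "alice", 600, "reg.exe", 500, "cmd.exe"),         # flagged: reg.exe under it
    ProcessEvent(3000, "host2", "svc",   20,  "cmd.exe", 10,  "services.exe"),    # service shell, no reg.exe
    ProcessEvent(4000, "host2", "bob",   500, "cmd.exe", 700, "powershell.exe"),  # pid 500 again, other host
]

if __name__ == "__main__":
    for key, (count, first, last) in find_suspicious_reg_exe(SAMPLE_EVENTS).items():
        print(key, count, first, last)
```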