first_time_seen_command_line_argument.yml
name: First time seen command line argument
id: a1b6e73f-98d5-470f-99ac-77aacd578473
version: 5
date: '2020-07-21'
author: Bhavin Patel, Splunk
status: deprecated
type: Hunting
description: This search looks for command-line arguments that use a `/c` parameter
to execute a command that has not previously been seen.
data_source:
- Sysmon Event ID 1
search: '| tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
as lastTime from datamodel=Endpoint.Processes where Processes.process_name = cmd.exe
Processes.process = "* /c *" by Processes.process Processes.process_name Processes.parent_process_name
Processes.dest| `drop_dm_object_name(Processes)`| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | search [| tstats `security_content_summariesonly`
earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Endpoint.Processes
where Processes.process_name = cmd.exe Processes.process = "* /c *" by Processes.process
| `drop_dm_object_name(Processes)` | inputlookup append=t previously_seen_cmd_line_arguments
| stats min(firstTime) as firstTime, max(lastTime) as lastTime by process | outputlookup
previously_seen_cmd_line_arguments | eval newCmdLineArgument=if(firstTime >= relative_time(now(),
"-70m@m"), 1, 0) | where newCmdLineArgument=1 | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | table process] | `first_time_seen_command_line_argument_filter` '
how_to_implement: The detection is based on data that originates from Endpoint Detection
and Response (EDR) agents. These agents are designed to provide security-related
telemetry from the endpoints where the agent is installed. To implement this search,
you must ingest logs that contain the process GUID, process name, and parent process.
Additionally, you must ingest complete command-line executions. These logs must
be processed using the appropriate Splunk Technology Add-ons that are specific to
the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
data model. Use the Splunk Common Information Model (CIM) to normalize the field
names and speed up the data modeling process.
known_false_positives: Legitimate programs can also use command-line arguments to
  execute. Please verify the command-line arguments to check what command/program
  is being executed. We recommend customizing the `first_time_seen_cmd_line_filter`
  macro to exclude legitimate parent_process_name values.
references: []
tags:
analytic_story:
- DHS Report TA18-074A
- Suspicious Command-Line Executions
- Orangeworm Attack Group
- Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
- Hidden Cobra Malware
asset_type: Endpoint
confidence: 50
impact: 50
message: tbd
mitre_attack_id:
- T1059.001
- T1059.003
observable:
- name: field
type: Unknown
role:
- Unknown
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Processes.process_name
- Processes.process
- Processes.parent_process_name
- Processes.dest
risk_score: 25
security_domain: endpoint
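The search above is hard to reason about in one line: an inner subsearch merges the current run's `cmd.exe /c` command lines into a `previously_seen_cmd_line_arguments` lookup, writes the lookup back, and keeps only entries whose `firstTime` falls inside the last 70 minutes; the outer search then reports every matching process row whose command line is in that "new" set. The following Python is an added example, not code from the Splunk security content project, that re-implements that baseline-and-window logic over constructed Sysmon-style events so the behaviour can be checked offline. The baseline dictionary, the sample events, the hostnames and the `NOW` timestamp are all constructed; field names follow the `Endpoint.Processes` data model fields the rule lists under `required_fields`.

```python
"""Offline re-implementation of the first-time-seen cmd /c logic.
Added example; the events and baseline below are constructed sample data,
not output from any real environment."""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the 70-minute window is deterministic (constructed).
NOW = datetime(2020, 7, 21, 12, 0, tzinfo=timezone.utc)


def epoch(dt):
    """Epoch seconds, the unit Splunk's _time / firstTime / lastTime use."""
    return int(dt.timestamp())


# Stand-in for the previously_seen_cmd_line_arguments lookup (constructed):
# process command line -> (firstTime, lastTime)
BASELINE = {
    'cmd.exe /c "ipconfig /all"': (epoch(NOW - timedelta(days=30)),
                                   epoch(NOW - timedelta(days=1))),
}

# Constructed Sysmon Event ID 1 records mapped to Endpoint.Processes fields.
EVENTS = [
    {"_time": epoch(NOW - timedelta(minutes=10)), "process_name": "cmd.exe",
     "parent_process_name": "explorer.exe", "dest": "ws01",
     "process": 'cmd.exe /c "ipconfig /all"'},          # already in baseline
    {"_time": epoch(NOW - timedelta(minutes=5)), "process_name": "cmd.exe",
     "parent_process_name": "winword.exe", "dest": "ws02",
     "process": 'cmd.exe /c "whoami /all"'},            # never seen before
    {"_time": epoch(NOW - timedelta(minutes=3)), "process_name": "powershell.exe",
     "parent_process_name": "explorer.exe", "dest": "ws03",
     "process": "powershell.exe -c Get-Process"},       # not cmd.exe: excluded
    {"_time": epoch(NOW - timedelta(minutes=2)), "process_name": "cmd.exe",
     "parent_process_name": "explorer.exe", "dest": "ws01",
     "process": "cmd.exe /k dir"},                       # no /c switch: excluded
]


def matches_rule(event):
    """Processes.process_name = cmd.exe AND Processes.process = "* /c *"."""
    return event["process_name"] == "cmd.exe" and " /c " in event["process"]


def update_baseline(baseline, events):
    """Inner subsearch: per-process earliest/latest, appended to the lookup,
    collapsed with min(firstTime)/max(lastTime). Returns the merged lookup
    that the rule would write back with outputlookup."""
    merged = dict(baseline)
    for ev in events:
        if not matches_rule(ev):
            continue
        key, t = ev["process"], ev["_time"]
        first, last = merged.get(key, (t, t))
        merged[key] = (min(first, t), max(last, t))
    return merged


def first_seen_arguments(baseline, events, now, window_minutes=70):
    """Command lines with newCmdLineArgument=1: firstTime on or after
    relative_time(now(), "-70m@m"), i.e. the window start snapped to the minute."""
    merged = update_baseline(baseline, events)
    window_start = epoch(now.replace(second=0, microsecond=0)
                         - timedelta(minutes=window_minutes))
    new_args = sorted(p for p, (first, _last) in merged.items() if first >= window_start)
    return new_args, merged


def hunt(baseline, events, now):
    """Outer search: matching rows whose process is in the new-argument set,
    grouped by process, process_name, parent_process_name, dest as in the `by` clause.
    Returns (rows, merged_lookup)."""
    new_args, merged = first_seen_arguments(baseline, events, now)
    rows = {}
    for ev in events:
        if matches_rule(ev) and ev["process"] in new_args:
            key = (ev["process"], ev["process_name"], ev["parent_process_name"], ev["dest"])
            first, last = rows.get(key, (ev["_time"], ev["_time"]))
            rows[key] = (min(first, ev["_time"]), max(last, ev["_time"]))
    return rows, merged


if __name__ == "__main__":
    results, _lookup = hunt(BASELINE, EVENTS, NOW)
    for (process, _pn, parent, dest), (first, last) in results.items():
        print(f"{dest}: {parent} -> {process} firstTime={first} lastTime={last}")
```

Two properties of the rule are visible here and worth keeping in mind when tuning it: the lookup is rewritten on every run, so the very first run seeds the baseline and flags everything it sees inside the 70-minute window, and a command line that was seen long ago but reappears today is deliberately not reported, because its `firstTime` stays in the past. Anything that should never count as "previously seen" has to be excluded before the `outputlookup`, which in the rule means the filter macro.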