/
unusually_long_command_line.yml
61 lines (61 loc) · 3.41 KB
/
unusually_long_command_line.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
name: Unusually Long Command Line
id: c77162d3-f93c-45cc-80c8-22f6a4264e7f
version: 5
date: '2020-12-08'
author: David Dorsey, Splunk
status: experimental
type: Anomaly
description: |-
The following analytic detects command lines that are extremely long, which might be indicative of malicious activity on your hosts because attackers often use obfuscated or complex command lines to hide their actions and evade detection. This helps to mitigate the risks associated with long command lines to enhance your overall security posture and reduce the impact of attacks. This detection is important because it suggests that an attacker might be attempting to execute a malicious command or payload on the host, which can lead to various damaging outcomes such as data theft, ransomware, or further compromise of the system. False positives might occur since legitimate processes or commands can sometimes result in long command lines. Next steps include conducting extensive triage and investigation to differentiate between legitimate and malicious activities. Review the source of the command line and the command itself during the triage. Additionally, capture and inspect any relevant on-disk artifacts and review concurrent processes to identify the source of the attack.
data_source:
- Sysmon EventID 1
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Processes by Processes.user Processes.dest Processes.process_name
Processes.process | `drop_dm_object_name("Processes")` | `security_content_ctime(firstTime)`|
`security_content_ctime(lastTime)`| eval processlen=len(process) | eventstats stdev(processlen)
as stdev, avg(processlen) as avg by dest | stats max(processlen) as maxlen, values(stdev)
as stdevperhost, values(avg) as avgperhost by dest, user, process_name, process
| `unusually_long_command_line_filter` |eval threshold = 3 | where maxlen > ((threshold*stdevperhost)
+ avgperhost)'
how_to_implement: The detection is based on data that originates from Endpoint Detection
and Response (EDR) agents. These agents are designed to provide security-related
telemetry from the endpoints where the agent is installed. To implement this search,
you must ingest logs that contain the process GUID, process name, and parent process.
Additionally, you must ingest complete command-line executions. These logs must
be processed using the appropriate Splunk Technology Add-ons that are specific to
the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
data model. Use the Splunk Common Information Model (CIM) to normalize the field
names and speed up the data modeling process.
known_false_positives: Some legitimate applications start with long command lines.
references: []
tags:
analytic_story:
- Suspicious Command-Line Executions
- Unusual Processes
- Possible Backdoor Activity Associated With MUDCARP Espionage Campaigns
- Ransomware
asset_type: Endpoint
confidence: 60
impact: 70
message: Unusually long command line $process_name$ on $dest$
observable:
- name: dest
type: Endpoint
role:
- Victim
- name: process_name
type: Process
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Processes.user
- Processes.dest
- Processes.process_name
- Processes.process
risk_score: 42
security_domain: endpoint