Rare Process Execution (Sysmon)
Rare process executions are anomalies within an organization and are normally worth looking at. Although these kinds of detections can be false positive prone, they can be utilized as supporting evidence or as a last resort to detect malicious activity that your other detection content may be missing.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.003 Command and Scripting Interpreter: Windows Command Shell, T1204.002 User Execution: Malicious File |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
Rule body
```yaml
id: '5026.5675'
title: Rare Process Execution
description: 'Rare process executions are anomalies within an organization and are
normally worth looking at. Although these kinds of detections can be false positive
prone, they can be utilized as supporting evidence or as a last resort to detect
malicious activity your other detection content may be missing. -- Threat Actor
Association: Traveling Spider, Volt Typhoon, Wizard Spider - Software Association:
Conti, Nefilim, Ryuk'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_sysmon` EventCode=1 NOT (process_path
IN ("C:\\Program Files*","C:\\Windows\\SoftwareDistribution\\Download\\Install\\*","C:\\ProgramData\\Microsoft\\Windows
Defender\\platform*") OR parent_process_path IN ("C:\\Program Files*","C:\\Windows\\SoftwareDistribution\\Download\\Install\\*"))|
rex field=process_path "^(?<process_path_ext>.+)\x5c[^\x5c]+$"| fields _time, host,
user, process, process_*, parent_*`group_events("host, process_name", 10)` | eventstats
dc(host) as dc_host by process_name| eventstats c(process_path_ext) as c_process_path_ext
by process_path_ext| eventstats c(process) as c_process by process| where process_path!=parent_process_path
and (dc_host=1 and c_process_path_ext<3 and c_process<3)`hec_collect`'
techniques:
- execution:command and scripting interpreter:windows command shell
- execution:user execution:malicious file
technique_id:
- T1204.002
- T1059.003
data_category:
- Windows Sysmon
references:
- https://www.splunk.com/en_us/blog/security/detecting-early-signs-of-compromise-using-windows-sysinternal.html
- https://d1zq5d3dtjfcoj.cloudfront.net/F-Secure-APT29-9985.png
```
Stages and Predicates
Stage 1: search
search NOT (parent_process_path IN ("C:\\Program Files*", "C:\\Windows\\SoftwareDistribution\\Download\\Install\\*") OR process_path IN ("C:\\Program Files*", "C:\\ProgramData\\Microsoft\\Windows Defender\\platform*", "C:\\Windows\\SoftwareDistribution\\Download\\Install\\*")) EventCode=1 source="*" source IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
Stage 2: eval
eval _rex_skipped = (...)
Stage 3: fields
fields _time, host, parent_*, process, process_*, user
Stage 4: bucket
bucket _time
Stage 5: stats
stats BY host, process_name, _time
Stage 6: eventstats
eventstats … AS dc_host BY process_name
Stage 7: eventstats
eventstats … AS c_process_path_ext BY process_path_ext
Stage 8: eventstats
eventstats … AS c_process BY process
Stage 9: where
where c_process<3 c_process_path_ext<3 dc_host=1 process_path!=
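The rule's pipeline reimplemented outside Splunk over constructed Sysmon records, as an added example that is not part of the original rule or catalog: it applies the path exclusions, derives `process_path_ext` the way the `rex` does, computes the three `eventstats` counts and the final `where` clause. It omits the `group_events` 10-minute bucketing macro (counts here are over raw events) and assumes nothing about `hec_collect`; field names and sample values are constructed.

```python
import fnmatch
import re
from collections import Counter

# Wildcard exclusions from the rule's NOT (...) clause; parents use only the first two.
PROCESS_PATH_EXCLUSIONS = (r"C:\Program Files*", r"C:\Windows\SoftwareDistribution\Download\Install\*",
                           r"C:\ProgramData\Microsoft\Windows Defender\platform*")
PARENT_PATH_EXCLUSIONS = PROCESS_PATH_EXCLUSIONS[:2]
# Same as the rule's rex: everything before the last backslash is the parent directory.
PARENT_DIR_RE = re.compile(r"^(?P<process_path_ext>.+)\\[^\\]+$")

def _excluded(path, patterns):
    # Splunk IN() with a trailing '*' is a case-insensitive wildcard match.
    return any(fnmatch.fnmatch(path.lower(), p.lower()) for p in patterns)

def rare_process_executions(events):
    """Return the Sysmon EID 1 events the rule would surface (no 10-minute grouping)."""
    kept = []
    for ev in events:
        if ev.get("EventCode") != 1 or _excluded(ev["process_path"], PROCESS_PATH_EXCLUSIONS) \
                or _excluded(ev["parent_process_path"], PARENT_PATH_EXCLUSIONS):
            continue
        m = PARENT_DIR_RE.match(ev["process_path"])
        kept.append(dict(ev, process_path_ext=m.group("process_path_ext") if m else None))
    # The three eventstats: dc(host) by process_name, c() by parent dir, c() by command line.
    hosts_by_name = {}
    for ev in kept:
        hosts_by_name.setdefault(ev["process_name"], set()).add(ev["host"])
    c_ext = Counter(ev["process_path_ext"] for ev in kept)
    c_process = Counter(ev["process"] for ev in kept)
    return [ev for ev in kept if ev["process_path"] != ev["parent_process_path"]
            and len(hosts_by_name[ev["process_name"]]) == 1
            and c_ext[ev["process_path_ext"]] < 3 and c_process[ev["process"]] < 3]

def _ev(host, path, parent, cmdline, code=1):
    # Constructed sample event using the field names the rule's `fields` command keeps.
    return {"EventCode": code, "host": host, "process_path": path, "parent_process_path": parent,
            "process_name": path.rsplit("\\", 1)[-1], "process": cmdline}

# Constructed sample: cmd.exe seen on two hosts, notepad sharing the System32 directory,
# one binary alone in a Temp folder, and an Edge launch that the Program Files exclusion drops.
SAMPLE_EVENTS = [
    _ev("WS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe /c whoami"),
    _ev("WS02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe /c whoami"),
    _ev("WS05", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
    _ev("WS03", r"C:\Users\jdoe\AppData\Local\Temp\update.exe", r"C:\Windows\System32\cmd.exe", "update.exe -q"),
    _ev("WS04", r"C:\Program Files\Microsoft\Edge\Application\msedge.exe", r"C:\Windows\explorer.exe", "msedge.exe"),
]
```

Only the WS03 event survives: cmd.exe fails `dc_host=1`, notepad.exe shares its System32 directory with the two cmd.exe events so `c_process_path_ext` reaches 3, and the Edge launch never enters the counts.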
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
| parent_process_path | in | "C:\\Program Files*", "C:\\Windows\\SoftwareDistribution\\Download\\Install\\*" |
| process_path | in | "C:\\Program Files*", "C:\\ProgramData\\Microsoft\\Windows Defender\\platform*", "C:\\Windows\\SoftwareDistribution\\Download\\Install\\*" |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 1 |
| c_process | lt | 3 |
| c_process_path_ext | lt | 3 |
| dc_host | eq | 1 |