Commit 67844be

analytics_enhancement
1 parent 1ed454b commit 67844be

File tree

1 file changed

+120
-0
lines changed

@@ -0,0 +1,120 @@
1+
name: Suspicious Process File Path
2+
id: 9be25988-ad82-11eb-a14f-acde48001122
3+
version: 6
4+
date: '2024-12-10'
5+
author: Teoderick Contreras, Splunk
6+
status: deprecated
7+
type:
8+
description: The following analytic identifies processes running from file paths not
9+
typically associated with legitimate software. It leverages data from Endpoint Detection
10+
and Response (EDR) agents, focusing on specific process paths within the Endpoint
11+
data model. This activity is significant because adversaries often use unconventional
12+
file paths to execute malicious code without requiring administrative privileges.
13+
If confirmed malicious, this behavior could indicate an attempt to bypass security
14+
controls, leading to unauthorized software execution, potential system compromise,
15+
and further malicious activities within the environment.
16+
data_source:
17+
- Sysmon EventID 1
18+
- Windows Event Log Security 4688
19+
- CrowdStrike ProcessRollup2
20+
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
21+
as lastTime from datamodel=Endpoint.Processes where Processes.process_path IN("*\\windows\\fonts\\*",
22+
"*\\windows\\temp\\*", "*\\users\\public\\*", "*\\windows\\debug\\*", "*\\Users\\Administrator\\Music\\*",
23+
"*\\Windows\\servicing\\*", "*\\Users\\Default\\*", "*Recycle.bin*", "*\\Windows\\Media\\*", "\\Windows\\repair\\*",
24+
"*\\temp\\*" , "*\\PerfLogs\\*","*\\windows\\tasks\\*", "*:\\programdata\\*") by
25+
Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_path Processes.dest
26+
Processes.user | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)`
27+
| `security_content_ctime(lastTime)` | `suspicious_process_file_path_filter`'
28+
how_to_implement: The detection is based on data that originates from Endpoint Detection
29+
and Response (EDR) agents. These agents are designed to provide security-related
30+
telemetry from the endpoints where the agent is installed. To implement this search,
31+
you must ingest logs that contain the process GUID, process name, and parent process.
32+
Additionally, you must ingest complete command-line executions. These logs must
33+
be processed using the appropriate Splunk Technology Add-ons that are specific to
34+
the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint`
35+
data model. Use the Splunk Common Information Model (CIM) to normalize the field
36+
names and speed up the data modeling process.
37+
known_false_positives: Administrators may allow execution of specific binaries in
38+
non-standard paths. Filter as needed.
39+
references:
40+
- https://www.trendmicro.com/vinfo/hk/threat-encyclopedia/malware/trojan.ps1.powtran.a/
41+
- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
42+
- https://twitter.com/pr0xylife/status/1590394227758104576
43+
- https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
44+
- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
45+
drilldown_searches:
46+
- name: View the detection results for - "$dest$"
47+
search: '%original_detection_search% | search dest = "$dest$"'
48+
earliest_offset: $info_min_time$
49+
latest_offset: $info_max_time$
50+
- name: View risk events for the last 7 days for - "$dest$"
51+
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$")
52+
starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime
53+
values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories)
54+
as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic)
55+
as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)`
56+
| `security_content_ctime(lastTime)`'
57+
earliest_offset: $info_min_time$
58+
latest_offset: $info_max_time$
59+
rba:
60+
message: Suspicious process $process_name$ running from a suspicious process path-
61+
$process_path$ on host- $dest$
62+
risk_objects:
63+
- field: dest
64+
type: system
65+
score: 35
66+
threat_objects:
67+
- field: process_path
68+
type: process_name
69+
tags:
70+
analytic_story:
71+
- Volt Typhoon
72+
- LockBit Ransomware
73+
- Data Destruction
74+
- XMRig
75+
- DarkGate Malware
76+
- Chaos Ransomware
77+
- Double Zero Destructor
78+
- Hermetic Wiper
79+
- Warzone RAT
80+
- Phemedrone Stealer
81+
- Prestige Ransomware
82+
- Graceful Wipe Out Attack
83+
- BlackByte Ransomware
84+
- IcedID
85+
- Handala Wiper
86+
- Meduza Stealer
87+
- CISA AA23-347A
88+
- AsyncRAT
89+
- Amadey
90+
- Industroyer2
91+
- ValleyRAT
92+
- Rhysida Ransomware
93+
- DarkCrystal RAT
94+
- Crypto Stealer
95+
- Azorult
96+
- Swift Slicer
97+
- AgentTesla
98+
- Qakbot
99+
- Remcos
100+
- Trickbot
101+
- Brute Ratel C4
102+
- RedLine Stealer
103+
- PlugX
104+
- MoonPeak
105+
- WhisperGate
106+
asset_type: Endpoint
107+
mitre_attack_id:
108+
- T1543
109+
product:
110+
- Splunk Enterprise
111+
- Splunk Enterprise Security
112+
- Splunk Cloud
113+
security_domain: endpoint
114+
tests:
115+
- name: True Positive Test
116+
attack_data:
117+
- data:
118+
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/xmrig_miner/windows-sysmon.log
119+
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
120+
sourcetype: XmlWinEventLog
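Review bot: the entry `"\\Windows\\repair\\*"` in the `Processes.process_path IN(...)` list is the only pattern without a leading `*`, so it can only match a path that literally begins with `\Windows\repair\` and will never match a real process path such as `C:\Windows\repair\...`; change it to `"*\\Windows\\repair\\*"` to line up with the other entries. Two metadata points in the same file: `type:` is left empty while every other header field is populated, and under `threat_objects` the entry declares `field: process_path` with `type: process_name`, which mislabels the threat object (either point it at `process_name` or give `process_path` a matching type). The `how_to_implement` text also says the search requires process GUID and full command-line ingestion, but the search keys only on `process_path`, `process_name`, `parent_process_name`, `parent_process`, `dest` and `user`, so that requirement should be trimmed or the search should actually use those fields. Finally, `"*\\temp\\*"` already subsumes `"*\\windows\\temp\\*"`, and `"*:\\programdata\\*"` matches the install location of many legitimate updaters and agents; `known_false_positives` should say so explicitly rather than only "Filter as needed", since `suspicious_process_file_path_filter` will need per-environment tuning before this is usable at score 35.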
