High Process Termination Frequency
- source: splunk
- techniques:
  - T1486
Description
The following analytic identifies a high frequency of process termination events on a single host within a short period. It leverages Sysmon EventCode 5 (Process Terminated) logs to detect instances where 15 or more processes are terminated within a 3-second window. This behavior is significant because it is commonly associated with ransomware terminating processes that hold files open (office suites, databases, backup agents) so that encryption does not fail on locked files. If confirmed malicious, this activity could indicate an active ransomware attack, potentially leading to widespread file encryption and significant data loss.
Detection logic
`sysmon` EventCode=5
| bin _time span=3s
| stats values(Image) as proc_terminated min(_time) as firstTime max(_time) as lastTime count by _time dest EventCode ProcessID
| where count >= 15
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `high_process_termination_frequency_filter`
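To make the bucketing and threshold behaviour of the search above concrete, here is an added Python model of the same logic run over constructed Sysmon EventCode 5 records. This is example code written for this page, not part of the Splunk rule or its macros: the `security_content_ctime` and `high_process_termination_frequency_filter` macros are omitted, hostnames, PIDs, image paths and timestamps are made up, and the `ProcessID` field is assumed to be the constant-per-host value that XmlWinEventLog data carries for the logging process (which is why grouping by it does not split the count). The third host in the sample shows the caveat of fixed `bin` buckets: 20 terminations in two seconds that straddle a bucket boundary do not reach the threshold in either bucket.

```python
"""Added example (not from the original rule page): a Python model of the SPL
`sysmon` EventCode=5 | bin _time span=3s | stats ... count by _time dest EventCode ProcessID
| where count >= 15, run over constructed Sysmon EventCode 5 records."""
from collections import defaultdict
from dataclasses import dataclass

THRESHOLD = 15     # `where count >= 15`
SPAN_SECONDS = 3   # `bin _time span=3s`
BASE = 1_700_000_001  # constructed epoch base, chosen to be a multiple of 3


@dataclass(frozen=True)
class Alert:
    window_start: int        # _time after binning (bucket start, epoch seconds)
    dest: str
    count: int
    first_time: int          # min(_time) as firstTime
    last_time: int           # max(_time) as lastTime
    proc_terminated: tuple   # distinct Image values, like values(Image)


def bin_time(ts: int, span: int = SPAN_SECONDS) -> int:
    """Mirror `bin _time span=3s`: floor the timestamp to the start of its bucket."""
    return ts - (ts % span)


def detect_high_termination_frequency(events, threshold=THRESHOLD, span=SPAN_SECONDS):
    """events: iterable of dicts with keys EventCode, _time, dest, Image, ProcessID.
    Returns one Alert per (bucket, dest, ProcessID) group whose count reaches the threshold,
    sorted by bucket then host, the same grouping the SPL `stats ... by` clause uses."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != 5:   # first filter: `sysmon` EventCode=5
            continue
        # ProcessID assumed constant per host (logging process), see lead-in
        key = (bin_time(ev["_time"], span), ev["dest"], ev["ProcessID"])
        groups[key].append(ev)
    alerts = []
    for (bucket, dest, _pid), evs in sorted(groups.items()):
        if len(evs) >= threshold:
            times = [e["_time"] for e in evs]
            alerts.append(Alert(bucket, dest, len(evs), min(times), max(times),
                                tuple(sorted({e["Image"] for e in evs}))))
    return alerts


def sample_events():
    """Constructed records only, not real telemetry."""
    images = [r"C:\Program Files\OfficeSuite\writer.exe", r"C:\Program Files\OfficeSuite\sheets.exe",
              r"C:\Program Files\DBServer\dbengine.exe", r"C:\Windows\System32\notepad.exe",
              r"C:\Program Files\BackupTool\agent.exe", r"C:\Program Files\MailClient\mail.exe"]

    def ev(t, dest, img, pid=4242):
        return {"EventCode": 5, "_time": t, "dest": dest, "Image": img, "ProcessID": pid}

    events = []
    # WS-01: 18 terminations inside one 3-second bucket (ransomware-like burst)
    for i in range(18):
        events.append(ev(BASE + i % 3, "WS-01", images[i % len(images)]))
    # WS-02: a handful of ordinary terminations spread over 13 seconds
    for i, t in enumerate((0, 5, 9, 13)):
        events.append(ev(BASE + t, "WS-02", images[i]))
    # WS-03: 20 terminations in 2 seconds, but split 10/10 across a bucket boundary
    for i in range(20):
        events.append(ev(BASE + 2 + i // 10, "WS-03", images[i % len(images)]))
    # a non-EventCode-5 record that the first filter must drop
    events.append({"EventCode": 1, "_time": BASE, "dest": "WS-01",
                   "Image": images[0], "ProcessID": 4242})
    return events


if __name__ == "__main__":
    for a in detect_high_termination_frequency(sample_events()):
        print(f"{a.dest}: {a.count} terminations in bucket {a.window_start} "
              f"({a.first_time}..{a.last_time}); images={len(a.proc_terminated)}")
```

Only WS-01 produces an alert with the default threshold. Lowering `threshold` to 10 surfaces both of WS-03's half-buckets, which is the usual way to reason about tuning this rule: the 3-second `bin` is a fixed grid, not a sliding window, so bursts that land on a boundary need a lower count or a wider span to be caught, at the cost of more noise from legitimate mass shutdowns (logoff, patching, service restarts).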