High Process Termination Frequency
- source: splunk
- techniques:
  - T1486
Description
This analytic identifies a high frequency of process termination events on a single host within a short time window, a common behavior of ransomware immediately before it encrypts files. Terminating processes first avoids access errors on files that would otherwise be held open (documents, images, databases and so on) when the malware tries to encrypt them on the infected machine.
Detection logic
`sysmon` EventCode=5
| bin _time span=3s
| stats values(Image) as proc_terminated min(_time) as firstTime max(_time) as lastTime count by _time dest EventCode ProcessID
| where count >= 15
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `high_process_termination_frequency_filter`
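The same bin/count/threshold logic, written in Python as an added example (not the Splunk rule itself) and run over constructed Sysmon EventCode=5 records: it floors each event into a 3-second bin, counts terminations per bin and host, and reports groups at or above 15 with the distinct images and first/last times. The rule's EventCode and ProcessID grouping keys are omitted here, and host `ws03` shows the caveat that a burst straddling a bin boundary is split across two bins and never reaches the threshold.

```python
from collections import defaultdict
from datetime import datetime, timezone


def _event(utc, dest, image, code=5):
    return {"EventCode": code, "UtcTime": utc, "dest": dest, "Image": image}


# Constructed sample Sysmon records, not real telemetry. ws01: 17 terminations
# inside one 3-second bin (10 distinct images). ws02: background noise.
# ws03: 16 terminations split across a bin boundary (:02 and :03), 8 per bin.
SAMPLE_EVENTS = (
    [_event("2024-05-01T10:00:01", "ws01", f"C:\\Program Files\\App{i % 10}\\app.exe") for i in range(17)]
    + [_event("2024-05-01T10:00:10", "ws02", "C:\\Windows\\explorer.exe") for _ in range(2)]
    + [_event("2024-05-01T10:00:02", "ws03", f"C:\\Tools\\tool{i}.exe") for i in range(8)]
    + [_event("2024-05-01T10:00:03", "ws03", f"C:\\Tools\\tool{i}.exe") for i in range(8)]
    + [_event("2024-05-01T10:00:01", "ws01", "C:\\Windows\\System32\\notepad.exe", code=1)]
)


def bin_time(ts, span=3):
    """Floor an epoch timestamp to the start of its span-second bin (`bin _time span=3s`)."""
    return int(ts) - int(ts) % span


def detect_high_termination_frequency(events, span=3, threshold=15):
    """Count EventCode=5 per (bin, host) and return the groups at or above threshold.

    Mirrors the stats/where stage of the rule: distinct terminated images,
    first and last event time, and the count per bin and host.
    """
    groups = defaultdict(list)
    for ev in events:
        if ev["EventCode"] != 5:  # only ProcessTerminate events are counted
            continue
        ts = datetime.fromisoformat(ev["UtcTime"]).replace(tzinfo=timezone.utc).timestamp()
        groups[(bin_time(ts, span), ev["dest"])].append((ts, ev["Image"]))
    alerts = []
    for (bucket, dest), items in sorted(groups.items()):
        if len(items) >= threshold:
            times = [t for t, _ in items]
            alerts.append({"_time": bucket, "dest": dest, "count": len(items),
                           "proc_terminated": sorted({img for _, img in items}),
                           "firstTime": min(times), "lastTime": max(times)})
    return alerts


if __name__ == "__main__":
    for a in detect_high_termination_frequency(SAMPLE_EVENTS):
        print(a["dest"], a["count"], a["proc_terminated"])
```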