Techniques
Sample rules
Windows System LogOff Commandline
- source: splunk
- technicques:
- T1529
Description
The following analytic identifies Windows commandline to logoff a windows host machine. This technique was seen in several APT, RAT like dcrat and other commodity malware to shutdown the machine to add more impact, interrupt access, aid destruction of the system like wiping disk or inhibit system recovery. This TTP is a good pivot to check why application trigger this commandline which is not so common way to logoff a machine.
Detection logic
| tstats `security_content_summariesonly` values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name = shutdown.exe OR Processes.original_file_name = shutdown.exe) Processes.process="*shutdown*" Processes.process IN ("* /l*", "* -l*") Processes.process IN ("* /t*","* -t*","* /f*","* -f*") by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.original_file_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_system_logoff_commandline_filter`