Techniques
Sample rules
Windows Time Based Evasion via Choice Exec
- source: splunk
- technicques:
- T1497.003
- T1497
Description
This analytic is designed to detect potentially suspicious batch files that leverage choice.exe as a delay tactic. This technique, observed in the SnakeKeylogger malware, is utilized for time delays or ‘Sleep’ commands in its code execution or before the deletion of its copies on compromised hosts. Detecting this anomaly serves as a valuable pivot to uncover suspicious processes attempting to evade detection through time-based evasion techniques.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name =choice.exe Processes.process = "*/T*" Processes.process = "*/N*" by Processes.parent_process_name Processes.process_name Processes.process Processes.process_id Processes.parent_process_id Processes.process_guid Processes.dest Processes.user
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_time_based_evasion_via_choice_exec_filter`