Techniques
Sample rules
Windows Command and Scripting Interpreter Hunting Path Traversal
- source: splunk
- technicques:
- T1059
Description
The following analytic identifies path traversal command-line executions, leveraging data from Endpoint Detection and Response (EDR) agents. It detects patterns in command-line arguments indicative of path traversal techniques, such as multiple instances of “/..”, “..”, or “\..”. This activity is significant as it often indicates attempts to evade defenses by executing malicious code, such as through msdt.exe. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time)
as lastTime FROM datamodel=Endpoint.Processes where
Processes.process IN ("*\\..*", "*//..*", "*\..*", "*/..*")
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path Processes.process
Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id
Processes.process_integrity_level Processes.process_name Processes.process_path
Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| eval count_of_pattern1 = (mvcount(split(process,"/.."))-1)
| eval count_of_pattern2 = (mvcount(split(process,"\.."))-1)
| eval count_of_pattern3 = (mvcount(split(process,"\\.."))-1)
| eval count_of_pattern4 = (mvcount(split(process,"//.."))-1)
| search count_of_pattern1 > 1
OR
count_of_pattern2 > 1
OR
count_of_pattern3 > 1
OR
count_of_pattern4 > 1
| `windows_command_and_scripting_interpreter_hunting_path_traversal_filter`