LoFP / false positives will be found. https and http is a url protocol handler that will trigger this analytic. tune based on process or command-line.

Techniques

• T1059

Sample rules

Windows Identify Protocol Handlers

• source: splunk
• technicques:
  • T1059

Description

The following analytic identifies the use of protocol handlers executed via the command line. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because protocol handlers can be exploited to execute arbitrary commands or launch applications, potentially leading to unauthorized actions. If confirmed malicious, an attacker could use this technique to gain code execution, escalate privileges, or maintain persistence within the environment, posing a significant security risk.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes  by Processes.dest Processes.parent_process_name Processes.user Processes.process_name Processes.process 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `drop_dm_object_name(Processes)` 
| lookup windows_protocol_handlers handler AS process OUTPUT handler ishandler 
| where ishandler="TRUE" 
| `windows_identify_protocol_handlers_filter`