It is possible for a legitimate file to be created with the same name as one noted in the lookup file. The filenames listed in the lookup file should be unique enough that collisions are rare. Looking at the location of the file and the process responsible for the activity can help determine whether or not the activity is legitimate.

Techniques

Sample rules

Suspicious File Write

Description

The search looks for files created with names that have been linked to malicious activity.

Detection logic

| tstats `security_content_summariesonly` count values(Filesystem.action) as action values(Filesystem.file_path) as file_path min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem by Filesystem.file_name Filesystem.dest 
| `security_content_ctime(lastTime)` 
| `security_content_ctime(firstTime)` 
| `drop_dm_object_name(Filesystem)` 
| `suspicious_writes` 
| `suspicious_file_write_filter`
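The following is an added example, not code from this page or from the Splunk Security Content project. It re-implements the stages of the search above in plain Python over constructed Endpoint.Filesystem-style events: the tstats aggregation by file_name and dest (count, distinct actions and paths, first and last time), the `suspicious_writes` lookup join, and a stand-in for `suspicious_file_write_filter`. The lookup contents, the event rows and the path-prefix allowlist are all assumptions chosen for the demonstration; the real lookup and filter macro are site-specific. The file_path and process_id sets are carried through on purpose because, as the false-positive note says, location and originating process are what an analyst needs to decide whether a name collision is benign.

```python
"""Offline mirror of the 'Suspicious File Write' search over constructed events."""

# Constructed stand-in for the `suspicious_writes` lookup: file_name -> note.
# Keys are lower-case because Splunk lookups match case-insensitively by default.
SUSPICIOUS_WRITES = {
    "bad_tool.exe": "constructed example: name tied to a malware family",
    "stager.dll": "constructed example: name tied to a known dropper",
}

# Constructed events shaped like Endpoint.Filesystem rows (_time is epoch seconds).
EVENTS = [
    {"_time": 1700000000, "action": "created", "dest": "ws01", "file_name": "bad_tool.exe",
     "file_path": "C:\\Users\\alice\\AppData\\Local\\Temp\\bad_tool.exe", "process_id": 4120},
    {"_time": 1700000300, "action": "created", "dest": "ws01", "file_name": "bad_tool.exe",
     "file_path": "C:\\Users\\alice\\Downloads\\bad_tool.exe", "process_id": 4120},
    {"_time": 1700000600, "action": "created", "dest": "ws02", "file_name": "report.docx",
     "file_path": "C:\\Users\\bob\\Documents\\report.docx", "process_id": 812},
    {"_time": 1700000900, "action": "created", "dest": "build01", "file_name": "Stager.dll",
     "file_path": "D:\\ci\\workspace\\out\\Stager.dll", "process_id": 2200},
]


def aggregate_by_name_and_dest(events):
    """Mirror of the tstats stage: one row per (file_name, dest) carrying count,
    the distinct actions, paths and process ids seen, and first/last time.
    file_name is lower-cased so 'Stager.dll' and 'stager.dll' land in one row."""
    rows = {}
    for ev in events:
        key = (ev["file_name"].lower(), ev["dest"])
        row = rows.setdefault(key, {
            "file_name": key[0], "dest": ev["dest"], "count": 0,
            "action": set(), "file_path": set(), "process_id": set(),
            "firstTime": ev["_time"], "lastTime": ev["_time"],
        })
        row["count"] += 1
        row["action"].add(ev["action"])
        row["file_path"].add(ev["file_path"])
        row["process_id"].add(ev["process_id"])
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return list(rows.values())


def apply_suspicious_writes(rows, lookup):
    """Mirror of `suspicious_writes`: keep only rows whose file_name is in the
    lookup and attach the lookup's note so the analyst sees why it matched."""
    matched = []
    for row in rows:
        note = lookup.get(row["file_name"])
        if note is not None:
            matched.append({**row, "note": note})
    return matched


def suspicious_file_write_filter(rows, allowed_path_prefixes=()):
    """Stand-in for `suspicious_file_write_filter` (assumption: the site tunes it
    with path prefixes). A row is dropped only when every observed path sits under
    an allowed prefix, so a name that also appeared somewhere unexpected survives."""
    kept = []
    for row in rows:
        all_allowed = bool(allowed_path_prefixes) and all(
            any(path.startswith(prefix) for prefix in allowed_path_prefixes)
            for path in row["file_path"]
        )
        if not all_allowed:
            kept.append(row)
    return kept


def detect(events, lookup=SUSPICIOUS_WRITES, allowed_path_prefixes=()):
    """Run the three stages in the same order as the SPL pipeline."""
    rows = aggregate_by_name_and_dest(events)
    rows = apply_suspicious_writes(rows, lookup)
    return suspicious_file_write_filter(rows, allowed_path_prefixes)


if __name__ == "__main__":
    for row in detect(EVENTS):
        print(f"{row['dest']}: {row['file_name']} x{row['count']} "
              f"paths={sorted(row['file_path'])} pids={sorted(row['process_id'])} "
              f"first={row['firstTime']} last={row['lastTime']} note={row['note']}")
```

Running it with no allowlist reports both matching hosts; passing `allowed_path_prefixes=("D:\\ci\\workspace\\",)` drops the CI host's row, which is the kind of tuning the filter macro exists for when a legitimate build artifact happens to share a name with a lookup entry.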